Latest Data Breach Settlement Illustrates Need for Companies to Prioritize Cybersecurity

credit card iStock_000009899701_LargeOn Aug. 5, 2016, the New York attorney general, Eric Schneiderman, announced a $100,000 settlement with an e-retailer following an investigation of a data breach that resulted in the potential exposure of more than 25,000 credit card numbers and other personal information.

According to the investigation, on Aug. 7, 2014, in an all-too-common scenario, an attacker infiltrated the e-retailer’s website. Nearly one year later, the e-retailer’s merchant bank notified it that fraudulent charges were appearing on customers’ credit card accounts. The e-retailer then hired a cybersecurity firm to conduct a forensic investigation, and the malware was discovered and removed from the e-retailer’s website.

The e-retailer, however, failed to take the next step, which should have been notification to affected customers. According to the attorney general’s office, the e-retailer never provided notice to its customers or law enforcement about the breach, in violation of New York General Business Law (GBL) § 899-aa, which requires that notice be provided to affected individuals and various government agencies, in the most expedient time possible and without unreasonable delay. Continue Reading

A Closer Look at the OCR’s Guidance on Ransomware

Hacker wearing black glove clicking on ransomware buttonIn the wake of several high-profile ransomware infections targeting hospitals and health care organizations, the Department of Health and Human Services Office for Civil Rights (OCR) has issued guidance on the growing threat of ransomware.

Ransomware is a type of malware that denies access to systems and data. It uses strong cryptography to encrypt files to prevent access without a decryption key. To receive the decryption key and restore access, the entity must pay a ransom, typically in the form of a cryptocurrency such as Bitcoin. While this type of malware has been around for years, it has recently made headlines in the healthcare industry, most notably after Hollywood Presbyterian Medical Center was forced to use pen and paper when its computer systems were held hostage by ransomware back in February. Like an infectious disease, ransomware has spread throughout the healthcare industry, causing havoc and potentially jeopardizing patient care.

Given the publicity and the potential for harm, it should come as no surprise that the OCR has issued guidance in this area. As the regulatory agency that enforces HIPAA, when the OCR speaks, healthcare organizations should take heed. Continue Reading

OCR to Increase Efforts to Investigate Breaches Affecting Fewer Than 500 Individuals

HIPAA document magnifiedThe Department of Health and Human Services Office for Civil Rights (OCR) is the federal agency tasked with investigating data breaches involving protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA).

The mere mention of an OCR investigation can strike fear into the hearts of HIPAA privacy officers and health care executives everywhere. Data breaches have been occurring with disturbingly high frequency in the health care industry. If a covered entity experiences a data breach involving more than 500 affected individuals, a regulatory investigation by the OCR is virtually guaranteed.

On August 18, 2016, the OCR announced that it was increasing efforts to investigate smaller breaches, such as those involving fewer than 500 individuals. While the OCR has always had the authority to investigate smaller breaches, it has traditionally done so only when it had resources to spare. This new initiative announced by the OCR represents a concerted effort to investigate the root causes of breaches affecting fewer than 500 individuals.

Even with this new initiative, the OCR is unlikely to investigate every breach; there are simply too many to handle. Instead, each regional office will prioritize its investigations based on:

  • The size of the breach;
  • Whether it involves the theft of or improper disposal of unencrypted PHI;
  • Whether it involves unwanted intrusions to IT systems (for example, by hacking);
  • The amount, nature and sensitivity of the PHI involved; or
  • Instances where numerous breach reports from a particular covered entity or business associate raise similar issues.

The key takeaway from this announcement by the OCR is to treat every breach as if it will result in an OCR investigation. Do not become complacent, especially when dealing with smaller or routine incidents, because you never know when the OCR will come knocking.

Unanimous FTC Finds LabMD’s Data Security Practices Violated Section 5 of the FTC Act

Hard work brings rewardsOn July 29, 2016, a unanimous Federal Trade Commission (“FTC” or “Commission”) issued its Opinion and Final Order reversing the decision of an administrative law judge (“ALJ”) and holding that LabMD engaged in “unfair” practices in violation of Section 5 of the FTC Act because it failed to provide reasonable and appropriate security for personal information stored on its computer network. The FTC’s conclusion is significant because companies may face enforcement action for inadequate data security in connection with incidents in which there is no evidence that consumer information was accessed by unauthorized persons who likely intended to misuse the information.


As we previously reported, the FTC first began investigating LabMD’s data security practices in 2010, when Tiversa Holding Company, a cybersecurity consulting firm, informed the FTC that sensitive personal information held by LabMD may have been publicly disclosed on a peer-to-peer (“P2P”) file-sharing network. On Aug. 28, 2013, the FTC brought the administrative action against LabMD under Section 5 of the FTC Act, alleging, in part, that LabMD failed to provide reasonable and appropriate data security for personal information stored on its computer network and that its failure caused or was likely to cause substantial consumer injury, including identity theft, medical identity theft, and the disclosure of sensitive, private medical information. Section 5(n) of the FTC Act prohibits unfair acts or practices if: (1) the act or practice causes or is likely to cause substantial injury to consumers, (2) which is not reasonably avoidable by consumers themselves, and (3) not outweighed by countervailing benefits to consumers or to competition.

On Nov. 13, 2015, the ALJ concluded that the FTC failed to prove the substantial injury prong of the three-part test, holding that “[t]o impose liability for unfair conduct … , where there is no proof of actual injury to any consumer, based only on an unspecified and theoretical ‘risk’ of a future data breach and identity theft injury, would require unacceptable speculation and would vitiate the statutory requirement of ‘likely’ substantial consumer injury.” Counsel for the FTC appealed to the full Commission. Continue Reading

Automotive Industry Organization Releases Recommended Cybersecurity Best Practices

Auto-ISAC is not alone in its efforts to address potential cybersecurity risks imposed by connected vehicles. As we have previously discussed, in 2015 legislators introduced the SPY Car Act, which requires automakers to meet certain vehicle data security standards to combat potential hacking threats. The U.S. Department of Transportation (DOT) notes that it has been researching and testing vehicle communications for over a decade. In addition, through the Intelligent Transportation Systems Joint Program Office, the DOT has worked to fund almost $25 million in cyber security research between 2012 and 2014. The National Highway Traffic Safety Administration (NHTSA) also published information relating to its comprehensive approach to vehicle cybersecurity.

The Best Practices continue these efforts by promoting a self-regulation framework within the industry for vehicle cybersecurity. The Best Practices outlined by Auto-ISAC include: Continue Reading

Privacy Shield to Open for Business August 1

bigstock-Internet-Concept-30269060After more than two years of negotiations, on July 12, 2016, the European Commission formally adopted the EU-U.S. Privacy Shield (the “Privacy Shield”) framework as a valid mechanism for transfers of personal data from the EU to the U.S. Touting the Privacy Shield as “a robust new system to protect the personal data of Europeans and ensure legal certainty for businesses,” the European Commission released an Adequacy Decision, along with accompanying Annexes, concluding that “the United States ensures an adequate level of protection for personal data transferred under the EU-U.S. Privacy Shield from the Union to self-certified organisations in the United States.” Continue Reading

Business Associates in the Crosshairs: Catholic Health Care Services Settles for $650,000 for Failure to Safeguard PHI

Stethoscope on Computer KeyboardCatholic Health Care Services of the Archdiocese of Philadelphia (CHCS) recently agreed to enter into a $650,000 resolution agreement and a two-year corrective action plan (CAP) with the Office for Civil Rights (OCR). CHCS provides management and information technology services as a business associate to six nursing homes. The OCR settlement follows a finding that CHCS violated the HIPAA Security Rule, which requires business associates to conduct enterprise-wide security risk analyses and to prepare corresponding risk management plans.

OCR initiated its investigation upon notification by CHCS of the theft of an employee’s unencrypted company iPhone containing Social Security numbers, diagnosis and treatment information, medications, and names of family members and legal guardians. This resulted in separate notifications from each of the six nursing homes regarding a breach of e-PHI, which, according to OCR, affected some 412 individuals. Continue Reading

$90 Million Cyber Thefts From Banks Using SWIFT Network Raise Security Issues

Security Breach_465738902In February 2016, attackers stole $81 million from the Bangladesh central bank’s account at the New York Federal Reserve Bank by hacking into the Bangladesh bank’s computer network and sending fraudulent messages through the Society for Worldwide Interbank Financial Telecommunication (SWIFT) payment network. In January 2015, attackers netted $9 million in funds from an Ecuadorian bank through fraudulent SWIFT messages. Information about the attacks and documents from a lawsuit related to the theft from the Ecuadorian bank reveal the challenging data security issues banks face when they use the SWIFT network.

How SWIFT operates. SWIFT, founded in 1973,[1] is a cooperative owned by 3,000 financial institutions from around the world.[2] SWIFT’s message platform is used by more than 11,000 banks[3] in 200 countries.[4] Those banks sent approximately 25 million SWIFT messages per day in April 2016.[5] To use the SWIFT network, a person or business that wants to transfer funds internationally, referred to as the “sender,” asks an “originator bank” to send a SWIFT message to a bank in another country directing the “receiving bank” to pay funds to a “beneficiary bank” for the account of the person or entity to receive the funds, the “beneficiary.”[6] Each bank using the SWIFT network is assigned an eight-character identification code and a SWIFT message can be sent only from a SWIFT terminal at the originator bank; the SWIFT terminal authenticates to the SWIFT network using smart-card technology.[7] Receiving banks verify that each payment message contains the originator bank’s code and was sent from the originator bank’s SWIFT terminal.[8] Continue Reading

Mobile Ad Co Settles with FTC Over Allegations of Deceptive Geolocation Tracking And Children’s Privacy Violations for $4 Million


On June 22, 2016, mobile advertising company InMobi Private Ltd. settled Federal Trade Commission (“FTC” or “Commission”) claims of violations of Section 5 of the FTC Act, and the Children’s Online Privacy Protection Act and Rule (COPPA), for $4 million.  The violations of COPPA supported the monetary penalty since, unlike Section 5, COPPA provides for civil penalties.  However, there are lessons here for the mobile app industry beyond that geolocation services for children require verified parental consent.  In addition, this action reinforces the FTC’s position that device location information is sensitive and thus justifies heightened consumer notice and choice, and that providing notice of an opt-out method that is not completely effective could be a deceptive practice if the limitations are not clearly explained — a common mistake we see clients making.

The Commission’s Allegations and the InMobi’s Settlement

InMobi is ranked among the top 10 mobile advertising companies in the world, said to reach over one billion unique mobile devices, of which 19 percent are located in North America. InMobi’s advertising platform allows app developers/publishers to serve third party ads within their apps.  The ads can be customized for app users based on physical location as determined by checking device geolocation, including based on location history over up to a two month period. Continue Reading

Privacy Shield Developments and UK Data Transfers Post-Brexit

connectivityWith the UK’s Brexit referendum dominating the news out of Europe over the past week, it may have been easy to miss a key development in the continuing Privacy Shield negotiations. On Friday, June 24, news outlets reported that U.S. regulators and the European Commission had agreed on a finalized version from the Privacy Shield, a proposed “replacement” of the Safe Harbor framework that was invalidated last October. The revised draft is said to address concerns voiced by the European Parliament, Article 29 Working Party, and European Data Protection Supervisor in recent months.

The latest draft of the Privacy Shield, which the European Commission sent to EU Member States for review, has not yet been made public, but reports have sketched out the following updates:

  • Bulk data collection: The U.S. has provided further details on its bulk data collection practices, specifying the preconditions for “targeted and focused” personal data collection and safeguards for how the data may be used.
  • U.S. Ombudsperson: The Privacy Shield calls for the appointment of a U.S. Ombudsperson to address complaints regarding the U.S. government’s use of EU citizens’ personal data. The revised draft specifies that this Ombudsperson will be independent from U.S. national security services.
  • Data retention: The revised draft includes more explicit data retention restraints, requiring that personal data be deleted when it no longer serves the purpose for which it was collected.

The revised draft is now in the hands of the Article 31 Working Party (WP31) – a group composed of EU Member State representatives with veto power – which is expected to hold a vote in early July. The WP31 was unable to reach an agreement on the adequacy of the Privacy Shield during its meeting on May 19. If the WP31 approves the European Commission’s revised Privacy Shield, it would then need to be formally adopted by the European Commission’s College of Commissioners. With alternative data transfer mechanisms under continued scrutiny, the fate of the Privacy Shield is of great interest to U.S. companies seeking to lawfully transfer personal data from the EU. Continue Reading