On April 26, 2019, the U.S. Department of Health & Human Services (HHS) issued an announcement that the annual penalty cap for three of the four tiers of HIPAA violations would be reduced significantly to match what HHS called a “better reading” of inconsistent language found in the Health Information Technology for Economic and Clinical Health Act’s (HITECH) penalty scheme.
Last Tuesday, the California Assembly’s Committee on Privacy and Consumer Protection (Assembly Privacy Committee), which has jurisdiction over matters related to privacy, the protection of personal information and information technology, held a committee hearing in which it voted in favor of advancing eight industry-backed bills that would amend the California Consumer Privacy Act (CCPA), set to take effect on Jan 1, 2020. To the benefit of businesses, the bills, which now move on to the Assembly’s Appropriations Committee, would clarify the text and limit the scope of the unprecedented, sweeping privacy law that grants consumers a great degree of transparency and choice with respect to their personal information, defined broadly under the act. If the bills survive the Assembly’s Appropriations Committee, they will come before the full Assembly before advancing to the California Senate, and would ultimately become law if signed by the governor. Also of note, two CCPA amendment bills, discussed further below, have been withdrawn from advancement to committee consideration.
Healthcare was the industry most affected by data breaches in 2018. We worked on nearly 200 healthcare matters involving multispecialty academic medical centers, hospital systems, small and large physician practices, small and large health insurers, and biotech and pharmaceutical companies.
In 2018, health information alone was just behind Social Security numbers (which can also be protected health information) as the most at-risk data.
Data security incidents are becoming more sophisticated in nature. We’ve noted an uptick in the number of targeted phishing attacks and network intrusion incidents affecting small and large organizations alike. And we’ve observed, along with this increased activity, intensified enforcement efforts by both federal and state regulatory agencies.
On April 16, 2019, the Office of Compliance Inspections and Examinations (OCIE) of the Securities and Exchange Commission (SEC) issued a risk alert, “Investment Adviser and Broker-Dealer Compliance Issues Relating to Regulation S-P – Privacy Notices and Safeguard Policies,” highlighting its data privacy and cybersecurity observations from recent examinations of registered firms.
By way of background, Regulation S-P is the SEC’s data privacy regulation that implemented the privacy provisions of the Gramm-Leach-Bliley Act. In particular, this regulation protects the nonpublic personal information of customers, including personally identifiable financial information and consumer lists or descriptions derived from nonpublic information. To protect this information, Regulation S-P requires firms to do two main things.
Forensics are a key component of many data incident investigations. The importance of forensics cannot be overstated. In fact, in 2018, 65% of the incidents we handled involved some type of forensic investigation.
Forensics firms can not only help determine what happened in a data incident but can also provide recommendations for containment and mitigation. Many of the key decisions in an investigation will be driven by forensics. Does the organization have notification obligations? Was there access to and/or acquisition or exfiltration of personal information or other sensitive data? Specifically, what data was accessed or exfiltrated? When did the compromise start and when did it end? Are the attackers still in the environment? Or in a business interruption event such as ransomware, how does the organization get back up and running and get back to work?
Over the past year, a host of new national, state and local laws have been introduced to regulate the collection and use of biometric information. Although these proposals vary in their requirements, certain elements appear to be inspired in part by the Illinois Biometric Information Privacy Act (BIPA), which has been the subject of significant litigation in recent years. Below we provide an overview of notable proposed legislation.
U.S. Federal Law
On March 14, 2019, Senators Brian Schatz (D-Hawaii) and Roy Blunt (R-Mo) introduced the Commercial Facial Recognition Privacy Act. The act focuses on providing notice and obtaining affirmative consent whenever facial recognition technology is used to collect or process facial recognition data for certain purposes.
- “Facial recognition data” is defined as “any unique attribute or feature of the face of an end user that is used by facial recognition technology to assign a unique, persistent identifier or for the unique personal identification of a specific individual.”
- “Facial recognition technology” is defined as technology that “analyzes facial features in still or video images” and is used “to assign a unique, persistent identifier” or “for the unique personal identification of a specific individual.”
We have previously written about California SB 561 here, introduced by Senator Jackson (D) and supported by the California Attorney General (AG), that among other things would vastly expand the CCPA’s private right of action and remove the right to cure before the AG can seek civil penalties. On April 9 the California Senate Judiciary Committee held a hearing on the bill, a recording of which is available here. The committee voted 6 to 2 to refer the bill to the Senate Appropriations Committee. Some members of the committee, including some who voted in favor of moving the bill forward, expressed concern as to the scope of the private right of action, its impact on businesses and the ambiguity of the current text. Senator Jackson promised to work with stakeholders to explore potential refinement of the private right of action so long as it maintained the ability for consumers whose CCPA privacy rights are violated (the current law restricts the private right of action to certain types of data security breaches) to seek meaningful redress and not have to rely on the AG to enforce the CCPA. It was noted that the restriction of the private right of action was fundamental to the compromise that led to the bill; however, Senator Jackson and others rejected that as not relevant, or at least not binding. We had previously encouraged further limitation of the private right of action. It appears that quite the opposite may be on its way to fruition. We will continue to monitor its progress.
2018 saw a continuation of companies moving toward cloud-based email systems. Phishing incidents targeting those systems followed suit. Fully one-third of incidents addressed by our incident response team in 2018 involved unauthorized access to an online email account.
Phishing attacks continued to dominate the types of cyberattacks organizations experienced in 2018, owed, in no small part, to phishing’s low sophistication, easy replication and high profitability for the hackers. Attackers routinely defraud organizations with spoofing emails requesting phony wire transfers or switching the bank information for employees’ or vendors’ direct deposit accounts. Employees acting on fraudulent requests risk the loss of thousands, and in some cases millions, of dollars, not to mention the cost of forensic investigations, notifications to individuals and regulators, and reputational fallout.
When the EU General Data Protection Regulation (GDPR) took effect on May 25, 2018, it dramatically changed the way multinationals manage the reporting of personal data breaches. It also substantially raised the stakes: Entities found to have violated the GDPR’s data security and breach reporting obligations could face much steeper regulatory fines than those available under U.S. laws.
Among the challenges facing companies responding to a personal data breach in the European Economic Area (EEA) are both the scope of what constitutes a notifiable breach and the tight time frame for providing notification. “Personal data” protected under the GDPR is defined much more broadly than “personally identifiable information” is under U.S. laws, and under the GDPR an entity affected by a personal data breach must notify regulators within 72 hours of becoming aware of such a breach, unless it is “unlikely to result in a risk to the rights and freedoms of natural persons.” In addition, entities must notify affected individuals in the EEA where the breach is “likely to result in a high risk” to those rights and freedoms. Failure to implement appropriate data protection policies or to properly notify regulators or individuals is punishable by fines of up to 4% of a company’s global annual turnover.
On March 6, 2019, the U.S. Department of Justice (DOJ) announced that Linda Sue Kalina pled guilty to wrongfully disclosing the protected health information (PHI) of another individual in violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Kalina was a patient information coordinator with the University of Pittsburgh Medical Center (UPMC) and its affiliate, Tri Rivers Musculoskeletal Centers (TRMC). From March 7, 2016, through June 23, 2017, Kalina improperly accessed the health information of 111 UPMC patients who had never been provided services at TRMC. In her capacity as a patient information coordinator, Kalina was authorized to access patient information contained in UPMC’s electronic medical record system as necessary to provide services to patients. Among others, Kalina accessed and disclosed the health information involving two individuals who worked at Kalina’s former employer.