Companies face substantial challenges in complying with breach notification requirements under Article 33 of the General Data Protection Regulation (GDPR). Article 33 requires a data controller to report a personal data breach to the competent European Union (EU) supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. The notification must include, to the extent such information is available, (1) a description of the nature of the breach, including the categories and approximate number of data subjects and the categories and approximate number of personal data records concerned, (2) the name and contact details of the data protection officer or other person from whom more information can be obtained, (3) a description of the likely consequences of the breach and (4) a description of the measures taken or proposed to be taken to address the breach, including, where appropriate, measures to mitigate its adverse effects.
This article is part of a series of blog posts exploring the recommendations and guidance Health and Human Services (HHS) provides healthcare organizations in its Cybersecurity Best Practices report.
In its report on cybersecurity best practices, HHS highlights email phishing attacks as one of the top threats healthcare organizations are facing. Email phishing is an attempt to trick the recipient of an email that impersonates a trusted sender into disclosing information, commonly account credentials, by replying to the message or following a link it contains.
On Jan. 10, 2019, Advocate General Maciej Szpunar released an opinion recommending that Google and other search engines should not be forced to apply the EU’s “right to be forgotten” beyond the EU. The advocates general assist the judges of the Court of Justice of the European Union (CJEU) by providing independent, reasoned opinions on the legal issues presented to the CJEU. The judges decide whether an official opinion from an advocate general is necessary. The judges are not obligated to follow an advocate general’s recommendation but often do. Sometimes the CJEU will also arrive at the same conclusion as the advocate general but through different legal analysis.
In December 2018, Pagosa Springs Medical Center settled potential Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rule violations and entered into a corrective action plan with the Office for Civil Rights (OCR) at the U.S. Department of Health & Human Services. The incident involved a former employee who continued to have remote access to Pagosa Springs Medical Center’s web-based scheduling calendar for two months after the employee’s termination, which resulted in 557 individuals’ electronic protected health information (ePHI) being improperly disclosed. Additionally, there was no business associate agreement between Pagosa Springs Medical Center and Google, the web-based scheduling calendar vendor. Pagosa Springs Medical Center, an 11-bed critical access hospital located in rural Colorado, paid $111,400 and entered into a two-year corrective action plan. The corrective action plan includes updates to Pagosa Springs Medical Center’s HIPAA security management, business associate agreement, and policies and procedures, as well as training its workforce in these areas.
Last week, the attorneys general (AGs) of 43 states and the District of Columbia announced they reached a $1.5 million settlement with Neiman Marcus Group LLC to resolve an investigation of a 2013 data breach that involved the payment card information of thousands of customers.
On Jan. 10, 2014, Neiman Marcus publicly announced that it had experienced a security incident involving its payment processing system that may have resulted in unauthorized access to the payment card data of thousands of its customers. Through its investigation of the incident, Neiman Marcus determined that, beginning in 2013, unauthorized parties had infected its payment processing system with malware that was capable of capturing customer payment card information. Shortly after Neiman Marcus provided notice of the incident, the AGs of 43 states and the District of Columbia launched a multistate investigation of the incident.
Following other regulators, the National Futures Association (NFA) recently amended its cybersecurity guidance to, among other things, impose a new cybersecurity incident reporting requirement on members.
Cybersecurity Incident Reporting. According to the amended guidance, members will be required to report to NFA any cybersecurity incident related to the member’s commodity interest business that resulted in (i) any loss of customer or counterparty funds, (ii) any loss of a member’s own capital, or (iii) the member making a notification to customers or counterparties under state or federal law (notably this part of the guidance does not include notification under foreign law, such as the European Union’s General Data Protection Regulation (GDPR)). Although the amended guidance does not define cybersecurity incident, it provides the following nonexhaustive list of examples: data loss, unauthorized access, malicious code, denial of service, ransomware attack and inappropriate usage. Additionally, the amended guidance encourages members that are futures commission merchants or introducing brokers subject to the Bank Secrecy Act to consider whether a cybersecurity incident also triggers the filing of a suspicious activity report (SAR) and points to other guidance by FinCEN on filing SARs for cyber-events and cyber-enabled crimes.
While the inauguration of a polarizing new president dominated the news of Brazil around the beginning of the new year, outgoing President Michel Temer, before leaving office, issued an executive order that has important ramifications for Brazil’s recently enacted General Data Protection Regulation (Lei Geral de Proteção de Dados or LGPD). Provisional Measure No. 869/2018 (MP 869/2018), published Dec. 28, 2018, takes the vitally important step of creating Brazil’s National Data Protection Authority (ANPD), tasked with rulemaking, education and enforcement of the LGPD. Additionally, MP 869/2018 delays the effective date of the LGPD by six months, from February 2020 to August 2020.
On Jan. 1, 2019, a new Vermont law intended to protect consumers by imposing new requirements on “data brokers,” companies that aggregate and sell consumer information, and credit reporting agencies took effect. Under the new law, data brokers must comply with registration, information security safeguards and reporting requirements, while credit reporting agencies are prohibited from assessing fees for establishing or removing security freezes. The Vermont legislature’s intent in enacting the new law is fourfold: (1) inform consumers about data brokers and their data collection practices; (2) protect consumer information by requiring that data brokers implement certain administrative, technical and physical safeguards; (3) prevent harm to consumers by prohibiting certain methods of acquisition and use of their information by data brokers; and (4) make it easier and less expensive for consumers to obtain and protect their credit information.
The California Attorney General and the Department of Justice held the first public forum about the California Consumer Privacy Act (CCPA) on Tuesday, Jan. 8, in San Francisco. The public forums are part of the rulemaking process the attorney general’s office is undertaking pursuant to Section 1798.185 of the CCPA, which requires the attorney general to “solicit broad public participation and adopt regulations to further the purposes” of the CCPA. These forums are an opportunity to provide input to the attorney general prior to publication of the proposed rules, and BakerHostetler will be actively participating throughout the public comment and subsequent rulemaking process.
On Jan. 10, 2019, Massachusetts Gov. Charlie Baker signed legislation that will significantly amend the state’s data breach notification law. The amendments become effective on April 11, 2019.
One of the significant changes includes a new requirement to provide an offer of complimentary credit monitoring for “a period of not less than 18 months” when the data security incident involves a Massachusetts resident’s Social Security number. With this new obligation, Massachusetts joins Connecticut and Delaware as states that require an offer of complimentary credit monitoring when the incident involves a resident’s Social Security number. There was no update to the timing of any required individual notice obligations, which remains “as soon as practicable and without unreasonable delay”; but the new amendments require a rolling notification to individuals under certain circumstances: “A notice provided pursuant to this section shall not be delayed on grounds that the total number of residents affected is not yet ascertained. In such case, and where otherwise necessary to update or correct the information required, a person or agency shall provide additional notice as soon as practicable and without unreasonable delay upon learning such additional information.” Additionally, the notice to individuals must now identify the name of the parent or affiliated corporation if the organization that experienced a breach of security is owned by another person or corporation.