Category Archives: Privacy

Blockchain in 2018 and beyond

Buoyed by Bitcoin’s latest price and a steady supply of Initial Coin Offerings (ICOs), the blockchain ecosystem in 2018 resembles the Web ecosystem of 1995 – an ecosystem that eventually disrupted advertising and marketing models by having companies such as Amazon, Google and Facebook outplace traditional retail sales and marketing companies.  This time around, however, the financial levers presently held by banks and related financial services firms will be retooled – as well as the present centralized server model so very important to the same companies who previously benefited from the Web ecosystem, namely Amazon, Google and Facebook.

Speculation vs. Utilization

in September 2017, Bitcoin was famously derided by the financial titan Jamie Dimon as “a fraud”.  The JPMorgan CEO went so far as to say he would fire anyone on his trading team who bought Bitcoin.  His gratuitous digs at Bitcoin did not temper the rise of Bitcoin and became noteworthy – and a likely source of friction with his traders, because the Bitcoin cryptocurrency went on to increase in value over three-fold a mere 1Q after Dimon’s public derision.   As of December 31, 2017, Bitcoin sits at a price of near $14,000 whereas when Mr. Dimon’s bold pronouncements were made Bitcoin “only” had a price of $4,115.

Similarly, another banker – Vitor Constancio, the vice president of the European Central Bank, said in July 2017 that Bitcoin “is not a currency but a mere instrument of speculation” – comparing it to tulip bulbs during the 17th century trading bubble in the Netherlands.

In the same way that the World Wide Web was never defined solely by Pets.com, the benefits of blockchain technology should never be defined solely by the latest price of Bitcoin.  Even Mr. Dimon acknowledges as much given during his tirade against the speculative nature of Bitcoin he also said “he supported blockchain technology for tracking payments.”

By way of background, a blockchain is nothing more than an expandable list of records, called blocks, which are linked and secured using cryptography, namely cryptographic hashes that point to each prior block and result in an unbreakable “chain” of hashes surrounding the blocks.  More accurately referred to as a distributed ledger of accounts, a blockchain ecosystem will disrupt more than one industry beginning in 2018.

The inevitable changes that will occur in 2018 spring from several unique attributes of the blockchain ecosystem.  First, because a blockchain ledger is distributed it takes advantage of the vast amount of compute power available in most every computer device.  Similar to how the Mirai botnet distributed denial of service (DDos) attack became the largest DDoS attack by simply using unsecured IoT access, blockchain technology harnesses secure unused compute power in powerful and productive new ways.  Our new IoT ecosystem – which itself is an outgrowth of the Web ecosystem, will only feed into that result.

Secondly, blockchain ledger transactions are the closest thing to an immutable form of transaction accounting we have given the transactions have been verified and cannot be changed once written to the blockchain without evidence of obvious tampering – which was always the reason Bitcoin derived any actual intrinsic value.  In other words, the promise of blockchain coupled with pure speculation has solely driven Bitcoin pricing.  By buying Bitcoin and other cybercurrencies, it is almost as if people were given a chance to turn back the clock and bet on the Web ecosystem in 1995.  Without usage for its intended purpose, namely being a trusted and immutable listing of Bitcoin transactions, Bitcoin would most certainly go to the zero valuation postulated by Morgan Stanley.  The logic is pretty straight forward – without an actual intrinsic store of value, there is no actual intrinsic store of value.  And, without some sort of intrinsic store of value there is no reason to consider Bitcoin an asset.  Accordingly, unless utilized by choice or forced to be used by a government, speculation will never be a sustainable impetus for the pricing of Bitcoin – or any other cryptocurrency for that matter.  Without utilization, tokens/app coins/cryptocurrencies will all die on the vine given external utilization will always be needed to create a store of value.

Utilization under the Ethereum protocol

Disregarding the unlikely scenario of governmental adoption, the future of any blockchain/cryptocurrency ecosystem necessarily ties directly to utilization.  Even though there are several protocols with smart contracts amendable to utilization, there is only one founded by a visionary who understands the issue of scalability and why scalability is the sine qua non of a successful blockchain ecosystem – in the same way a non-scalable Web ecosystem was always a non-starter.  An early December 2017 presentation given by that visionary – Vitalik Buterin,  talks to scalability as being the most important new initiative of Ethereum going forward in 2018.   Mr. Buterin – who will likely take the blockchain ecosystem where Gates took the PC ecosystem and Bezos took the Web ecosystem, suggests that “sharding” using a Validator Manager Contract –  a construct that maintains an internal proof of stake claim using random validators, will eventually solve the problem of scalability.  Simply put, not all blocks/shards will need to be placed under the main chain.  This is a natural evolutionary progression given as it stands now everyone seeking an Ethereum wallet needs to download Ethereum’s entire trove of over four million blocks – hardly a scalable solution for the many app tokens or coins running the Ethereum protocol.  Moreover, each Ethereum block currently also takes about 14.70 seconds to promulgateIn 2014, Buterin anticipated the feasibility of a 12 second block time so has certainly been moving in the right direction.  Given security and propagation issues, work on this remains in the infancy stage with a great deal of work necessary in 2018.  Nevertheless, in 2018 and beyond, smart contracts such as those available under Ethereum will allow for the utilization necessary for the blockchain ecosystem to thrive.

Adoption by financial markets and the Ripple Effect

Ripple/XRP surged at the very end of 2017 and quickly became a rumored stealth initiative by the regulated banking industry to combat unregulated cryptocurrencies.  Ripple promises “end-to-end tracking and certainty” for those banks using its RippleNet closed-loop network.  More than anything, this initiative demonstrates that unregulated ICOs and unregulated “currencies” may have spooked the world’s financial markets sufficiently to justify taking sides by investing in a Ripple contender – a “blockchain-like” service seeking to displace existing cryptocurrency mindshare.  Indeed, Ripple just replaced ETH/Ethereum as the second largest market cap cryptocurrency.   Even though only two financial institutions are listed as investors, that does not mean other financial institutions would not want to prop up this “currency” on the open market – the list of “advisory board members” is telling in that regard.  This bank-sponsored version of Bitcoin certainly looks like it has more legs than Bitcoin given there exists budding utilization – banks are currently already using the RippleNet network, coupled with massive speculation given its ballooning market cap.

In 2018, acceptance of blockchain technology by the financial industry will be indelible proof those mistakes of 1995 made by retail sales and marketing companies will not be repeated by the financial industry or even the server sector represented by the likes of Google – who has invested in Ripple.  More than likely, upcoming technology developments under the Ethereum protocol will beget future tokens with smarter utilization and even greater potential upside than either Bitcoin or Ripple.  In other words, the blockchain ecosystem in 2018 will be no different than the Web ecosystem as it existed in 1995.

Supreme Court will decide Microsoft privacy case

On October 16, 2017, the United States Supreme Court granted the Justice Department’s petition for a writ of certiorari and will hear an appeal from a Second Circuit decision barring the government from accessing user data stored overseas by Microsoft.   As previously suggested, this case brought under the Stored Communications Act (“SCA”) has significant implications for transnational companies who maintain or store data outside the US.

By way of background, the Second Circuit ruled that data stored overseas was not subject to the SCA – which typically allows the government to access the contents of stored communications – including emails, that are more than 180 days old, using a subpoena, court order, or warrant.  Ultimately, the Court of Appeals agreed with Microsoft’s position that absent congressional authorization statutes such as the SCA are presumed to have no extraterritorial effect and given the lack of such statutory authorization, the warrant should have been quashed.

Given that there were a flurry of amicus briefs filed – as well as an animated government brief suggesting that the Second Circuit’s decision was “highly detrimental” to criminal law enforcement, it will be interesting to see which argument the Court ultimately adopts.  Microsoft certainly fought an aggressive PR battle opposing Supreme Court review – seeking instead that its lobbying firms wage war in Congress.  In fact, Microsoft suggests in a blog post that the momentum for a legislative solution continues in Congress despite the Court taking on the case.

In keeping with the Halloween season, Microsoft’s Chief Legal Officer tries to scare up some support for a legislative solution:  “If U.S. law enforcement can obtain the emails of foreigners stored outside the United States, what’s to stop the government of another country from getting your emails even though they are located in the United States?”

Even though his analogy obviously falls flat, the Court’s docket – between this Microsoft case and the SCA location data case previously taken up by the Court in June, may very well ultimately generate a scary result for one or more advocacy groups located on the privacy continuum.

Will Equifax be a boon for the security industry?

According to a statement issued on September 15, 2017, Equifax, noticed “suspicious activity on July 30, 2017” and “took offline the affected web application that day.”  The impacted web application was a web application supporting framework, Apache Struts, ultimately used to create java-based web applications.  After patching, Equifax brought the application back online.

Equifax claims it first became aware of the vulnerability sometime in May 2017.

By way of background, this vulnerability was widely disclosed on March 13, 2017.  At that time, both the United States Computer Readiness Team and NIST issued “high vulnerability” warnings.  More importantly, Apache actually released its open source Struts 2.5.10 General Availability release that fixed this vulnerability a month earlier on February 3, 2017.

All of this is significant given that many mid-sized and large enterprises run Open Source Software (OSS) products and unless they hire staff or retain an outside vendor specifically tasked with tracking security announcements of their deployed software products – including any OSS web-facing tools, these products will likely not be promptly patched and scenarios like what befell Equifax will continue.  In other words, what happened to Equifax can very easily happen again to any number of large enterprises.  There are ways to mitigate this risk that may likely prove a boon to the security industry.

In addition to relying on a battle-tested CIO, CISO, and IT team, there are numerous ways companies can mitigate against an Equifax sort of incident from knocking on their boardroom door.

For example,  companies can hire inside staff or an outside vendor who considers patch management not merely a compliance check off item; evaluate how OSS is deployed and confirm who has final responsibility for patching known vulnerabilities; deploy tools to scan source code on an application level; and most important of all – trade up security priorities from being compliance driven in favor of a proactive security risk management approach that takes into account the type and amount of sensitive data processed,  maintained, and transferred.  There are many other ways of mitigating an Equifax risk but the above approach tends to be the one that best follows a cost-effective 80/20 approach that also satisfies regulators.  Information security funds can also be wisely spent deploying a kill chain approach that  actually works given it deliberately considers the evolutionary nature of security threats.

And finally, be mindful that when going out to market for new technical vendors, firm size has little correlation to the beneficial capabilities of the vendor.   Some smaller security vendors have the capacity to deploy unique skills and tools unavailable to larger vendors – that has always been a little known secret of the security industry.  The most effective players in this industry prefer working in small packs so it is no surprise vendors employing them often lose them within the first year after getting gobbled up by a larger vendor.

CA lawmakers do not pass AB 375 – The California Broadband Internet Privacy Act

Succumbing to the pressure of heavy lobbying, the proposed California Broadband Internet Privacy Act was shelved early this morning by the California Senate:

If enacted, the law would have beginning in 2019 barred ISPs from monetizing consumer browsing data without first obtaining consumer consent.  In essence, large ISPs such as AT&T and Verizon would have been barred from refusing to provide service or limiting service if customers did not waive their privacy rights.  It would have also barred them from charging customers a penalty or offering discounts in exchange for waiving privacy rights.

By way of background, the FCC earlier this year pulled back on those Obama-era regulations that impacted ISPs – regulations that completely ignored the data collection practices of companies such as Google and Facebook given they were not subject to FCC regulation.  The “Net Neutrality” Red Herring previously used by lobbyists to protect those tech companies alleged ISPs deserve different treatment because they curtail broadband usage for certain segments of society – alleging that ISPs closed out the Internet for many in poorer rural communities.

Current FCC policy, however, maintains rules that protect the “openness” of the Internet.  And, the stated intent on the FCC’s May 2017 pullback was a desire to implement a “light-touch regulatory framework” that immediately leveled the field, allow the FTC to continue enforcing privacy infractions, and ultimately defer for a later date the exact parameters of any  federal consumer privacy consent law.

Currently, the privacy infractions of companies like Google and Facebook are policed by the FTC and not the FCC so having the FTC also focus on ISPs is perfectly natural within our current regulatory scheme.  After all, the only reason large ISP’s such as AT&T, Cox and Verizon even came under the FCC’s purview was because they are also telecom and cable operators.  To use this FCC front door to regulate the backdoor Internet businesses of telecom and cable operators was always forced and unnatural.  Indeed, this very public dispute between ISPs and website owners was itself s a subterfuge.  Not surprisingly, AB 375 was also opposed by Google and Facebook because “expanded privacy regulations could indirectly affect the websites’ own ability to gather and monetize user data.

As accurately stated by a libertarian blog:  “By framing this as a dispute between ISPs and websites — instead of accurately presenting it as a struggle between Internet users and anyone who would mine and sell their data, the powers that be (including lawmakers, bureaucrats, corporations, and the media) have muddied the waters to conceal a simple fact: This is actually a struggle between those who value their privacy and those who would profit by violating it.”

Perhaps fearing the demise of AB 375, a California ballot initiative proposed on September 1, 2017 would allow California consumers to know what personal information businesses are collecting from them as well as how that information is used.  As it stands, consumers obviously have no clue who ultimately processes, uses or outright purchases their data.  The California Consumer Privacy Act of 2018 will be placed on the November 2018 statewide ballot if it obtains 365,880 valid voter signatures.  This ballot initiative goes further than AB 375 given it would apply to any business that collects and deals in data for commercial purposes and not just ISPs.

The apparent premise behind this ballot initiative is that there is no longer any such thing as anonymous data – it only takes about 10 visited URLs in total to uniquely identify someone, and there certainly is no difference between what a Google or an AT&T  ultimately do with consumer data.  As it stands, relatively few use a Firefox browser set to its highest privacy setting or a Privacy Badger extension to keep Google scripts from running Google Analytics.  Even fewer users forgo Google in favor of the donation-funded DuckDuckGo search tool that allows users to browse the web without storing search results.

As suggested years ago:  “It may one day be determined, however, that an even more effective means to satisfy all constituent needs of the [online behavioral advertising] ecosystem (consumer, merchant, publisher, agency, etc.) will be to find a means to directly correlate between privacy rights, consumer data, and a merchant’s revenue.”

Until such direct financial correlation takes place – with the ensuing compensation to consumers, the true value of consumer data will never be known.  Very likely, companies who continue pilfering something consumers do not properly value will never do as well as companies that actually pay for what they want.

Given any present mass consumer education necessary to prod these issues forward will rely on online tools provided by companies with the most to gain or lose, the only immediately viable solution necessarily requires agreement from the likes of Google and Facebook.  Unfortunately, given current circumstances, there simply is no financial incentive for these companies to rock a very lucrative boat.

 

 

 

 

AG’s move against Google’s latest cy pres settlement

Without tackling the underlying merits of the case, the Attorneys General of Alaska, Arizona, Arkansas, Louisiana, Mississippi, Missouri, Nevada, Oklahoma, Rhode Island, Tennessee, and Wisconsin asked the Third Circuit to reverse approval of a $5.5 million settlement involving consumer privacy claims against Google.   Relying on Fed. R. Civ. P. 23(e)’s prohibitions against unfair settlements, the AG’s argued in their July 5, 2017 brief, the proposed cy pres settlement fund would be unfair given consumers would not receive a dime from these settlements.

In their brief, the AG’s point out that because “class members extinguish their claims in exchange for settlement funds, the funds belong to class members.”  Brief at 5.  And, simply giving these proceeds to various privacy rights groups chosen by Google and class counsel would be unfair to the actual class members.

The underlying multidistrict lawsuit – which was previously before the Third Circuit (In re: Google Inc. Cookie Placement Consumer Privacy Litigation), was filed in 2012 and alleges that Google deliberately circumvented default privacy settings used to prevent advertisers from tracking the browsing activities of persons using Safari and Internet Explorer.

Google is no stranger to cy pres funds pegged at $5.5 million.  In August 2016, Google settled a privacy suit by paying $5.5 million into a cy pres fund benefiting some of the same privacy groups looking to benefit from this latest settlement.  And, years earlier Google and Quantcast settled yet other privacy matters by way of a cy pres fund.

A cy pres fund provides the best of both worlds for defendants such as Google – it allows resolution of costly disputes while being able to fund non-profit organizations that ultimately help their cause.  Moreover, they have willing partners in class counsel given it really does not matter if an unnamed class plaintiff sees compensation so long as the settlement is approved and counsel’s fees are paid.  Hopefully, the United States Court of Appeals for the Third Circuit issues a well-reasoned opinion that guides courts around the country on this very troublesome practice.

Anthem proposed breach settlement can rise to $115 million

On June 23, 2017, class counsel in the Anthem Inc. data breach litigation filed papers claiming there has been agreement on a $115 million settlement regarding the 2015 data breach involving 80 million Anthem users.  The proposed settlement will provide Anthem’s health insurance customers  two additional years of credit protection and monitoring as well as full reimbursement for losses sustained.  In what is likely the largest data breach settlement to date, plaintiffs’ counsel will end up with a cool $38 million in attorneys’ fees.

In order to get these fees, counsel for plaintiff “filed four consolidated class action complaints; litigated two motions to dismiss and 14 discovery motions; reviewed 3.8 million pages of documents; deposed 18 percipient fact witnesses, 62 corporate designees, and six defense experts; produced reports from four experts and defended their depositions; produced 105 plaintiffs for depositions and produced 29 of those plaintiffs’ computers for forensic examinations; exchanged interrogatories, RFA, and expert reports with Defendants; and fully briefed class certification and related Daubert motions.”

Whether or not there were ever actual damages sustained by the Anthem class is almost beside the point given counsel for both plaintiffs and defendants were allowed to generate fees meriting a $115 million settlement.  Future counsel in massive data incidents will unfortunately view this settlement as a benchmark target. CISOs around the country now simply just have to avoid a massive data incident.

Supreme Court will decide privacy rights in cell location data

On June 5, 2017, the Supreme Court agreed to decide whether the government needs a probable cause warrant before accessing a suspect’s cell phone location history.  Timothy Carpenter was found guilty of aiding and abetting a series of armed robberies but challenged his conviction on the grounds that the cell location data collected pursuant to a court order issued under the Stored Communications Act (“SCA”) required that the government show probable cause rather than merely the SCA’s “reasonable grounds” for believing the records were relevant to an ongoing investigation.

In a split decision, the Sixth Circuit ruled in April 2016 that given the cell phone location data in the case ranged from half-mile to two-mile in distance it did not fall under the Fourth Amendment’s search protections.  Moreover, according to the Sixth Circuit, no probable cause warrant was necessary given that cell location data points are business records subject to the SCA and reveal nothing about the actual content of communications.  Id. at 7. On behalf of Carpenter – the person who “organized most of the robberies and often supplied the guns”, the ACLU filed a Petition for Certiorari asking: “Whether the warrantless seizure and search of historical cell phone records revealing the location and movements of a cell phone user over the course of 127 days is permitted by the Fourth Amendment.”

Apparently looking to push the Supreme Court into making a technology-forward decision, the ACLU points out how data collection methods have improved since the 2011 arrest of Carpenter.  See e.g., Petition at 7 (“Although in this case MetroPCS provided only information identifying Carpenter’s cell site and sector at the start and end of his calls, service providers increasingly retain more granular historical location data, including for text messages and data connections. . . .Location precision is also increasing as service providers deploy millions of “small cells,” “which cover a very specific area, such as one floor of a building, the waiting room of an office, or a single home.””).

This case is noteworthy given that SCA law enforcement actions can sometimes impact future civil matters.  For example, on July 14, 2016, the Second Circuit ruled that the government could not force Microsoft to comply with a search warrant based on the SCA when that warrant required an extraterritorial search and seizure of data stored in Microsoft’s data center in Ireland.  In that case, probable cause was actually set forth in the warrant.  Nevertheless, the Court’s ruling, namely that the SCA-based warrant lacked extraterritorial effect, may allow for the quashing of future SCA civil subpoenas on similar grounds.

It is not clear how far the Supreme Court will reach when deciding the Carpenter case or whether language in the Court’s future decision might mold cases far afield from armed robberies in the Midwest.  Nevertheless, coupled with other cases such as the 2012 case of United States v. Jones where the Supreme Court first took a look at how the Fourth Amendment applies to police use of GPS technology, there may soon coalesce strong judicial guidance for digital marketers.   As recognized by Justice Sotomayor in United States v. Jones:

it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties.  This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks…Perhaps, as JUSTICE ALITO notes, some people may find the tradeoff of privacy for convenience worthwhile, or come to accept this diminution of privacy as inevitable, post, at 10, and perhaps not.

The United States v. Carpenter case may offer Justice Sotomayor a new and expanded platform for her 2012 dicta.  Digital marketers take note.

WannaCry provides a wakeup call for more training on email exploits

On May 12, 2017, WannaCry ransomware infections reportedly took hold of 200,000 computer systems in 150 countries.  The rise of ransomware has been a function of how cheap financial data has become to obtain on the dark web and the desire of criminals to branch out with other sources of income.

Ransomware is quite effective given it purposefully seeks to panic victims into clicking additional links thereby causing a user’s system to become infected with more pernicious malware.  For example, after seeing a screen blink on and off several times ransomware victims may next see the following message on their screen:  “Your computer has been infected with a virus. Click here to resolve the issue.”  Clicking on that link, however, will download additional malware to the system – thereby precluding possible quick fixes to the initial exploit.  It is such additional malware – coupled with very vulnerable legacy systems and procedures, that likely helped WannaCry promulgate so quickly.

Given slow patching and continued widespread use of legacy Windows products, Microsoft sought to slow the spread of WannaCry by offering free patches for its older Windows systems such as Windows XP.  Although helpful in curtailing replication, timely patching will not completely stem this threat.   Newer exploits such as WannaCry likely exist – and will continue to exist for some time, given the underlying code was reportedly created by the National Security Agency and is only a small sample of the “treasure trove” of spying tools released by WikiLeaks in March.  In fact, the WikiLeaks released material includes the source code used to evade anti-virus detection so entry-level hackers apparently now have the ability to immediately up their game.

Given that healthcare data is now considered the most valuable data by thieves, it is no surprise that the healthcare industry was especially hit hard by the WannaCry ransomware exploit.  Succumbing to WannaCry, Britain’s hospital network canceled or delayed treatments for thousands of patients.   In an effort to stem the tide in the US, HHS quickly offered covered entities access to loss prevention resources – including a link to its ransomware fact sheet and a link to the US-CERT response to WannaCry.  US-CERT offered last year helpful tips regarding ransomware loss mitigation techniques.

It is suggested that covered entities take to heart HHS’s desire to warn regarding ransomware exploits.  Given that OCR recently fined a covered entity $2.4 million simply for placing the name of a patient on a press release, ignoring HHS warnings regarding ransomware will likely result in significant penalties to HIPAA covered entities should they fall prey to such an exploit.

In addition to security procedures and implementations – such as whitelisting acceptable programs, aggresive email settings, and limiting user permissions, proper training remains the best antidote to both an exploit as well as an OCR or some other regulatory fine if an exploit ultimately succeeds.  And, the best training remains having users react to a continuous barrage of decoy exploits aimed at sharpening their skills.

Today’s phishing exploits that are being used to transmit ransomware often rely on some other person’s scraped contact information so that they can appear to come from known associates of the user.  These exploits may also use content that appear relevant to the user – such as a bar association communication.    And, finally the links themselves are masked so that it is not even possible to accurately determine where a link takes the user.   Given these indicia of authenticity, users often click on the embedded link rather than hit the delete button.  After exposure to numerous training exploits users are in a much better position to make sound decisions on how to treat actual exploits.  During the course of security training, it is suggested that some form of reward be given to those users who score the highest on the phishing training exercises – any money spent today to build an effective training program will pay significant dividends down the road.

OCR’s April settlements reinforce HIPAA priorities

On March 24, 2017, the Office for Civil Rights (OCR) announced the first settlement and corrective action plan involving a wireless health services provider when it announced a $2.5 million settlement with CardioNet –  a provider of “remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias.”   According to the Resolution Agreement and Corrective Action Plan, CardioNet sustained breaches of unsecured electronic protected health information (ePHI) resulting from lost laptops.  And, given that the lost laptops in question were unencrypted, CardioNet’s Corrective Action Plan required that CardioNet provide HHS with a certification that “all laptops, flashdrives, SD cards, and other portable media devices are encrypted, together with a description of the encryption methods used.”

In keeping with OCR’s apparent practice of announcing resolutions in groups – with a distinctive lesson to be made with each resolution, there was another settlement announced on April 20, 2017.  This time a fine of $31,000 was levied against the Center for Children’s Digestive Health (“CCDH”) after it could not produce a business associate agreement.  According to the negotiated Resolution Agreement and Corrective Action Plan, protected health information (PHI) was released to a third-party vendor who stored inactive paper medical records for patients of CCDH without satisfactory assurances in the form of a written business associate agreement that the vendor would appropriately safeguard the PHI in the vendor’s possession or control.  As done in the past when it came to the need for properly-worded business associate agreements, OCR made the point that business associate agreements are a necessary component of the HIPAA framework and the failure to have one when necessary would be a costly error.  See 45 C.F.R § 164.502(e).

And finally, on April 12, 2017, OCR announced a settlement and corrective action plan based on a covered entity’s failure to have an adequate risk management plan in place.  Specifically, on January 27, 2012, Metro Community Provider Network (“MCPN”), a federally-qualified health center filed a breach report with OCR indicating that a hacker accessed employees’ email accounts and obtained 3,200 individuals’ ePHI through a phishing incident.

OCR’s investigation revealed that MCPN took necessary corrective action related to the phishing incident; however, the investigation also revealed that MCPN failed to conduct a risk analysis until mid-February 2012. Prior to the breach incident, MCPN had not conducted a risk analysis to assess the risks and vulnerabilities in its ePHI environment, and, consequently, had not implemented any corresponding risk management plans to address the risks and vulnerabilities identified in a risk analysis. When MCPN finally conducted a risk analysis, that risk analysis, as well as all subsequent risk analyses, were insufficient to meet the requirements of the Security Rule.

Despite being a non-profit that provides primary medical care, dental care, pharmacies, social work, and behavioral care services “to approximately 43,000 patients per year, a large majority of who have incomes at or below the poverty level”, MCPN was hit with a $400,000 fine for its lack of an adequate risk management plan.

To sum up, this most recent grouping of OCR settlements highlights yet again the need for encryption, business associate agreements, and a working risk management plan.  Given that OCR settlements often take years to mature, investigative costs and legal expenses should also be factored into the mix when weighing the benefits of initial compliance.   With this latest round of settlements, it, however, appears clearer and clearer that an ounce of prevention is worth a pound of cure.

EU-US Privacy Shield review will take place in September

As set forth in a press release issued on March 31, 2017, Věra Jourová of the European Commission announced that the Privacy Shield will have its first annual review sometime in September.  This press release provides portions of a recent speech given by Ms. Jourová.  And, according to this speech given in Washington, the review “will be an important milestone where we need to check that everything is in place and working well.”

Given that over 2,000 U.S. companies have already committed to Privacy Shield compliance, it is highly unlikely that the EU will disrupt this replacement to Safe Harbor after the September review.   As before, it will likely take a court challenge to rock this crucial agreement for cross-border data flows.