Category Archives: Risk Management

Blockchain in 2018 and beyond

Buoyed by Bitcoin’s latest price and a steady supply of Initial Coin Offerings (ICOs), the blockchain ecosystem in 2018 resembles the Web ecosystem of 1995 – an ecosystem that eventually disrupted advertising and marketing models by having companies such as Amazon, Google and Facebook outplace traditional retail sales and marketing companies.  This time around, however, the financial levers presently held by banks and related financial services firms will be retooled – as well as the present centralized server model so very important to the same companies who previously benefited from the Web ecosystem, namely Amazon, Google and Facebook.

Speculation vs. Utilization

in September 2017, Bitcoin was famously derided by the financial titan Jamie Dimon as “a fraud”.  The JPMorgan CEO went so far as to say he would fire anyone on his trading team who bought Bitcoin.  His gratuitous digs at Bitcoin did not temper the rise of Bitcoin and became noteworthy – and a likely source of friction with his traders, because the Bitcoin cryptocurrency went on to increase in value over three-fold a mere 1Q after Dimon’s public derision.   As of December 31, 2017, Bitcoin sits at a price of near $14,000 whereas when Mr. Dimon’s bold pronouncements were made Bitcoin “only” had a price of $4,115.

Similarly, another banker – Vitor Constancio, the vice president of the European Central Bank, said in July 2017 that Bitcoin “is not a currency but a mere instrument of speculation” – comparing it to tulip bulbs during the 17th century trading bubble in the Netherlands.

In the same way that the World Wide Web was never defined solely by Pets.com, the benefits of blockchain technology should never be defined solely by the latest price of Bitcoin.  Even Mr. Dimon acknowledges as much given during his tirade against the speculative nature of Bitcoin he also said “he supported blockchain technology for tracking payments.”

By way of background, a blockchain is nothing more than an expandable list of records, called blocks, which are linked and secured using cryptography, namely cryptographic hashes that point to each prior block and result in an unbreakable “chain” of hashes surrounding the blocks.  More accurately referred to as a distributed ledger of accounts, a blockchain ecosystem will disrupt more than one industry beginning in 2018.

The inevitable changes that will occur in 2018 spring from several unique attributes of the blockchain ecosystem.  First, because a blockchain ledger is distributed it takes advantage of the vast amount of compute power available in most every computer device.  Similar to how the Mirai botnet distributed denial of service (DDos) attack became the largest DDoS attack by simply using unsecured IoT access, blockchain technology harnesses secure unused compute power in powerful and productive new ways.  Our new IoT ecosystem – which itself is an outgrowth of the Web ecosystem, will only feed into that result.

Secondly, blockchain ledger transactions are the closest thing to an immutable form of transaction accounting we have given the transactions have been verified and cannot be changed once written to the blockchain without evidence of obvious tampering – which was always the reason Bitcoin derived any actual intrinsic value.  In other words, the promise of blockchain coupled with pure speculation has solely driven Bitcoin pricing.  By buying Bitcoin and other cybercurrencies, it is almost as if people were given a chance to turn back the clock and bet on the Web ecosystem in 1995.  Without usage for its intended purpose, namely being a trusted and immutable listing of Bitcoin transactions, Bitcoin would most certainly go to the zero valuation postulated by Morgan Stanley.  The logic is pretty straight forward – without an actual intrinsic store of value, there is no actual intrinsic store of value.  And, without some sort of intrinsic store of value there is no reason to consider Bitcoin an asset.  Accordingly, unless utilized by choice or forced to be used by a government, speculation will never be a sustainable impetus for the pricing of Bitcoin – or any other cryptocurrency for that matter.  Without utilization, tokens/app coins/cryptocurrencies will all die on the vine given external utilization will always be needed to create a store of value.

Utilization under the Ethereum protocol

Disregarding the unlikely scenario of governmental adoption, the future of any blockchain/cryptocurrency ecosystem necessarily ties directly to utilization.  Even though there are several protocols with smart contracts amendable to utilization, there is only one founded by a visionary who understands the issue of scalability and why scalability is the sine qua non of a successful blockchain ecosystem – in the same way a non-scalable Web ecosystem was always a non-starter.  An early December 2017 presentation given by that visionary – Vitalik Buterin,  talks to scalability as being the most important new initiative of Ethereum going forward in 2018.   Mr. Buterin – who will likely take the blockchain ecosystem where Gates took the PC ecosystem and Bezos took the Web ecosystem, suggests that “sharding” using a Validator Manager Contract –  a construct that maintains an internal proof of stake claim using random validators, will eventually solve the problem of scalability.  Simply put, not all blocks/shards will need to be placed under the main chain.  This is a natural evolutionary progression given as it stands now everyone seeking an Ethereum wallet needs to download Ethereum’s entire trove of over four million blocks – hardly a scalable solution for the many app tokens or coins running the Ethereum protocol.  Moreover, each Ethereum block currently also takes about 14.70 seconds to promulgateIn 2014, Buterin anticipated the feasibility of a 12 second block time so has certainly been moving in the right direction.  Given security and propagation issues, work on this remains in the infancy stage with a great deal of work necessary in 2018.  Nevertheless, in 2018 and beyond, smart contracts such as those available under Ethereum will allow for the utilization necessary for the blockchain ecosystem to thrive.

Adoption by financial markets and the Ripple Effect

Ripple/XRP surged at the very end of 2017 and quickly became a rumored stealth initiative by the regulated banking industry to combat unregulated cryptocurrencies.  Ripple promises “end-to-end tracking and certainty” for those banks using its RippleNet closed-loop network.  More than anything, this initiative demonstrates that unregulated ICOs and unregulated “currencies” may have spooked the world’s financial markets sufficiently to justify taking sides by investing in a Ripple contender – a “blockchain-like” service seeking to displace existing cryptocurrency mindshare.  Indeed, Ripple just replaced ETH/Ethereum as the second largest market cap cryptocurrency.   Even though only two financial institutions are listed as investors, that does not mean other financial institutions would not want to prop up this “currency” on the open market – the list of “advisory board members” is telling in that regard.  This bank-sponsored version of Bitcoin certainly looks like it has more legs than Bitcoin given there exists budding utilization – banks are currently already using the RippleNet network, coupled with massive speculation given its ballooning market cap.

In 2018, acceptance of blockchain technology by the financial industry will be indelible proof those mistakes of 1995 made by retail sales and marketing companies will not be repeated by the financial industry or even the server sector represented by the likes of Google – who has invested in Ripple.  More than likely, upcoming technology developments under the Ethereum protocol will beget future tokens with smarter utilization and even greater potential upside than either Bitcoin or Ripple.  In other words, the blockchain ecosystem in 2018 will be no different than the Web ecosystem as it existed in 1995.

Carpenter may prod monetization of consumer data property rights

On November 29, 2017, the United States Supreme Court heard oral argument in U.S. v. Carpenter – a case involving robbery suspects who were convicted using cellphone tracking data obtained without a probable cause warrant.  Subpoenas and warrants available under the Stored Communications Act (“SCA”) allow for access to such records without any probable cause showing.    As previously pointed out, the ACLU is looking to push the Supreme Court into making a technology-forward decision by stressing how data collection methods have improved since the 2011 arrest of Carpenter.

According to Law360, Justice Samuel Alito said at the hour-long oral argument:  “I agree with [Carpenter] that this new technology is raising very serious privacy concerns, but I need to know how much of existing precedent you want us to overrule or declare obsolete.”  Justice Alito referenced the third-party doctrine that offers no added protections to material freely given to third parties given such material is generally provided without any expectation of privacy.

At oral argument, Law360 reports Carpenter’s counsel Nathan Wessler of the ACLU said that the bank records and dialed phone numbers found in third-party doctrine cases were “more limited” and freely given to a business as opposed to cellphone location records, which many users don’t understand can “chart a minute-by-minute account of a person’s locations and movements and associations.”

Law360 also reported that Justice Sonia Sotomayor raised doubt that the third-party doctrine found in prior precedent was applicable given there are instances when sensitive data freely given to third parties – such as medical records, still require consent.  According to Law360, Justice Neil Gorsuch said:  “It seems like your whole argument boils down to if we get it from a third party we’re OK, regardless of property interest.”   And, finally according to the SCOTUS Blog, Justice Stephen Breyer recognized at oral argument: “This is an open box. We know not where we go.”

Despite the third-party doctrine, it seems the Court is leaning towards carving out Constitutional exceptions to the SCA based on data gathering technologies that may give rise to an expectation of privacy.   As often done, the Justices will likely come up with a result that takes into consideration stare decisis while meshing with new technological capabilities far removed from earlier cases.   As recognized by Justice Sotomayor in the U.S. v. Jones case of 2012, “it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties.  This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks.”

To that end, the most interesting aspect of this case involving robberies in Detroit will be how far the decision goes in helping define property rights for consumers of digital services.  In a nod to Justice Breyer’s Pandora’s Box allusion, this decision might eventually give rise to a newfound consumer awareness mandating a change in how consumer data is used by companies.  In other words, property rights acknowledged in this case may help prod consumers into seeking compensation for their consumer data property rights – something the tech amicus might not have envisioned when filing their brief in U.S. v. Carpenter.

Supreme Court will decide Microsoft privacy case

On October 16, 2017, the United States Supreme Court granted the Justice Department’s petition for a writ of certiorari and will hear an appeal from a Second Circuit decision barring the government from accessing user data stored overseas by Microsoft.   As previously suggested, this case brought under the Stored Communications Act (“SCA”) has significant implications for transnational companies who maintain or store data outside the US.

By way of background, the Second Circuit ruled that data stored overseas was not subject to the SCA – which typically allows the government to access the contents of stored communications – including emails, that are more than 180 days old, using a subpoena, court order, or warrant.  Ultimately, the Court of Appeals agreed with Microsoft’s position that absent congressional authorization statutes such as the SCA are presumed to have no extraterritorial effect and given the lack of such statutory authorization, the warrant should have been quashed.

Given that there were a flurry of amicus briefs filed – as well as an animated government brief suggesting that the Second Circuit’s decision was “highly detrimental” to criminal law enforcement, it will be interesting to see which argument the Court ultimately adopts.  Microsoft certainly fought an aggressive PR battle opposing Supreme Court review – seeking instead that its lobbying firms wage war in Congress.  In fact, Microsoft suggests in a blog post that the momentum for a legislative solution continues in Congress despite the Court taking on the case.

In keeping with the Halloween season, Microsoft’s Chief Legal Officer tries to scare up some support for a legislative solution:  “If U.S. law enforcement can obtain the emails of foreigners stored outside the United States, what’s to stop the government of another country from getting your emails even though they are located in the United States?”

Even though his analogy obviously falls flat, the Court’s docket – between this Microsoft case and the SCA location data case previously taken up by the Court in June, may very well ultimately generate a scary result for one or more advocacy groups located on the privacy continuum.

Will Equifax be a boon for the security industry?

According to a statement issued on September 15, 2017, Equifax, noticed “suspicious activity on July 30, 2017” and “took offline the affected web application that day.”  The impacted web application was a web application supporting framework, Apache Struts, ultimately used to create java-based web applications.  After patching, Equifax brought the application back online.

Equifax claims it first became aware of the vulnerability sometime in May 2017.

By way of background, this vulnerability was widely disclosed on March 13, 2017.  At that time, both the United States Computer Readiness Team and NIST issued “high vulnerability” warnings.  More importantly, Apache actually released its open source Struts 2.5.10 General Availability release that fixed this vulnerability a month earlier on February 3, 2017.

All of this is significant given that many mid-sized and large enterprises run Open Source Software (OSS) products and unless they hire staff or retain an outside vendor specifically tasked with tracking security announcements of their deployed software products – including any OSS web-facing tools, these products will likely not be promptly patched and scenarios like what befell Equifax will continue.  In other words, what happened to Equifax can very easily happen again to any number of large enterprises.  There are ways to mitigate this risk that may likely prove a boon to the security industry.

In addition to relying on a battle-tested CIO, CISO, and IT team, there are numerous ways companies can mitigate against an Equifax sort of incident from knocking on their boardroom door.

For example,  companies can hire inside staff or an outside vendor who considers patch management not merely a compliance check off item; evaluate how OSS is deployed and confirm who has final responsibility for patching known vulnerabilities; deploy tools to scan source code on an application level; and most important of all – trade up security priorities from being compliance driven in favor of a proactive security risk management approach that takes into account the type and amount of sensitive data processed,  maintained, and transferred.  There are many other ways of mitigating an Equifax risk but the above approach tends to be the one that best follows a cost-effective 80/20 approach that also satisfies regulators.  Information security funds can also be wisely spent deploying a kill chain approach that  actually works given it deliberately considers the evolutionary nature of security threats.

And finally, be mindful that when going out to market for new technical vendors, firm size has little correlation to the beneficial capabilities of the vendor.   Some smaller security vendors have the capacity to deploy unique skills and tools unavailable to larger vendors – that has always been a little known secret of the security industry.  The most effective players in this industry prefer working in small packs so it is no surprise vendors employing them often lose them within the first year after getting gobbled up by a larger vendor.

Anthem proposed breach settlement can rise to $115 million

On June 23, 2017, class counsel in the Anthem Inc. data breach litigation filed papers claiming there has been agreement on a $115 million settlement regarding the 2015 data breach involving 80 million Anthem users.  The proposed settlement will provide Anthem’s health insurance customers  two additional years of credit protection and monitoring as well as full reimbursement for losses sustained.  In what is likely the largest data breach settlement to date, plaintiffs’ counsel will end up with a cool $38 million in attorneys’ fees.

In order to get these fees, counsel for plaintiff “filed four consolidated class action complaints; litigated two motions to dismiss and 14 discovery motions; reviewed 3.8 million pages of documents; deposed 18 percipient fact witnesses, 62 corporate designees, and six defense experts; produced reports from four experts and defended their depositions; produced 105 plaintiffs for depositions and produced 29 of those plaintiffs’ computers for forensic examinations; exchanged interrogatories, RFA, and expert reports with Defendants; and fully briefed class certification and related Daubert motions.”

Whether or not there were ever actual damages sustained by the Anthem class is almost beside the point given counsel for both plaintiffs and defendants were allowed to generate fees meriting a $115 million settlement.  Future counsel in massive data incidents will unfortunately view this settlement as a benchmark target. CISOs around the country now simply just have to avoid a massive data incident.

Supreme Court will decide privacy rights in cell location data

On June 5, 2017, the Supreme Court agreed to decide whether the government needs a probable cause warrant before accessing a suspect’s cell phone location history.  Timothy Carpenter was found guilty of aiding and abetting a series of armed robberies but challenged his conviction on the grounds that the cell location data collected pursuant to a court order issued under the Stored Communications Act (“SCA”) required that the government show probable cause rather than merely the SCA’s “reasonable grounds” for believing the records were relevant to an ongoing investigation.

In a split decision, the Sixth Circuit ruled in April 2016 that given the cell phone location data in the case ranged from half-mile to two-mile in distance it did not fall under the Fourth Amendment’s search protections.  Moreover, according to the Sixth Circuit, no probable cause warrant was necessary given that cell location data points are business records subject to the SCA and reveal nothing about the actual content of communications.  Id. at 7. On behalf of Carpenter – the person who “organized most of the robberies and often supplied the guns”, the ACLU filed a Petition for Certiorari asking: “Whether the warrantless seizure and search of historical cell phone records revealing the location and movements of a cell phone user over the course of 127 days is permitted by the Fourth Amendment.”

Apparently looking to push the Supreme Court into making a technology-forward decision, the ACLU points out how data collection methods have improved since the 2011 arrest of Carpenter.  See e.g., Petition at 7 (“Although in this case MetroPCS provided only information identifying Carpenter’s cell site and sector at the start and end of his calls, service providers increasingly retain more granular historical location data, including for text messages and data connections. . . .Location precision is also increasing as service providers deploy millions of “small cells,” “which cover a very specific area, such as one floor of a building, the waiting room of an office, or a single home.””).

This case is noteworthy given that SCA law enforcement actions can sometimes impact future civil matters.  For example, on July 14, 2016, the Second Circuit ruled that the government could not force Microsoft to comply with a search warrant based on the SCA when that warrant required an extraterritorial search and seizure of data stored in Microsoft’s data center in Ireland.  In that case, probable cause was actually set forth in the warrant.  Nevertheless, the Court’s ruling, namely that the SCA-based warrant lacked extraterritorial effect, may allow for the quashing of future SCA civil subpoenas on similar grounds.

It is not clear how far the Supreme Court will reach when deciding the Carpenter case or whether language in the Court’s future decision might mold cases far afield from armed robberies in the Midwest.  Nevertheless, coupled with other cases such as the 2012 case of United States v. Jones where the Supreme Court first took a look at how the Fourth Amendment applies to police use of GPS technology, there may soon coalesce strong judicial guidance for digital marketers.   As recognized by Justice Sotomayor in United States v. Jones:

it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties.  This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks…Perhaps, as JUSTICE ALITO notes, some people may find the tradeoff of privacy for convenience worthwhile, or come to accept this diminution of privacy as inevitable, post, at 10, and perhaps not.

The United States v. Carpenter case may offer Justice Sotomayor a new and expanded platform for her 2012 dicta.  Digital marketers take note.

WannaCry provides a wakeup call for more training on email exploits

On May 12, 2017, WannaCry ransomware infections reportedly took hold of 200,000 computer systems in 150 countries.  The rise of ransomware has been a function of how cheap financial data has become to obtain on the dark web and the desire of criminals to branch out with other sources of income.

Ransomware is quite effective given it purposefully seeks to panic victims into clicking additional links thereby causing a user’s system to become infected with more pernicious malware.  For example, after seeing a screen blink on and off several times ransomware victims may next see the following message on their screen:  “Your computer has been infected with a virus. Click here to resolve the issue.”  Clicking on that link, however, will download additional malware to the system – thereby precluding possible quick fixes to the initial exploit.  It is such additional malware – coupled with very vulnerable legacy systems and procedures, that likely helped WannaCry promulgate so quickly.

Given slow patching and continued widespread use of legacy Windows products, Microsoft sought to slow the spread of WannaCry by offering free patches for its older Windows systems such as Windows XP.  Although helpful in curtailing replication, timely patching will not completely stem this threat.   Newer exploits such as WannaCry likely exist – and will continue to exist for some time, given the underlying code was reportedly created by the National Security Agency and is only a small sample of the “treasure trove” of spying tools released by WikiLeaks in March.  In fact, the WikiLeaks released material includes the source code used to evade anti-virus detection so entry-level hackers apparently now have the ability to immediately up their game.

Given that healthcare data is now considered the most valuable data by thieves, it is no surprise that the healthcare industry was especially hit hard by the WannaCry ransomware exploit.  Succumbing to WannaCry, Britain’s hospital network canceled or delayed treatments for thousands of patients.   In an effort to stem the tide in the US, HHS quickly offered covered entities access to loss prevention resources – including a link to its ransomware fact sheet and a link to the US-CERT response to WannaCry.  US-CERT offered last year helpful tips regarding ransomware loss mitigation techniques.

It is suggested that covered entities take to heart HHS’s desire to warn regarding ransomware exploits.  Given that OCR recently fined a covered entity $2.4 million simply for placing the name of a patient on a press release, ignoring HHS warnings regarding ransomware will likely result in significant penalties to HIPAA covered entities should they fall prey to such an exploit.

In addition to security procedures and implementations – such as whitelisting acceptable programs, aggresive email settings, and limiting user permissions, proper training remains the best antidote to both an exploit as well as an OCR or some other regulatory fine if an exploit ultimately succeeds.  And, the best training remains having users react to a continuous barrage of decoy exploits aimed at sharpening their skills.

Today’s phishing exploits that are being used to transmit ransomware often rely on some other person’s scraped contact information so that they can appear to come from known associates of the user.  These exploits may also use content that appear relevant to the user – such as a bar association communication.    And, finally the links themselves are masked so that it is not even possible to accurately determine where a link takes the user.   Given these indicia of authenticity, users often click on the embedded link rather than hit the delete button.  After exposure to numerous training exploits users are in a much better position to make sound decisions on how to treat actual exploits.  During the course of security training, it is suggested that some form of reward be given to those users who score the highest on the phishing training exercises – any money spent today to build an effective training program will pay significant dividends down the road.

OCR’s April settlements reinforce HIPAA priorities

On March 24, 2017, the Office for Civil Rights (OCR) announced the first settlement and corrective action plan involving a wireless health services provider when it announced a $2.5 million settlement with CardioNet –  a provider of “remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias.”   According to the Resolution Agreement and Corrective Action Plan, CardioNet sustained breaches of unsecured electronic protected health information (ePHI) resulting from lost laptops.  And, given that the lost laptops in question were unencrypted, CardioNet’s Corrective Action Plan required that CardioNet provide HHS with a certification that “all laptops, flashdrives, SD cards, and other portable media devices are encrypted, together with a description of the encryption methods used.”

In keeping with OCR’s apparent practice of announcing resolutions in groups – with a distinctive lesson to be made with each resolution, there was another settlement announced on April 20, 2017.  This time a fine of $31,000 was levied against the Center for Children’s Digestive Health (“CCDH”) after it could not produce a business associate agreement.  According to the negotiated Resolution Agreement and Corrective Action Plan, protected health information (PHI) was released to a third-party vendor who stored inactive paper medical records for patients of CCDH without satisfactory assurances in the form of a written business associate agreement that the vendor would appropriately safeguard the PHI in the vendor’s possession or control.  As done in the past when it came to the need for properly-worded business associate agreements, OCR made the point that business associate agreements are a necessary component of the HIPAA framework and the failure to have one when necessary would be a costly error.  See 45 C.F.R § 164.502(e).

And finally, on April 12, 2017, OCR announced a settlement and corrective action plan based on a covered entity’s failure to have an adequate risk management plan in place.  Specifically, on January 27, 2012, Metro Community Provider Network (“MCPN”), a federally-qualified health center filed a breach report with OCR indicating that a hacker accessed employees’ email accounts and obtained 3,200 individuals’ ePHI through a phishing incident.

OCR’s investigation revealed that MCPN took necessary corrective action related to the phishing incident; however, the investigation also revealed that MCPN failed to conduct a risk analysis until mid-February 2012. Prior to the breach incident, MCPN had not conducted a risk analysis to assess the risks and vulnerabilities in its ePHI environment, and, consequently, had not implemented any corresponding risk management plans to address the risks and vulnerabilities identified in a risk analysis. When MCPN finally conducted a risk analysis, that risk analysis, as well as all subsequent risk analyses, were insufficient to meet the requirements of the Security Rule.

Despite being a non-profit that provides primary medical care, dental care, pharmacies, social work, and behavioral care services “to approximately 43,000 patients per year, a large majority of who have incomes at or below the poverty level”, MCPN was hit with a $400,000 fine for its lack of an adequate risk management plan.

To sum up, this most recent grouping of OCR settlements highlights yet again the need for encryption, business associate agreements, and a working risk management plan.  Given that OCR settlements often take years to mature, investigative costs and legal expenses should also be factored into the mix when weighing the benefits of initial compliance.   With this latest round of settlements, it, however, appears clearer and clearer that an ounce of prevention is worth a pound of cure.

Privacy Shield Is not in play

On March 2, 2017, Věra Jourová – the Justice on the European Commission tasked with “Consumers and Gender Equality” recently raised a vague concern as to whether the Privacy Shield could withstand President Trump’s recent immigration executive order.  She said “If there is a significant change, we will suspend”.  This minimalist threat, however, seems more like an attempt to play up her visit to the White House in late March.

Privacy Shield is the data-transfer agreement negotiated by the United States and the European Union in February 2016 that is now relied upon by many international firms transferring and maintaining personal data between the EU and US.   Given that it was a court challenge that ultimately gave rise to Privacy Shield, it will always be subject to threat from legal action.  In fact, the ACLU and Human Rights Watch has already tried to stir the pot by sending a letter to the EU Commission after Trump’s recent executive action on immigration.  It is not clear why the American Civil Liberties Union would care about the privacy rights of those in the EU but that is left for a separate discussion.

To nip all of this in the bud, on February 22, 2017, Acting Federal Trade Commission Chairman Maureen Ohlhausen previously said that the immigration order would not in any way affect the FTC’s enforcement of the Privacy Shield given that order does not impact commercial activity.  To that end, Commissioner Jourová also previously said she was “not worried” but remained vigilant regarding the order.

There are lawyers who believe that Privacy Shield may be in play due to the President’s activities.  For example,  Aaron Tantleff of Foley & Lardner LLP is reported as saying “certain actions being taken by this administration could lead to the suspension of Privacy Shield. We may leave the EU Commission and Parliament with no choice.”  Such vague missives may be good at percolating new business but do not represent a pragmatic perspective regarding Privacy Shield’s real threat.

Given the now entrenched nature of Privacy Shield and the vested interest EU and US business interests have in its continued implementation, it appears only another judicial blow based on the lack of data security will derail it – requiring the same sort of EU court ruling based on NSA data collection that ultimately cut down the predecessor Safe Harbor rules in the first place.  Simply put, until the new Administration’s activities adversely impact the security of personal data by mass collecting data or forcing companies to compromise data security features there is not much to worry about.

Horizon settles state HIPAA claims based on lost laptops

On February 15, 2017, Horizon Healthcare Services, Inc. (“Horizon”) agreed to pay New Jersey authorities $1.1 million to resolve alleged HIPAA Privacy and Security Rule violations based on the November 2013 theft of two unencrypted laptops.  The stolen laptops compromised the privacy of 687,838 New Jersey policyholders.  This settlement comes on the heels of the Third Circuit reversing the dismissal of a putative class action filed against Horizon based on the same laptop incident.

After acknowledging that vendor moving company employees may have stolen the laptops, the Complaint recounts numerous alleged HIPAA violations.   Complaint ¶ 17, 43.  Horizon ultimately agreed by way of its consent judgment to a corrective action plan (“CAP”) and third-party audit – with $150,000 of the consent judgment as a “suspended penalty” that would be automatically vacated if the CAP was in material compliance two-years after entry of the judgment.

This costly Horizon incident provides several takeaways that never get old – encrypt all laptops and use an IT asset management plan that ensures the IT team can track all laptops with network access.   Most importantly, unlike Horizon never make any exceptions.  Complaint ¶ 23 (“As a result of the procurement of the MacBooks outside of Horizon BCBSNJ’s established process, certain MacBooks were not configured with approved encryption, data deletion and other software required by corporate policy.”).