Category Archives: Risk Management

HHS Issues Proposed New HIPAA Regulations and Breach Portal

Using a lavish press conference as the backdrop, HHS officials announced yesterday proposed changes to the HIPAA regulations as well as an updated web page listing those breaches impacting more than 500 individuals.  The purpose of the new Rules issued yesterday is to align the HIPAA rules with the HITECH Act passed last year.   Specifically, the press announcement states: 

The proposed modifications to the HIPAA Rules issued today include provisions extending the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities, establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes, prohibiting the sale of protected health information, and expanding individuals’ rights to access their information and to obtain restrictions on certain disclosures of protected health information to health plans.  In addition, the proposed rule adopts provisions designed to strengthen and expand HIPAA’s enforcement provisions.

Under the proposed Rules (which are 234 pages in length), (1) individuals would have more convenient access to their protected health information (PHI) if available in electronic format; (2) covered entities would only need to protect the health information of decedents for 50 years after their death, as opposed to protecting the information in perpetuity as is required by current HIPAA requirements; and (3) the definition of who constitutes a business associate is expanded.

If these proposed rules are adopted, the expanded view of what constitutes a business associate will include the following:

We propose to add language in paragraph (3)(iii) of the definition of “business associate” to provide that subcontractors of a covered entity – i.e., those persons that perform functions for or provide services to a business associate, other than in the capacity as a member of the business associate’s workforce, are also business associates to the extent that they require access to protected health information. We also propose to include a definition of “subcontractor” in §160.103 to make clear that a subcontractor is a person who acts on behalf of a business associate, other than in the capacity of a member of the workforce of such business associate. Even though we use the term “subcontractor,” which implies there is a contract in place between the parties, we note that the definition would apply to an agent or other person who acts on behalf of the business associate, even if the business associate has failed to enter into a business associate contract with the person.

During the coming weeks much analysis will be given to these proposed Rules, but when it is all sorted out, the three changes listed above are likely to be deemed among the more significant. Giving individuals the right to access their PHI in a particular electronic format will drive up costs; limiting the retention obligation to 50 years will reduce costs given current encryption technologies; and expanding the definition of business associate into a vague, circular one will throw a monkey wrench into the compliance efforts of just about any entity subject to HIPAA. These proposed Rules are certainly a nice gift to privacy lawyers looking to boost their summer hourly billing.

Exposure to Software Copyright Claims

Claims arising out of internally-used software continue to be a significant retained IT risk factor. When President Obama picked the Business Software Alliance's General Counsel Neil MacBride for a senior Justice Department post, it sent a clear message that we will see increased software compliance audits, and possibly new penalties. The increasing use of open source software is also leading to unanticipated software copyright exposures. In short, the reasons continue to mount why users of desktop software should carefully monitor their software use and keep careful records of each license.

CT AG Successfully Uses HITECH Act to Settle HIPAA Breach

Taking advantage of a federal law passed last year, Connecticut's Attorney General, Richard Blumenthal, announced yesterday a settlement with HMO Health Net that includes a corrective action plan, a $250,000 payment to the State of Connecticut (with an additional contingent payment of up to $500,000), and increased credit monitoring and ID theft insurance for potential victims. According to Blumenthal's original lawsuit, a Health Net disk drive containing sensitive information on 1.5 million persons, including 446,000 Connecticut residents, was lost or stolen last year. The drive contained names, addresses, social security numbers, HIPAA-protected health information and financial information.

The underlying federal statute relied upon by Blumenthal when bringing suit against Health Net is Title XIII of the American Recovery and Reinvestment Act of 2009, also known as the Health Information Technology for Economic and Clinical Health Act (the HITECH Act). The HITECH Act not only offers financial incentives to prod the use of electronic health records (EHR) but also greatly expands the protections afforded such information. For example, it creates the first federal breach notification requirement for health information. Covered Entities and Business Associates that "access, maintain, retain, modify, record, store, destroy or otherwise hold, use or disclose" unsecured protected health information must notify each affected individual of a breach of that information. See Sections 13402(a) and (b) of the HITECH Act.

In obtaining yesterday's settlement, Blumenthal became the first Attorney General to take advantage of the HITECH Act's grant of HIPAA enforcement jurisdiction to state Attorneys General. It is entirely likely that other states will now jump on this bandwagon, especially those with AGs seeking higher political office. In fact, last month AGs from across the country were scheduled to receive training on HIPAA compliance from Booz Allen Hamilton.

As for the Health Net settlement, the amounts paid to Connecticut are small compared to what has been spent to date dealing with the breach. According to the settlement agreement, Health Net has reportedly already spent more than $7 million to investigate what happened to the disk drive, notify members and provide credit monitoring and identity-theft insurance to those potentially impacted. It is incidents like these that showcase the value of requiring strong indemnification language, backed by an equally strong requirement of data breach insurance coverage, from those firms managing or holding your patients' or members' sensitive medical information.

No Need to Pierce Corporate Veil Under NJ Consumer Fraud Act

A New Jersey Appellate Division panel ruled on June 23, 2010 that principals of a company can be found personally liable under New Jersey's Consumer Fraud Act (CFA) even without the actual knowledge of the alleged unlawful practices that would be needed to pierce the corporate veil. The court also ruled that there is no need to prove intent before the statute's treble damages provision is triggered.

The case involved a poorly constructed landscape project.  The lower court allowed the claims against the landscaping company to go to a jury because, in violation of CFA regulations, there was no written contract and the workers accepted final payment without obtaining permission from the plaintiffs after the construction plans were changed.   The claims against the principals of the defendant company were dismissed because the lower court found they did not directly participate in the project sufficient to pierce the corporate veil.

A jury found in favor of the plaintiffs and trebled damages to $490,000. The plaintiffs appealed, seeking to have the principals pay the award. The Appellate Division reversed the lower court's decision and remanded for a determination of whether the principals personally participated in either of the two regulatory violations. In other words, there was no need to show culpable conduct sufficient to pierce the corporate veil, but there was a need to at least show that the principals participated in the conduct that gave rise to the regulatory violations.

This is a significant decision. By way of the New Jersey CFA, it strips away the protections normally afforded directors and officers of a company. The corporate immunity protecting principals of a company is usually set aside only for fraudulent conduct sufficient to pierce the corporate veil. By allowing treble damages against principals without any such showing, this decision becomes yet another loud wake-up call for New Jersey private companies as to the benefits of Directors and Officers insurance.

Symantec Survey: SMBs Invest in Addressing Data Security Threats

In the recently published Symantec survey of 2,500 executives with responsibility for IT security – half from companies of less than 100 employees – cyber-attacks were ranked as their top business risk.  And, of those polled by Symantec, 74 percent said they were “somewhat or extremely concerned” about losing sensitive electronic data.  In fact, 42 percent lost confidential or proprietary information sometime in the past and 73 percent of the respondents were victims of cyber-attacks just this past year.  

Addressing this challenge, SMBs are now spending an average of $51,000 a year, or about two-thirds of IT staff time, working on “information protection, including computer security, backup, recovery, and archiving, as well as disaster preparedness.”  This seems like a sound investment given that the average cost of a breach to these SMBs was $188,242.

All of this concern seems well placed given that 95 percent of security and compliance professionals recently polled by nCircle believe that data breaches have been increasing and will continue to increase in 2010. Knowing what to do in the event of a data breach is not necessarily intuitive.

CyLab Survey: Corporate Protection of Digital Assets Not a Priority

The recently released Carnegie Mellon CyLab 2010 Corporate Governance survey confirms that there is little change in senior management’s views towards data security – it’s not really a priority.   The CyLab annual survey, which measures board and management attitudes towards the protection of digital assets, is based upon results received from respondents at the board or senior executive level from Fortune 1000 companies.   Given public filing requirements, you would think protection of digital and related intangible assets – which now comprise the bulk of a firm’s value – would be a top of mind issue.  It’s not. 

When asked to identify their boards’ three top priorities, “improving computer and data security” was not selected by 98% of the respondents.  The respondents also indicated that their boards were not “actively addressing” IT operations or vendor management.  In essence, privacy and security of data inside or at outside vendors is receiving little oversight from management.  

Interestingly, 65% of the respondents also indicated that their boards were not reviewing their companies’ insurance coverage for data risks even though most standard policies offer little or no coverage.   Standing alone, this approach may not be an example of sound business judgment given the availability of specific insurance policies able to cover loss or destruction of digital assets. 

It is not quite clear whether this survey is a real wake-up call or not. The only thing for certain is that these attitudes are hardly what one would consider a best practice. Sarbanes-Oxley Section 404 requires a "top down" audit of internal controls, which should provide some guidance on how digital assets are protected. Indeed, under 15 U.S.C. § 7262(a), the Section 404 report must "contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting." It is difficult to see how management can in good conscience sign off on these assessments while still maintaining that "improving computer and data security" is not a priority.

Notwithstanding how firms may perceive their Section 404 obligations, Google, Intel, Symantec and Northrop Grumman, recognizing the potential "materiality" of computer security failings, recently added new warnings to their SEC filings informing investors of such risk. The fact that some companies have come forward to detail recent breaches and the possibility of future breaches should signal to other companies the need to address this reporting issue more proactively. And, once risk disclosures are publicly made, the next obvious step is to ensure that proper protections are in place to address the risk. Reporting that is not coupled with affirmative preventive action is simply fodder for class action litigation the next time an event takes place. What may be even worse is turning a blind eye to the entire problem.

iPad Exploit Exposes Email Addresses of 114,000 Users

According to a Gawker exclusive, a simple online request to an AT&T web server allowed access to user account information. The information exposed in the breach "included subscribers' email addresses, coupled with an associated ID used to authenticate the subscriber on AT&T's network, known as the ICC-ID." (The ICC-ID is the serial number of the SIM card in the device.) One security consultant offered that "recent holes discovered in the GSM cell phone standard mean that it might be possible to spoof a device on the network or even intercept traffic using the ICC ID." It is unclear whether that is the case, but there is no denying that some heavy-hitting iPad users now have exposed email addresses and ICC-IDs.
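The flaw described above belongs to a well-known class: a record lookup keyed only on an identifier that the caller supplies and that is easy to guess (a sequential serial number), with no check that the caller is entitled to that record. The following is an added illustration of that pattern and of the fix, not AT&T's actual endpoint or code; the directory, device serials, secrets and addresses are all constructed for the example, and the session and rate-limit logic is an assumed design, not anything the Gawker article describes.

```python
import hmac
import secrets

# Constructed sample directory for the demonstration only: made-up sequential
# device serials mapped to made-up addresses (assumption: nothing here is real).
DIRECTORY = {
    1001: "exec1@example.com",
    1002: "exec2@example.com",
    1003: "exec3@example.com",
}

# Constructed per-device secrets that a real service would provision out of band.
DEVICE_SECRETS = {1001: "s3cret-1001", 1002: "s3cret-1002", 1003: "s3cret-1003"}


def lookup_vulnerable(device_id: int):
    """The flawed pattern: any caller who supplies a serial gets the record."""
    return DIRECTORY.get(device_id)


def enumerate_vulnerable(start: int, count: int) -> dict:
    """What an attacker does when the key is guessable: walk the range."""
    hits = {}
    for did in range(start, start + count):
        email = lookup_vulnerable(did)
        if email is not None:
            hits[did] = email
    return hits


class HardenedService:
    """Same lookup, but bound to an authenticated session and rate limited."""

    MAX_FAILURES = 5  # failed lookups allowed per client before refusing

    def __init__(self):
        self._sessions = {}  # session token -> device_id it was issued for
        self._failures = {}  # client_id -> count of failed lookups

    def login(self, device_id: int, presented_secret: str):
        """Issue a session only to a caller who proves possession of the device secret."""
        expected = DEVICE_SECRETS.get(device_id, "")
        # Constant-time comparison so the check does not leak via timing.
        if not hmac.compare_digest(expected, presented_secret):
            return None
        token = secrets.token_urlsafe(32)  # unguessable, unlike a serial number
        self._sessions[token] = device_id
        return token

    def lookup(self, client_id: str, token: str, device_id: int):
        """Return the record only if the session is bound to that same device."""
        if self._failures.get(client_id, 0) >= self.MAX_FAILURES:
            return None  # this client has exhausted its failure budget
        bound = self._sessions.get(token)
        if bound is None or bound != device_id:
            # Unauthenticated, or trying to read someone else's record.
            self._failures[client_id] = self._failures.get(client_id, 0) + 1
            return None
        return DIRECTORY.get(device_id)


if __name__ == "__main__":
    print("enumeration against the vulnerable lookup:", enumerate_vulnerable(990, 20))
    svc = HardenedService()
    tok = svc.login(1001, "s3cret-1001")
    print("own record:", svc.lookup("client-a", tok, 1001))
    print("someone else's record:", svc.lookup("client-a", tok, 1002))
```

The two properties that matter are that the hardened lookup never returns a record for a device other than the one the session was issued to, and that the identifier an attacker can guess (the serial) is no longer sufficient on its own; the per-client failure counter additionally makes a walk across the serial space noisy and short-lived.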

The Gawker article ("Apple's Worst Security Breach: 114,000 iPad Owners Exposed") points out that one impacted iPad user is William Eldredge, who "commands the largest operational B-1 [strategic bomber] group in the U.S. Air Force." Among the others it lists: in the media and entertainment industries, "affected accounts belonged to top executives at the New York Times Company, Dow Jones, Condé Nast, Viacom, Time Warner, News Corporation, HBO and Hearst."

The lesson here is that AT&T did not anticipate an attack that was apparently pretty obvious, while Apple did no wrong other than aligning its fortunes with AT&T's.

Here We Go Again — FTC Extends Red Flags Enforcement Deadline

In what has come to be a common event, the FTC has decided to again extend the enforcement deadline for its Red Flags Rule. Succumbing to Congressional pressure, the FTC has pushed the prior deadline, last slated for June 1, 2010, out to December 31, 2010. Most privacy professionals have probably lost track by now of how many times enforcement of these regulations has been pushed back. The original date was November 1, 2008! According to the FTC press release, "If Congress passes legislation limiting the scope of the Red Flags Rule with an effective date earlier than December 31, 2010, the Commission will begin enforcement as of that effective date."

Given that Congress will now “clarify” who is subject to these regulations, it is highly likely that those companies who have not yet complied will wait until such clarification comes down the pike.  Who can blame them?  Certainly not the FTC.

Lehman, D&O Liability and Mark-to-Market Reporting

The Devil's Casino, Vicky Ward's first book, is the latest account of the fall of Lehman Brothers. Released in April, this Lehman tome takes a gossipy approach to storytelling. Although we learn much about the shopping habits of some Lehman wives, repo transactions are nowhere to be found. The book becomes noteworthy, however, when Ward details (on page 200) a September 9, 2008 meeting between JPMorgan's Jamie Dimon and Federal Reserve Chairman Ben Bernanke that purportedly led directly to JPMorgan's request that Lehman provide $5 billion more in collateral. Less than a week later, Lehman filed its bankruptcy petition (the largest in US history), ostensibly because of the lack of liquidity brought on by the collateral call of its clearing bank, JPMorgan.

In a Report by Lehman’s bankruptcy examiner, dated March 11, 2010, the issue of JPMorgan’s collateral demand was analyzed and determined to be barely actionable.  The Report states: 

the Examiner concludes that the evidence may support the existence of a colorable claim – but not a strong claim – that JPMorgan breached the implied covenant of good faith and fair dealing by making excessive collateral requests to Lehman in September 2008.  A trier of fact would have to consider evidence that the collateral requests were reasonable and that Lehman waived any claims by complying with the requests.  

(Report of Anton R. Valukas, Examiner at page 1073)

On the heels of this Report and the Ward book, on May 27, 2010, the Lehman estate sued JPMorgan.  The suit takes a different position regarding the relationship between JPMorgan and Lehman by alleging that JPMorgan’s breach of duty was actionable. 

Unlike JPMorgan, Lehman’s board and officers were essentially given a free pass by Lehman’s bankruptcy estate as well as all regulators.  The Lehman Examiner’s Report actually spends much ink analyzing Delaware fiduciary law yet concludes numerous potential fiduciary lapses were not colorable claims.   On the other hand, a bank that potentially obtains crucial information from a third party (a governmental third party with a near real-time raw account of Lehman’s financial status) and merely seeks to protect its own interests, is forced to defend itself in a costly legal battle.   To many, it makes little sense that Lehman’s directors and officers were exonerated by regulators and Lehman’s bankruptcy Examiner.  Although the existing shareholder suits and claims made by those who sustained direct harm may eventually hit their mark, it is just not the same as potential jail time or a large personal SEC fine.  Not even close.  It is easy to argue that some Lehman folks should have paid with more than the inconvenience of a deposition.

If FASB had acted a bit more aggressively two years ago, maybe none of this would have happened. It would have been interesting to see FASB actually go through with its Exposure Draft of two years ago regarding FASB Statement 5 (loss contingency accounting) and FASB Statement 133 (hedging strategy accounting). The vast opposition to the drafts caused FASB to abandon its plans. Much of the opposition was typified by the McDermott Will & Emery letter, which opined that if the suggested changes to FASB Statement 5 were made, a litigation adversary of the filing entity would be able to learn its litigation strategy. If the proposed changes had matured (FASB Statement 5 has not changed since 1975), some of the decisions made by Lehman might have been altered, or some of its actions might have been more cleanly delineated as wrongful. Either way, there would have been more clarity regarding the propriety of those actions.

As it stands, the Lehman saga provides some guidance to directors and officers looking to see how insulated they are from their financial accounting decisions.  They are pretty insulated given current standards. 

FASB may now be ready to change that dynamic.  It will revive the FASB Statement 5 Exposure Draft in the second quarter of 2010 – now with only a 30-day comment period.  And, FASB issued on May 26, 2010 an Exposure Draft that provides guidance regarding the financial reporting of derivative instruments and hedging strategies.  The overall approach taken moves towards a “mark-to-market” approach for derivative instruments that will have a “seismic effect” on how banks value loan portfolios beginning in 2013 (for large banks) and 2017 (for regional and community banks).  It remains to be seen what FASB will ultimately do given the negative comments it is certain to receive prior to the September 30, 2010 comment deadline.   The takeaway is that FASB  is finally taking a serious look at how companies report on loss contingencies and asset valuations.

All reporting companies – not just financial institutions – should obviously monitor how this and other related financial reporting initiatives evolve.   To a large degree, these accounting standards dictate the extent to which firms such as Lehman can push the envelope.  Although a widening of the reporting net may bring with it a separate set of problems, the change will certainly cause executives to think twice before being coy about a lack of liquidity.  As seasoned investors themselves, reporting officers should probably apply a “Would I want to know this information?” test the next time they are on the fence about the materiality of an item.  True mark-to-market reporting (not Lehman’s “mark-to-make believe” strategy) may bring on headaches for companies with many assets  having big value swings.  Nevertheless, it certainly seems to be part of the reporting standard of the future so you might as well get used to it.

Most Important Lesson Learned from Supermarket Data Breach

It has been over two years since the grocery chain Hannaford Brothers announced a breach of its network security that exposed over 4 million credit card numbers and led to 1,800 cases of fraud. In fact, a quick review of the Privacy Rights Clearinghouse's Chronology of Data Breaches shows that Hannaford is not the only supermarket chain to have sustained a data breach.

Several years ago, Ahold USA (parent company of Stop & Shop and Giant stores) sustained a breach via its subcontractor Electronic Data Systems. Numerous Stop & Shop Supermarkets in Rhode Island and Massachusetts had credit and debit card account information, including PINs, stolen by thieves who apparently tampered with checkout-line card readers and PIN pads. Albertsons (Save Mart Supermarkets) in Alameda, California also had credit and debit card numbers stolen using bogus checkout-line card readers. And Lunardi's Supermarket in Los Gatos, California had a similar experience with tampered ATM and credit card readers that quickly led to the theft of $300,000.

What makes the Hannaford incident noteworthy is the fact that the chain was supposedly PCI compliant at the time. According to the indictment filed against the Hannaford mastermind, the theft resulted from a hack into corporate computer networks that allowed the placement of malware which, in turn, provided backdoor access to the networks and to credit card information. The means of initial entry was SQL injection, one of the most common web application attacks.
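Since the post names SQL injection as the entry point, here is an added, self-contained illustration of the defect and its fix (example code written for this page, not anything from the indictment or from Hannaford's systems). It uses an in-memory SQLite "card vault" with made-up values; the table, column names and the dummy card numbers are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample data: a small card table with dummy values
# (assumption: these are test numbers, not real card or customer data).
SAMPLE_ROWS = [
    ("alice", "4111-1111-1111-1111"),
    ("bob", "5500-0000-0000-0004"),
    ("carol", "3400-0000-0000-009"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (customer TEXT, pan TEXT)")
    conn.executemany("INSERT INTO cards VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, customer: str) -> list:
    """Deliberately unsafe: the caller's input is spliced into the SQL text,
    so a quote character in the input becomes part of the statement."""
    sql = f"SELECT pan FROM cards WHERE customer = '{customer}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, customer: str) -> list:
    """Parameterised: the value travels separately from the query text, so
    it is only ever compared against the column, never parsed as SQL."""
    sql = "SELECT pan FROM cards WHERE customer = ?"
    return [row[0] for row in conn.execute(sql, (customer,))]


def demo() -> dict:
    """Run both lookups with a benign name and a classic tautology payload."""
    conn = build_db()
    benign = "alice"
    hostile = "' OR '1'='1"  # turns the WHERE clause into: customer = '' OR '1'='1'
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_hostile": lookup_vulnerable(conn, hostile),   # dumps every row
        "safe_benign": lookup_safe(conn, benign),
        "safe_hostile": lookup_safe(conn, hostile),         # matches nothing
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} -> {result}")
```

The vulnerable path returns every card in the table for the hostile input because the injected quote closes the string literal and the `OR '1'='1'` makes the predicate always true; the parameterised path returns nothing because the same bytes are compared as a value. This is also why "protect your most valuable data most" matters: even with the query fixed, the account the application uses to reach the card table should have no more rights than that one read requires.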

In other words, being PCI compliant should never be the ultimate goal of your security strategy. Whether you are a supermarket chain or a large law firm, a risk management approach to network security and privacy should always take precedence. Most companies, large and small, still apply a uniform approach to security that treats all data the same. The ultimate lesson learned from the Hannaford breach: always make sure your most valuable data is the most protected. It really does not matter whether your company sells fruits and vegetables or builds nuclear missiles.