Category Archives: Small Business

Electronic Health Records, Network Security, Privacy, Risk Management, Small Business

CT AG Successfully Uses HITECH Act to Settle HIPAA Breach

Taking advantage of a federal law passed last year, Connecticut’s Attorney General, Richard Blumenthal, announced yesterday a settlement with HMO Health Net that includes a corrective action plan, a $250,000 payment to the State of Connecticut (with an additional potential pot of $500,000), and increased credit monitoring and ID theft insurance to potential victims.  According to Blumenthal’s original lawsuit, Health Net lost or had stolen a disk drive last year containing sensitive information from 1.5 million persons – including 446,000 Connecticut residents.  The drive contained names, addresses, social security numbers, HIPAA-protected health information and financial information. 

The underlying federal statute relied upon by Blumenthal when bringing suit against Health Net is Title XIII of the American Recovery and Reinvestment Act of 2009, also known as the Health Information Technology for Economic and Clinical Health Act (the HITECH Act).  The HITECH Act not only offers financial incentives to prod the use of electronic health records (EHR) but also greatly expands the protections afforded such information.  For example, it creates the first federal breach notification law.   Covered Entities and Business Associates that “access, maintain, retain, modify, record, store, destroy or otherwise hold, use or disclose” unsecured personal health information must disclose to the owner notice of a breach.  See Sections 13402(a) and (b) of the HITECH Act.    

In obtaining yesterday’s settlement, Blumenthal was the first Attorney General to take advantage of the HITECH Act’s grant of HIPAA compliance jurisdiction to state Attorney Generals.   It is entirely likely that other states will now jump on this bandwagon – especially those with AGs seeking higher political office.   In fact, last month AG’s from across the country were scheduled to receive training on HIPAA compliance from Booz Allen Hamilton

As for the Health Net settlement, the amounts paid to Connecticut are small compared to what has been spent to date dealing with the breach.  According to the settlement agreement, Health Net allegedly has already spent more than $7 million to investigate what happened to the disk drive, notify members and provide credit monitoring and identity-theft insurance to those potentially impacted.   It is incidents like these that showcase the value of requiring strong indemnification language backed by an equally strong requirement of data breach insurance coverage for those firms managing or holding your patients’ or members’ sensitive medical information.

Litigation Management, Middle Market Business, Risk Management, Small Business

No Need to Pierce Corporate Veil Under NJ Consumer Fraud Act

A New Jersey Appellate Division panel ruled on June 23, 2010 that principals of a company can be found personally liable under New Jersey’s Consumer Fraud Act (CFA) even without actual knowledge about alleged unlawful practices sufficient to pierce the corporate veil.   As well, the court ruled that there was no need to prove intent before triggering the treble damages regulations under the statute. 

The case involved a poorly constructed landscape project.  The lower court allowed the claims against the landscaping company to go to a jury because, in violation of CFA regulations, there was no written contract and the workers accepted final payment without obtaining permission from the plaintiffs after the construction plans were changed.   The claims against the principals of the defendant company were dismissed because the lower court found they did not directly participate in the project sufficient to pierce the corporate veil.

A jury found in favor of the plaintiffs and trebled damages to $490,000.  The plaintiffs appealed seeking to get the principals to pay the award.  The Appellate Division reversed the lower court’s decision and remanded to determine if the principals had any personal participation in any of the two regulatory violations.  In other words, there was no need to determine if there was culpable conduct sufficient to pierce the corporate veil but there was the need to at least show they participated in the conduct that gave rise to the regulatory violations.

This is a significant decision.  It evaporates by way of the New Jersey CFA the protections normally afforded directors and officers of a company.  The corporate immunity protecting principals of a company is usually only tossed aside for fraudulent conduct that is sufficient to pierce the corporate veil.   By allowing treble damages against principals without any such showing, this decision becomes yet another loud wake-up call for New Jersey private companies as to the benefits of Directors and Officers insurance.

Middle Market Business, Network Security, Privacy, Risk Management, Small Business

Symantec Survey: SMBs Invest in Addressing Data Security Threats

In the recently published Symantec survey of 2,500 executives with responsibility for IT security – half from companies of less than 100 employees – cyber-attacks were ranked as their top business risk.  And, of those polled by Symantec, 74 percent said they were “somewhat or extremely concerned” about losing sensitive electronic data.  In fact, 42 percent lost confidential or proprietary information sometime in the past and 73 percent of the respondents were victims of cyber-attacks just this past year.  

Addressing this challenge, SMBs are now spending an average of $51,000 a year, or about two-thirds of IT staff time, working on “information protection, including computer security, backup, recovery, and archiving, as well as disaster preparedness.”  This seems like a sound investment given that the average cost of a breach to these SMBs was $188,242.

All of this fear seems to be somewhat well placed given that 95 percent of security and compliance professionals recently polled by nCircle believe that data breaches have been and will continue to increase in 2010. Knowing what to do in the event of a data breach is not necessarily intuitive.

Law Firm, Network Security, Privacy, Risk Management, Small Business

Here We Go Again — FTC Extends Red Flags Enforcement Deadline

It what has come to be a now common event, the FTC has decided to extend again the enforcement of its Red Flags Regulations.  Succumbing to Congressional pressure, the FTC has decided to extend the prior deadline – which was last slated for June 1, 2010 – until December 31, 2010.   Most privacy professionals have probably lost track by now as to how many times the enforcement of these regulations has been pushed back.   The original date was November 1, 2008!  According to the FTC press release, “If Congress passes legislation limiting the scope of the Red Flags Rule with an effective date earlier than December 31, 2010, the Commission will begin enforcement as of that effective date.”

Given that Congress will now “clarify” who is subject to these regulations, it is highly likely that those companies who have not yet complied will wait until such clarification comes down the pike.  Who can blame them?  Certainly not the FTC.

Middle Market Business, Network Security, PCI Compliance, Risk Management, Small Business

Most Important Lesson Learned from Supermarket Data Breach

It has been over two years since the grocery chain Hannaford Brothers announced a breach of its network security that exposed over 4 million credit card numbers and led to 1,800 cases of fraud.   In fact, a quick review of the Privacy Clearinghouse’s Chronology of Data Breaches shows that Hannaford is not the only supermarket chain to have sustained a data breach. 

Several years ago, Ahold USA (parent company of Stop & Shop and Giant stores) sustained a breach via its subcontractor Electronic Data Systems.   Numerous Stop & Shop Supermarkets in Rhode Island and Massachusetts had credit and debit card account information stolen, including PIN numbers, by thieves who apparently tampered with checkout-line card readers and PIN pads.  Albertsons (Save Mart Supermarkets) in Alameda, California also had credit and debit card numbers stolen using bogus checkout-line card readers.   And, Lunardi’s Supermarket in Los Gatos, California had a similar experience with  ATM and credit card readers that quickly led to the theft of  $300,000.  

What makes the Hannaford incident noteworthy is the fact that the chain was supposedly PCI compliant at the time.  According to the indictment filed against the Hannaford mastermind, the theft was a result of a hack into corporate computer networks that allowed placement of malware which, in turn, provided backdoor access to the networks — and credit card information.  The means of attack was the commonly used SQL Injection Attack. 

In other words, being PCI compliant should never be the ultimate goal of your security strategy.   Whether you are a supermarket chain or a large law firm, a risk management approach to network security and privacy should always take precedent.   Most companies — large and small — still apply a uniform approach to security that treats all data the same.  The ultimate lesson learned from the Hannaford breach:   Always make sure your most valuable data is always most protected.   It really does not matter whether your company sells fruits and vegetables or builds nuclear missiles.

Accounting Firm, Law Firm, Middle Market Business, Network Security, Privacy, Risk Management, Small Business

Small Professional Service Firms Put Implementation of FTC Red Flags Regs on Hold

According to a recent article in Lawyers USA, small and middle market business owners are so jaded by the number of times the FTC has delayed enforcement of its Red Flags Regulations, they have pushed compliance to the back burner.  Tanya Forsheit, of InformationLawGroup, is quoted in the article as saying, “I suspect a lot of small businesses were hoping this ultimately wouldn’t happen.”   As it stands, all businesses that bill for goods and services and accept payment on a deferred basis are covered by these regulations.  Unfortunately, most such firms do not have any sort of written procedure or policy specifically dealing with identity theft — a main requirement of these regulations.   Moreover, as recognized in the article, “[s]mall businesses without extensive in-house resources have found it challenging to comply with the specifics of the rules, such as the recommendations for data encryption, regular review and annual updates of the policy, procedures for responding to red flags, training of staff, and approval of the policy by the company’s board of directors.” 

Professional service firms have been fighting hard to avoid compliance.  Lawyers successfully challenged the applicability of the regulations to law firms with an appeal currently pending.  Accountants filed suit last year and are still waiting for a decision.   Doctors and dentists have sought a legislative answer by seeking a statutory exemption.    Come the date of enforcement – June 1st- only law firms currently have a free pass.

It is recommended that all professional or consulting businesses who defer payment should immediately consult with their professional advisers to see how a cost effective compliance solution can be implemented.

Law Firm, Network Security, Privacy, Risk Management, Small Business

Law Firms Feel the Data Breach Heat and Start Buying Insurance

Here are just a few of the many network security and privacy (NSAP) headline incidents that have hit law firms over the years:

  • “Employee at a Palo Alto law firm steals 90 laptops and 120 desktop computers and sells them”
  • “Eighteen laptops stolen from the Orlando office of a major law firm”
  • “Paralegal at a New York law firm downloads a 400 page trial plan in a major case and offers to sell it to the adverse party.”
  • “Employee of a vendor at the Los Angeles office of a major law firm steals a client’s highly confidential encryption data and posts it on hacker websites.”
  • “Thief remains in the offices of a Phoenix law firm after it closes and steals 3 laptops.”
  • “Laptop is stolen from a Cincinnati law firm and is found on eBay.”

Although some insurers are now offering network security and privacy coverage endorsements on their Lawyers Professional Liability (LPL) policies, the vast majority of law firms are generally without any coverage for data loss or theft.   For many years, the old guard broker heaviest in LPL told its clients that coverage for data breach events would be covered under the traditional LPL coverage grant given any breach of confidentiality – including one involving a data breach – would trigger coverage as the provision of legal services.   Fast forward to today and the tune has changed.  It is pretty much standard now for law firms to at least evaluate NSAP options.   Here are just a few of the reasons why NSAP options make sense for law firms: 

  • There is no other available coverage for post-breach expenses such as forensics.
  • Coverage for data and other non-physical perils is routinely excluded under Property policies.
  • The “intentional acts” exclusion found in the standard LPL policy might eliminate coverage if the breach was caused by an insider.
  • Coverage may be unavailable for acts that are outside the provision of professional services.
  • Liability arising out of the destruction of electronic data is not typically covered under the standard General Liability or Property policies.
  • Direct losses caused by vendors may not be covered under crime policies.
  • Crime policies generally only cover theft of money, securities or other tangible property – not information theft or the destruction of electronic data.

For a more “in depth” look at the relevant digital coverage gaps for law firms, read this now timely article written over six years ago.

Law Firm, Middle Market Business, Small Business

The $60 Email

By now most have heard of the lady who fumed when a courtesy eight word e-mail response (“I hope everything is O.K.  Take your time.”) was billed by her attorney at $60 (.2 hours x $300 hourly rate).   Her experience left her asking one question:  “How does anyone treat people like this and still manage to stay in business?”  That is the problem in a nutshell.  Lawyers are trained to be lawyers and not profit-focused business people.   In other words, they are not focused on staying in business.

Ignoring for a second the fact that taking twelve minutes to compose such a response may not have been very efficient use of time, the associate who wrote it was just thinking like a lawyer when it came to billing his or her time.   The time was spent so it should be billed.  Whereas a profit-focused law firm would have likely collected such non-substantive email, tallied the time, put all such time on the bill — and then assign a zero charge to this “non-billable time”, more often than not such over-the-top charges fall through the cracks and end up actually going out to clients.  A profit-focused law firm would never have let such a bill leave its doors given such a business realizes just how damaging it would be to its bottom line to charge for eight word emails that involve no true billable time.

Middle Market Business, Network Security, Privacy, Risk Management, Small Business, Technology Law

Regulatory and Judicial Enforcement of “Reasonable Security”

On April 12, 2010, Brokerage firm D.A. Davidson & Co. was hit by The Financial Industry Regulatory Authority (FINRA) with a $375,000 fine due to a 2007 data breach.    The breach potentially impacted 192,000 customers and involved social security numbers, dates of birth and other confidential information.  In what has been for years now a fairly  common occurrence, the firm was exploited by a SQL injection vulnerability that allowed hackers to break into a database server holding the data.

Davidson learned of the breach after it received an extortion note from one of the hackers seeking money to keep silent.  According to FINRA, the breach was caused by Davidson’s failure to implement “well-known and recommended security measures for protecting customer data.”   It said that Davidson had failed to encrypt sensitive customer data, and had kept its customer database on a Web server with a default vendor password and a “constant open Internet connection.”

This case should not be looked upon in isolation.  A failure to implement reasonable security is giving rise to a  growing regulatory risk.   For example, on March 25, 2010, the FTC settled a case claiming that the Dave & Busters restaurant and arcade chain failed to inadequately protect consumer information.  The FTC alleged in its complaint that a hacker exploited vulnerabilities in Dave & Buster’s systems to install unauthorized software and access approximately 130,000 credit and debit cards. 

Negligence claims based on the lack of “reasonble security” has also been gaining ground in the courts.  For example, last year the U.S. District Court for the Northern District of Illinois allowed suit to proceed against Citizens Financial Bank given that plaintiffs’ home equity loan was depleted to the tune of $26,500 by an online thief who transferred the money to a bank in Austria.  The negligence claim against Citizens Financial Bank was allowed to proceed given there was a factual issue as to whether the bank utilized adequate security controls.  There are other pending cases where the court has reasoned that the lack of reasonable security can be the underpining of a negligence claim.   The moving target in all of these cases is determining what exactly constitutes “reasonable security”.

UPDATE:  February 22, 2021

The Sedona Conference (TSC) – a nonpartisan, nonprofit charitable research and educational institute “dedicated to the advanced study of law and policy in the areas of antitrust law, complex litigation and intellectual property rights”, released in February 2022 what it perceived to be the proper definition of “reasonable security”.  As a reminder, TSC famously previously helped Courts determine the proper contours of e-discovery.  

Recognizing that cybersecurity reasonableness crosses both legal and technology issues, the Technology Resource Panel of TSC recognized that a reasonableness test would help to bridge that divide.  The Sedona Conference, Commentary on a Reasonable Security Test, 22 SEDONA CONF. J. 345, 355 (forthcoming 2021).  Accordingly, the proposed test for reasonable security was designed to be consistent with “models for determining reasonableness that have been used in various other contexts by courts, in legislative and regulatory oversight, and in information security control frameworks.”  Id. at 358.

The Sedona Conference Commentary on a Reasonable Security Test consists of the following formula:  “B2 – B1 < (P x H)1 – (P x H)2” where B represents the burden, P represents the probability of harm, H represents the magnitude of harm, subscript 1 represents the controls (or lack thereof) at the time the information steward allegedly had unreasonable security in place, and subscript 2 represents the alternative or supplementary control.  Id. at 360.  This test is ultimately based on the landmark Learned Hand negligence test in United States v. Carroll Towing Co., 159 F.2d 169, 173 (2nd Cir. 1947).  

TSC’s Commentary should be studied for numerous reasons, including the fact it is applied to actual recent enforcement actions and provides solid arguments for its judicial application.  No different than the highly cited TSC e-discovery initiatives, this new TSC reasonable security test may very well be relied on by future courts tackling this important question.

Accounting Firm, Law Firm, Litigation Management, Middle Market Business, Network Security, Privacy, Risk Management, Small Business

NJ Supreme Court Sides with Employee on Email Privacy Case

On March 30, 2010, the New Jersey Supreme Court issued its opinion in Stengart v. LovingCare Agency, Inc., 2010 WL 1189458 (N.J. March 30, 2010).  This hotly anticipated ruling was a clear win for employee privacy rights.  It was also clearly the right decision given the facts.  

In its decision, the Court affirmed the Appellate Court’s ruling that an employer was precluded from accessing  attorney-client privileged email.  The email was deemed protected by way of the attorney-client privilege even though the employee accessed the email during work hours using an employer’s laptop.  The key factor in creating a reasonable expectation of  privacy was the plaintiff’s use of her personal Yahoo! webmail service to send and receive the email.   In other words, although the laptop computer used was employer property, the information remained “employee property” given it was password protected via the Yahoo! website.   Moreover, she never stored the password on the company laptop.   The Appellate Divison and Supreme Court were likely also swayed by the fact the attorney-client privileged email in question were used by the employer’s counsel in a pending litigation involving plaintiff.

The Court went into detail regarding how the employer’s Electronic Communications Policy (which was part of its employee handbook) did not provide notice regarding any lack of privacy in a webmail service.  Specifically, the Court ruled:

It is not clear from that language whether the use of personal, password-protected, web-based e-mail accounts via company equipment is covered. The Policy uses general language to refer to its “media systems and services” but does not define those terms. Elsewhere, the Policy prohibits certain uses of “the e-mail system,” which appears to be a reference to company e-mail accounts. The Policy does not address personal accounts at all. In other words, employees do not have express notice that messages sent or received on a personal, web-based e-mail account are subject to monitoring if company equipment is used to access the account.

 The Policy also does not warn employees that the contents of such e-mails are stored on a hard drive and can be forensically retrieved and read by Loving Care.

 The Policy goes on to declare that e-mails “are not to be considered private or personal to any individual employee.” In the very next point, the Policy acknowledges that “[o]ccasional personal use [of e-mail] is permitted.” As written, the Policy creates ambiguity about whether personal e-mail use is company or private property.

Id. at 13 – 14.

A more carefully crafted employee manual would have not likely led to a different result.  It appears as if the Court  provides a roadmap for employers but one in which attorney client communications would always remain sacrosanct.   For example, although many employee manuals already outright preclude employees from accessing webmail via company computers, such a blanket prohibition would likely not be enough going forward given this ruling.  See Id. at 28 – 29 (“[E]mployers have no need or basis to read the specific contents of personal, privileged, attorney-client communications in order to enforce corporate policy.  Because of the important public policy concerns underlying the attorney – client privilege, even a more clearly written company manual  – that is, a policy that banned all personal computer use and provided unambiguous notice that an employer could retrieve and read an employee’s attorney client communications, if accessed on a personal, password protected e-mail account using the company’s computer system – would not be enforceable.”).

It appears as if the correct approach for employers looking to access certain employee email exchanged via a webmail service is to  provide even more specific guidance regarding what may or may not be done by the employee.   For example, it may help to provide an explicit warning that all email exchanged via a webmail service is subject to the general email policy of the firm.  Banning pornography and “hate speech” email would clearly not be a problem under this ruling.  When it comes to attorney-client material, a warning regarding the insecure nature of such  communication may be warranted as well as a reminder that non-business communications are deemed inappropriate and can possibly lead to termination.  Nothing in the ruling would preclude using non-business activity against an employee.  As well, transmitting proprietary company material with insecure, un-archived, and non-sanctioned forms of communication such as webmail services would likely still be considered against corporate policy under this ruling.  Finally, when drafting a policy, it should be made clear that the company cannot and will not guarantee the confidentiality of any communications made using a webmail service. 

Given many employees blur personal and company time, it is often the case that employees are checking their personal email on company time.  Indeed, the advent of webmail services from Yahoo!, Google, Microsoft and others makes it an almost a trivial task to check personal email on company PCs, laptops, and smart phones.  Given the Stengart decision, New Jersey employers should evaluate their current procedures regarding use of webmail services with an understanding that attorney-client email may be strictly off limits to corporate eyes.