All posts by Paul E. Paray

Middle Market Business, Small Business

Patient Protection and Affordable Care Act Changes Begin Today

It’s been six months since passage of the administration’s healthcare reform act — the Patient Protection and Affordability Care Act (PPACA).   As reported in newspapers around the country, that means that for those health plans that begin today: 

  • Parents will be able to keep their young adult children on their group health plan up to age 26, regardless of whether the adult child lives with the parent, is a full-time student, disabled or married.
  • Insurance companies will be banned from dropping coverage when an enrollee gets sick.
  • All new plans must offer free preventive services, such as mammograms, colonoscopies and certain child preventive health-care services, meaning plans can’t charge deductibles, co-pays or co-insurance.
  • All employer plans and new plans in the individual market will be prohibited from denying coverage to children under age 19 with pre-existing conditions.
  • Parents will be able to select a pediatrician as the primary care provider for their children.
  • Female enrollees will be able to obtain obstetrical/gynecological specialist services without a referral from another primary care provider.
  • Group plans will be banned from imposing lifetime benefit limits and will start gradually eliminating annual benefit limits.
  • New plans must provide consumers access to an internal and external claims appeals process.

For plans operating on the calendar year, these new PPACA requirements will take effect on January 1, 2011.

Electronic Health Records, Privacy, Risk Management

CA Hospital Appeals Fine of $250,000 for Failure to Report a Laptop Theft

Lucile Packard Children’s Hospital (LPCH) at Stanford is appealing a California Department of Public Health (CDPH) penalty issued on April 23, 2010.  The fine of $250,000 was levied as a result of a late reporting of a security incident.  According to a September 9, 2010 press release issued by the hospital, the incident was related to “the apparent theft earlier in the year of a password-protected desktop computer that contained information about 532 patients.”  The press release further states:

The computer in question was used by an employee whose job required access to patient information. Even though the employee had signed written commitments to keep patient information confidential and secure in accordance with legal requirements and hospital policies, the hospital received reports that the now-former employee allegedly removed the computer from hospital premises and took it home. The hospital immediately began a thorough investigation and also reported the matter to law enforcement in an attempt to recover the computer quickly.
 
As soon as the hospital and law enforcement determined the computer was not recoverable, the hospital voluntarily reported the incident to the California Department of Public Health (CDPH) and federal authorities, as well as the families of potentially-affected patients. The hospital also provided to the families identity theft protection and other support services.   Theft charges have been filed against the former employee.

The LPCH data breach is generally considered the most common form of breach, namely one that involves a stolen or lost laptop.  No matter how much training you provide or how many times you emphasize there is zero tolerance for mishandling laptops, there will always be negligent or reckless conduct involving laptops.    On top of all the hard forensics and notification costs associated with such events, California hospitals also now have to deal with significant regulatory penalties for these mistakes.  Thankfully, incidents have been slightly decreasing due to better practices and there exist low-cost insurance solutions that pick up breach expenses/fines on those occasions when an incident is not avoided.

Middle Market Business, Network Security, Risk Management

FBI Warns “Here you have” Worm Hits Agencies and Businesses

Here is an FBI warning that was sent out yesterday to all FBI agents and FBI Infragard members.  It is worth repeating verbatim.

From: HQ INFORMATION TECHNOLOGY BRANCH
Sent: Sat Sep 11 22:08:33 2010
Subject: Computer Security Alert

A new Computer “worm” attacked several federal agencies and Fortune 500 companies yesterday.  The malicious email messages contain the subject line “Here you have” or “Just For You” and contain a link to a seemingly legitimate PDF file. If users click on this link, they will be redirected to a malicious website that will prompt them to download and install a screensaver (.scr) file. If they agree to install this file, they will become infected with an email worm that will continue to propagate through their email contacts.

Even though we are protected, sometimes the adversaries change the email to look a little different so they can get past defenses.  The Bureau is asking all users to carefully watch your emails here at work and on your home machine.  To reduce the risk of compromising your FBI workstation, be alert for unsolicited e-mail messages and keep in mind the following traits common to malicious e-mail messages:

  • Subject matter related to recipient’s work, possibly containing actual U.S. Government information
  • A sense of urgency to convince the recipient to open an attachment or click a link within the message
  • Convincing content such as upcoming meeting agendas, reports, information on current events or policy issues
  • Seemingly-legitimate sender (government and commercial addresses, including @fbi.gov) using legitimate signature and contact information
  • Receiving an email with just a link
  • An attachment (typically a .pdf or .zip file) or link

Thank you for your assistance and vigilance in protecting the FBI’s networks.

Enterprise Security Operations Center (ESOC)

JEH-HQ

Law Firm, Middle Market Business

Location, Firm Size Key to Legal Billing Rates

Released on September 1, 2010, CT TyMetrix’s Real Rate Report, which is based on empirical data “gathered from $4.1 billion in invoicing generated by over 3,500 law firm and 90,000 individual billers over three years (2007-2009),” provides unique insight on the billing practices of law firms around the country.   This report demonstrates  that it may not necessarily be the skills set or experience of an attorney that drives his or her billable rate.  Given that the 92-page report costs $4,500, a cost-effective way to learn what’s in the report is to review the September issue of The American Lawyer

As detailed in the article, “legal bills increased at rates that exceeded inflation, in-house lawyers who spent more at a particular law firm were not getting any discounts, and partner status added nearly $100 on average to a lawyer’s rate regardless of experience.”  What was even more interesting was the report’s finding that 85% of lawyers charge clients different rates for the same work and the “location of the biller and the size of the biller’s firm – not the biller’s experience – are the variables that most influence how much a client will pay.” 

Although geographic location obviously impacts law firm and employee living expenses, clients may perceive no real justification for paying more qualified lawyers in mid-sized suburban firms less pay simply because of their firm size and location.   It also does not appear to make sense to charge $100 more an hour simply because of a change in ownership rights.   What if the associate was made partner largely on the basis of being a great rainmaker?   How does that justify being a higher-priced M&A lawyer?

When it comes to the business of law, if law firms are going to continue to tie their collective hitches to the billable hour, they need to do a better job of meshing their actual expenses with their hourly fees and communicating their results to clients.   If there is an expense associated with tapping into a large New York City law firm, i.e., higher rents, increased costs of hiring, etc., firms need to communicate those additional costs.   Although doing that might make it more difficult to later reduce fees by 30% when in-house counsel balks on a given bill, it will end up leading to more consistency and a better relationship with those who actually pay the bills. 

By blanketly adding additional dollars to a billable rate without spelling out exactly why the rates are at that level, law firms are missing a great marketing opportunity.    The more successful manufacturers routinely lay bare their component expenses in order to close large orders.   In other words, widgets should be no different from legal briefs when it comes to transparency of expense.    

Here are some other interesting findings from the report (as listed in the American Lawyer article):

Electronic Health Records, Network Security, Privacy, Risk Management

HITECH Public Data Breaches: Majority Caused by Theft

Last month, the Health Information Trust Alliance published an analysis of the 108 breaches reported to HHS from Sept. 23, 2009 (when reporting first started under the HITECH Act) to mid-July.  This review illustrates the major impact of theft on healthcare providers.   Of 108 total reported breaches, 68 were the result of theft.  Indeed, the only type of breach experienced by every healthcare industry sector was theft.   The most common thefts involved laptops and removable data drives and devices.   The majority of the data found on these devices remains unencrypted.  This lack of encryption is significant given that, as with the breach notification laws in most states, there is a notification safe harbor under the HITECH Act implementation regulations whenever the stolen data is encrypted. 

This review of HHS reported breaches highlights what risk managers have likely known for some time now, namely that it is important to better train employees regarding the use and maintenance of laptops/memory devices.  Although not nearly as “top of mind” as better training, risk managers are now understanding the value in deploying system-wide encryption solutions.  There is obviously much less likelihood of the breach turning into a major financial incident when there is no notification.  In other words, whether the added expense of encryption — both financial and time-driven — is worth it to a healthcare provider gets answered each day there is another publicly noticed breach.

Electronic Health Records, Network Security, Privacy, Risk Management

AON Disclosure Impacts 22,000 Retirees

According to a story published today in the News Journal, Aon Consulting is mailing letters to approximately 22,000 State of Delaware retirees after it inadvertently posted social security numbers, gender information and dates of birth in a Request for Proposal (RFP) the company prepared for the State.  The RFP information was posted by AON to the procurement section of the Delaware website for five days before it was discovered and removed.  This is not the first data breach for Aon Consulting.  In May 2008, an AON laptop containing the names and Social Security numbers of 57,160 people related to a Verizon engagement was stolen from a New York City restaurant. The laptop was never recovered.

Moreover, it is not the first time a global broker has compromised client data.  On May 9, 2006, a Marsh subsidiary lost a personal computer containing records of more than a half million New Yorkers.  The lost data includes social security numbers and dates of birth.   And, in 2008, Willis lost a data tape in India that contained data belonging to numerous clients who, in turn, had to report to their clients

These events are a stark reminder that no one is 100% immune — even those who are in the risk management business are vulnerable to a data breach.  Indeed, Marsh, AON and Willis are the three largest brokers in the world and have built over the years very sophisticated risk management practices to assist clients address their exposures.   Accordingly, the message here is not to think any less of these brokers but rather to recognize the magnitude of the challenges faced by all firms when  managing data risk.  In other words, if a breach can hit these folks, it can hit just about anyone.

Law Firm, Litigation Management, PCI Compliance, Privacy, Risk Management

BigLaw Warning: Law Firms Face Increasing Risks When Handling Personal Information

In a pair of articles sent out by CNA to its law firm insureds, two large law firms showcase (by way of their privacy and risk management departments) the rising data loss exposures faced by all law firms.  An article written by seasoned privacy attorneys from Hunton & Williams provides “an overview of key privacy and information security issues impacting the practice of law.”   And, in an article written by Ann Ostrander, the Senior Director of Loss Prevention at Kirkland & Ellis, we learn of how Kirkland addresses part of its data confidentiality problem by deploying a sophisticated web-based solution. 

Ms. Ostrander provides some good common sense advice when she writes:

With new rules, new precedents and new information technologies continuing to complicate and inflate the ways in which information is created and communicated, the risk of unexpected incidents, breaches or gaps is increasing. Thankfully, educational resources, technology and services exist which can enable organizations to enhance their capabilities and reduce risk. As more firms adopt more rigorous approaches to managing confidentiality and compliance, they’re creating stricter de-facto standards and expectations for the legal industry as a whole.  In this context, every firm should carefully consider the state of confidentiality management in their environment, as this is an issue whose profile will only continue to grow.

Because the Hunton attorneys are very process driven in their approach, they advocate law firms build out new security processes such as those found in a vendor management program.  As with Ms. Ostrander, Hunton’s privacy group, however, ends by providing a baseline of what every law firm should be doing:

For law firms, it is difficult to overemphasize the importance of (i) understanding how the firm collects, uses and otherwise processes personal information, (ii) thoroughly analyzing the firm’s relevant legal obligations, and (iii) implementing a comprehensive privacy and information management strategy to address these obligations. 

Although diminishing billable hours may tear into a firm’s ability to implement the firm-wide technology initiatives found at BigLaw firms such as Kirkland, the rewards found in adequately addressing data loss exposures will pay long-term dividends for any sized law firm.   As chronicled in the Hunton article, there are many regulatory landmines on the horizon.  It may be hard for a client to justify staying with its law firm after the firm is hit with a public rebuke regarding its data security – especially when there are so many other competitors in the water.  

Moreover, all law firms can, and should, be known as stalwarts of data privacy “future” best practices – and not just what is considered a current best practice.   In fact, it can be argued that the smaller the law firm, the easier it is to run such an office.  Although  attorney-client privileged material is already sacrosanct within all law firms, as counsel to banks, retailers, healthcare providers, and other users of sensitive data, law firms should live and breathe data protection on behalf of their clients.  There is a financial silver lining to any upgrade expense given that  new  implementations immediately become marketing fodder for rainmakers.  In other words, as some clients point to their use of sophisticated data management procedures when marketing their services, so should law firms when marketing their own services.

Financial Reporting, Law Firm, Litigation Management, Middle Market Business, Risk Management

NJ Appellate Division Rules Shareholders Can Inspect Board Minutes

An August 17, 2010 New Jersey decision may be negative for businesses in New Jersey despite what on the surface is  a win for a large corporation.   In Cain v. Merck & Co., Inc., the New Jersey Appellate Division addressed whether the New Jersey Business Corporation Act entitles shareholders to inspect the minutes of the board of directors and the minutes of executive committees, and if so, the breadth of that right of inspection.  According to the court, resolution of these questions:  centers on the proper construction of N.J.S.A. 14A:5-28(4) of the Act. In pertinent part, that statute allows shareholders, upon proof of a “proper purpose,” to examine “the books and records of account, minutes, and record of shareholders of a corporation.” N.J.S.A. 14A:5-28(4).

In what appears to be a case of first impression in New Jersey, the Appellate Division concluded that the qualified right of inspection under the statute extends to the minutes of the board of directors and the executive committee – and not just to the minutes of the shareholder meeting.   The court, however, limited this right of inspection to only those portions of the board minutes that address their “proper purpose.”  In other words, shareholders are “not entitled to examine the minutes in order to explore unsubstantiated allegations of general mismanagement.”

It is not clear whether Merck will appeal given that it, in effect, won its alternative argument, namely that the review should be limited to discussions related to a study conducted by Merck rather than a broader review that on its face does not have such a  “proper purpose.”  According to a Merck spokesman, “we’re evaluating our next steps.” 

If left as binding authority, this decision may have huge ramifications for large and public businesses in New Jersey.   As it stands, the decision extends the reach of the statute – which appears on its face to be limited to shareholder meetings – to the much more deliberative board meetings of a corporation.  It gives litigants a new tool and may cause directors to be more restrained when providing advice given their decision-making process may now be opened up to a much greater extent.  Moreover, this obviously potentially increases the liability of directors and officers so there may be a potential increase in claims – with a resulting increase in D&O insurance premiums.   Although the lower court did recognize that the minutes should be redacted for privileged material, now that the door is open, future judges will have free reign to decide what is deemed “a proper purpose” or privileged material.   In other words, there is no guarantee a future judge won’t allow the fishing expedition rejected by the Appellate Division in this case.

Middle Market Business, Network Security, Privacy, Risk Management

Network World: Do You Need Network Security and Privacy Insurance?

Two recent articles have come up with differing viewpoints regarding the merits of buying network security and privacy (NSAP) insurance.  On the one hand, an article in Network World has taken the position that it is almost foolish not to have NSAP insurance given the potential damages, increasing threats and the inability to safeguard against all such threats.  The author reasons:  “Just because you have fire extinguishers and sprinklers in your business doesn’t mean you don’t also buy fire insurance – the potential risk is too high. It’s time many companies considered security insurance too.”

An article in the Monitor titled College Officials Wary of ‘Cyber Insurance’ for Private Data suggests that purchasing NSAP insurance should actually be avoided given it does nothing to solve the ultimate problem, namely safeguarding  data.    Specifically, representatives from the University of Texas-Pan American and South Texas College said they were confident in their information security systems and saw little value in NSAP policies — despite the fact “higher education institutions across the nation have purchased [NSAP insurance] to offset large expenses following a data breach.”  According to Bob Lim, UTPA vice president of information technology, “Rather than spending money at the back end, use your resources to prevent (risk).  There’s better use in working to fight intrusion than being scared of it.”

The thrust of UTPA’s argument runs something like this: 

We need to adequately protect sensitive data in order to safeguard our reputation.  If we sustain a breach, there is something greater at stake than just the cost of the breach – it’s the hit to our reputation, which is very difficult to monetize.  Accordingly, we are better served by spending our resources and money on prevention rather than on the backend for a solution that may not even properly cover us. 

Ironically, this is the very same argument that large financial institutions made years ago when they opted not to buy NSAP insurance.  They believed that their reputations were sacrosanct so they needed to avoid a breach at all costs – buying the insurance was evidence a breach was even possible.  If you asked around today, most of these institutions currently have NSAP insurance – with towers that well exceed $100 million.   Why the change in position?

There are three factors that caused large financial institutions to change their collective tunes.  First, because so many organizations have been hit with very public breaches, the reputational hit became less and less of a reputational concern.  After all, if everyone is being hit, the “before” is not as important as the “after”, i.e., how you treat your customers post-breach.  And, that is the second reason why the insurance option became more attractive.  NSAP insurance quickly funds and allocates resources after a breach.  Sort of like an experienced swat team entering the picture.   Financial institutions started to realize the benefits in having risk professionals assist in the post-breach aftermath.  Finally, the IT departments began to realize insurance was not an indictment on their capabilities but actually a way to fund the costs of a breach without touching their own IT budgets.  In other words, rather than being opponents of the coverage, CTOs and CIOs became champions of it when they saw the direct benefits in obtaining the coverage.  

All of this begs the question.  Are financial insitutions smarter or are the folks from UTPA?  When does NSAP insurance begin to make sense?   As with most questions related to the purchase of insurance, it depends on your risk appetite, exposures, controls, and ability to financially withstand an incident.   Taking such factors into consideration, it is clear that the answer will vary widely.  It is suggested that management at least start the process of determining whether NSAP insurance makes – especially since the options are getting better by the day.   Who knows.  Maybe UTPA will ultimately change its position as more and more breaches of colleges and universities are reported.

Electronic Health Records, Network Security, Risk Management

Healthcare Industry Hit Hard with Data Breaches

According to the ID Theft Resource Center, 97 of the 341 organizations that sustained a significant data breach in the first half of 2010 were in the healthcare industry.  By comparison, only 38 breaches were reported at banking and other financial institutions.   As shown by the breach sustained by BCBS Tennessee, the direct costs for breaches can exceed $10 million.  And, the repercussions for these breaches are not even limited to direct mitigation or liability expense.  For example, the California Department of Health has fined five hospitals a total of $675,000 for repeatedly failing to provide adequate security for patient data. 

Given the HITECH Act’s desire to increase usage of EHRs, healthcare providers are now scrambling with new software systems that leave them quite vulnerable until full tested.  Moreover, the public may be losing patience with healthcare providers given more and more breaches are now being reported.  This can only lead to an emboldened plaintiffs’ bar. 

What’s a healthcare provider to do? 

It can be argued that there is not much a healthcare provider can do to avoid a breach other than improve security and continue to train its staff.   After all, how can you stop an employee from going around security protocols and stealing data?   As for lost or stolen laptops, that will likely never abate — as illustrated by recent laptop thefts in Texas and Oregon.  Having a robust vendor management program in place is helpful but can never fully prevent rogue contractors from losing or stealing data.  In other words, the risk can be mitigated against (somewhat) but never fully removed so long as healthcare data remains valuable, healthcare providers stay in the healthcare business (and not data security business), and workers continue to make mistakes.  There is a risk management approach, however, that should be seriously evaluated by every participant in the healthcare industry. 

In the same manner medical malpractice insurance is standard in the healthcare industry, network security and privacy insurance should be seriously considered as a risk transfer tool.  Depending on the size, sophistication, and needs of an organization, the terms can be very affordable and flexible.  For example, a hospital with $30 million in revenue can now obtain a comprehensive policy that will safeguard against a breach impacting 250,000 patients for under $15,000.   The bad news is that most insurance professionals or brokers are unaware of the correct pricing or terms for such coverage.  Accordingly, they rely on wholesale brokers who are inundated with submissions and have a tough time qualifying leads (given they do not interact directly with  insureds) — which, in turn, prevents some organizations from getting the attention they deserve.  Thankfully, there are risk professionals out there with the right background to help cash-strapped healthcare organizations obtain the right protection at the right price.  At the very least, healthcare providers and plans should reach out to these risk professionals to obtain a “ballpark” quote. 

Armed with a ballpark quote,  organizations are at least able to determine whether it makes sense to pursue coverage.  Getting a ballpark quote requires minimal effort.  In order to obtain a ballpark, please simply provide your revenue.  We will get back to you within several days with a ballpark insurance quote for network security and privacy insurance.