Category Archives: Privacy

Electronic Health Records, Network Security, Privacy, Risk Management, Small Business

CT AG Successfully Uses HITECH Act to Settle HIPAA Breach

Taking advantage of a federal law passed last year, Connecticut’s Attorney General, Richard Blumenthal, announced yesterday a settlement with HMO Health Net that includes a corrective action plan, a $250,000 payment to the State of Connecticut (with an additional potential pot of $500,000), and increased credit monitoring and ID theft insurance to potential victims.  According to Blumenthal’s original lawsuit, Health Net lost or had stolen a disk drive last year containing sensitive information from 1.5 million persons – including 446,000 Connecticut residents.  The drive contained names, addresses, social security numbers, HIPAA-protected health information and financial information. 

The underlying federal statute relied upon by Blumenthal when bringing suit against Health Net is Title XIII of the American Recovery and Reinvestment Act of 2009, also known as the Health Information Technology for Economic and Clinical Health Act (the HITECH Act).  The HITECH Act not only offers financial incentives to prod the use of electronic health records (EHR) but also greatly expands the protections afforded such information.  For example, it creates the first federal breach notification law.   Covered Entities and Business Associates that “access, maintain, retain, modify, record, store, destroy or otherwise hold, use or disclose” unsecured personal health information must disclose to the owner notice of a breach.  See Sections 13402(a) and (b) of the HITECH Act.    

In obtaining yesterday’s settlement, Blumenthal was the first Attorney General to take advantage of the HITECH Act’s grant of HIPAA compliance jurisdiction to state Attorney Generals.   It is entirely likely that other states will now jump on this bandwagon – especially those with AGs seeking higher political office.   In fact, last month AG’s from across the country were scheduled to receive training on HIPAA compliance from Booz Allen Hamilton

As for the Health Net settlement, the amounts paid to Connecticut are small compared to what has been spent to date dealing with the breach.  According to the settlement agreement, Health Net allegedly has already spent more than $7 million to investigate what happened to the disk drive, notify members and provide credit monitoring and identity-theft insurance to those potentially impacted.   It is incidents like these that showcase the value of requiring strong indemnification language backed by an equally strong requirement of data breach insurance coverage for those firms managing or holding your patients’ or members’ sensitive medical information.

Middle Market Business, Network Security, Privacy, Risk Management, Small Business

Symantec Survey: SMBs Invest in Addressing Data Security Threats

In the recently published Symantec survey of 2,500 executives with responsibility for IT security – half from companies of less than 100 employees – cyber-attacks were ranked as their top business risk.  And, of those polled by Symantec, 74 percent said they were “somewhat or extremely concerned” about losing sensitive electronic data.  In fact, 42 percent lost confidential or proprietary information sometime in the past and 73 percent of the respondents were victims of cyber-attacks just this past year.  

Addressing this challenge, SMBs are now spending an average of $51,000 a year, or about two-thirds of IT staff time, working on “information protection, including computer security, backup, recovery, and archiving, as well as disaster preparedness.”  This seems like a sound investment given that the average cost of a breach to these SMBs was $188,242.

All of this fear seems to be somewhat well placed given that 95 percent of security and compliance professionals recently polled by nCircle believe that data breaches have been and will continue to increase in 2010. Knowing what to do in the event of a data breach is not necessarily intuitive.

Accounting Firm, Financial Reporting, Network Security, Privacy, Risk Management

CyLab Survey: Corporate Protection of Digital Assets Not a Priority

The recently released Carnegie Mellon CyLab 2010 Corporate Governance survey confirms that there is little change in senior management’s views towards data security – it’s not really a priority.   The CyLab annual survey, which measures board and management attitudes towards the protection of digital assets, is based upon results received from respondents at the board or senior executive level from Fortune 1000 companies.   Given public filing requirements, you would think protection of digital and related intangible assets – which now comprise the bulk of a firm’s value – would be a top of mind issue.  It’s not. 

When asked to identify their boards’ three top priorities, “improving computer and data security” was not selected by 98% of the respondents.  The respondents also indicated that their boards were not “actively addressing” IT operations or vendor management.  In essence, privacy and security of data inside or at outside vendors is receiving little oversight from management.  

Interestingly, 65% of the respondents also indicated that their boards were not reviewing their companies’ insurance coverage for data risks even though most standard policies offer little or no coverage.   Standing alone, this approach may not be an example of sound business judgment given the availability of specific insurance policies able to cover loss or destruction of digital assets. 

Not quite sure if this survey is a real wake up call or not.  The only thing for certain is that these attitudes are hardly what one would consider a best practice.  Sarbanes Oxley Section 404 requires a “top down” audit on internal controls which should provide some guidance on how digital assets are protected.  Indeed, under 15 U.S.C. § 7262(a), the Section 404 report must “contain an assessment, as of the end of the most recent fiscal year of the Company, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.”  It is difficult to see how management can in good conscious sign off on these assessments while still maintaining that “improving computer and data security” is not a priority.  

Notwithstanding how firms may perceive their Section 404 obligations, recognizing the potential “materiality” of computer security failings, Google, Intel, Symantec and Northrop Grumman recently added new warnings to their SEC filings informing investors of such risk.  The fact that some companies have come forward to detail recent breaches and the possibility of future breaches should indicate to other companies the need to address this reporting issue in a more proactive manner.  And, once risk disclosures are publicly made, the next obvious step is to ensure that proper protections are in place to address the risk.   Reporting uncoupled with affirmative preventive action is simply fodder for class action litigation the next time an event takes place.  What may be even worse is completely turning a blind eye to the entire problem.

Law Firm, Middle Market Business, Network Security, Privacy, Risk Management

iPad Exploit Exposes Email Addresses of 114,000 Users

According to a Gawker exclusive, a simple online request made on the AT&T network allowed access to user account information.  The information exposed in the breach “included subscribers’ email addresses, coupled with an associated ID used to authenticate the subscriber on AT&T’s network, known as the ICC-ID.”   One security consultant offered that “recent holes discovered in the GSM cell phone standard mean that it might be possible to spoof a device on the network or even intercept traffic using the ICC ID.”  It is unclear whether that is the case but there is no denying that some heavy hitting iPad users now have exposed email addresses and ICC IDs.

The article points out that one impacted iPad user is William Eldredge, who “commands the largest operational B-1 [strategic bomber] group in the U.S. Air Force.”  Here is a listing of some others:

Apple's Worst Security Breach: 114,000 iPad Owners Exposed

In the media and entertainment industries, “affected accounts belonged to top executives at the New York Times Company, Dow Jones, Condé Nast, Viacom, Time Warner, News Corporation, HBO and Hearst.”

Apple's Worst Security Breach: 114,000 iPad Owners Exposed

The lesson here is that AT&T did not anticipate a hack that was apparently pretty obvious while Apple did no wrong — other than align its fortunes to AT&T.

Law Firm, Network Security, Privacy, Risk Management, Small Business

Here We Go Again — FTC Extends Red Flags Enforcement Deadline

It what has come to be a now common event, the FTC has decided to extend again the enforcement of its Red Flags Regulations.  Succumbing to Congressional pressure, the FTC has decided to extend the prior deadline – which was last slated for June 1, 2010 – until December 31, 2010.   Most privacy professionals have probably lost track by now as to how many times the enforcement of these regulations has been pushed back.   The original date was November 1, 2008!  According to the FTC press release, “If Congress passes legislation limiting the scope of the Red Flags Rule with an effective date earlier than December 31, 2010, the Commission will begin enforcement as of that effective date.”

Given that Congress will now “clarify” who is subject to these regulations, it is highly likely that those companies who have not yet complied will wait until such clarification comes down the pike.  Who can blame them?  Certainly not the FTC.

Accounting Firm, Law Firm, Middle Market Business, Network Security, Privacy, Risk Management, Small Business

Small Professional Service Firms Put Implementation of FTC Red Flags Regs on Hold

According to a recent article in Lawyers USA, small and middle market business owners are so jaded by the number of times the FTC has delayed enforcement of its Red Flags Regulations, they have pushed compliance to the back burner.  Tanya Forsheit, of InformationLawGroup, is quoted in the article as saying, “I suspect a lot of small businesses were hoping this ultimately wouldn’t happen.”   As it stands, all businesses that bill for goods and services and accept payment on a deferred basis are covered by these regulations.  Unfortunately, most such firms do not have any sort of written procedure or policy specifically dealing with identity theft — a main requirement of these regulations.   Moreover, as recognized in the article, “[s]mall businesses without extensive in-house resources have found it challenging to comply with the specifics of the rules, such as the recommendations for data encryption, regular review and annual updates of the policy, procedures for responding to red flags, training of staff, and approval of the policy by the company’s board of directors.” 

Professional service firms have been fighting hard to avoid compliance.  Lawyers successfully challenged the applicability of the regulations to law firms with an appeal currently pending.  Accountants filed suit last year and are still waiting for a decision.   Doctors and dentists have sought a legislative answer by seeking a statutory exemption.    Come the date of enforcement – June 1st- only law firms currently have a free pass.

It is recommended that all professional or consulting businesses who defer payment should immediately consult with their professional advisers to see how a cost effective compliance solution can be implemented.

Electronic Health Records, Middle Market Business, Network Security, Privacy, Risk Management

Colorado Casualty: Stolen Health Records Not a Covered Event

As detailed by the Salt Lake Tribune, Colorado Casualty Insurance Co. contends it is not obligated to cover costs incurred in 2008 by the University of Utah after tapes containing electronic medical billings records on 1.7 million patients were stolen from a car.   The insurer filed a declaratory judgment action on April 9, 2010 seeking a declaration that the commercial package insurance purchased by the vendor who was to safeguard the records, Perpetual Storage, did provide coverage for the claims made against the insurer.   A review of the seven-page complaint provides no insight as to the terms of the policy in question. 

The claim is ultimately based on first-party costs incured by the University of Utah.   Not including 6,232 in personnel hours responding to the breach, the University allegedly spent over $3.2 million on:  (1) $646,149 in printing and mailing costs; (2) $81,389 for a call center that fielded over 11,000 calls within two weeks; and (3) $2.5 million for credit-monitoring services. 

Notwithstanding what the Colorado Casualty policy may actually state, the above claim would have been covered under most network security and privacy policies.   Lesson learned:   It is critical to confirm a vendor’s insurance clause lists the necessary coverages — including NSAP coverage if they are to handle sensitive data.

Electronic Health Records, Middle Market Business, Network Security, Privacy, Risk Management

White House Cyber Security Plan Focuses on EHR Management

According to an article in Government Health IT, the White House is looking to develop a network security strategy “that pays particular heed to the importance of building a trusted arena for electronic health care transactions.”    Howard Schmidt, the White House Cyber Security Czar, said at a May 11 HIPAA conference on privacy and security that the administration will roll out a “trust framework” based on  technologies, standards, services and policies that will eventually be adopted by the government, industry and consumers. 

According to Schmidt, “[o]ne-person physician offices have to be part of this system.  They have to have the capacity to trust identity and to trust medical records and information because they don’t have infrastructure and they don’t have a CIO.”  The White House’s ultimate goal is to instill enough “trust” in the system so that small practice groups and individual providers would be willing to adopt electronic health records (EHRs).   This initiative comes on the heels of the HITECH Act’s goal of prodding the use of EHRs throughout the health care food chain.

Since the passage of the HITECH Act, there has been much criticism regarding the utility of EHRs (the time needed to transcribe notes, mistakes made in such transcriptions, content limitations, etc.) so it remains to be seen whether widespread use will ever take hold notwithstanding the HITECH Act’s stick/carrot approach to prodding implementation.  Indeed, some have argued that one of the goals of the Act, i.e.,  the improvement of health care by changing patient behavior, will likely take a turn for the worse after EHR implementation.  

To the extent practice groups and providers actually take the plunge and devote resources to a new EHR implementation, they should likely apply a holistic approach to security and privacy that applies general risk management principles.   This article recently published by AHRMNY in its Risk Management Quarterly provides an EHR risk management overview that can help start that process.   As well, here is a link to the presentations from the recent HIPAA conference (minus Mr. Schmidt’s keynote address).   There are several linked presentations that talk to risk assessments and other security considerations of interest to providers and those folks who advise them.

Law Firm, Network Security, Privacy, Risk Management, Small Business

Law Firms Feel the Data Breach Heat and Start Buying Insurance

Here are just a few of the many network security and privacy (NSAP) headline incidents that have hit law firms over the years:

  • “Employee at a Palo Alto law firm steals 90 laptops and 120 desktop computers and sells them”
  • “Eighteen laptops stolen from the Orlando office of a major law firm”
  • “Paralegal at a New York law firm downloads a 400 page trial plan in a major case and offers to sell it to the adverse party.”
  • “Employee of a vendor at the Los Angeles office of a major law firm steals a client’s highly confidential encryption data and posts it on hacker websites.”
  • “Thief remains in the offices of a Phoenix law firm after it closes and steals 3 laptops.”
  • “Laptop is stolen from a Cincinnati law firm and is found on eBay.”

Although some insurers are now offering network security and privacy coverage endorsements on their Lawyers Professional Liability (LPL) policies, the vast majority of law firms are generally without any coverage for data loss or theft.   For many years, the old guard broker heaviest in LPL told its clients that coverage for data breach events would be covered under the traditional LPL coverage grant given any breach of confidentiality – including one involving a data breach – would trigger coverage as the provision of legal services.   Fast forward to today and the tune has changed.  It is pretty much standard now for law firms to at least evaluate NSAP options.   Here are just a few of the reasons why NSAP options make sense for law firms: 

  • There is no other available coverage for post-breach expenses such as forensics.
  • Coverage for data and other non-physical perils is routinely excluded under Property policies.
  • The “intentional acts” exclusion found in the standard LPL policy might eliminate coverage if the breach was caused by an insider.
  • Coverage may be unavailable for acts that are outside the provision of professional services.
  • Liability arising out of the destruction of electronic data is not typically covered under the standard General Liability or Property policies.
  • Direct losses caused by vendors may not be covered under crime policies.
  • Crime policies generally only cover theft of money, securities or other tangible property – not information theft or the destruction of electronic data.

For a more “in depth” look at the relevant digital coverage gaps for law firms, read this now timely article written over six years ago.

Middle Market Business, Network Security, Privacy, Risk Management, Small Business, Technology Law

Regulatory and Judicial Enforcement of “Reasonable Security”

On April 12, 2010, Brokerage firm D.A. Davidson & Co. was hit by The Financial Industry Regulatory Authority (FINRA) with a $375,000 fine due to a 2007 data breach.    The breach potentially impacted 192,000 customers and involved social security numbers, dates of birth and other confidential information.  In what has been for years now a fairly  common occurrence, the firm was exploited by a SQL injection vulnerability that allowed hackers to break into a database server holding the data.

Davidson learned of the breach after it received an extortion note from one of the hackers seeking money to keep silent.  According to FINRA, the breach was caused by Davidson’s failure to implement “well-known and recommended security measures for protecting customer data.”   It said that Davidson had failed to encrypt sensitive customer data, and had kept its customer database on a Web server with a default vendor password and a “constant open Internet connection.”

This case should not be looked upon in isolation.  A failure to implement reasonable security is giving rise to a  growing regulatory risk.   For example, on March 25, 2010, the FTC settled a case claiming that the Dave & Busters restaurant and arcade chain failed to inadequately protect consumer information.  The FTC alleged in its complaint that a hacker exploited vulnerabilities in Dave & Buster’s systems to install unauthorized software and access approximately 130,000 credit and debit cards. 

Negligence claims based on the lack of “reasonble security” has also been gaining ground in the courts.  For example, last year the U.S. District Court for the Northern District of Illinois allowed suit to proceed against Citizens Financial Bank given that plaintiffs’ home equity loan was depleted to the tune of $26,500 by an online thief who transferred the money to a bank in Austria.  The negligence claim against Citizens Financial Bank was allowed to proceed given there was a factual issue as to whether the bank utilized adequate security controls.  There are other pending cases where the court has reasoned that the lack of reasonable security can be the underpining of a negligence claim.   The moving target in all of these cases is determining what exactly constitutes “reasonable security”.

UPDATE:  February 22, 2021

The Sedona Conference (TSC) – a nonpartisan, nonprofit charitable research and educational institute “dedicated to the advanced study of law and policy in the areas of antitrust law, complex litigation and intellectual property rights”, released in February 2022 what it perceived to be the proper definition of “reasonable security”.  As a reminder, TSC famously previously helped Courts determine the proper contours of e-discovery.  

Recognizing that cybersecurity reasonableness crosses both legal and technology issues, the Technology Resource Panel of TSC recognized that a reasonableness test would help to bridge that divide.  The Sedona Conference, Commentary on a Reasonable Security Test, 22 SEDONA CONF. J. 345, 355 (forthcoming 2021).  Accordingly, the proposed test for reasonable security was designed to be consistent with “models for determining reasonableness that have been used in various other contexts by courts, in legislative and regulatory oversight, and in information security control frameworks.”  Id. at 358.

The Sedona Conference Commentary on a Reasonable Security Test consists of the following formula:  “B2 – B1 < (P x H)1 – (P x H)2” where B represents the burden, P represents the probability of harm, H represents the magnitude of harm, subscript 1 represents the controls (or lack thereof) at the time the information steward allegedly had unreasonable security in place, and subscript 2 represents the alternative or supplementary control.  Id. at 360.  This test is ultimately based on the landmark Learned Hand negligence test in United States v. Carroll Towing Co., 159 F.2d 169, 173 (2nd Cir. 1947).  

TSC’s Commentary should be studied for numerous reasons, including the fact it is applied to actual recent enforcement actions and provides solid arguments for its judicial application.  No different than the highly cited TSC e-discovery initiatives, this new TSC reasonable security test may very well be relied on by future courts tackling this important question.