Category Archives: Risk Management

Anthem proposed breach settlement can rise to $115 million

On June 23, 2017, class counsel in the Anthem Inc. data breach litigation filed papers claiming there has been agreement on a $115 million settlement regarding the 2015 data breach involving 80 million Anthem users.  The proposed settlement will provide Anthem’s health insurance customers  two additional years of credit protection and monitoring as well as full reimbursement for losses sustained.  In what is likely the largest data breach settlement to date, plaintiffs’ counsel will end up with a cool $38 million in attorneys’ fees.

In order to get these fees, counsel for plaintiff “filed four consolidated class action complaints; litigated two motions to dismiss and 14 discovery motions; reviewed 3.8 million pages of documents; deposed 18 percipient fact witnesses, 62 corporate designees, and six defense experts; produced reports from four experts and defended their depositions; produced 105 plaintiffs for depositions and produced 29 of those plaintiffs’ computers for forensic examinations; exchanged interrogatories, RFA, and expert reports with Defendants; and fully briefed class certification and related Daubert motions.”

Whether or not there were ever actual damages sustained by the Anthem class is almost beside the point given counsel for both plaintiffs and defendants were allowed to generate fees meriting a $115 million settlement.  Future counsel in massive data incidents will unfortunately view this settlement as a benchmark target. CISOs around the country now simply just have to avoid a massive data incident.

Supreme Court will decide privacy rights in cell location data

On June 5, 2017, the Supreme Court agreed to decide whether the government needs a probable cause warrant before accessing a suspect’s cell phone location history.  Timothy Carpenter was found guilty of aiding and abetting a series of armed robberies but challenged his conviction on the grounds that the cell location data collected pursuant to a court order issued under the Stored Communications Act (“SCA”) required that the government show probable cause rather than merely the SCA’s “reasonable grounds” for believing the records were relevant to an ongoing investigation.

In a split decision, the Sixth Circuit ruled in April 2016 that given the cell phone location data in the case ranged from half-mile to two-mile in distance it did not fall under the Fourth Amendment’s search protections.  Moreover, according to the Sixth Circuit, no probable cause warrant was necessary given that cell location data points are business records subject to the SCA and reveal nothing about the actual content of communications.  Id. at 7. On behalf of Carpenter – the person who “organized most of the robberies and often supplied the guns”, the ACLU filed a Petition for Certiorari asking: “Whether the warrantless seizure and search of historical cell phone records revealing the location and movements of a cell phone user over the course of 127 days is permitted by the Fourth Amendment.”

Apparently looking to push the Supreme Court into making a technology-forward decision, the ACLU points out how data collection methods have improved since the 2011 arrest of Carpenter.  See e.g., Petition at 7 (“Although in this case MetroPCS provided only information identifying Carpenter’s cell site and sector at the start and end of his calls, service providers increasingly retain more granular historical location data, including for text messages and data connections. . . .Location precision is also increasing as service providers deploy millions of “small cells,” “which cover a very specific area, such as one floor of a building, the waiting room of an office, or a single home.””).

This case is noteworthy given that SCA law enforcement actions can sometimes impact future civil matters.  For example, on July 14, 2016, the Second Circuit ruled that the government could not force Microsoft to comply with a search warrant based on the SCA when that warrant required an extraterritorial search and seizure of data stored in Microsoft’s data center in Ireland.  In that case, probable cause was actually set forth in the warrant.  Nevertheless, the Court’s ruling, namely that the SCA-based warrant lacked extraterritorial effect, may allow for the quashing of future SCA civil subpoenas on similar grounds.

It is not clear how far the Supreme Court will reach when deciding the Carpenter case or whether language in the Court’s future decision might mold cases far afield from armed robberies in the Midwest.  Nevertheless, coupled with other cases such as the 2012 case of United States v. Jones where the Supreme Court first took a look at how the Fourth Amendment applies to police use of GPS technology, there may soon coalesce strong judicial guidance for digital marketers.   As recognized by Justice Sotomayor in United States v. Jones:

it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties.  This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks…Perhaps, as JUSTICE ALITO notes, some people may find the tradeoff of privacy for convenience worthwhile, or come to accept this diminution of privacy as inevitable, post, at 10, and perhaps not.

The United States v. Carpenter case may offer Justice Sotomayor a new and expanded platform for her 2012 dicta.  Digital marketers take note.

WannaCry provides a wakeup call for more training on email exploits

On May 12, 2017, WannaCry ransomware infections reportedly took hold of 200,000 computer systems in 150 countries.  The rise of ransomware has been a function of how cheap financial data has become to obtain on the dark web and the desire of criminals to branch out with other sources of income.

Ransomware is quite effective given it purposefully seeks to panic victims into clicking additional links thereby causing a user’s system to become infected with more pernicious malware.  For example, after seeing a screen blink on and off several times ransomware victims may next see the following message on their screen:  “Your computer has been infected with a virus. Click here to resolve the issue.”  Clicking on that link, however, will download additional malware to the system – thereby precluding possible quick fixes to the initial exploit.  It is such additional malware – coupled with very vulnerable legacy systems and procedures, that likely helped WannaCry promulgate so quickly.

Given slow patching and continued widespread use of legacy Windows products, Microsoft sought to slow the spread of WannaCry by offering free patches for its older Windows systems such as Windows XP.  Although helpful in curtailing replication, timely patching will not completely stem this threat.   Newer exploits such as WannaCry likely exist – and will continue to exist for some time, given the underlying code was reportedly created by the National Security Agency and is only a small sample of the “treasure trove” of spying tools released by WikiLeaks in March.  In fact, the WikiLeaks released material includes the source code used to evade anti-virus detection so entry-level hackers apparently now have the ability to immediately up their game.

Given that healthcare data is now considered the most valuable data by thieves, it is no surprise that the healthcare industry was especially hit hard by the WannaCry ransomware exploit.  Succumbing to WannaCry, Britain’s hospital network canceled or delayed treatments for thousands of patients.   In an effort to stem the tide in the US, HHS quickly offered covered entities access to loss prevention resources – including a link to its ransomware fact sheet and a link to the US-CERT response to WannaCry.  US-CERT offered last year helpful tips regarding ransomware loss mitigation techniques.

It is suggested that covered entities take to heart HHS’s desire to warn regarding ransomware exploits.  Given that OCR recently fined a covered entity $2.4 million simply for placing the name of a patient on a press release, ignoring HHS warnings regarding ransomware will likely result in significant penalties to HIPAA covered entities should they fall prey to such an exploit.

In addition to security procedures and implementations – such as whitelisting acceptable programs, aggresive email settings, and limiting user permissions, proper training remains the best antidote to both an exploit as well as an OCR or some other regulatory fine if an exploit ultimately succeeds.  And, the best training remains having users react to a continuous barrage of decoy exploits aimed at sharpening their skills.

Today’s phishing exploits that are being used to transmit ransomware often rely on some other person’s scraped contact information so that they can appear to come from known associates of the user.  These exploits may also use content that appear relevant to the user – such as a bar association communication.    And, finally the links themselves are masked so that it is not even possible to accurately determine where a link takes the user.   Given these indicia of authenticity, users often click on the embedded link rather than hit the delete button.  After exposure to numerous training exploits users are in a much better position to make sound decisions on how to treat actual exploits.  During the course of security training, it is suggested that some form of reward be given to those users who score the highest on the phishing training exercises – any money spent today to build an effective training program will pay significant dividends down the road.

OCR’s April settlements reinforce HIPAA priorities

On March 24, 2017, the Office for Civil Rights (OCR) announced the first settlement and corrective action plan involving a wireless health services provider when it announced a $2.5 million settlement with CardioNet –  a provider of “remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias.”   According to the Resolution Agreement and Corrective Action Plan, CardioNet sustained breaches of unsecured electronic protected health information (ePHI) resulting from lost laptops.  And, given that the lost laptops in question were unencrypted, CardioNet’s Corrective Action Plan required that CardioNet provide HHS with a certification that “all laptops, flashdrives, SD cards, and other portable media devices are encrypted, together with a description of the encryption methods used.”

In keeping with OCR’s apparent practice of announcing resolutions in groups – with a distinctive lesson to be made with each resolution, there was another settlement announced on April 20, 2017.  This time a fine of $31,000 was levied against the Center for Children’s Digestive Health (“CCDH”) after it could not produce a business associate agreement.  According to the negotiated Resolution Agreement and Corrective Action Plan, protected health information (PHI) was released to a third-party vendor who stored inactive paper medical records for patients of CCDH without satisfactory assurances in the form of a written business associate agreement that the vendor would appropriately safeguard the PHI in the vendor’s possession or control.  As done in the past when it came to the need for properly-worded business associate agreements, OCR made the point that business associate agreements are a necessary component of the HIPAA framework and the failure to have one when necessary would be a costly error.  See 45 C.F.R § 164.502(e).

And finally, on April 12, 2017, OCR announced a settlement and corrective action plan based on a covered entity’s failure to have an adequate risk management plan in place.  Specifically, on January 27, 2012, Metro Community Provider Network (“MCPN”), a federally-qualified health center filed a breach report with OCR indicating that a hacker accessed employees’ email accounts and obtained 3,200 individuals’ ePHI through a phishing incident.

OCR’s investigation revealed that MCPN took necessary corrective action related to the phishing incident; however, the investigation also revealed that MCPN failed to conduct a risk analysis until mid-February 2012. Prior to the breach incident, MCPN had not conducted a risk analysis to assess the risks and vulnerabilities in its ePHI environment, and, consequently, had not implemented any corresponding risk management plans to address the risks and vulnerabilities identified in a risk analysis. When MCPN finally conducted a risk analysis, that risk analysis, as well as all subsequent risk analyses, were insufficient to meet the requirements of the Security Rule.

Despite being a non-profit that provides primary medical care, dental care, pharmacies, social work, and behavioral care services “to approximately 43,000 patients per year, a large majority of who have incomes at or below the poverty level”, MCPN was hit with a $400,000 fine for its lack of an adequate risk management plan.

To sum up, this most recent grouping of OCR settlements highlights yet again the need for encryption, business associate agreements, and a working risk management plan.  Given that OCR settlements often take years to mature, investigative costs and legal expenses should also be factored into the mix when weighing the benefits of initial compliance.   With this latest round of settlements, it, however, appears clearer and clearer that an ounce of prevention is worth a pound of cure.

Privacy Shield Is not in play

On March 2, 2017, Věra Jourová – the Justice on the European Commission tasked with “Consumers and Gender Equality” recently raised a vague concern as to whether the Privacy Shield could withstand President Trump’s recent immigration executive order.  She said “If there is a significant change, we will suspend”.  This minimalist threat, however, seems more like an attempt to play up her visit to the White House in late March.

Privacy Shield is the data-transfer agreement negotiated by the United States and the European Union in February 2016 that is now relied upon by many international firms transferring and maintaining personal data between the EU and US.   Given that it was a court challenge that ultimately gave rise to Privacy Shield, it will always be subject to threat from legal action.  In fact, the ACLU and Human Rights Watch has already tried to stir the pot by sending a letter to the EU Commission after Trump’s recent executive action on immigration.  It is not clear why the American Civil Liberties Union would care about the privacy rights of those in the EU but that is left for a separate discussion.

To nip all of this in the bud, on February 22, 2017, Acting Federal Trade Commission Chairman Maureen Ohlhausen previously said that the immigration order would not in any way affect the FTC’s enforcement of the Privacy Shield given that order does not impact commercial activity.  To that end, Commissioner Jourová also previously said she was “not worried” but remained vigilant regarding the order.

There are lawyers who believe that Privacy Shield may be in play due to the President’s activities.  For example,  Aaron Tantleff of Foley & Lardner LLP is reported as saying “certain actions being taken by this administration could lead to the suspension of Privacy Shield. We may leave the EU Commission and Parliament with no choice.”  Such vague missives may be good at percolating new business but do not represent a pragmatic perspective regarding Privacy Shield’s real threat.

Given the now entrenched nature of Privacy Shield and the vested interest EU and US business interests have in its continued implementation, it appears only another judicial blow based on the lack of data security will derail it – requiring the same sort of EU court ruling based on NSA data collection that ultimately cut down the predecessor Safe Harbor rules in the first place.  Simply put, until the new Administration’s activities adversely impact the security of personal data by mass collecting data or forcing companies to compromise data security features there is not much to worry about.

Horizon settles state HIPAA claims based on lost laptops

On February 15, 2017, Horizon Healthcare Services, Inc. (“Horizon”) agreed to pay New Jersey authorities $1.1 million to resolve alleged HIPAA Privacy and Security Rule violations based on the November 2013 theft of two unencrypted laptops.  The stolen laptops compromised the privacy of 687,838 New Jersey policyholders.  This settlement comes on the heels of the Third Circuit reversing the dismissal of a putative class action filed against Horizon based on the same laptop incident.

After acknowledging that vendor moving company employees may have stolen the laptops, the Complaint recounts numerous alleged HIPAA violations.   Complaint ¶ 17, 43.  Horizon ultimately agreed by way of its consent judgment to a corrective action plan (“CAP”) and third-party audit – with $150,000 of the consent judgment as a “suspended penalty” that would be automatically vacated if the CAP was in material compliance two-years after entry of the judgment.

This costly Horizon incident provides several takeaways that never get old – encrypt all laptops and use an IT asset management plan that ensures the IT team can track all laptops with network access.   Most importantly, unlike Horizon never make any exceptions.  Complaint ¶ 23 (“As a result of the procurement of the MacBooks outside of Horizon BCBSNJ’s established process, certain MacBooks were not configured with approved encryption, data deletion and other software required by corporate policy.”).

FTC settles major IoT privacy case with smart TV maker VIZIO

On February 6, 2017, smart TV maker VIZIO entered into a stipulated Order granting injunctive relief and a monetary judgment to the FTC and New Jersey Division of Consumer Affairs.  The FTC brought its claims pursuant to Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b), and the New Jersey DCA brought claims pursuant to the New Jersey Consumer Fraud Act, N.J. Stat. Ann. § 56:8-1 et seq.  VIZIO and a subsidiary will pay $2.2 million to settle claims that the companies improperly tracked consumers’ viewing habits and sold this information without compensating viewers.  According to the Complaint filed the same day as the stipulated Order, Vizio and its subsidiary since February 2014 continuously collected viewing data on a “second-by-second” basis without any notice to the consumer.  Complaint at ¶ 14.  This action comes on the heels of the FTC’s smart TV workshop this past December.

Pursuant to the Order, all viewing data obtained by VIZIO prior to March 1, 2016 must be destroyed.  As for obtaining future viewing data, VIZIO must first prominently disclose to the consumer, separate and apart from any “privacy policy” or “terms of use” page: “(1) the types of Viewing Data that will be collected and used, (2) the types of Viewing Data that will be shared with third parties; (3) the identity or specific categories of such third parties; and (4) all purposes for Defendants’ sharing of such information.”  And, VIZIO will be able to collect such information only after the consumer affirmatively consents to such collection.

It is not entirely clear what incentive currently exists for consumers to voluntarily provide their viewing data to VIZIO given their initial smart TV purchases exist apart from any potential future relationship with VIZIO.  In other words, VIZIO really has nothing new to offer for this viewing data – it can only offer something on behalf of those who buy or broker this data.  Accordingly, VIZIO may act in the future as a new stream of commercials.  It has already been suggested that Netflix could make billions by bringing ads to its streaming offerings.

It has been reported that over half of US households use an internet-enabled television.  The VIZIO settlement with the FTC and New Jersey DCA does a great job of highlighting the peril of collecting IoT data such as TV viewing data without proper consent.  Samsung and LG faced similar pressure in 2015 but that was far from a clarion call given the lack of any hefty fine.

The VIZIO resolution may actually be more similar to the major shift brought on after CardSystems was breached over a decade ago.  CardSystems had no excuse for unsecurely maintaining track 2 data for its potential marketing purposes so that breach definitely helped promulgate the PCI data security standard.  Similarly, the VIZIO settlement may lead to more safeguards regarding the use of IoT data.  Rather than Visa or Mastercard waiting in the wings to enforce compliance we would have the FTC and state regulatory bodies.  Nevertheless, such efforts will still have to garner consumer support given the backdoor of affirmative consent that still exists even after the VIZIO resolution.  In other words, there may still have to be something in it for the consumer.

As previously suggested, it may finally be time for consumers to just be paid cash for their consumer data.

Third Circuit reinstates data breach case alleging FCRA violation

On January 20, 2017, the Third Circuit reversed the dismissal of a putative class action filed against Horizon Healthcare Services, Inc. (“Horizon”).  The suit was brought after two laptops containing personally identifiable information were stolen in 2013 from Horizon’s Newark offices.  The four named Plaintiffs filed suit on behalf of themselves and 839,000 other Horizon customers whose unencrypted personal information was stored on those laptops.  Plaintiffs alleged willful and negligent violations of the Fair Credit Reporting Act (“FCRA”), 15 U.S.C. § 1681, et seq., claiming that Horizon inadequately protected their personal information.

The District Court dismissed the suit under Fed. R. Civ. P. 12(b)(1) for lack of Article III standing.  According to the lower Court, none of the Plaintiffs had claimed a cognizable injury because, although their personal information had been stolen, none of them had adequately alleged that the information was actually used to their detriment.

According to the Third Circuit, in light of the congressional decision to create a remedy for the unauthorized transfer of personal information, an alleged violation of FCRA gives rise to an injury sufficient for Article III standing purposes.  And, even without evidence that the Plaintiffs’ information was in fact used improperly, the alleged disclosure of their personal information created a de facto injury. Accordingly, the Court ruled that all of the Plaintiffs suffered a cognizable injury, and the Complaint should not have been dismissed under Fed. R. Civ. P. 12(b)(1).  The fact that Horizon offered credit monitoring and identity theft protection services to those affected was not of any import to the majority or concurring opinion.

Reviewing the matter de novo, the Third Circuit first recognized that FCRA was enacted in 1970 “to ensure fair and accurate credit reporting, promote efficiency in the banking system, and protect consumer privacy.” In Re: Horizon Healthcare Services Inc. Data Breach Litigation, No. 15-2309, Slip Op. at 8 (3d Cir. January 20, 2017) (citing Safeco Ins. Co. of Am. v. Burr, 551 U.S. 47, 52 (2007)). With respect to consumer privacy, the statute imposes certain requirements on any “consumer reporting agency” that “regularly … assembl[es] or evaluat[es] consumer credit information . . . for the purpose of furnishing consumer reports to third parties.” 15 U.S.C. § 1681a(f).  Id.  And, any such agency that either willfully or negligently “fails to comply with any requirement imposed under [FCRA] with respect to any consumer is liable to that consumer.” Id.  (citing 15 U.S.C. §§ 1681n(a) (willful violations); 1681o(a) (negligent violations)).  See also Id. at 27 (“But with the passage of FCRA, Congress established that the unauthorized dissemination of personal information by a credit reporting agency causes an injury in and of itself – whether or not the disclosure of that information increased the risk of identity theft or some other future harm.”); Id. at 29, n. 20 (“Congress has elevated the unauthorized disclosure of information into a tort. And so there is nothing speculative about the harm that Plaintiffs allege.”).

Horizon did not challenge the validity of any of the Plaintiffs’ factual claims as part of its standing motion – arguing instead that that the allegations of the Complaint, even accepted as true, are insufficient to establish the Plaintiffs’ Article III standing.  Id. at 13.  This is significant given that the Third Circuit was only hearing the standing issue and not the substantive motion to dismiss.  See Id. at 13, n. 9 (“In its 12(b)(6) motion, which is not before us, Horizon questions whether it is bound by FCRA. In particular, Horizon suggests that it is not a “consumer reporting agency” and therefore is not subject to the requirements of FCRA. . . . Because we are faced solely with an attack on standing, we do not pass judgment on the merits of those questions. Our decision should not be read as expanding a claimant’s rights under FCRA. Rather, we assume for purposes of this appeal that FCRA was violated, as alleged, and analyze standing with that assumption in mind. Likewise, our decision regarding Article III standing does not resolve whether Plaintiffs have suffered compensable damages.”) (emphasis added).

It was this alleged substantive FCRA violation – which again was assumed to exist for purposes of its standing ruling, that ultimately caused the Third Circuit to find in favor of plaintiffs.     See Id. at 22, n. 16 (“Again, whether that injury is actionable under FCRA is a different question, one which we are presently assuming (without deciding) has an affirmative answer. See supra note 9.”); Id. at 28 – 29 (“So the Plaintiffs here do not allege a mere technical or procedural violation of FCRA. They allege instead the unauthorized dissemination of their own private information – the very injury that FCRA is intended to prevent.”) (footnotes omitted).

In reviewing the allegations found in the Complaint, the Third Circuit reasoned that the “trifle of injury” necessary to determine standing was met by virtue of the alleged FCRA violation.  Id. at 15.  Moreover, it found that its prior recent cases of In re Google Inc. Cookie Placement Consumer Privacy Litigation, 806 F.3d 125 (3d Cir. 2015) and In re Nickelodeon Consumer Privacy Litigation, 827 F.3d 262 (3d Cir. 2016) reconciled with such a result.  Id. at 22 (“In light of those two rulings, our path forward in this case is plain. The Plaintiffs here have at least as strong a basis for claiming that they were injured as the plaintiffs had in Google and Nickelodeon.”).

In a strong nod to what it perceived to be the stare decisis injury-in-fact precedents rendered prior to the Supreme Court’s decision in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), the Third Circuit reconciled that decision with the following:  “Although it is possible to read the Supreme Court’s decision in Spokeo as creating a requirement that a plaintiff show a statutory violation has caused a “material risk of harm” before he can bring suit, id. at 1550, we do not believe that the Court so intended to change the traditional standard for the establishment of standing.”  Id. at 24See also Id. at 25 (“Spokeo itself does not state that it is redefining the injury-in-fact requirement. Instead, it reemphasizes that Congress “has the power to define injuries,” 136 S. Ct. at 1549 (citation and internal quotation marks omitted), “that were previously inadequate in law.” Id.”).

In Re: Horizon Healthcare Services Inc. Data Breach Litigation is an important decision for numerous reasons – not the least of which is the fact the Third Circuit is one of the most influential circuit courts in the country.  First, notwithstanding the fact Defendant is a health insurer, in their Complaint, the Plaintiffs successfully asserted for standing purposes Horizon is also a consumer reporting agency.  This is significant given that the very first count of Plaintiffs’ Complaint claims that Horizon committed a willful violation of FCRA.  And, FCRA permits statutory damages for willful violations. See 15 U.S.C. § 1681n(a) (“Any person who willfully fails to comply with any requirement imposed under this subchapter with respect to any consumer is liable to that consumer in an amount equal to the sum of … any actual damages sustained by the consumer as a result of the failure or damages of not less than $100 and not more than $1,000. . . .”).

In other words, counsel recognized that statutory damages are a necessary predicate to successfully pursuing a class action based on a data breach claim and that merely alleging that a company is a consumer reporting agency will now be sufficient to get in the courthouse.   Even though retail breaches may be too difficult a stretch, there is nothing stopping class counsel from branching out from health insurers.   In the future, defense counsel may be forced to simply forego the previously successful standing motions and go straight to a Fed. R. Civ. P. 12(b)(6) substantive motion.   And, given that such motions are quite difficult to win, the end result may be many more “cost of suit” settlements ranging significantly upward.

This decision may ultimately end up being more noteworthy for the concurring opinion of Judge Shwartz.   According to Judge Shwartz, there was no reason to even rely on FCRA to reverse the lower court’s decision.  According to Judge Shwartz, the mere “loss of privacy” was sufficient to demonstrate injury in fact.  See Id. at 1, n. 4 (Shwartz, J., concurring) (“Plaintiffs allege that the theft of the laptops caused a loss of privacy, which is itself an injury in fact.”).    Moreover, the lack of encryption was deemed the efficient cause of this loss.  Id. at 5, n. 4 (Shwartz, J., concurring) (“I also conclude that Plaintiffs have sufficiently alleged that the injury was traceable, in part, to the failure to encrypt the data, and am satisfied that if proven, the injury could be redressable.”).

Judge Shwartz was not persuaded that there was sufficient reconciliation with prior cases or that there was even the need to have such reconciliation based on her view of the law.  Id. at 5, n. 3  (Shwartz, J., concurring) (“My colleagues view In re Google Cookie Placement Consumer Privacy Litigation, 806 F.3d 125 (3d Cir. 2015), and In re Nickelodeon Consumer Privacy Litigation, 827 F.3d 262 (3d Cir. 2016), as providing a basis for Plaintiffs to assert that a violation of the FCRA, without any resulting harm, satisfies the injury-in-fact requirement.  I do not rely on the possible existence of a statutory violation as the basis for standing, and am not persuaded that these cases support that particular point.”).   As a result, Judge Shwartz’ concurring opinion will likely be heavily cited by plaintiffs in data breach cases involving unencrypted data whether or not there are any possible FCRA violations.

All in all, January 20, 2017 was a very good day for class counsel pursuing data breach litigation.

OCR’s latest expensive HIPAA lessons

On January 18, 2017, the Office for Civil Rights (OCR) announced a HIPAA settlement based on the disclosure of unsecured electronic protected health information (ePHI) by MAPFRE Life Insurance Company of Puerto Rico (MAPFRE) stored in a USB storage device.    Simply put, a thumb drive stolen in 2011 from MAPFRE’s IT department cost it an astounding $2.2 million as a “resolution amount” in addition to a fairly onerous corrective action plan.

Apparently, the fact that MAPFRE is the U.S. subsidiary of a large “global multinational insurance company headquartered in Spain” played some role in the harsh fine.  The USB data storage device included complete names, dates of birth and Social Security numbers and impacted 2,209 individuals.   Given that MAPFRE’s lack of encryption was an adverse mitigating factor for OCR, covered entities should bite the bullet and continue to encrypt all devices touching ePHI no matter what the budget constraints.

Another recent HIPAA settlement allowed OCR to shine a light on something else of concern to HHS, namely the need to report breaches within the 60-day reporting window applicable to breaches impacting 500 or more patients.  On January 9, 2017, OCR issued a press release that says it all:  “First HIPAA enforcement action for lack of timely breach notification settles for $475,000”.  Rather than report within 60 days, Presence Health – a large health care network serving Illinois, took 104 days to report the loss of “paper-based operating room schedules, which contained the PHI of 836 individuals.”  A spokesman from Presence Health said in a statement that contact and financial information were not even compromised.

As done in the past when it came to the need for properly-worded business associate agreements, undergoing a comprehensive risk analysis, and cooperating in investigations, covered entities should be appreciate the examples made of MAPFRE and Presence Health – encrypt and timely report after a breach.

New York’s DFS provides a two-month reprieve

On December 28, 2016 – after a very public outcry from the financial community it regulates, New York’s Department of Financial Services (“DFS”) pushed to March 1, 2017 the January 1, 2017 deadline to comply with its proposed data security standards.  These security standards and related regulatory requirements – which are unique in the country, were first disclosed by DFS this past September and include a data breach reporting deadline that is a mere three days in length.

After reviewing 150 comments, the DFS doubled down on its proposed standards and only gave two more months for compliance.  As it now stands, the regulation will be officially implemented on March 1, 2017 and impacted firms will have 180 days to begin compliance – September 1, 2017.  And, by February 15, 2018, firms will be required to submit a certificate of compliance to DFS.

Despite vigorous opposition found in the submitted comments, the DFS retained several important aspects of its proposed regulations, including the three-day window to report a “cybersecurity event” – broadly defined to also include unsuccessful attempts, and the need to file annual certifications of compliance.

Another key component of these proposed regulations requires the designation of a Chief Information Security Officer.  Even though most large financial institutions already have that position filled, many firms subject to DFS jurisdiction will now have to allocate resources to either hire such an employee or reassign an existing employee to take on these new challenges.

All in all, the new DFS regulations – implementing specific security standards on New York’s largest business sector, will immediately generate significant business for those tech vendors and privacy lawyers offering gap-filling solutions that actually work.