Colorado Casualty: Stolen Health Records Not a Covered Event

As detailed by the Salt Lake Tribune, Colorado Casualty Insurance Co. contends it is not obligated to cover costs incurred in 2008 by the University of Utah after tapes containing electronic medical billings records on 1.7 million patients were stolen from a car.   The insurer filed a declaratory judgment action on April 9, 2010 seeking a declaration that the commercial package insurance purchased by the vendor who was to safeguard the records, Perpetual Storage, did provide coverage for the claims made against the insurer.   A review of the seven-page complaint provides no insight as to the terms of the policy in question. 

The claim is ultimately based on first-party costs incured by the University of Utah.   Not including 6,232 in personnel hours responding to the breach, the University allegedly spent over $3.2 million on:  (1) $646,149 in printing and mailing costs; (2) $81,389 for a call center that fielded over 11,000 calls within two weeks; and (3) $2.5 million for credit-monitoring services. 

Notwithstanding what the Colorado Casualty policy may actually state, the above claim would have been covered under most network security and privacy policies.   Lesson learned:   It is critical to confirm a vendor’s insurance clause lists the necessary coverages — including NSAP coverage if they are to handle sensitive data.

White House Cyber Security Plan Focuses on EHR Management

According to an article in Government Health IT, the White House is looking to develop a network security strategy “that pays particular heed to the importance of building a trusted arena for electronic health care transactions.”    Howard Schmidt, the White House Cyber Security Czar, said at a May 11 HIPAA conference on privacy and security that the administration will roll out a “trust framework” based on  technologies, standards, services and policies that will eventually be adopted by the government, industry and consumers. 

According to Schmidt, “[o]ne-person physician offices have to be part of this system.  They have to have the capacity to trust identity and to trust medical records and information because they don’t have infrastructure and they don’t have a CIO.”  The White House’s ultimate goal is to instill enough “trust” in the system so that small practice groups and individual providers would be willing to adopt electronic health records (EHRs).   This initiative comes on the heels of the HITECH Act’s goal of prodding the use of EHRs throughout the health care food chain.

Since the passage of the HITECH Act, there has been much criticism regarding the utility of EHRs (the time needed to transcribe notes, mistakes made in such transcriptions, content limitations, etc.) so it remains to be seen whether widespread use will ever take hold notwithstanding the HITECH Act’s stick/carrot approach to prodding implementation.  Indeed, some have argued that one of the goals of the Act, i.e.,  the improvement of health care by changing patient behavior, will likely take a turn for the worse after EHR implementation.  

To the extent practice groups and providers actually take the plunge and devote resources to a new EHR implementation, they should likely apply a holistic approach to security and privacy that applies general risk management principles.   This article recently published by AHRMNY in its Risk Management Quarterly provides an EHR risk management overview that can help start that process.   As well, here is a link to the presentations from the recent HIPAA conference (minus Mr. Schmidt’s keynote address).   There are several linked presentations that talk to risk assessments and other security considerations of interest to providers and those folks who advise them.

Law Firms Feel the Data Breach Heat and Start Buying Insurance

Here are just a few of the many network security and privacy (NSAP) headline incidents that have hit law firms over the years:

  • “Employee at a Palo Alto law firm steals 90 laptops and 120 desktop computers and sells them”
  • “Eighteen laptops stolen from the Orlando office of a major law firm”
  • “Paralegal at a New York law firm downloads a 400 page trial plan in a major case and offers to sell it to the adverse party.”
  • “Employee of a vendor at the Los Angeles office of a major law firm steals a client’s highly confidential encryption data and posts it on hacker websites.”
  • “Thief remains in the offices of a Phoenix law firm after it closes and steals 3 laptops.”
  • “Laptop is stolen from a Cincinnati law firm and is found on eBay.”

Although some insurers are now offering network security and privacy coverage endorsements on their Lawyers Professional Liability (LPL) policies, the vast majority of law firms are generally without any coverage for data loss or theft.   For many years, the old guard broker heaviest in LPL told its clients that coverage for data breach events would be covered under the traditional LPL coverage grant given any breach of confidentiality – including one involving a data breach – would trigger coverage as the provision of legal services.   Fast forward to today and the tune has changed.  It is pretty much standard now for law firms to at least evaluate NSAP options.   Here are just a few of the reasons why NSAP options make sense for law firms: 

  • There is no other available coverage for post-breach expenses such as forensics.
  • Coverage for data and other non-physical perils is routinely excluded under Property policies.
  • The “intentional acts” exclusion found in the standard LPL policy might eliminate coverage if the breach was caused by an insider.
  • Coverage may be unavailable for acts that are outside the provision of professional services.
  • Liability arising out of the destruction of electronic data is not typically covered under the standard General Liability or Property policies.
  • Direct losses caused by vendors may not be covered under crime policies.
  • Crime policies generally only cover theft of money, securities or other tangible property – not information theft or the destruction of electronic data.

For a more “in depth” look at the relevant digital coverage gaps for law firms, read this now timely article written over six years ago.

The $60 Email

By now most have heard of the lady who fumed when a courtesy eight word e-mail response (“I hope everything is O.K.  Take your time.”) was billed by her attorney at $60 (.2 hours x $300 hourly rate).   Her experience left her asking one question:  “How does anyone treat people like this and still manage to stay in business?”  That is the problem in a nutshell.  Lawyers are trained to be lawyers and not profit-focused business people.   In other words, they are not focused on staying in business.

Ignoring for a second the fact that taking twelve minutes to compose such a response may not have been very efficient use of time, the associate who wrote it was just thinking like a lawyer when it came to billing his or her time.   The time was spent so it should be billed.  Whereas a profit-focused law firm would have likely collected such non-substantive email, tallied the time, put all such time on the bill — and then assign a zero charge to this “non-billable time”, more often than not such over-the-top charges fall through the cracks and end up actually going out to clients.  A profit-focused law firm would never have let such a bill leave its doors given such a business realizes just how damaging it would be to its bottom line to charge for eight word emails that involve no true billable time.

Regulatory and Judicial Enforcement of “Reasonable Security”

On April 12, 2010, Brokerage firm D.A. Davidson & Co. was hit by The Financial Industry Regulatory Authority (FINRA) with a $375,000 fine due to a 2007 data breach.    The breach potentially impacted 192,000 customers and involved social security numbers, dates of birth and other confidential information.  In what has been for years now a fairly  common occurrence, the firm was exploited by a SQL injection vulnerability that allowed hackers to break into a database server holding the data.

Davidson learned of the breach after it received an extortion note from one of the hackers seeking money to keep silent.  According to FINRA, the breach was caused by Davidson’s failure to implement “well-known and recommended security measures for protecting customer data.”   It said that Davidson had failed to encrypt sensitive customer data, and had kept its customer database on a Web server with a default vendor password and a “constant open Internet connection.”

This case should not be looked upon in isolation.  A failure to implement reasonable security is giving rise to a  growing regulatory risk.   For example, on March 25, 2010, the FTC settled a case claiming that the Dave & Busters restaurant and arcade chain failed to inadequately protect consumer information.  The FTC alleged in its complaint that a hacker exploited vulnerabilities in Dave & Buster’s systems to install unauthorized software and access approximately 130,000 credit and debit cards. 

Negligence claims based on the lack of “reasonble security” has also been gaining ground in the courts.  For example, last year the U.S. District Court for the Northern District of Illinois allowed suit to proceed against Citizens Financial Bank given that plaintiffs’ home equity loan was depleted to the tune of $26,500 by an online thief who transferred the money to a bank in Austria.  The negligence claim against Citizens Financial Bank was allowed to proceed given there was a factual issue as to whether the bank utilized adequate security controls.  There are other pending cases where the court has reasoned that the lack of reasonable security can be the underpining of a negligence claim.   The moving target in all of these cases is determining what exactly constitutes “reasonable security”.

UPDATE:  February 22, 2021

The Sedona Conference (TSC) – a nonpartisan, nonprofit charitable research and educational institute “dedicated to the advanced study of law and policy in the areas of antitrust law, complex litigation and intellectual property rights”, released in February 2022 what it perceived to be the proper definition of “reasonable security”.  As a reminder, TSC famously previously helped Courts determine the proper contours of e-discovery.  

Recognizing that cybersecurity reasonableness crosses both legal and technology issues, the Technology Resource Panel of TSC recognized that a reasonableness test would help to bridge that divide.  The Sedona Conference, Commentary on a Reasonable Security Test, 22 SEDONA CONF. J. 345, 355 (forthcoming 2021).  Accordingly, the proposed test for reasonable security was designed to be consistent with “models for determining reasonableness that have been used in various other contexts by courts, in legislative and regulatory oversight, and in information security control frameworks.”  Id. at 358.

The Sedona Conference Commentary on a Reasonable Security Test consists of the following formula:  “B2 – B1 < (P x H)1 – (P x H)2” where B represents the burden, P represents the probability of harm, H represents the magnitude of harm, subscript 1 represents the controls (or lack thereof) at the time the information steward allegedly had unreasonable security in place, and subscript 2 represents the alternative or supplementary control.  Id. at 360.  This test is ultimately based on the landmark Learned Hand negligence test in United States v. Carroll Towing Co., 159 F.2d 169, 173 (2nd Cir. 1947).  

TSC’s Commentary should be studied for numerous reasons, including the fact it is applied to actual recent enforcement actions and provides solid arguments for its judicial application.  No different than the highly cited TSC e-discovery initiatives, this new TSC reasonable security test may very well be relied on by future courts tackling this important question.

CLT: Law Firms Resort to Suing Their Clients to Collect Fees

According to an article in the Connecticut Law Tribune, during the past several years there has been an uptick in the instances of law firms suing to recover their fees.  O’Connell, Flaherty & Attmore based in Hartford, Connecticcut, has been suing clients since 2008, and the firm “has 29 pending cases seeking about $523,000 in unpaid fees.”   The Hartford office of Bingham McCutchen, “is seeking $764,000 in fees from former client Richard D. Cohen of Capital Properties.”   And, Pepe & Hazard, now part of McElroy, Deutsch, Mulvaney & Carpenter, filed three collections lawsuits in the past two years –  which is one more than it filed in the past ten years.    

As recognized in the article, some of the largest law firms nationwide have been filing collection actions during the past few months, including Debevoise & Plimpton, McDermott Will & Emery, and Williams & Connolly. And, earlier this year, a jury awarded Drinker Biddle & Reath $1.8 million in a fee dispute case.

This agressive collection strategy has been criticized by some.  According to Bill Jawitz, a law firm consultant in Milford, Connecticut, more law firms are asking Jawitz about the strategy of filing lawsuits against clients.  He is quoted in the article as saying he “strongly” advises against it given such suits can lead to bad publicity for a firm and often invites malpractice counterclaims.  As well, he says, “It sucks up time and money to fight these battles.  It’s a sign of bad financial management.” 

Although it is true that law firms have traditionally been hesitant to file a claim against clients for fear of being hit with a counterclaim sounding in malpractice, the article’s author points out that a check of Connecticut court records “revealed no pending malpractice claims filed by clients sued over past-due bills.”   More than likely at least a few such counterclaims exist and the author merely missed them.  On the other hand, plaintiff’s burden in proving a malpractice claim is not slight.   A plaintiff often needs to prove “a case within a case” in order to recover. 

And, getting plaintiff’s counsel to take on a malpractice counterclaim may not be as easy as it once was given the costs involved in battling  a law firm hungry for its fees and seeking to protect its reputation.   In other words, maybe the counterclaims are really not as frequent as they once were.  In any event, professional liability insurers should be pursuaded not to penalize those law firms who fight to recover fees.

It is clear that malpractice insurers currently take notice of fee disputes.  Indeed, a common question found in most any professional liability application is:  “How many suits for collection of fees have been filed by the Applicant Firm during the past 2 years?”  The obvious assumption being that such suits bring with them malpractice claims.  And, whether frivolous or not, such suits must be defended. 

There are strategies that exist which completely obviate the need to file suit against a client.  These strategies apply risk management techniques usually undertaken by manufacturers and not professional service firms.   Moreover, not only would they help on the collection backend, they would help on the front-end when a decision is made to take on the client in the first instance.   As a final added benefit, these strategies will also serve to lower professional liability insurance rates.

NJ Supreme Court Sides with Employee on Email Privacy Case

On March 30, 2010, the New Jersey Supreme Court issued its opinion in Stengart v. LovingCare Agency, Inc., 2010 WL 1189458 (N.J. March 30, 2010).  This hotly anticipated ruling was a clear win for employee privacy rights.  It was also clearly the right decision given the facts.  

In its decision, the Court affirmed the Appellate Court’s ruling that an employer was precluded from accessing  attorney-client privileged email.  The email was deemed protected by way of the attorney-client privilege even though the employee accessed the email during work hours using an employer’s laptop.  The key factor in creating a reasonable expectation of  privacy was the plaintiff’s use of her personal Yahoo! webmail service to send and receive the email.   In other words, although the laptop computer used was employer property, the information remained “employee property” given it was password protected via the Yahoo! website.   Moreover, she never stored the password on the company laptop.   The Appellate Divison and Supreme Court were likely also swayed by the fact the attorney-client privileged email in question were used by the employer’s counsel in a pending litigation involving plaintiff.

The Court went into detail regarding how the employer’s Electronic Communications Policy (which was part of its employee handbook) did not provide notice regarding any lack of privacy in a webmail service.  Specifically, the Court ruled:

It is not clear from that language whether the use of personal, password-protected, web-based e-mail accounts via company equipment is covered. The Policy uses general language to refer to its “media systems and services” but does not define those terms. Elsewhere, the Policy prohibits certain uses of “the e-mail system,” which appears to be a reference to company e-mail accounts. The Policy does not address personal accounts at all. In other words, employees do not have express notice that messages sent or received on a personal, web-based e-mail account are subject to monitoring if company equipment is used to access the account.

 The Policy also does not warn employees that the contents of such e-mails are stored on a hard drive and can be forensically retrieved and read by Loving Care.

 The Policy goes on to declare that e-mails “are not to be considered private or personal to any individual employee.” In the very next point, the Policy acknowledges that “[o]ccasional personal use [of e-mail] is permitted.” As written, the Policy creates ambiguity about whether personal e-mail use is company or private property.

Id. at 13 – 14.

A more carefully crafted employee manual would have not likely led to a different result.  It appears as if the Court  provides a roadmap for employers but one in which attorney client communications would always remain sacrosanct.   For example, although many employee manuals already outright preclude employees from accessing webmail via company computers, such a blanket prohibition would likely not be enough going forward given this ruling.  See Id. at 28 – 29 (“[E]mployers have no need or basis to read the specific contents of personal, privileged, attorney-client communications in order to enforce corporate policy.  Because of the important public policy concerns underlying the attorney – client privilege, even a more clearly written company manual  – that is, a policy that banned all personal computer use and provided unambiguous notice that an employer could retrieve and read an employee’s attorney client communications, if accessed on a personal, password protected e-mail account using the company’s computer system – would not be enforceable.”).

It appears as if the correct approach for employers looking to access certain employee email exchanged via a webmail service is to  provide even more specific guidance regarding what may or may not be done by the employee.   For example, it may help to provide an explicit warning that all email exchanged via a webmail service is subject to the general email policy of the firm.  Banning pornography and “hate speech” email would clearly not be a problem under this ruling.  When it comes to attorney-client material, a warning regarding the insecure nature of such  communication may be warranted as well as a reminder that non-business communications are deemed inappropriate and can possibly lead to termination.  Nothing in the ruling would preclude using non-business activity against an employee.  As well, transmitting proprietary company material with insecure, un-archived, and non-sanctioned forms of communication such as webmail services would likely still be considered against corporate policy under this ruling.  Finally, when drafting a policy, it should be made clear that the company cannot and will not guarantee the confidentiality of any communications made using a webmail service. 

Given many employees blur personal and company time, it is often the case that employees are checking their personal email on company time.  Indeed, the advent of webmail services from Yahoo!, Google, Microsoft and others makes it an almost a trivial task to check personal email on company PCs, laptops, and smart phones.  Given the Stengart decision, New Jersey employers should evaluate their current procedures regarding use of webmail services with an understanding that attorney-client email may be strictly off limits to corporate eyes.

New Ponemon Survey Shows 77% of UK Firms Sustained a Data Breach

As reported in Information Week, “[s]eventy-seven percent of C-level executives in a 115-person survey conducted in the U.K. say their organization has experienced a data breach at some point and all of them report attacks targeting corporate data in the past 12 months.”   This Ponemon Institute survey was sponsored by IBM. 

Interestingly, 75% of the survey’s respondents viewed the CIO as being responsible for data protection while 82% of respondents would not fire the CIO if he or she failed to stop a data breach.  This is a not so subtle recognition that companies are unable to completely avoid a cyber attack so firing for an inevitable outcome would be unfair.  This mature perspective provides yet another reason to evaluate network security and privacy insurance.

Law Firm Management of Network Security – Proactive or Reactive?

Several recent articles – one in the March 2010 issue of the ABA Journal and another in the March 9, 2010 issue of The National Law Journal – offer a study in contrast regarding how law firms are dealing with data security exposures.  The ABA Journal takes the position that law firms are proactive in managing this exposure by, for example, barring use of the iPhone.  The National Law Journal article takes the position that although attacks against law firms have been increasing the past several years, “[w]hen it comes to network security, however, law firms in general do not invest as heavily as do other industries.”

A review of the law firm procedures and attitudes related to data security indicates a wide gulf that is really hard to find consensus on.  Some law firms absolutely do not focus on this as an issue and really go about their business as if their network security is an autonomous part of the office that can take care of itself.   On a relative scale, revenue generation for these firms is number one or two while data security is between ten and twenty.  That is not to say there aren’t some small firms who actually do understand how rainmaking can be enhanced with a strong data management system in place.  They are just in the minority.

Given the economic downward spiral that has not let up for the past several years, law firms must obviously be judicious with their resources.  It is clear to some, however, that spending time and money improving the network security and privacy posture of a firm can ultimately help improve its financial position.   As with most things in business (go ask Steve Jobs), it is about the proper marketing of your services.  Running a tight data security ship is no different from being well-versed in environmental law prior to advising clients who may have an environmental exposure.  It should be considered part of the advance work necessary to be a successful attorney.  On the flip side, if you are one of the hundreds of law firms to have sustained a data breach during the past several years, there is no need for further prodding.   The old adage “once bitten, twice shy” will certainly apply and money to improve data security will flow quite easily.

Hotels Remain a Hot Hacker Target

The Westin Bonaventure in Los Angeles is the latest publicly disclosed hotel hacker target.  Unfortunately, there are likely ten or more hotels hit this month that don’t even know about it.   For years now, the hospitality industry has been hit hard with malicious attackers looking to gain access by whatever means necessary – whether via point-of-sale (as they did with the Bonaventure) or directly into a network server far removed from the restaurant or hotel’s location.   In fact, according to one leading security vendor, in 2009 hackers broke into hotel networks more so than in any other industry.  More importantly, the organizations hit by attacks didn’t discover breaches for an average of 156 days.   This Trustwave report was compiled from data breach investigations across the world.

Given their data loss exposures, it is not surprising that some hotel brands have been purchasing network security and privacy insurance for years now.   One leading luxury brand has bought such coverage for over six years.  The covered claims for some of these insurance purchases have more than paid for the premium.  The question remains whether an independent owner or franchisee needs to purchase its own coverage. 

First of all, if you are a franchisee, the reservation networks are usually maintained by the franchisor.  Why should a franchisee pay for coverage on a system maintained by another party – albeit a party with a strong relationship to the franchisee?  To answer that question, the franchisee needs to review its Franchise Disclosure Document (FDD) to ensure that data loss indemnifications are in place.  For example, under the FDD, who is liable for a breach if it’s point-of-sale and your employee was somehow negligent?

Secondly, what if your property collects information based on client preferences, health needs, or other sensitive data?  Where and how is that information stored?  Is it encrypted?  Will this information ultimately be safeguarded by your franchisor partner.  Although most recent hacks have focused on credit card information given that this financial information is so easy to monetize, what about the “cyber-extortion” threat potential should other sensitive client data be in the hands of those same hackers.  Cyber-extortion has become a somewhat common insurance coverage grant.

As is a sound business strategy for any company, a “back up” plan should be in place that takes into consideration the potential your franchisor’s network may likely be compromised at some point.  Not only should a back up network security and privacy plan be in place, but all related risks should be quantified.   After this risk analysis is completed, an evaluation should be made determining whether separate NSAP insurance makes sense to protect your own interests.

Legal and Business Advocacy