
1

Responding to Privacy Breaches: Required Actions and Their Costs

September 8, 2010

Randy Gainer

2

Topics covered

Legally mandated actions you must take when protected health information (“PHI”) or personal information is lost or stolen;

Steps you should take to respond to data breaches; and

Examples of what it cost to respond to data breaches.

3

HIPAA regs.

HIPAA requires covered health care entities (e.g., hospitals, clinics, doctors) to notify patients and the HHS if unsecured PHI is disclosed to an unauthorized person and the breach poses a significant risk of harm.

See 42 U.S.C. § 17932 and 45 CFR 164.400-.414 (interim final rule).

4

HIPAA regs. (cont.)

PHI is individually identifiable info. related to physical or mental health or condition, care provided, or payment for care.

Includes info. maintained or transmitted electronically and in any other form.

5

HIPAA regs.

“Unsecured” PHI means protected health info. not rendered unusable to unauthorized individuals through use of a technology approved by HHS.

“Unusable” means unreadable or indecipherable by unauthorized persons. E.g., encrypted PHI.

6

HIPAA regs. (cont.)

The “significant risk of harm” that will require notice to potentially affected patients and HHS includes financial, reputational, or other harm to the patient.

The covered entity must determine if the breach poses such a risk.

7

HIPAA regs. (cont.)

Requiring notice only if there is significant risk of harm is termed a “soft trigger.”

Other statutes have “hard triggers.” HHS pulled the final data breach notice rules from OMB on July 27, 2010. Some speculate that the soft trigger may be replaced by a hard trigger. The interim rules remain in effect for now.

8

HIPAA regs. (cont.)

Notice to patients must be in writing, though urgent oral notice is o.k.

Written notice to patients must occur without unreasonable delay and not later than 60 days after discovery of the breach.

9

HIPAA regs. (cont.)

If 500 or more patients are affected, notify HHS at the same time patients are notified. Notice should be given via the HHS website: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html.

Smaller breaches must be reported to HHS annually.

10

HIPAA regs. (cont.)

Press releases regarding the breach must be sent to prominent media outlets serving the state without unreasonable delay, within 60 days of discovery.

11

State notice requirements

State data breach laws require entities that own or license unencrypted computerized personal information to promptly notify individuals if a breach of the security of the computerized system compromises the security of the information.

12

State notice req’ts (cont’d)

State data breach laws typically define “personal information” as a person’s first name or initial, plus last name, plus SSN, driver’s license or state ID card number, or financial account number. Some state statutes include “medical information.”

13

State notice req’ts (cont’d)

As of Sept. 2, 2010, 46 states, Washington, D.C., and Puerto Rico have data breach notification laws. Alabama, Kentucky, New Mexico, and South Dakota have not yet enacted data breach notice laws.

14

State notice req’ts (cont’d)

Massachusetts, North Carolina, New Hampshire, New York, and Puerto Rico also require that government officials in those jurisdictions be notified of a breach that affects large numbers of their residents.

15

State notice req’ts (cont’d)

California Health and Safety Code Section 1280.15

- Applies to hospitals, skilled-nursing facilities, psychiatric health facilities, clinics, home health agencies, and hospices licensed under Ca. laws.
- Covers individually-identifiable information, in electronic or physical form.
- Pertains to any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information.

16

State notice req’ts (cont’d)

Ca. H & S Code, § 1280.15 (cont’d)

- “Unauthorized” means the inappropriate access, review, or viewing of medical information without a direct need for medical diagnosis, treatment, or other lawful purpose under any state or federal law.
- Requires notice to patient and Ca. Dept. of Public Health within five business days after detection.
- H & S Code § 1280.15 is a “hard trigger” statute.

17

PCI DSS

Businesses that accept credit and debit cards are required by their contracts with their banks to comply with the Payment Card Industry Data Security Standard (“PCI DSS”).

The PCI DSS requires that merchants notify card associations immediately if payment card data are stolen from the merchant.

18

Purposes of notice requirements

To protect individuals from fraud:

- 11.1 million Americans were victims of identity theft in 2009, a crime wave that cost consumers and businesses more than $54 billion in 2009 (Javelin).
- Identity theft is the fastest growing white collar crime in America.
- It takes a person an average of 150 hours and $900 to resolve fraudulent charges.

19

Purposes for notices (cont’d)

To encourage businesses to improve their information security practices by mandating disclosure of data thefts.

20

Types of fraud

Common types of fraud:

- Current account fraud: credit card, debit card, phone card.
- Identity theft using an individual’s name and SSN:
  - to establish new credit;
  - to commit other crimes.

21

Types of fraud (cont’d)

Other types of fraud: driver’s licenses, health benefits, insurance fraud, rental housing, utilities, government benefits, fraudulent W-2s.

These may not show up on credit reports for years.

22

Types of fraud (cont’d)

Targets include anyone with a SSN or payment card.

The thieves’ modus operandi:

- Gain access to large numbers of potential victims
- Keep a low profile
- Victimize average consumers over long periods
- Sell victims’ personal information

23

Actions required after a breach

1. Senior management, board members, and counsel must be notified and must plan a response

2. The breach must be investigated to determine what information was obtained, lost, or disclosed, and how the breach occurred.

3. Management must determine who else should be notified: patients, law enforcement, HHS, employees, others?

4. Management must determine how the notices will be sent and must manage the notice process.

5. Inquiries and lawsuits must be responded to.

6. Security flaws must be corrected, damages paid, and all mitigation efforts documented.

24

Actions required (cont’d): Step 1

1. Notify internal senior management and counsel, and develop:

- a communication plan to contact other internal officials;
- a plan to identify, prioritize, assign, and manage tasks, e.g., who will direct and manage the investigation; who, if necessary, will contact law enforcement (if there was a theft); who, if necessary, will coordinate media strategy; and who will supervise the notification and inquiry process.

25

Actions required (cont’d): Step 2

2. Investigate: Coordinate investigative steps consistent with the initial plan:

- What information was accessed or stolen?
- Were PHI or “computerized data” obtained by an unauthorized person (internal/external)?

If computer forensics, network security, or private investigators are needed, they should be hired by counsel to permit him or her to advise you. The consultants’ reports should be privileged.

26

Actions required, Step 2 (cont’d):

Determine what information was stolen or lost, and how:

- Lost or stolen laptop, CD, thumb drive, iPod, PDA, smartphone
- Lost back-up data
- Paper files
- Hacking or extortion
- Rogue employee, internal fraud
- Email sent to wrong address
- FTP file transfer
- Theft from or loss by third party

27

Actions required (cont’d): Step 3

3. Determine whom to notify outside of the organization:

- Notify law enforcement of any theft. Discuss with law enforcement whether to delay notifying others.
- Create a list of any potentially affected individuals, with notice addresses.
- Notify employees, media?

28

Actions required, Step 3. (cont’d)

Determine if you’re required to notify customers, government officials, or both. If so, decide how you will provide notice.

Most statutes require postal mail notice in most circumstances.

Will you send postal notices yourself? Will you send email notices as well?

Notify accurately rather than notifying quickly.

29

Actions required (cont’d): Step 4

4. Determine how to send notifications. If individuals are to be notified:

- decide whether to outsource notice;
- decide whether to offer credit monitoring and other services (one year of credit monitoring is standard);
- draft notice letters with potential litigation in mind;
- train operators for a call-in center, draft scripts, and post important info. and FAQs on your website.

Any notices to regulators should concisely explain what occurred and what remediation steps have been and are being taken.

30

Actions required: Step 4 (cont’d)

For notices to patients or customers, what is your deliverable?

- “Your data has been lost or stolen and here is a list of things you can do to protect yourself,” or
- “Here’s some assistance to resolve potential problems.”

31

Actions required: Step 4 (cont’d)

Consider hiring one of the companies that provide notices and other services. It will help minimize the disruption of your business. Specialists can better assist your customers.

32

Actions required (cont’d): Step 5

5. Respond to inquiries and to litigation:

Respond to individuals, employees, and the media honestly but with an understanding that everything you say may be used in court.

Be prepared to defend against a class action lawsuit if lost or stolen information is misused.

33

Actions required (cont’d): Step 6

6. Correct security flaws and remediate damages:

Correct all vulnerabilities, e.g.:

- institute secure transport and storage of backup tapes;
- encrypt personal information on all portable devices;
- install “lojack” (“call home”) software on laptops;
- deploy software to prevent data leakage through outgoing emails;
- ensure that audit logs are retained;
- implement automated auditing of logs;

34

Actions required: Step 6 (cont’d)

Correct all vulnerabilities, e.g. (cont’d):

- ensure that video surveillance of areas where info. is stored is functioning;
- hire staff to implement and monitor firewalls or outsource that work;
- install and monitor intrusion detection and prevention systems;
- ensure that anti-virus software is consistently maintained and patches are always installed; and
- harden servers and operating system software by turning off unneeded features.

35

Actions required: Step 6 (cont’d)

- If your computer network was penetrated, prepare for additional attacks when the breach is disclosed.
- If individuals can show they suffered fraud related to the breach, compensate them. Your claims specialists should review fraud claims.
- Experts estimate that 1-4% of the population have experienced “identity theft.” You should compensate only fraud that was probably caused by the breach at your company, not by another event.

36

Prices for contracted-out notices and other services

E.g., Kroll, Inc. provides:

- Address verification, if address data are more than one year old: 50¢ per record;
- Mailing notices, plus 12 months of call center coverage and access to investigators: $4.50 per person impacted;

37

Prices for contracted-out notices and other services (cont’d)

Kroll prices (cont’d):

- Credit reports and credit monitoring: $22 to $75 per person, depending on deliverables (price depends on usage; for 275 cases in 2009, Kroll’s average usage or “take-rate” was 17%); and
- Identity “restoration” (resolving fraudulent charges or identity theft): $500 per approved case (approval requires an investigation and a determination that the person is a victim of fraud and the fraudulent activity began after the breach).

38

Examples of costs incurred

In December 2005, a thief stole backup discs and tapes from the vehicle of an employee of Providence Health & Services.

The tapes and discs contained unencrypted information about 365,000 patients.

39

Examples of costs incurred (cont’d)

A few patients filed a putative class action case against Providence in Oregon state court.

The trial court dismissed the case because the patients could not show they incurred any damages.

An appeal is pending.

40

Examples of costs incurred (cont’d)

HHS investigated the backup disc and tape theft, as well as several incidents in which Providence laptops were stolen. HHS investigators sent document requests and interviewed witnesses. HHS officials negotiated a Resolution Agreement in 2008.

41

Examples of costs incurred (cont’d)

The Resolution Agreement included a three-year Corrective Action Plan (“CAP”) that requires Providence to improve its information security practices, train its workforce, monitor compliance with the CAP, and report any additional breaches.

42

Examples of costs incurred (cont’d)

Providence backup theft costs 2006-08: approximately $7 million.

43

Examples of costs incurred (cont’d)

Providence is meeting its responsibilities under the CAP.

The key to Providence’s success was management’s decision to plan, build, and operate first-class information security practices across the five-state, 50,000-employee organization.

44

Examples of costs incurred (cont’d)

That led to:

- Hiring a CISO,
- Creating a new information security management structure,
- Increasing the number of its info. security employees from five to 18,
- Rewriting info sec. policies and procedures, and
- Deploying and managing state-of-the-art info. sec. software.

45

Examples of costs incurred (cont’d)

Providence’s annual information security costs increased by more than 800% from 2005 to 2009.

46

Examples of costs incurred (cont’d)

Online theft of 35,000 payment card datasets (2010):

Additional employee wages: $94,893
Temp. staffing: $82,773
Forensic investigation: $93,020
PCI DSS compliance review: $22,200
New hosting service: $185,880
Network redesign: $17,000
New hardware: $65,460
New software: $27,241
Legal: $30,000
Customer notices, call center, credit restoration services ($6.25/customer): $218,750
Lost business during temporary shutdown: $159,784

Total: $997,001

47

Examples of costs incurred (cont’d)

These cost examples amounted to $18.94 and $28.49 per patient or customer.

That’s less than reported average costs. E.g., Ponemon Institute, for records stolen in 2008: direct costs per record: $50; indirect costs per record (lost productivity, stock price decrease, etc.): $152.

48

Questions?

49

Contact information

Randy Gainer

Davis Wright Tremaine LLP

(206) 757-8047
