Data Breaches Prevention and Response Strategies Milada R. Goturi Thompson Coburn LLP Troy D. Cahill LaserShip, Inc.


Data Breaches – Prevention and Response Strategies

Milada R. Goturi, Thompson Coburn LLP

Troy D. Cahill, LaserShip, Inc.

Who is at Risk?

Everyone

Commonly Targeted Industries

▪ Financial Services

▪ Retail

▪ Healthcare

▪ Education

▪ Manufacturing

▪ IT Services

▪ Business Services

▪ Government

▪ Media


Recently Reported Data Breaches

▪ University of Idaho (2017)

• 257 records with employee personal information compromised in phishing attack

▪ Glastonbury School District (2017)

• W-2 records of 1,600 employees released in e-mail scam

▪ Ellwood Thompson’s Local Market (2017)

• Personal information of 360 employees released in e-mail scam

MultiCare breach allows access to personal records for 1,200 patients

“TACOMA, Wash. – A data breach in November 2016 at MultiCare Health System allowed access to 1,200 patients’ personal records, the non-profit reported Thursday.

An unauthorized person may have gained access to an employee’s email account on Nov. 27, 2016. The account may have contained personal patient information, including name, date of birth, address, gender, date of service, account balance, and diagnosis and treatment information.

When MultiCare learned of the breach, they secured the email account, changed the password, and investigated the incident.”

http://www.king5.com/news/health/multicare-breach-allows-access-to-personal-records-for-1200-patients/393722371

Theft of Unencrypted Laptop Exposes Wonderful Health and Wellness Patients’ ePHI

POSTED BY HIPAA JOURNAL / JAN. 24, 2017

“Los Angeles-based Wonderful Health and Wellness has notified patients that their electronic protected health information (ePHI) was exposed in early December, 2016 when an unencrypted laptop computer was stolen from the company’s Wonderful Center for Health Innovation.

The laptop contained a range of protected health information including patients’ names along with their home addresses, telephone numbers, dates of birth, email addresses, clinical account numbers, medical conditions, treatment information, treatment dates, and test results. No Social Security numbers or financial information were stored on the device.

While the laptop computer was not encrypted, software had been installed which allows data on the device to be remotely deleted, although only if the laptop is used to connect to the Internet. Wonderful Health and Wellness has programmed the software to delete all sensitive data on the device the next time the device connects.”

Hacker impersonates Sunrun CEO, nabs employee W-2 tax forms

By David R. Baker, Friday, January 27, 2017

“A hacker posing as Sunrun CEO Lynn Jurich obtained the W-2 tax forms—including Social Security numbers and salary details—for many employees of the San Francisco solar firm, the company said Friday.

Someone pretending to be Jurich sent Sunrun’s payroll department an email on Jan. 20 requesting employee W-2 forms, which companies typically send their employees this month.

‘Unfortunately, the phishing email wasn’t recognized for what it was—a scam—and employee W-2s for 2016 were disclosed externally,’ the real Jurich wrote to Sunrun employees in a memo this week.”

http://www.sfgate.com/business/article/Sunrun-hack-nabs-employee-W-2-tax-forms-10889441.php

Common Causes of Data Breaches

▪ Lost or stolen devices

▪ Malware/Ransomware

▪ Unsecured website login systems

▪ Use of unapproved, insecure software

▪ Insecure IT infrastructure

▪ Phishing/e-mail scam

▪ Employees mishandling data

▪ Human factor/negligence


Goals of a Breach?

▪ Money

▪ Theft of personal information

• Purchase of goods with stolen credit card information

• Filing of fraudulent tax returns

• Opening of fraudulent loans

▪ Sale of personal information

▪ Disgruntled employee use of information

Consequences of a Data Breach

▪ Reputation threat

▪ Substantial costs in breach response

▪ Contractual obligations

▪ Governmental fines

▪ Private lawsuits


A reputation that took decades to build can be threatened by a single event.

Statistics

▪ 2016 Cost of Data Breach Study: US

• Average organizational cost = $7M

• Up 29.8% since 2013

• Per compromised record cost = $221

• Up 17.6% since 2013

http://ibm.co/2b771w7


Key Enforcers

▪ State Attorney General Office

• State data breach laws

▪ US Department of Health and Human Services, Office of Civil Rights (OCR)

• HIPAA, HITECH

▪ Federal Trade Commission (FTC)

• Section 5(a) of FTC Act – prohibits unfair or deceptive acts or practices in or affecting commerce

▪ Private lawsuits


What is a Data Breach?

▪ Data Breach/Security Breach = unauthorized access to, disclosure or acquisition of personal information

▪ Definitions vary by state

▪ Must check applicable state law

State Data Breach Laws – Key Elements

▪ Personal information

▪ In unencrypted form (some laws also apply to paper records)

▪ Accessed, acquired or improperly disclosed

▪ An unauthorized party

• Enacted by 48 states

• The holdouts – South Dakota, Alabama

• Some state laws contain a risk of harm threshold

• Updates/amendments common

What is Personal Information?

▪ “Personal Information” or “Personally Identifying Information” (“PI” or “PII”):

• Individual’s name and one of the following:

• Social security number

• Account number with access # or PIN

• State identification/driver’s license number

• Credit card number

• Additional identifiers vary by state (e.g., health information, insurance information)

State Breach Notification Requirements

▪ Requirements vary by state

• All states require notification to the affected individuals

• Many states require notification of the State’s Attorney General or Credit Reporting Agencies

• Some states impose timeframe for notification

• Must check state law

Breach Notification Letters to State Residents

▪ Content requirements vary by state but generally need to include:

• What happened and when?

• What information was exposed?

• What the company is doing in response and to prevent it from reoccurring?

• Contact information to ask questions

▪ Free credit monitoring services requirement/consideration

▪ Beware of “form” letters


Multi State Breach Challenges

▪ Residents of multiple states affected

• Crafting breach notice letter

• Incident meets definition of Data Breach in some but not all of the affected states – will you notify all?

▪ Customers affected

▪ Employees affected

HIPAA Breach Notification Requirements

▪ Affects Covered Entities and Business Associates (i.e., vendors)

▪ Important terms to know:

• PHI – protected health information

• Unsecured PHI

• Breach of Unsecured PHI

• Covered Entity

• Business Associate

• Security Rule

• Privacy Rule

• Breach Notification Rule

Who Must Comply With HIPAA?

▪ Covered Entities – covered healthcare providers, health plans, and healthcare clearinghouses

• Consider: Do you have self-funded health plans, EAP, flexible spending account?

▪ Business Associates – vendors that perform for or on behalf of a covered entity a function or service that involves access to PHI (e.g., IT company, records storage company, delivery couriers, consultants)

What is Protected Health Information?

▪ Protected Health Information:

• Medical information

• Demographic information

• Billing information

▪ Unsecured Protected Health Information:

• Un-shredded paper records

• Unencrypted electronic information

What are Breach Notification Rules?

▪ HIPAA Breach Notification Rules require notice of Breach to the individual, OCR and (in some cases) media

▪ Business Associates must notify Covered Entities if a “Breach” occurs

▪ “Breach of Unsecured PHI” = acquisition, access, use or disclosure of Unsecured PHI not permitted under the Privacy Rule that compromises the security or privacy of PHI

▪ Risk assessment required

Breach Notification to Patients

▪ Without unreasonable delay

▪ In no event more than 60 days after discovery of breach

▪ Business Associates must notify covered entities within 60 days of breach discovery (but often much shorter timeframe specified in a business associate agreement)

Breach Notification to OCR and Media

▪ Breach affecting 500 or more individuals = notify OCR without unreasonable delay and no later than 60 days following a breach

▪ Breach affecting fewer than 500 individuals = notify OCR no later than 60 days after the end of the calendar year in which the breach was discovered

• OCR investigates all breaches involving 500 or more patients; increased investigation of smaller breaches expected

▪ Media notice required for breaches involving 500 or more state residents

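The timing rules on this slide and on the preceding “Breach Notification to Patients” slide are easy to get wrong under pressure, so here is an added example (not from the presentation or its authors) that turns them into a small deadline calculator an incident response team could keep with its plan. It assumes the risk assessment has already concluded that a reportable breach of Unsecured PHI occurred, that every 60-day clock runs from the discovery date, and that the 500-individual threshold is applied per state for media notice and in total for OCR; the function names and the sample incident are constructed for this example.

```python
from datetime import date, timedelta

# Thresholds and windows as stated on the slides.
LARGE_BREACH_THRESHOLD = 500   # 500 or more individuals (OCR) / state residents (media)
NOTICE_WINDOW_DAYS = 60        # outer limit for individual, OCR and business associate notices


def _as_date(value):
    """Accept either a date or an ISO 'YYYY-MM-DD' string (assumption: discovery date is known)."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def individual_notice_deadline(discovered: date) -> date:
    """Individuals: without unreasonable delay, and never later than 60 days after discovery."""
    return discovered + timedelta(days=NOTICE_WINDOW_DAYS)


def ocr_notice_deadline(discovered: date, affected: int) -> date:
    """OCR: 60 days after discovery for 500+ individuals; otherwise 60 days after the
    end of the calendar year in which the breach was discovered (the 'annual log')."""
    if affected >= LARGE_BREACH_THRESHOLD:
        return discovered + timedelta(days=NOTICE_WINDOW_DAYS)
    year_end = date(discovered.year, 12, 31)
    return year_end + timedelta(days=NOTICE_WINDOW_DAYS)


def media_notice_states(residents_by_state: dict) -> list:
    """Media notice is required in every state with 500 or more affected residents."""
    return sorted(s for s, n in residents_by_state.items() if n >= LARGE_BREACH_THRESHOLD)


def business_associate_deadline(discovered: date, contract_days=None) -> date:
    """Business Associate -> Covered Entity: 60 days by rule, but a business associate
    agreement often sets a shorter window; the shorter of the two governs."""
    days = NOTICE_WINDOW_DAYS
    if contract_days is not None:
        days = min(contract_days, NOTICE_WINDOW_DAYS)
    return discovered + timedelta(days=days)


def notification_plan(discovered, residents_by_state, is_business_associate=False,
                      ba_contract_days=None) -> dict:
    """Build the notice schedule for one incident. Dates are returned as ISO strings
    so the plan can be dropped straight into an incident record."""
    discovered = _as_date(discovered)
    affected = sum(residents_by_state.values())
    large = affected >= LARGE_BREACH_THRESHOLD
    plan = {
        "affected_individuals": affected,
        "individuals_by": individual_notice_deadline(discovered).isoformat(),
        "ocr_by": ocr_notice_deadline(discovered, affected).isoformat(),
        "ocr_timing": "without unreasonable delay" if large else "after end of calendar year",
        "media_notice_states": media_notice_states(residents_by_state),
        # The slide says OCR investigates every breach of 500 or more patients.
        "expect_ocr_investigation": large,
    }
    if is_business_associate:
        plan["covered_entity_by"] = business_associate_deadline(
            discovered, ba_contract_days).isoformat()
    return plan


if __name__ == "__main__":
    # Constructed sample incident (not one of the cases on the slides): discovered
    # 2017-01-24, 700 Washington and 120 Oregon residents affected, handled by a
    # business associate whose agreement requires notice to the covered entity in 10 days.
    plan = notification_plan("2017-01-24", {"WA": 700, "OR": 120},
                             is_business_associate=True, ba_contract_days=10)
    for key, value in plan.items():
        print(f"{key}: {value}")
```

The under-500 branch is the one teams most often miss: the OCR deadline moves to 60 days after year end, but the individual-notice deadline does not move, which the two separate functions make visible. State breach laws with their own timeframes are a separate check and are not modelled here.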

HIPAA Enforcement Examples

▪ February 1, 2017 – Children’s Medical Center of Dallas paid $3.2 million to settle potential violations of HIPAA and agreed to implement a corrective action plan

• Loss of unencrypted BlackBerry with PHI of 3,800 patients in airport; theft of unencrypted laptop from hospital premises

▪ November 22, 2016 – University of Massachusetts paid $650,000 to settle potential violations of HIPAA and agreed to implement a corrective action plan

• Workstation affected by malware caused breach of 1,670 patients

▪ October 17, 2016 – St. Joseph Health agreed to pay $2,140,500 to settle potential violations of HIPAA and agreed to implement a corrective action plan

• Files containing PHI were publicly accessible through internet search engines from 2011 until 2012

FTC and AG Enforcement Examples

▪ Ashley Madison (December 14, 2016)

• $1.6M settlement; comprehensive data security plan required (FTC)

▪ Henry Schein Practice Solutions, Inc., In the Matter of (May 23, 2016)

• Allegation of deceptive data encryption

• $250,000 payment under consent order (FTC)

▪ 2/2017 – Acer (December 2017)

• PII stored in unsecure format

• $115,000 settlement, required to improve security practices (NY Attorney General)

Legislative Developments

▪ February 23, 2017 – bill to enact Active Cyber Defense Certainty Act

• “To amend Title 18, United States Code, to provide a defense to prosecution for fraud and related activity in connection with computers for persons defending against unauthorized intrusions into their computers”

• Active cyber defense measure = defense to prosecution

Case Studies

• Stolen laptop

• Data files sent to incorrect recipient

• Un-shredded documents recycled

• Data sent to personal email

• Employee errors

• Disgruntled employee leaves with data

• Lost luggage

• Missing FedEx

• Malware

• Ransomware

• Facebook

• Community garage sale

Each incident must be evaluated on its own facts!


Breach Prevention Strategies

▪ Know your Data

• What data is collected?

• How is data stored?

• Where are backups?

• How are backups created?

• Is data encrypted?

• Who has access?

• How long do you maintain records?

▪ Consider Data Flow Chart


Breach Prevention Strategies

▪ Assess and address risks and vulnerabilities – do you:

• Collect, store or transmit any PII or PHI?

• Transport PII or PHI on portable devices or paper files?

• Outsource computer network operations, data or network management?

• Share data with vendors?

• Allow remote access?

• Have data on mobile electronic devices?

• Allow use of personal devices?

• Have current intrusion detection software/protocol?

• Have a posted privacy policy that aligns with your internal data management practices?

Breach Prevention Strategies

▪ Establish solid data privacy and security policies and procedures

• Access control

• Password requirements/selection guidelines

• Workstation use and security

• Data integrity/protection from malicious software

• Facility security

• Remote access

• Removal of data

• Transmission of data

• Data backup

• Data disposal

• Disaster recovery

• Vendor contracts

• Audit control

• Security incident reporting and management

• Sanctions

• Training

Breach Prevention Strategies

▪ Minimize personal information collected and retained

▪ Invest in encryption technology

▪ Require vendors to safeguard confidential information

• Vendor screening process

• Indemnity obligations

▪ Perform cybersecurity audits

▪ Penetration testing

▪ Vulnerability scanning

▪ Use available resources (e.g., NIST)

▪ Know applicable legal requirements


Breach Prevention Strategies

▪ Educate employees – cannot be overemphasized

• Limits the scope or frequency of breaches

• Reflects commitment to compliance

• Training = part of orientation, annual, periodic

• Document training

▪ Limit access to data based on job requirements

• Minimum Necessary Standard

▪ Enforce security and privacy policies

• Part of evaluation, sanctions for noncompliance


Breach Preparation – Insurance Considerations

▪ General liability insurance

▪ Cybersecurity/breach insurance

• Is the policy appropriate for your organization?

• What are the carve outs?

• What are the limits and deductibles?

• Counsel and expert panels

Breach Preparation – Incident Response Plan

▪ Create an Incident Response Plan

• Will differ based on the company, structure and the information handled

• Creates a blueprint of steps and responsibilities following a breach

• Allows the company to assess the breach and craft an efficient, timely response

▪ Test the plan!

• Tabletop exercises and drills

Incident Response Plan

▪ Identify the Incident Response Team and responsibilities

• Legal, IT, Human Resources, PR representatives

▪ Create mechanism for employees to report security incidents and require reporting

▪ Outline procedure for assessing reported incidents

▪ Create internal notification program for notifying the Incident Response Team, insurers, etc.

▪ Outline process for bringing forensics experts into the response

Incident Response Plan

▪ Define a process for identifying and implementing remediation measures

▪ Identify the process for notifying impacted individuals

▪ Identify what process will be used to determine whether notification is appropriate where not legally required

▪ Create a process for concluding the incident and retaining documentation of the incident and the response


Continuously Assess Readiness

▪ Monitor compliance

• Employees

• Organization

• Vendors

• Coordination between legal and IT

▪ Sign up for security issues alerts (e.g., NIST Computer Security Resource Center alerts http://csrc.nist.gov/; US CERT mailing list https://www.us-cert.gov/mailing-lists-and-feeds)

• Share with IT and employees – periodic security reminders

▪ Hit refresh

• Update policies

• Update Incident Response Plan

• Evaluate and update IT security

What if there is a breach?

Response – Lifecycle of a Breach

▪ Identification – Determine whether a breach has occurred

▪ Containment – Contain and mitigate

▪ Remediation – Take steps to prevent reoccurrence

▪ Notification – Provide notifications

Response – Know Whom to Call

▪ Incident Response Team

▪ Management

▪ Legal counsel

▪ IT support

▪ Public relations

▪ Forensic support

▪ Insurance

▪ Consider contractual obligations


Identification – Determine if Breach Occurred

▪ Question: Is the incident a data breach?

▪ Investigate promptly

• Consider relevant facts

• Inside or outside threat?

• Conduct interviews

• Analyze compromised systems

• Identify malware employed, if applicable

• Engage forensic experts, as appropriate

• Reconstruct the incident

• Analyze applicable legal standards

Identification – Determine if Breach Occurred

▪ Evaluate the nature, extent and scope of incident

• What information was improperly disclosed?

• Was the information recovered?

• When and how did the incident happen?

• How many individuals were affected?

• Does the incident involve residents of multiple states?

▪ Document the investigation findings, conclusion and rationale

▪ Consider attorney-client privilege

▪ What if the incident is not a breach?


Breach Response – Contain and Remediate

▪ Contain the breach

• E.g., identify and remove malware for analysis

• E.g., if theft of mobile device, inform law enforcement

• E.g., close unsecured website portal login

▪ Prepare internal and external communications

▪ Strengthen data security policies

▪ Have a plan to prevent reoccurrence

▪ Provide additional training on data security

▪ Maintain documentation of actions

▪ Considerations for breaches caused by a vendor


Response – Provide Required Notices

▪ Notify impacted individuals

• Legally required vs business reasons for notification

• Prevents customers from finding out about the breach from someone other than the business

• Credit monitoring/identity monitoring

▪ Dedicate trained personnel to handle calls/call centers

▪ Consider address location issues/returned mail management

▪ Notify AG, OCR, etc. – if required

• Notices must be timely

• Must follow legal requirements

▪ Consider contractual notices and obligations


Expect an Investigation

▪ Attorney General, Office of Civil Rights, FTC

• Cooperate with investigators

• Provide prompt and accurate responses

• Do not withhold information

• Be prepared for on-site interviews

• Demonstrate data security policies and practices

• Demonstrate employee training

• Demonstrate actions taken in response to the breach


Questions?

Milada Goturi, Partner

Thompson Coburn LLP

Washington D.C.

[email protected]

202-585-6051

Troy Cahill, General Counsel

Lasership, Inc.

Washington, D.C.

[email protected]

703-761-9030, ext. 8188

Milada Goturi

Milada is a Partner at Thompson Coburn practicing in the areas of Health Care and Cybersecurity. She advises clients on complex regulatory compliance matters and has significant experience in HIPAA compliance and data privacy and security. Milada has helped numerous healthcare and other clients establish privacy and security compliance programs, including developing privacy and security policies and conducting privacy and security training programs. Should any compliance concerns or data breach matters occur, Milada assists clients to manage the incident and ensure an appropriate response.

Milada also represents organizations faced with investigations by various government enforcement agencies, including the U.S. Department of Justice, U.S. Department of Health and Human Services, State Attorney General, Office of Civil Rights and others. She works closely with clients on developing appropriate responses and successfully negotiating timely and favorable outcomes.


Troy Cahill

Troy serves as General Counsel and Director of the Legal Department at LaserShip, Inc. In this capacity, he advises LaserShip’s management and Board of Directors on all legal affairs and issues that involve or relate to the company operations. In addition to his prior presentations relating to legal department management for the Association of Corporate Counsel, Troy has published and presented on a broad range of legal issues, with a particular emphasis on constitutional law and labor and employment law.

Prior to beginning work at LaserShip, Troy was in private practice in Washington, D.C. and, prior to that, served as Clerk’s Office Staff Counsel at the Supreme Court of the United States. He received his Juris Doctor with honors from the Wake Forest University School of Law.
