TNHFMA 2016 Fall Institute
October 20, 2016
Tatiana Melnik, Melnik Legal PLLC
Tampa, FL
Outline
I. Regulating Privacy and Data Security
II. Enforcement Landscape
  1) Federal Enforcement
  2) State Enforcement
  3) Private Enforcement
III. What does the enforcement tell us?
I. Regulating Privacy and Data Security

The Foundation of Privacy
o U.S. Constitution
  No explicit mention of any right of privacy
o Federal Statutes & Regulations
  FTC Act Section 5, GLBA, SOX, HIPAA, HITECH, COPPA, and more…
  Based on context: targeted information, targeted constituency, segregation of highly sensitive information
o State Laws
o International Laws
  Individual countries have their own laws
  Changes to the “Safe Harbor” due to the European Court of Justice decision in October 2015 (for details see http://www.export.gov/safeharbor)
  The new framework is called the “EU-U.S. Privacy Shield Framework” (for details, see https://www.privacyshield.gov)
o Industry Standards
  PCI-DSS
    Relied on by the FTC in the Wyndham Hotels settlement
    The FTC is studying data security auditing practices: in March 2016 it sent letters to PCI-DSS auditors requesting information about the “auditors and their policies, practices, and procedures” (Mandiant, PricewaterhouseCoopers, Verizon/CyberTrust, plus 6 others)
  NIST
    Generally the de facto standard throughout industry, because NIST sets the standards for U.S. federal agencies, and HHS guidance under the Breach Notification Rule points to NIST publications to define what counts as encryption (PHI encrypted consistent with that guidance is not “unsecured PHI,” so its loss does not trigger notification)
II. Enforcement Landscape
Enforcement Landscape
o Complex Enforcement Environment
  Federal Trade Commission
  HHS Office for Civil Rights
  State Attorneys General
  Consumers
  **CFPB (Dwolla, Mar. 2, 2016)
  Credit Unions, Banks, Credit Card Companies, Insurance Regulators, FFIEC, NYDFS
  **SEC (Morgan Stanley, June 8, 2016)
  **FCC (Cox, Nov. 5, 2015)
  OIG Audits, GAO Audits (Sept. 26, 2016 report on OCR, GAO-16-771)
Federal Trade Commission
• Works for consumers to prevent fraudulent, deceptive, and unfair business practices
• Section 5 – “unfair or deceptive acts or practices in or affecting commerce ...are... declared unlawful.”
• Has broad authority to pursue companies in any industry (with limited statutory exceptions, such as banks, common carriers, and most nonprofits)
• Has pursued companies across a number of industries
• Practices the FTC finds problematic
  – Improper use of data
  – Retroactive changes (to privacy policies)
  – Deceitful data collection
  – Unfair data security practices
• The FTC will settle with the Company and its Owner(s)
  ― Company – 20 years
  ― Owners – 10 years
For a more detailed analysis of the practices the FTC finds problematic, see Daniel J. Solove & Woodrow Hartzog, The FTC and the New Common Law of Privacy, 114 Colum. L. Rev. 583 (2014)
• Notable Cases/Settlements
  ― Practice Fusion (settlement: June 8, 2016)
    Wanted to develop a provider directory; began sending e-mails to patients in April 2012
    The e-mails appeared to be sent on behalf of the patients’ doctors and asked consumers to rate their provider “[t]o help improve your service in the future”
    “Because patients likely thought the information was only shared with their provider,” they shared very sensitive information that was then posted online (e.g., a Xanax prescription, a suicidal child, etc.)
    The FTC alleged that Practice Fusion “misled consumers by soliciting reviews for their doctors, without disclosing adequately that these reviews would be publicly posted on the Internet resulting in the public disclosure of patients’ sensitive personal and medical information”
    Practice Fusion must, “prior to making consumers’ information publicly available, clearly and conspicuously disclose – separate and apart from a privacy policy, terms of use or other similar document – that it is making such information publicly available and obtain consumers’ affirmative consent.”
  Isn’t Practice Fusion a Business Associate?
    • April 2012 – Practice Fusion started contacting patients
    • March 26, 2013 – HIPAA Omnibus Rule effective date
    • Sept. 23, 2013 – compliance date
    What does this mean for providers who use Practice Fusion?
  ― Wyndham Hotels
    The FTC won in the Third Circuit, Aug. 24, 2015
    Wyndham settled in Dec. 2015 – the Stipulated Order makes for interesting reading; the FTC looked to the PCI-DSS standards
  ― LabMD
    The FTC lost before the ALJ (Nov. 13, 2015); FTC complaint counsel appealed to the full Commission, which reversed the ALJ on July 29, 2016, and LabMD has since sought review in the Eleventh Circuit – see the included expert report on acceptable security practices for guidance
HHS Office for Civil Rights
o Enforces HIPAA
o The HITECH Act (2009) expanded the scope of coverage to authorize enforcement directly against certain vendors (business associates, or BAs), by OCR and by State AGs
o Mandatory penalties (HITECH made civil money penalties mandatory for violations due to willful neglect)
o Enforcement by HHS Office for Civil Rights
  To date ~34 organizations have paid out a total of $25M+ in settlements (plus two civil money penalties)
  o Cignet Health ($4.3M) (civil money penalty)
  o UCLA Health System ($865,500) (employees snooping in records)
  o Blue Cross Blue Shield of TN ($1.5M) (stolen servers left at a former office)
  o Alaska Dept. of Health & Human Services ($1.7M) (stolen USB hard drive)
  o Massachusetts Eye & Ear Infirmary ($1.5M) (lost laptop)
  o New York & Presbyterian Hospital ($3.3M) and Columbia University ($1.5M) (server configuration error; records indexed by a search engine)
  o Anchorage Community Mental Health Services ($150K) (malware on unpatched and unsupported software)
  o Cornell Prescription Pharmacy ($125K) (paper records)
  o St. Elizabeth’s Medical Center ($218K) (document sharing software)
  o Triple-S Management Corp. ($3.5M) (settlement) (also fined $6.8M by the Puerto Rico insurance regulator)
  o Cancer Care Group ($750K) (stolen laptop)
  o Lincare, Inc. ($239K) (Feb. 3, 2016) (civil money penalty; case initiated on June 23, 2009)
  o Complete P.T., Pool & Land Physical Therapy ($25K) (Feb. 16, 2016) (patient testimonials)
  o North Memorial Health Care of Minnesota ($1.55M) (March 16, 2016) (no BAA)
  o Raleigh Orthopaedic Clinic, P.A. of North Carolina ($750K) (April 19, 2016) (no BAA)
  o Catholic Health Care Services of the Archdiocese of Philadelphia ($650K) (June 29, 2016)
  o Oregon Health & Science Univ. ($2.7M) (July 18, 2016)
  o Univ. of Miss. Medical Center ($2.75M) (July 21, 2016)
  o Advocate Health Care Network ($5.55M) (Aug. 4, 2016)
  o Care New England Health System ($400K) (Sept. 23, 2016) (old BAA)
Private Enforcement: Consumers
Class Actions
  Negligence
  Breach of warranty
  False advertising
  Unreasonable delay in notification / remedying breach
Individual Claims
  Negligence
  Intentional infliction of emotional distress
  Invasion of privacy
  Negligent supervision
Abigail E. Hinchy v. Walgreen Co. et al. (Indiana Superior Ct., 2013)
• A pharmacist improperly accessed the medical records of one patient
• The patient reported the incident to Walgreen, but Walgreen’s software did not log accesses
• Once Walgreen learned of the employee’s conduct, it did not disable the pharmacist’s access
• The jury awarded $1.8 million, with $1.4M of that to be paid by Walgreens (this decision is now final)
• The security lesson: record access must be logged so that misuse can be investigated, and access must be revoked promptly once misuse is known
Private Enforcement: Banks & Credit Unions
o Target as a case study
  Sued by at least 5 banks
  Sued by each of the 4 major payment card networks
  Settled with Visa to pay up to $67M
  More than 100 lawsuits filed
  Settled the consumer class action for $10M
  Investigated by State Attorneys General, the FTC and the SEC
  Through Aug. 1, 2015, the data breach had cost Target ~$400 million (with $150 million covered by insurance) (see Form 10-Q dated 8/25/2015)
o Another to consider: Office Depot
Private Enforcement: Insurance Carriers
o Cyberliability Coverage
  A data breach is inevitable
  Insurance = risk reduction
  But, how do insurance companies reduce their own risk?
Columbia Casualty Co. v. Cottage Health Systems (C.D. California) – filed May 7, 2015 (first case of its kind)
• Columbia paid $4.125M to settle a class action stemming from a breach (32,500 records disclosed; settlement class of 50,917)
• “The complaint alleges that the breach occurred because Cottage and/or its third-party vendor, INSYNC Computer Solution, Inc. (“INSYNC”), stored medical records on a system that was fully accessible to the internet but failed to install encryption or take other security measures to protect patient information from becoming available to anyone who ‘surfed’ the internet.”
• Cottage had completed a “Risk Control Self Assessment” as part of its application, in which it made the following relevant representations:
  Whenever you entrust sensitive information to 3rd parties do you...
  • contractually require all such 3rd parties to protect this information with safeguards at least as good as your own [YES]
  • perform due diligence on each such 3rd party to ensure that their safeguards for protecting sensitive information meet your standards (e.g. conduct security/privacy audits or review findings of independent security/privacy auditors) [YES]
  • audit all such 3rd parties at least once per year to ensure that they continuously satisfy your standards for safeguarding sensitive information? [YES]
  • require them to either have sufficient liquid assets or maintain enough insurance to cover their liability arising from a breach of privacy or confidentiality. [YES]
• “Columbia seeks a declaration that it is not obligated to provide Cottage with a defense or indemnification in connection with any and all claims stemming from the data breach at issue.”
• Columbia also seeks a declaration of its entitlement to reimbursement in full from Cottage for any and all attorney’s fees or related costs or expenses Columbia has paid or will pay in connection with the defense and settlement of the class action lawsuit
• “Upon information and belief, INSYNC does not maintain sufficient liquid assets to contribute towards the proposed settlement fund and does not maintain liability insurance that applies with respect to the privacy claims asserted in the Underlying Action.”
• The Policy excluded coverage for any failure by the insured to “continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance…”
III. What does the enforcement tell us?
Use Common Sense
o HIPAA is permissive, but not THAT permissive…
  Complete P.T., Pool & Land Physical Therapy, Inc. – OCR settlement: $25K (Feb. 16, 2016)
    The complaint alleged that “Complete P.T. had impermissibly disclosed numerous individuals’ [PHI], when it posted patient testimonials, including full names and full face photographic images, to its website without obtaining valid, HIPAA-compliant authorizations”
  New York Presbyterian Hospital – OCR settlement: $2.2M (April 21, 2016)
    As described by OCR: “for the egregious disclosure of two patients’ [PHI] to film crews and staff during the filming of “NY Med,” an ABC television series, without first obtaining authorization from the patients”
    Second settlement in two years; the first was in May 2014 for $3.3M (part of a $4.8M joint settlement with Columbia University)
Perform a Risk Analysis
o Organizations must undertake a Risk Analysis to understand where they are exposed to risks
o Must:
  Conduct an initial risk analysis
  Conduct a risk analysis in response to a change in the environment that impacts PII/PHI: implementation of new technology, software upgrades, an office move, etc.
o Be sure the Risk Analysis includes a vulnerability scan and/or a penetration test (many vendors will not include this in the initial pricing proposal; you need to ask!)
o Pitfall(s) cited by enforcers
  Failure to “use readily available measures to identify commonly known or reasonably foreseeable security risks and vulnerabilities on its networks (e.g., by not using measures such as penetration tests, LabMD could not adequately assess the extent of the risks and vulnerabilities of its networks)” (FTC v. LabMD)
Security Risks are Everywhere…
(chart: over 100 terabytes of traffic processed and analyzed daily; 49,917 unique malicious events; 723 unique malicious source IPs)
Portable Devices Create Risks
o Common cause of data breaches (and enforcement actions) – OCR
  Massachusetts Eye and Ear Infirmary – $1.5M (stolen laptop)
  Concentra Health Services – $1,725,220 (stolen laptop)
  QCA Health Plan, Inc. of Arkansas – $250K (stolen laptop)
o Pitfall(s) cited by enforcers
  Lack of appropriate policies and procedures for incident identification, reporting, and response (OCR, MEEI, $1.5M)
  Failure to restrict access to authorized users (OCR, MEEI)
  Failure “[t]o provide [organization] with a reasonable means of knowing whether or what type of portable devices were being used to access its network” (OCR, MEEI)
  Failure to preserve devices for litigation (spoliation)
o Secure portable devices
  Encrypt, encrypt, encrypt (use technology that is FIPS 140-2 validated; a lost or stolen device whose data is encrypted consistent with HHS/NIST guidance, with the key kept off the device, does not hold “unsecured PHI” under the Breach Notification Rule)
o Develop policies and procedures that address the use of mobile devices
o Have employees sign a BYOD Agreement
  Reduce spoliation risks
  Clarify the need to maintain access to the device
Flow Down Obligations to Vendors
o Contracts with vendors must address privacy and security obligations
  Obligations to maintain policies and procedures?
  Scope of authorization to use data: how does the grant of rights compare to the indemnification obligations?
  Who determines when there is a “breach”? Is there a requirement to notify in the event of a “security incident”?
  The timeline must be considered, particularly if the entity operates in multiple states
  Is the vendor required to encrypt data?
  Who pays for responses to a subpoena?
  Caps on liability? Should there be?
  Insurance requirements?
  What is your process to make sure policies are maintained?
o Pitfall(s) cited by enforcers
  OCR
    HIPAA requires that covered entities and business associates implement BAAs with their vendors
    Lack of a BAA, or an old BAA, was cited as the major deficiency in three OCR settlements this year:
    • North Memorial Health Care of Minnesota ($1.55M) (March 16, 2016) (no BAA)
    • Raleigh Orthopaedic Clinic, P.A. of North Carolina ($750K) (April 19, 2016) (no BAA)
    • Care New England Health System ($400K) (Sept. 23, 2016) (old BAA)
  FTC
    The company failed to “require [that vendor] by contract … adopt and implement appropriate security measures to protect personal information in medical audio and transcript files, such as by requiring that files be securely stored and securely transmitted to typists (e.g., through encryption) and authenticating typists (e.g., through unique user credentials) before granting them access to such files” (FTC v. GMR Transcription)
Buy Your Own Insurance
o A data breach is inevitable and costs continue to increase
  (chart) Source: Ponemon Institute, 2016 Cost of a Data Breach Study (US only data)
o …. But, don’t forget to read the policy
o Some policies exclude coverage:
  for damages that arise out of activity that is contrary to your “Privacy Policy” … What does your Privacy Policy say exactly?
  for agents or vendors where there are no contracts
  for losses if the data is stored “in the cloud”
  for work done by “independent contractors”
  if laptops are not “encrypted” (using FIPS 140-2 validated encryption)
o How much is an indemnification provision from a judgment-proof company worth?
Final Wrap Up – Ways to Lower Risks
Disclaimer
This slide presentation is informational only and was prepared to provide a brief overview of enforcement efforts related to data privacy and security. It does not constitute legal or professional advice.
You are encouraged to consult with an attorney if you have specific questions relating to any of the topics covered in this presentation, and Melnik Legal PLLC would be pleased to assist you on these matters.
Questions?
Tatiana Melnik, Attorney, Melnik Legal PLLC
Based in Tampa, FL
734.358.4201