TNHFMA 2016 Fall Institute
October 20, 2016
Tatiana Melnik
Melnik Legal PLLC
Tampa, FL
Outline
I. Regulating Privacy and Data Security
II. Enforcement Landscape
  1) Federal Enforcement
  2) State Enforcement
  3) Private Enforcement
III. What does the enforcement tell us?
The Foundation of Privacy
U.S. Constitution
Federal Statutes & Regulations
State Laws
The Foundation of Privacy
U.S. Constitution: no explicit mention of any right of privacy
The Foundation of Privacy
U.S. Constitution
Federal Statutes & Regulations
  FTC Act Section 5
  GLBA
  SOX
  HIPAA
  HITECH
  COPPA
  And more…
  Based on Context
  − Targeted Information
  − Targeted Constituency
  − Segregate Highly Sensitive Information
State Laws
The Foundation of Privacy
o International Laws
  Individual countries have their own laws
  Changes to the “Safe Harbor” due to the European Court of Justice decision in October 2015 (for details see http://www.export.gov/safeharbor)
  New framework is called the “EU-U.S. Privacy Shield Framework” (for details, see https://www.privacyshield.gov)
The Foundation of Privacy
o Industry Standards
  PCI-DSS
    Relied on by FTC in the Wyndham Hotels settlement
    FTC to study data security auditing practices
    • In March 2016 sent out letters requesting information from PCI-DSS auditors: “auditors and their policies, practices, and procedures”
    • Mandiant, PricewaterhouseCoopers, Verizon/CyberTrust, plus 6 others
  NIST
    Generally the de-facto standards throughout industry because NIST sets standards for U.S. federal agencies and for encryption per the Breach Notification Rule
Enforcement Landscape
o Complex Enforcement Environment
  Federal Trade Commission
  HHS Office of Civil Rights
  State Attorneys General
  Consumers
  o **CFPB (Dwolla, Mar. 2, 2016)
  o Credit Unions
  o Banks
  o Credit Card Companies
  o Insurance Regulators
  o FFIEC
  o NYDFS
  o **SEC (Morgan Stanley, June 8, 2016)
  o **FCC (Cox, Nov. 5, 2015)
  o OIG Audits
  o GAO Audits (Sept. 26, 2016 Report on OCR - GAO-16-771)
Federal Trade Commission
• Works for consumers to prevent fraudulent, deceptive, and unfair business practices
• Section 5 – “unfair or deceptive acts or practices in or affecting commerce ...are... declared unlawful.”
• Has authority to pursue any company
• Has pursued companies across a number of industries
Federal Trade Commission
• Practices the FTC finds problematic
  – Improper use of data
  – Retroactive changes
  – Deceitful data collection
  – Unfair data security practices
• FTC will settle with Company and Owner(s)
  ― Company – 20 years
  ― Owners – 10 years
For a more detailed analysis on practices the FTC finds problematic, see Daniel J. Solove & Woodrow Hartzog, The FTC and the New Common Law of Privacy, Columbia Law Review (2014)
Federal Trade Commission
• Notable Cases/Settlements
  ― Practice Fusion
    Settlement: June 8, 2016
    Wanted to develop a provider directory; began sending e-mails to patients in April 2012
    E-mails appeared to be sent on behalf of the patients’ doctors, and asked consumers to rate their provider “[t]o help improve your service in the future”
Federal Trade Commission
• Notable Cases/Settlements
  ― Practice Fusion
    “Because patients likely thought the information was only shared with their provider,” they shared very sensitive information that was then posted online (e.g., Xanax prescription, suicidal child, etc.)
Federal Trade Commission
• Notable Cases/Settlements
  ― Practice Fusion
    FTC alleged that Practice Fusion “misled consumers by soliciting reviews for their doctors, without disclosing adequately that these reviews would be publicly posted on the Internet resulting in the public disclosure of patients’ sensitive personal and medical information”
    Practice Fusion must “prior to making consumers’ information publicly available, clearly and conspicuously disclose – separate and apart from a privacy policy, terms of use or other similar document – that it is making such information publicly available and obtain consumers’ affirmative consent.”
Isn’t Practice Fusion a Business Associate?
• April 2012 – Practice Fusion started contacting patients
• March 26, 2013 – HIPAA Omnibus Rule Effective Date
• Sept. 23, 2013 – Compliance Date
What does this mean for providers who use Practice Fusion?
Federal Trade Commission
• Notable Cases/Settlements
  ― Wyndham Hotels
    FTC won in the Third Circuit, Aug. 24, 2015
    Wyndham settled in Dec. 2015 – the Stipulated Order makes for interesting reading; FTC looked to the PCI-DSS standards
  ― LabMD
    FTC lost (Nov. 13, 2015; FTC appealed to the full Commission) – see the included expert report on acceptable security practices for guidance
HHS Office of Civil Rights
o Enforces HIPAA
o HITECH Act (2009) expanded the scope of coverage to authorize enforcement authority over certain vendors (BAs)
  By OCR
  By State AGs
o Mandatory penalties
HHS Office of Civil Rights
o Enforcement by HHS Office of Civil Rights
  To date ~34 organizations have paid out a total of $25M+ in settlements (with two fines)
  o Cignet Health ($4.3M) (fine)
  o UCLA Health System ($865,500) (employees talking)
  o Blue Cross Blue Shield of TN ($1.5M) (stolen servers left at former office)
  o Alaska Dept. of Health & Human Services ($1.7M) (stolen USB hard drive)
  o Massachusetts Eye & Ear Infirmary ($1.5M) (lost laptop)
  o New York & Presbyterian Hospital ($3M)
  o Columbia University ($1.5M) (server configuration, records on search engine)
  o Anchorage Community Mental Health Services ($150K) (unpatched and unsupported software, malware)
  o Cornell Prescription Pharmacy ($125K) (paper)
  o St. Elizabeth’s Medical Center ($218K) (document sharing software)
  o Triple-S Management Corp. ($3.5M) (settlement) (also fined $6.8M by Puerto Rico insurance regulator)
  o Cancer Care Group ($750K) (stolen laptop)
  o Lincare, Inc. ($239K) (Feb. 3, 2016) (fine; case initiated on June 23, 2009)
  o Complete P.T., Pool & Land Physical Therapy ($25K) (Feb. 16, 2016) (testimonials)
  o North Memorial Health Care of Minnesota ($1.55M) (March 16, 2016) (no BAA)
  o Raleigh Orthopaedic Clinic, P.A. of North Carolina ($750K) (April 19, 2016) (no BAA)
  o Catholic Health Care Services of the Archdioceses of Philadelphia (June 29, 2016) ($650K)
  o Oregon Health & Science Univ. (July 18) ($2.7M)
  o Univ. of Miss. Medical Center (July 21) ($2.75M)
  o Advocate Health Care Network (Aug. 4) ($5.55M)
  o Care New England Health System (Sept. 23) ($400K) (old BAA)
Private Enforcement: Consumers
Class Actions
  Negligence
  Breach of warranty
  False advertising
  Unreasonable delay in notification / remedying breach
Individual Claims
  Negligence
  Intentional infliction of emotional distress
  Invasion of privacy
  Negligent supervision
Abigail E. Hinchy v. Walgreen Co. et al. (Indiana Superior Ct., 2013)
• Pharmacist improperly accessed medical records of one patient
• Patient reported the incident to Walgreen but Walgreen’s software did not log accesses
• Once Walgreen learned of the employee’s conduct, it did not disable the pharmacist’s access
• Jury awarded $1.8 million, with $1.4M of that to be paid by Walgreens (this decision is now final)
Private Enforcement: Banks & Credit Unions
o Target as a case study
  Sued by at least 5 banks
  Sued by each of the 4 major payment card networks
  Settled with Visa to pay up to $67M
  More than 100 lawsuits filed
  Settled the consumer class action for $10M
  Investigated by State Attorneys General, the FTC and the SEC
  Through Aug. 1, 2015, the data breach has cost Target ~$400 million (with $150 million covered by insurance) (see Form 10-Q from 8/25/2015)
o Another to consider: Office Depot
Private Enforcement: Insurance Carriers
o Cyberliability Coverage
  A data breach is inevitable
  Insurance = risk reduction
  But, how do insurance companies reduce risk?
Cottage completed a “Risk Control Self Assessment” in which it made the following relevant representations:
• Whenever you entrust sensitive information to 3rd parties do you...
  • contractually require all such 3rd parties to protect this information with safeguards at least as good as your own [YES]
  • perform due diligence on each such 3rd party to ensure that their safeguards for protecting sensitive information meet your standards (e.g. conduct security/privacy audits or review findings of independent security/privacy auditors) [YES]
  • audit all such 3rd parties at least once per year to ensure that they continuously satisfy your standards for safeguarding sensitive information? [YES]
  • require them to either have sufficient liquid assets or maintain enough insurance to cover their liability arising from a breach of privacy or confidentiality. [YES]
Columbia Casualty Co. v. Cottage Health Systems (C.D. California) – Filed May 7, 2015 (first case of its kind)
• Columbia paid $4.125M to settle a class action stemming from a breach (32,500 records disclosed; settlement class of 50,917)
• “The complaint alleges that the breach occurred because Cottage and/or its third-party vendor, INSYNC Computer Solution, Inc. (“INSYNC”), stored medical records on a system that was fully accessible to the internet but failed to install encryption or take other security measures to protect patient information from becoming available to anyone who ‘surfed’ the internet.”
• “Columbia seeks a declaration that it is not obligated to provide Cottage with a defense or indemnification in connection with any and all claims stemming from the data breach at issue.”
• Columbia also seeks a declaration of its entitlement to reimbursement in full from Cottage for any and all attorney’s fees or related costs or expenses Columbia has paid or will pay in connection with the defense and settlement of the class action lawsuit . .”
• “Upon information and belief, INSYNC does not maintain sufficient liquid assets to contribute towards the proposed settlement fund and does not maintain liability insurance that applies with respect to the privacy claims asserted in the Underlying Action.”
• The Policy excluded coverage for any failure by the insured to “continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance…”
Use Common Sense
o HIPAA is permissive, but not THAT permissive…
  Complete P.T., Pool & Land Physical Therapy, Inc.
    OCR settlement: $25K (Feb. 16, 2016)
    Complaint alleged that “Complete P.T. had impermissibly disclosed numerous individuals’ [PHI], when it posted patient testimonials, including full names and full face photographic images, to its website without obtaining valid, HIPAA-compliant authorizations”
  New York Presbyterian Hospital
    OCR settlement: $2.2M (April 21, 2016)
    As described by OCR: “for the egregious disclosure of two patients’ [PHI] to film crews and staff during the filming of “NY Med,” an ABC television series, without first obtaining authorization from the patients”
    Second settlement in two years; first one was in May 2014 for $3M
Perform a Risk Analysis
o Organizations must undertake a Risk Analysis to understand where they are exposed to risks
o Must
  Conduct an initial risk analysis
  Conduct a risk analysis in response to a change in the environment that impacts PII
    implementation of new technology, software upgrades, move of office, etc.
Perform a Risk Analysis
Be sure the Risk Analysis includes a vulnerability scan and/or a pen test (many vendors will not include this in the initial pricing proposal; you need to ask!)
o Pitfall(s) cited by enforcers
  Failure to “use readily available measures to identify commonly known or reasonably foreseeable security risks and vulnerabilities on its networks (e.g., by not using measures such as penetration tests, LabMD could not adequately assess the extent of the risks and vulnerabilities of its networks)” (FTC v. LabMD)
Security Risks are Everywhere…
• Processed and analyzed over 100 terabytes of traffic daily
• 49,917 unique malicious events
• 723 unique malicious source IP
Portable Devices Create Risks
o Common cause of data breaches (and enforcement actions)
  OCR
    Massachusetts Eye and Ear Infirmary - $1.5M (stolen laptop)
    Concentra Health Services - $1,725,220 (stolen laptop)
    QCA Health Plan, Inc. of Arkansas - $250K (stolen laptop)
o Pitfall(s) cited by enforcers
  Lack of appropriate policies and procedures
    Incident identification, reporting, and response (OCR, MEEI, $1.5M)
    Restrict access to authorized users (OCR, MEEI)
    Failure “[t]o provide [organization] with a reasonable means of knowing whether or what type of portable devices were being used to access its network” (OCR, MEEI)
  Failure to secure devices for litigation
Portable Devices Create Risks
o Secure portable devices
  Encrypt, encrypt, encrypt (use technology that is FIPS 140-2 validated)
o Develop policies and procedures that address use of mobile devices
o Have employees sign a BYOD Agreement
  Reduce spoliation risks
  Clarify need to maintain access to device
Flow Down Obligations to Vendors
o Contracts with vendors must address privacy and security obligations
  • Obligations to maintain policies and procedures?
  • Scope of authorization to use data
    - How does the grant of rights compare to the indemnification obligations?
  • Who determines when there is a “breach”?
  • Is there a requirement to notify in the event of a “security incident”?
    - Timeline must be considered, particularly if the entity is operating in multiple states
  • Is the vendor required to encrypt data?
  • Who pays for responses to a subpoena?
  • Caps on liability? Should there be?
  • Insurance requirements?
  • What is your process to make sure policies are maintained?
Flow Down Obligations to Vendors
o Pitfall(s) cited by enforcers
  OCR
  • HIPAA requires covered entities and business associates to implement BAAs with their vendors
  • Lack of BAA or old BAA cited as the major deficiency in three OCR settlements this year:
    - North Memorial Health Care of Minnesota ($1.55M) (March 16, 2016) (no BAA)
    - Raleigh Orthopaedic Clinic, P.A. of North Carolina ($750K) (April 19, 2016) (no BAA)
    - Care New England Health System (Sept. 23) ($400K) (old BAA)
  FTC
  • Company failed to “require [that vendor] by contract … adopt and implement appropriate security measures to protect personal information in medical audio and transcript files, such as by requiring that files be securely stored and securely transmitted to typists (e.g., through encryption) and authenticating typists (e.g., through unique user credentials) before granting them access to such files” (FTC v. GMR Transcription)
Buy Your Own Insurance
o A data breach is inevitable and costs continue to increase
Source: Ponemon Institute, 2016 Cost of a Data Breach Study (US only data)
Buy Your Own Insurance
o …. But, don’t forget to read the policy
o Some policies exclude coverage
  • for damages that arise out of activity that is contrary to your “Privacy Policy” … What does your Privacy Policy say exactly?
  • for agents or vendors where there are no contracts
  • for losses if the data is stored “in the cloud”
  • for work done by “independent contractors”
  • if laptops are not “encrypted” (using a FIPS 140-2 validated encryption algorithm)
o How much is an indemnification provision from a judgment proof company worth?
Final Wrap Up - Ways to Lower Risks
Source: Ponemon Institute, 2016 Cost of a Data Breach Study (US only data)
Disclaimer
This slide presentation is informational only and was prepared to provide a brief overview of enforcement efforts related to data privacy and security. It does not constitute legal or professional advice.
You are encouraged to consult with an attorney if you have specific questions relating to any of the topics covered in this presentation, and Melnik Legal PLLC would be pleased to assist you on these matters.
Questions?
Tatiana Melnik
Attorney, Melnik Legal PLLC
Based in Tampa, FL
734.358.4201