
Page 1: TNHFMA 2016 Fall Institute - s3.amazonaws.comBreaches_FI2016.pdf · U.S. Constitution Federal Statutes & Regulations State Laws FTC Act Section 5 GLBA SOX HIPAA HITECH And more

TNHFMA 2016 Fall Institute, October 20, 2016

Tatiana Melnik, Melnik Legal PLLC

[email protected]

Tampa, FL

Page 2:

Outline

I. Regulating Privacy and Data Security

II. Enforcement Landscape
  1) Federal Enforcement
  2) State Enforcement
  3) Private Enforcement

III. What does the enforcement tell us?


Page 4:

The Foundation of Privacy

U.S. Constitution

Federal Statutes & Regulations

State Laws

Page 5:

The Foundation of Privacy

U.S. Constitution: no explicit mention of any right of privacy


Page 7:

The Foundation of Privacy

U.S. Constitution

Federal Statutes & Regulations
  • FTC Act Section 5
  • GLBA
  • SOX
  • HIPAA
  • HITECH
  • COPPA
  • And more…
  • Based on context: targeted information, targeted constituency, segregation of highly sensitive information

State Laws



Page 10:

The Foundation of Privacy

o International Laws
  • Individual countries have their own laws
  • Changes to the “Safe Harbor” due to the European Court of Justice decision in October 2015 (for details see http://www.export.gov/safeharbor)
  • The new framework is called the “EU-U.S. Privacy Shield Framework” (for details, see https://www.privacyshield.gov)

Page 11:

The Foundation of Privacy

o Industry Standards
  • PCI-DSS
    – Relied on by the FTC in the Wyndham Hotels settlement
    – FTC to study data security auditing practices: in March 2016 it sent out letters requesting information from PCI-DSS auditors on the “auditors and their policies, practices, and procedures” (Mandiant, PricewaterhouseCoopers, Verizon/CyberTrust, plus 6 others)
  • NIST
    – Generally the de facto standard throughout industry, because NIST sets the standards for U.S. federal agencies, and HHS’s encryption guidance under the Breach Notification Rule (which determines whether breached PHI counts as “unsecured”) points to NIST publications

Page 12:

Outline

I. Regulating Privacy and Data Security

II. Enforcement Landscape
  1) Federal Enforcement
  2) State Enforcement
  3) Private Enforcement

III. What does the enforcement tell us?

Page 13:

Enforcement Landscape

o Complex Enforcement Environment
  • Federal Trade Commission
  • HHS Office for Civil Rights
  • State Attorneys General
  • Consumers
  • Credit Unions
  • Banks
  • Credit Card Companies
  • Insurance Regulators
  • FFIEC
  • NYDFS
  • **CFPB (Dwolla, Mar. 2, 2016)
  • **SEC (Morgan Stanley, June 8, 2016)
  • **FCC (Cox, Nov. 5, 2015)
  • OIG Audits
  • GAO Audits (Sept. 26, 2016 Report on OCR – GAO-16-771)

Page 14:

Federal Trade Commission

• Works for consumers to prevent fraudulent, deceptive, and unfair business practices
• Section 5 – “unfair or deceptive acts or practices in or affecting commerce ...are... declared unlawful.”
• Has broad authority to pursue companies in most industries (the FTC Act carves out a few sectors, e.g. banks and common carriers, which answer to their own regulators)
• Has pursued companies across a number of industries

Page 15:

Federal Trade Commission

• Practices the FTC finds problematic
  – Improper use of data
  – Retroactive changes
  – Deceitful data collection
  – Unfair data security practices
• FTC will settle with Company and Owner(s)
  ― Company – 20 years
  ― Owners – 10 years

For a more detailed analysis of practices the FTC finds problematic, see Daniel J. Solove & Woodrow Hartzog, The FTC and the New Common Law of Privacy, 114 Columbia Law Review 583 (2014)

Page 16:

Federal Trade Commission

• Notable Cases/Settlements
  ― Practice Fusion
    Settlement: June 8, 2016
    Wanted to develop a provider directory; began sending e-mails to patients in April 2012
    The e-mails appeared to be sent on behalf of the patients’ doctors, and asked consumers to rate their provider “[t]o help improve your service in the future”


Page 18:

Federal Trade Commission

• Notable Cases/Settlements
  ― Practice Fusion
    “Because patients likely thought the information was only shared with their provider,” they shared very sensitive information that was then posted online (e.g., Xanax prescription, suicidal child, etc.)


Page 20:

Federal Trade Commission

• Notable Cases/Settlements
  ― Practice Fusion
    FTC alleged that Practice Fusion “misled consumers by soliciting reviews for their doctors, without disclosing adequately that these reviews would be publicly posted on the Internet resulting in the public disclosure of patients’ sensitive personal and medical information”
    Practice Fusion must “prior to making consumers’ information publicly available, clearly and conspicuously disclose – separate and apart from a privacy policy, terms of use or other similar document – that it is making such information publicly available and obtain consumers’ affirmative consent.”

Isn’t Practice Fusion a Business Associate?
• April 2012 – Practice Fusion started contacting patients
• March 26, 2013 – HIPAA Omnibus Rule effective date
• Sept. 23, 2013 – Compliance date

What does this mean for providers who use Practice Fusion?

Page 21:

Federal Trade Commission

• Notable Cases/Settlements
  ― Wyndham Hotels
    FTC won in the Third Circuit, Aug. 24, 2015
    Wyndham settled in Dec. 2015 – the Stipulated Order makes for interesting reading; the FTC looked to the PCI-DSS standards
  ― LabMD
    FTC lost before the Administrative Law Judge (Nov. 13, 2015); the FTC appealed to the full Commission, which reversed the ALJ’s dismissal on July 29, 2016 – see the included expert report on acceptable security practices for guidance

Page 22:

HHS Office for Civil Rights

o Enforces HIPAA
o HITECH Act (2009) expanded the scope of coverage to authorize enforcement authority over certain vendors (business associates, BAs)
  • By OCR
  • By State AGs
o Mandatory penalties


Page 24:

HHS Office for Civil Rights

o Enforcement by HHS Office for Civil Rights: to date ~34 organizations have paid out a total of $25M+ in settlements (with two fines)
  • Cignet Health ($4.3M) (fine)
  • UCLA Health System ($865,500) (employees talking)
  • Blue Cross Blue Shield of TN ($1.5M) (stolen servers left at former office)
  • Alaska Dept. of Health & Human Services ($1.7M) (stolen USB hard drive)
  • Massachusetts Eye & Ear Infirmary ($1.5M) (stolen laptop)
  • New York & Presbyterian Hospital ($3.3M)
  • Columbia University ($1.5M) (server configuration, records on search engine)
  • Anchorage Community Mental Health Services ($150K) (unpatched and unsupported software, malware)
  • Cornell Prescription Pharmacy ($125K) (paper)
  • St. Elizabeth’s Medical Center ($218K) (document sharing software)
  • Triple-S Management Corp. ($3.5M) (settlement) (also fined $6.8M by the Puerto Rico insurance regulator)
  • Cancer Care Group ($750K) (stolen laptop)
  • Lincare, Inc. ($239K) (Feb. 3, 2016) (fine; case initiated on June 23, 2009)
  • Complete P.T., Pool & Land Physical Therapy ($25K) (Feb. 16, 2016) (testimonials)
  • North Memorial Health Care of Minnesota ($1.55M) (March 16, 2016) (no BAA)
  • Raleigh Orthopaedic Clinic, P.A. of North Carolina ($750K) (April 19, 2016) (no BAA)
  • Catholic Health Care Services of the Archdiocese of Philadelphia (June 29, 2016) ($650K)
  • Oregon Health & Science Univ. (July 18) ($2.7M)
  • Univ. of Miss. Medical Center (July 21) ($2.75M)
  • Advocate Health Care Network (Aug. 4) ($5.55M)
  • Care New England Health System (Sept. 23) ($400K) (old BAA)


Page 26:

Private Enforcement: Consumers

Class Actions
• Negligence
• Breach of warranty
• False advertising
• Unreasonable delay in notification / remedying breach

Individual Claims
• Negligence
• Intentional infliction of emotional distress
• Invasion of privacy
• Negligent supervision

Abigail E. Hinchy v. Walgreen Co. et al. (Indiana Superior Ct., 2013)
• Pharmacist improperly accessed the medical records of one patient
• Patient reported the incident to Walgreen, but Walgreen’s software did not log accesses
• Once Walgreen learned of the employee, it did not disable the pharmacist’s access
• Jury awarded $1.8 million, with $1.4M of that to be paid by Walgreens (this decision is now final)
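The two control failures in the Walgreen case (no record of who opened which record, and an account left active after the snooping was known) are concrete enough to show in code. The following Python sketch is an added illustration for this page; it is not from the presentation and not Walgreen’s system. Every record lookup is written to an audit log before any data is returned, lookups by staff with no care relationship to the patient and no documented reason are flagged, and revoking the account makes later attempts fail and still get logged. The user names, patient IDs, reason codes and sample events are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class AccessEvent:
    ts: datetime
    user: str
    patient_id: str
    action: str            # "view", "print", "export", or "denied:<action>"
    reason: Optional[str]  # workflow reason code (e.g. "RX-FILL"); None if none was given


@dataclass
class RecordStore:
    # patient_id -> users with a current care relationship. Assumption: a real
    # system would derive this from open prescriptions or encounters.
    care_team: Dict[str, Set[str]]
    active_users: Set[str]
    log: List[AccessEvent] = field(default_factory=list)

    def read_record(self, user: str, patient_id: str, action: str = "view",
                    reason: Optional[str] = None,
                    at: Optional[datetime] = None) -> bool:
        """Log every attempt, denied ones included, before any data is returned."""
        ts = at or datetime.now()
        if user not in self.active_users:
            self.log.append(AccessEvent(ts, user, patient_id, "denied:" + action, reason))
            return False
        self.log.append(AccessEvent(ts, user, patient_id, action, reason))
        return True  # a real system would return the record here

    def revoke(self, user: str) -> None:
        """Disable the account; the audit trail is kept for the investigation."""
        self.active_users.discard(user)


def flag_snooping(store: RecordStore) -> List[AccessEvent]:
    """Successful reads by users outside the patient's care team with no reason code."""
    return [e for e in store.log
            if not e.action.startswith("denied:")
            and e.user not in store.care_team.get(e.patient_id, set())
            and e.reason is None]


def repeat_offenders(store: RecordStore, min_hits: int = 2) -> Dict[str, int]:
    """Users with at least min_hits flagged reads: a triage list for the privacy officer."""
    counts: Dict[str, int] = {}
    for e in flag_snooping(store):
        counts[e.user] = counts.get(e.user, 0) + 1
    return {u: n for u, n in counts.items() if n >= min_hits}


def demo() -> dict:
    """Constructed scenario: one pharmacist repeatedly views a patient not in their care."""
    t0 = datetime(2016, 10, 20, 9, 0)
    store = RecordStore(
        care_team={"P-1001": {"pharm_02"}, "P-1002": {"pharm_07"}},
        active_users={"pharm_02", "pharm_07"},
    )
    # Legitimate fills by the assigned pharmacists, each with a reason code.
    store.read_record("pharm_02", "P-1001", reason="RX-FILL", at=t0)
    store.read_record("pharm_07", "P-1002", reason="RX-FILL", at=t0 + timedelta(minutes=5))
    # Three lookups of P-1001 by pharm_07: no care relationship, no reason code.
    for i in range(3):
        store.read_record("pharm_07", "P-1001", at=t0 + timedelta(hours=i + 1))
    flagged = len(flag_snooping(store))
    offenders = repeat_offenders(store)
    store.revoke("pharm_07")  # the step the deck says Walgreen did not take
    allowed_after = store.read_record("pharm_07", "P-1001", at=t0 + timedelta(days=1))
    return {
        "flagged": flagged,                      # 3
        "offenders": offenders,                  # {"pharm_07": 3}
        "allowed_after_revoke": allowed_after,   # False
        "log_entries": len(store.log),           # 6, the denied attempt included
        "last_action": store.log[-1].action,     # "denied:view"
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of logging before returning data, and of logging denied attempts, is that the log then answers the two questions the Walgreen jury had to reconstruct from testimony: who looked, and whether access continued after the complaint.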

Page 27:

Private Enforcement: Banks & Credit Unions

o Target as a case study
  • Sued by at least 5 banks
  • Sued by each of the 4 major payment card networks
  • Settled with Visa to pay up to $67M
  • More than 100 lawsuits filed
  • Settled the consumer class action for $10M
  • Investigated by State Attorneys General, the FTC and the SEC
  • Through Aug. 1, 2015, the data breach had cost Target ~$400 million (with $150 million covered by insurance) (see Form 10-Q from 8/25/2015)
o Another to consider: Office Depot


Page 32:

Private Enforcement: Insurance Carriers

o Cyberliability Coverage
  • A data breach is inevitable
  • Insurance = risk reduction
  • But, how do insurance companies reduce risk?

Columbia Casualty Co. v. Cottage Health System (C.D. California) – filed May 7, 2015 (first case of its kind)
• Columbia paid $4.125M to settle a class action stemming from a breach (32,500 records disclosed; settlement class of 50,917)
• “The complaint alleges that the breach occurred because Cottage and/or its third-party vendor, INSYNC Computer Solution, Inc. (“INSYNC”), stored medical records on a system that was fully accessible to the internet but failed to install encryption or take other security measures to protect patient information from becoming available to anyone who ‘surfed’ the internet.”
• “Columbia seeks a declaration that it is not obligated to provide Cottage with a defense or indemnification in connection with any and all claims stemming from the data breach at issue.”
• Columbia also seeks a declaration of its entitlement to “reimbursement in full from Cottage for any and all attorney’s fees or related costs or expenses Columbia has paid or will pay in connection with the defense and settlement of the class action lawsuit . . .”
• “Upon information and belief, INSYNC does not maintain sufficient liquid assets to contribute towards the proposed settlement fund and does not maintain liability insurance that applies with respect to the privacy claims asserted in the Underlying Action.”
• The Policy excluded coverage for any failure by the insured to “continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance…”
• To obtain the policy, Cottage completed a “Risk Control Self Assessment” in which it made the following relevant representations. Whenever you entrust sensitive information to 3rd parties, do you...
  – contractually require all such 3rd parties to protect this information with safeguards at least as good as your own [YES]
  – perform due diligence on each such 3rd party to ensure that their safeguards for protecting sensitive information meet your standards (e.g. conduct security/privacy audits or review findings of independent security/privacy auditors) [YES]
  – audit all such 3rd parties at least once per year to ensure that they continuously satisfy your standards for safeguarding sensitive information? [YES]
  – require them to either have sufficient liquid assets or maintain enough insurance to cover their liability arising from a breach of privacy or confidentiality. [YES]
• Caveat: the district court dismissed Columbia’s suit without prejudice in July 2015 because the policy’s alternative dispute resolution clause had not been exhausted, so the coverage questions were never decided on the merits; the complaint still shows what a carrier will look for

Page 33:

Outline

I. Regulating Privacy and Data Security

II. Enforcement Landscape
  1) Federal Enforcement
  2) State Enforcement
  3) Private Enforcement

III. What does the enforcement tell us?

Page 34:

Use Common Sense

o HIPAA is permissive, but not THAT permissive…
  • Complete P.T., Pool & Land Physical Therapy, Inc.
    OCR settlement: $25K (Feb. 16, 2016)
    Complaint alleged that “Complete P.T. had impermissibly disclosed numerous individuals’ [PHI], when it posted patient testimonials, including full names and full face photographic images, to its website without obtaining valid, HIPAA-compliant authorizations”
  • New York Presbyterian Hospital
    OCR settlement: $2.2M (April 21, 2016)
    As described by OCR: “for the egregious disclosure of two patients’ [PHI] to film crews and staff during the filming of “NY Med,” an ABC television series, without first obtaining authorization from the patients”
    Second settlement in two years; the first was in May 2014 for $3.3M

Page 35:

Perform a Risk Analysis

o Organizations must undertake a Risk Analysis to understand where they are exposed to risks
o Must:
  • Conduct an initial risk analysis
  • Conduct a risk analysis in response to a change in the environment that impacts PII: implementation of new technology, software upgrades, move of office, etc.

Page 36:

Perform a Risk Analysis

o Be sure the Risk Analysis includes a vulnerability scan and/or a pen test (many vendors will not include this in the initial pricing proposal; you need to ask!)
o Pitfall(s) cited by enforcers
  • Failure to “use readily available measures to identify commonly known or reasonably foreseeable security risks and vulnerabilities on its networks (e.g., by not using measures such as penetration tests, LabMD could not adequately assess the extent of the risks and vulnerabilities of its networks)” (FTC v. LabMD)

Page 37:

Security Risks are Everywhere…

• Processed and analyzed over 100 terabytes of traffic daily
• 49,917 unique malicious events
• 723 unique malicious source IPs

Page 38:

Portable Devices Create Risks

o Common cause of data breaches (and enforcement actions)
  • OCR
    – Massachusetts Eye and Ear Infirmary – $1.5M (stolen laptop)
    – Concentra Health Services – $1,725,220 (stolen laptop)
    – QCA Health Plan, Inc. of Arkansas – $250K (stolen laptop)
o Pitfall(s) cited by enforcers
  • Lack of appropriate policies and procedures
    – Incident identification, reporting, and response (OCR, MEEI, $1.5M)
    – Restrict access to authorized users (OCR, MEEI)
    – Failure “[t]o provide [organization] with a reasonable means of knowing whether or what type of portable devices were being used to access its network” (OCR, MEEI)
  • Failure to secure devices for litigation

Page 39:

Portable Devices Create Risks

o Secure portable devices
  • Encrypt, encrypt, encrypt (use technology that is FIPS 140-2 validated)
o Develop policies and procedures that address use of mobile devices
o Have employees sign a BYOD Agreement
  • Reduce spoliation risks
  • Clarify need to maintain access to device

Page 40:

Flow Down Obligations to Vendors

o Contracts with vendors must address privacy and security obligations
  • Obligations to maintain policies and procedures?
  • Scope of authorization to use data
  • How does the grant of rights compare to the indemnification obligations?
  • Who determines when there is a “breach”?
  • Is there a requirement to notify in the event of a “security incident”?
  • Timeline must be considered, particularly if the entity operates in multiple states
  • Is the vendor required to encrypt data?
  • Who pays for responses to a subpoena?
  • Caps on liability? Should there be?
  • Insurance requirements?
  • What is your process to make sure policies are maintained?

Page 41:

Flow Down Obligations to Vendors

o Pitfall(s) cited by enforcers
  • OCR
    – HIPAA requires covered entities and business associates to execute BAAs with their vendors that handle PHI
    – Lack of a BAA, or an old BAA, was cited as the major deficiency in three OCR settlements this year
      • North Memorial Health Care of Minnesota ($1.55M) (March 16, 2016) (no BAA)
      • Raleigh Orthopaedic Clinic, P.A. of North Carolina ($750K) (April 19, 2016) (no BAA)
      • Care New England Health System (Sept. 23) ($400K) (old BAA)
  • FTC
    – Company failed to “require [that vendor] by contract … adopt and implement appropriate security measures to protect personal information in medical audio and transcript files, such as by requiring that files be securely stored and securely transmitted to typists (e.g., through encryption) and authenticating typists (e.g., through unique user credentials) before granting them access to such files” (FTC v. GMR Transcription)

Page 42:

Buy Your Own Insurance

o A data breach is inevitable and costs continue to increase

Source: Ponemon Institute, 2016 Cost of a Data Breach Study (US only data)

Page 43:

Buy Your Own Insurance

o …. But, don’t forget to read the policy
o Some policies exclude coverage
  • for damages that arise out of activity that is contrary to your “Privacy Policy” … What does your Privacy Policy say exactly?
  • for agents or vendors where there are no contracts
  • for losses if the data is stored “in the cloud”
  • for work done by “independent contractors”
  • if laptops are not “encrypted” (using a FIPS 140-2 validated encryption module)
o How much is an indemnification provision from a judgment-proof company worth?

Page 44:

Final Wrap Up - Ways to Lower Risks

Source: Ponemon Institute, 2016 Cost of a Data Breach Study (US only data)

Page 45:

Disclaimer

This slide presentation is informational only and was prepared to provide a brief overview of enforcement efforts related to data privacy and security. It does not constitute legal or professional advice.

You are encouraged to consult with an attorney if you have specific questions relating to any of the topics covered in this presentation, and Melnik Legal PLLC would be pleased to assist you on these matters.

Page 46:

Questions?

Tatiana Melnik, Attorney, Melnik Legal PLLC

Based in Tampa, FL, 734.358.4201

[email protected]