Commission on Enhancing Cybersecurity Report Calls for Greater Investment

On Friday, December 2, the President’s Commission on Enhancing National Cybersecurity (“Commission”) released its long-awaited Report on Securing and Growing the Digital Economy. The nonpartisan Commission was created by President Obama earlier this year (its members were announced in April) with the objective of examining U.S. cybersecurity policy and determining “actionable recommendations” to secure an increasingly interdependent cyber infrastructure. Given the increasing number of intrusions, disruptions, manipulations and thefts enabled by cyber vulnerabilities, the report is apt in its assessment that technological advancement is outpacing U.S. cybersecurity practices and policies. President-elect Trump pledged during the campaign to adopt several cybersecurity measures, one of them a commission very much like this one. The report should therefore be welcomed by the President-elect as a formative step in his cybersecurity reform.

The report offers 16 recommendations and 53 “associated actions.” The recommendations are grouped under six major categories, including protecting and securing information infrastructure; building cybersecurity workforce capabilities; and ensuring an open, fair and secure global digital economy. Two recommendations are notable for different reasons: the creation and appointment of an Ambassador for Cybersecurity, “to lead U.S. engagement with the international community on cybersecurity strategies, standards and practices;” and a larger focus on training and hiring cybersecurity professionals. The recommendation for a cyber ambassador is a major acknowledgment that cyber issues know no boundaries and that the interconnected nature of the global economy presents a serious, international threat to trade and business. Meanwhile, the Commission placed a premium on new incentives and investment in innovation to attract cybersecurity professionals, signaling its intention to increase U.S. capabilities. In specific numbers, the report recommends creating a national cybersecurity workforce program with the aim of training 100,000 new cybersecurity practitioners by 2020.

These major recommendations are not specifically what the President-elect called for during the campaign, but the general tone regarding the importance of stepping up the United States’ cyber capabilities reflects his proposals. Both the report and Trump have been clear that the U.S. is not reaching its full cyber potential and must do so if it is to maintain its position as a global leader. The report provides a comprehensive plan for increasing U.S. focus and capabilities in cybersecurity.

Overall, the report calls for investment in cybersecurity mechanisms, greater attention to the weaknesses that plague current U.S. cybersecurity policy, and a strengthened public–private dialogue on cybersecurity. The Commission, although an Obama administration creation, is geared toward gaining the attention of President-elect Trump. Until his intentions are made clear, however, the report will remain simply recommendations.

Posted in Standards

NIST Releases Comprehensive Cyber Security Guidelines for the Internet of Things

As the Internet of Things continues to grow and expand, the need for guidance on security measures and protections has become increasingly evident. Recently, the National Institute of Standards and Technology (NIST) released a lengthy systems security engineering publication, NIST Special Publication 800-160, which it presented as guidance for securing IoT devices. NIST unveiled the nearly 260-page publication at the Splunk GovSummit 2016 conference. The announcement came on the heels of the Dyn attack in late October, which further highlighted the immediate need for standards and guidance.

The strictly voluntary guidelines address questions and concerns about protections for devices connected to the internet. It is estimated that approximately 7 billion things are currently connected to the Internet, and experts expect that number to triple by 2020. NIST described IoT as a “powerful and complex” system which is “inexorably linked to [our] economic and national security interests.”

Given the enormous size of this ever-growing sector of the digital world, it must be at the forefront of cybersecurity discussions. IoT must not only be actually secure; users must also be able to trust in its security and protections. One of the drafters said that users must have the same confidence in the security of IoT as they do in the safety of a bridge they cross or an airplane they board. Policies and protections need to build up users’ confidence while simultaneously degrading the confidence that cyber-criminals have in their own abilities and operations.

NIST expressly stated in Special Publication 800-160 that its objective is to “address security issues” and “to use established engineering processes to ensure that needs, concerns, and requirements are addressed with appropriate fidelity and rigor, early and in a sustainable manner.”

As with most cybersecurity policies, NIST is striving to limit the damage of inevitable, successful breaches. It recognizes that preventing every breach or attack is not a realistic goal. Therefore, the drafters emphasized that necessary protections must be incorporated at the design stage and built into devices rather than added as an afterthought, much as an airbag is built into a car’s dashboard. The protections also must be capable of keeping the device secure throughout its life-cycle.

Although the guidelines are voluntary, they should spawn valuable conversation and discussion. In order for the guidelines to have the desired effect, industry, government, and academia must all join forces to promote their benefits and vouch for their necessity.

Lawyers can use the guidelines to facilitate conversations with clients about cybersecurity measures. The guidelines can be presented to boards of directors and executives as a detailed overview of what must be done to implement security measures. Because the guidelines are government-backed, they can also be a tool for obtaining the support, including the financial support, necessary to implement security measures. They can also serve as a reference point when evaluating cyber insurance policies, as underwriters can refer to them during the underwriting process.

Lawyers should also caution clients that there will likely be regulators and litigants who point to the guidelines when attempting to impose liability on device manufacturers following a breach. Failure to follow the standards, it will be argued, is evidence of negligence or lackadaisical security. Whether the guidelines will create a standard of care remains to be seen, but they should certainly become part of the conversation as the IoT – with all of its inherent risks – continues to expand.

For a copy of the guidelines, follow this link: NIST Guidelines

Posted in Standards

Commercial Trucking Goes Green for Safer Streets

A new federal mandate requires most commercial truck drivers to “go green” by trading in their paper logs for electronic logging devices (ELDs) by December 18, 2017. Expected to affect roughly 3.5 million truck drivers, the mandate is intended to increase driver compliance with federal drive-time regulations and decrease burdensome paperwork.

Commercial truck drivers are legally required to take a lengthy break after 11 hours of driving, but drivers have admitted to driving longer and falsifying their logs. The ELD mandate is expected to improve compliance with the federally required hours of service because the logs will be electronically linked to vehicle engines. Reports show that, on average, fatigued driving causes 1,800 crashes (resulting in 60 injuries and 25 deaths) each year, and the hope is that the new ELD requirements will reduce the number of fatigue-related accidents.

When the engine is on, the ELD records the date, time and location of the truck to within a one-mile radius. It also records the driver’s identification and motor carrier information. It does not record continuously, but automatically logs this information once per hour. The ELD is also intended to document when a driver changes status among “driving,” “on duty but not driving,” “moving to the sleeper berth,” and “off duty.” The driver is responsible for entering the status information, since an entirely automatic option was considered too invasive. Recorded ELD data is stored and subject to access by authorized safety officials during inspections or audits.

Driver monitoring, of course, is nothing new. Truckers are already required to log most of this information manually and make it available upon request. Nonetheless, the ELD mandate was not warmly received by many in the commercial trucking community. A contentious relationship has existed between the commercial trucking industry and the Department of Transportation (DOT) since 1995, when Congress directed the DOT to revise the hours of service requirements. From 1995 to 2012, the DOT proposed a series of rule changes, all of which were challenged; three were struck down in federal court, one of them by the Seventh Circuit.

In 2012, Congress stepped in again and passed the Commercial Motor Vehicle Safety Enhancement Act, explicitly directing the DOT to issue an ELD rule. When the new ELD rule was released in December 2015, it was promptly challenged by two professional truck drivers and the Owner-Operator Independent Drivers Association (OOIDA). This time, however, the Seventh Circuit upheld the ELD mandate, on October 31, 2016.

Petitioners argued the ELD mandate should be struck down for numerous reasons, including their contention that it constitutes an unreasonable search and/or seizure and thereby violates the Fourth Amendment. The Seventh Circuit responded to the Fourth Amendment challenge by noting that it “need not resolve whether the ELD mandate constitutes a search or seizure. Even if it did, it would be reasonable under the Fourth Amendment exception for pervasively regulated industries.”

The Court used a three-part analysis to conclude that the commercial trucking industry is pervasively regulated: (1) the history of the regulation in commercial trucking; (2) the comprehensiveness of commercial trucking regulations; and (3) the inherent dangers in the commercial trucking industry.

To each of these points, respectively, the Court noted that the industry has been government regulated since 1935. It said that commercial trucking regulations are comprehensive and extensive, governing everything from driver qualifications to vehicle inspections. And, lastly, the Court cited its own opinion from 2007 upholding random drug testing for truck drivers to show that commercial trucking is inherently dangerous activity. In 2007, it stated that trucking is “fraught with such risks of injury to others that even a momentary lapse of attention could have disastrous consequences.”

The Seventh Circuit also concluded that the ELD mandate is a reasonable way to regulate the commercial trucking industry. It found that the government has a substantial interest in the industry and that ELDs are a necessary advance because paper logs are subject to falsification, forgery, and human error, not to mention motor carrier pressure on drivers to drive longer than legally allowed. It also considered the ELD mandate a constitutionally adequate substitute for a warrant, largely because it is no different in kind from the existing inspection of paper logs.

In response to the petitioners’ other arguments, the Seventh Circuit ruled that (1) ELDs need not be entirely automatic because, if they were, they would be “breathtakingly invasive;” (2) the ELD mandate sufficiently protects drivers from ELD-related harassment by motor carriers; (3) no cost-benefit analysis was necessary for implementing the ELD mandate because it was done at Congress’s direction; and (4) ELD information will be kept sufficiently confidential, as the statute requires.

The OOIDA has not said whether it will appeal the Seventh Circuit’s decision, but the organization has made clear its disappointment with the ruling. Its displeasure notwithstanding, it appears that the commercial trucking industry will be going green. The hope is that ELDs will collect information more efficiently and accurately and make roads safer, without introducing new or unforeseen privacy concerns for drivers.

Posted in Privacy, Regulations

Understanding the Role of Connected Devices in Recent Cyber Attacks

On November 16, 2016, the House Committee on Energy and Commerce’s Subcommittee on Commerce, Manufacturing, and Trade and Subcommittee on Communications and Technology held a joint hearing on “Understanding the Role of Connected Devices in Recent Cyber Attacks.” The hearing was a response to the unprecedented distributed denial-of-service (DDoS) attack of October 21, 2016, in which consumer websites such as Netflix, Twitter and CNN, among others, went down after a botnet built from malware-infected devices, many of them in American homes, was turned against the infrastructure they depended on. The compromised devices (known as bots, or collectively as a botnet) flooded the target with junk traffic, overwhelming it so that legitimate requests could not be distinguished from the flood. The hearing focused on the vulnerabilities present in connected devices, possible solutions, and the potential ramifications of attacks by a wide array of malicious actors on consumer devices, critical infrastructure and public safety mechanisms.

The witnesses were industry experts: Dale Drew of Level 3 Communications; Kevin Fu of Virta Labs and the University of Michigan; and Bruce Schneier of the Berkman Klein Center at Harvard University.

Chairman Greg Walden opened the hearing by highlighting the increasing use of technology in Americans’ daily lives and their growing dependence on the internet of things, from applications and devices that remotely unlock doors to baby monitors and smart appliances. Many members of the subcommittees remarked that the DDoS attack underscored the importance of securing these devices without losing their benefits, a balance among functionality, innovation and security. Representative Marsha Blackburn made the important point that the internet of things is growing extremely quickly, with the average American owning more than three connected devices, which illustrates the widening gap between deployment and security.

The expert witnesses were firm in their view that, while the October 2016 DDoS attack hit popular websites rather than critical systems, attacks on critical apparatus such as public safety mechanisms, hospital systems, and critical infrastructure are highly likely. Internet of things devices have major security flaws, lack built-in mechanisms for security updates or patches, and are owned by consumers who are largely unaware of the threat their devices pose. Mr. Schneier pointed out that many of these devices are essentially the same, sharing the same basic configuration, which limits what a consumer can do to control them. He also pointed out that security is needed at every layer, from hardware to software to internet communications. All three panelists discussed the lack of incentives for manufacturers to secure devices or integrate security into production. The panelists urged oversight, given the growth of the problem and the inevitable growth in vulnerabilities.

Mr. Fu added that security, and the regulations, standards and liability that drive it, need to be “built in, not bolted on.” All panelists stressed the importance of addressing the vulnerabilities posed by the internet of things and the unprecedented threat the United States faces. As in almost every area of cybersecurity, the government is clearly far behind, and, as the experts pointed out, vulnerabilities in basic systems will only grow. Greater oversight is called for because of the critical consequences attacks can and will have on both the public and private sectors.

Posted in Cyberattack

Trump’s New Cyber Security Plan?

With the recent news of Yahoo’s massive data breach and the continuing publication of Clinton Foundation emails by Wikileaks, cybersecurity policy is beginning to get the attention it is due. Secretary Clinton’s campaign was swift to publish a lengthy briefing on her cybersecurity policy agenda when she declared her candidacy. Much of it focuses on investment and development in science and technology. In a speech in August, Clinton called for cyber-attacks to be treated as an assault on the country requiring “a serious political, economic and military response.” Most of Secretary Clinton’s cyber proposals, however, would likely continue much of the Obama Administration’s own cybersecurity policy.

Mr. Trump had no cybersecurity platform, and had not discussed one, until a speech to the Retired American Warriors PAC in Virginia in early October. Before that speech, Trump had said little beyond criticizing the failure of U.S. cybersecurity policy. In his speech, Mr. Trump described cybersecurity as “an immediate and top priority” for his administration and put forward his plan for strengthening American cybersecurity. At the core of his proposals was a panel of “our best military, civilian and private sector cybersecurity experts.” This Cyber Review Team would undertake a “comprehensive review” of U.S. cybersecurity systems and technologies. Among its responsibilities would be to “establish detailed protocols” and to remain “current on evolving methods of cyber-attack.”

What’s the issue with this seemingly harmless and possibly efficient idea?

President Obama had the idea first, and it is already underway. In February of this year the White House issued the Cybersecurity National Action Plan. Its first order of business was the creation of a “Commission on Enhancing National Cybersecurity.” Like Trump’s proposed team, this commission is formed of public and private sector thinkers, with a bipartisan congressional delegation. The commission’s mandate is to “make recommendations on actions that can be taken over the next decade to strengthen cybersecurity in both the public and private sectors.” The commission members announced in April 2016 include Tom Donilon, former National Security Advisor; General Keith Alexander, former Director of the NSA and former Commander of U.S. Cyber Command; Joe Sullivan, Chief Security Officer of Uber and former Chief Security Officer of Facebook; Annie Antón, Professor and Chair of the School of Interactive Computing at Georgia Tech; and Ajay Banga, President and CEO of Mastercard. These are only a few of the twelve members, but the commission clearly represents military, civilian and private sector expertise in cybersecurity.

Other than his Cyber Review Team, Mr. Trump has not offered any other concrete cybersecurity recommendations. Neither major party candidate is offering real solutions to a critical, unfolding crisis. Hacking and intrusions will not dissipate; they will only grow in scale and aggression absent serious attention from the federal government. On one point Secretary Clinton and Mr. Trump agree: cyber is of increasing importance to U.S. national security, infrastructure and business and should be taken much more seriously. That understanding alone is not enough to prevent potentially debilitating attacks in the future.

Cybersecurity is a dynamic and fast-paced policy realm. Technology is ever-changing and requires almost constant attention and modernization. The federal government’s bureaucratic nature impedes meaningful progress, both in establishing policy and in enacting it, so much federal policy making is playing catch-up. Cybersecurity needs greater attention at the executive level. The federal government needs a greater understanding of cybersecurity’s evolving nature and a determination to lead the field. These principles apply whoever becomes the next President.

Posted in Data Security

Sixth Circuit Eases Plaintiffs’ Burden for Standing in Data Breach Claims

Insurance companies are susceptible to the same sort of data breaches suffered by many other businesses, such as the recently reported theft from Yahoo of the personal data of half a billion account holders. In a major decision that may have widespread consequences, the Sixth Circuit Court of Appeals in Hancox v. Nationwide Ins. Cos., 2016 WL 4728027 (6th Cir. Sept. 12, 2016), held that plaintiffs do not have to allege actual identity theft in order to satisfy Article III’s injury-in-fact requirement for standing.

In Hancox v. Nationwide, the Court of Appeals reversed the Southern District of Ohio’s dismissal of class claims for negligence, Fair Credit Reporting Act violations, and other torts. The district court had concluded that an increased risk of future harm does not constitute injury in fact. In doing so it followed the majority view, exemplified by the U.S. Supreme Court’s statement in Clapper v. Amnesty International, 133 S.Ct. 1138, 1146 (2013), that plaintiffs cannot “manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.”

In reversing the district court, the Sixth Circuit found that plaintiffs sufficiently pled cognizable injury in the possible mitigation costs that the plaintiffs might incur in the future, such as purchasing credit report and monitoring services, instituting and/or removing credit freezes, and/or closing or modifying financial accounts. The Sixth Circuit concluded that the plaintiffs’ allegations were sufficient because it would be unreasonable to expect plaintiffs to sit around and wait for the information to be misused in the future, and not to take proactive steps to ensure that their personal information and financial security would be protected. The court explained, “There is no need for speculation where plaintiffs allege their data has already been stolen and is now in the hands of ill-intentioned criminals.” That alone provides a basis for drawing a “reasonable inference…that the hackers will use the victims’ data for fraudulent purposes alleged in plaintiffs’ complaints.” Even though it cannot be “literally certain” that the data will in fact be misused in the future, there is nonetheless a “sufficiently substantial risk of harm that incurring mitigation costs is reasonable.”

The claims arose from a 2012 data breach in which 1.1 million Nationwide customers’ names, marital statuses, genders, social security numbers, driver’s license numbers, and other personal information were compromised. In response to the incident, Nationwide informed its customers of the breach in a letter that advised them to take steps to prevent or mitigate misuse of the stolen data. Nationwide also provided one year of free credit monitoring and recommended that its customers sign up for fraud alerts and place holds on their credit reports. In an example of “no good deed goes unpunished,” the Sixth Circuit cited Nationwide’s mitigation efforts and recommendations as supporting its finding that plaintiffs had adequately shown injury in fact.

The Hancox decision comes just a few months after the Supreme Court’s decision in Spokeo, Inc. v. Robins (May 16, 2016), in which the Supreme Court found that the Ninth Circuit had failed to consider that an injury in fact must be concrete as well as particularized. The Sixth Circuit found that plaintiffs also satisfied the remaining elements of Article III standing: their alleged injury was “fairly traceable” to Nationwide’s conduct and likely would be redressed by a favorable decision. We hope the Supreme Court will take up this case to further elucidate the standing requirements. In the meantime, be aware that the Sixth Circuit is not a favorable jurisdiction for companies defending data breach class actions.

Posted in Cyberattack, Data Breach, Insurance, Litigation

“Full Employment for CISOs in New York”: New York Proposes the Nation’s First Cybersecurity Regulation

If you’re a CISO living in New York, get ready for the phone calls! On September 13, 2016, Governor Andrew M. Cuomo proposed the nation’s first cybersecurity regulation for financial institutions. Starting on September 28, 2016, there is a limited 45-day window for financial institutions and interested parties to submit public comments before the regulations become final.

Here are the top ten reasons why CISOs in New York will be busier than ever if the regulations are finalized:

10.       If you are a financial institution regulated by the New York Department of Financial Services (“NYDFS”), you are REQUIRED to comply with these new cybersecurity regulations. It is not a “reasonable efforts” or “best practices” standard; it is mandatory. This includes banks, insurance companies, mortgage companies, lenders, and money services companies.

9.         Regulated financial institutions must designate a qualified individual to serve as Chief Information Security Officer (“CISO”). The CISO must report directly to the Board at least two times a year (a) identifying cyber risks; (b) assessing confidentiality, integrity and availability of information systems; (c) evaluating the effectiveness of the cybersecurity program; and (d) proposing steps to remediate any cybersecurity inadequacies.

8.         Regulated financial institutions must develop written policies and procedures for third-party vendors with access to nonpublic information, very broadly defined under Section 500.01(g).

7.         Regulated financial institutions must establish a cybersecurity program and adopt a written cybersecurity policy which includes procedures for protecting: (a) information security; (b) data governance and classification; (c) access controls and identity management; (d) disaster recovery; (e) network security; (f) application development; (g) customer data privacy; (h) vendor management; (i) risk assessments; and (j) incident responses.

6.         CISOs are required to conduct due diligence on third parties to evaluate whether they have adequate cybersecurity practices. CISOs are also required to perform periodic assessments of third parties, at least annually.

5.         Regulated financial institutions must implement multi-factor authentication for individuals who have access to internal systems or to support functions.

4.         Annual penetration testing and vulnerability assessments must be included in the financial institution’s cybersecurity program.

3.         Encryption is required for all nonpublic information held or transmitted by the financial institution. For data in transit, there is one year to implement the encryption safeguards. For data at rest, there is a five-year window to implement them.

2.         Regulated financial institutions must establish a written incident response plan which effectively responds to a cybersecurity event. Section 500.16 of the proposed regulations provides seven areas that must be included in the incident response plan, including remediation of any identified weaknesses.

1.         Finally, under Section 500.17, regulated financial institutions are required to notify the superintendent of any Cybersecurity Event that has a “reasonable likelihood of materially affecting the normal operation” or “that affects Nonpublic Information.” The notification must be made within 72 hours “after becoming aware” of such a Cybersecurity Event. Additionally, the regulated financial institutions must annually submit a written statement by January 15th certifying that the institution is in compliance with the Cybersecurity regulations.

There are limited exemptions from many of these requirements, such as for institutions with fewer than 1,000 customers and less than $5 million in gross annual revenue, but given that the regulations are directed at NYDFS-regulated entities, few financial institutions are likely to qualify.

For more information regarding the NYDFS proposed cybersecurity regulations or for assistance with preparing public comments or developing cybersecurity policies and procedures, please contact Ryan P. Blaney or a member of Cozen O’Connor’s multidisciplinary Privacy, Data & Cybersecurity group.

Posted in Data Security, Legislation, Regulations

FTC Overturns ALJ’s LabMD Decision and Reasserts its Role as a Data Security Enforcer

On July 29, 2016, the Federal Trade Commission (“FTC” or “Commission”) reversed an FTC administrative law judge’s (“ALJ”) decision that had ruled against the FTC, finding that the Commission had failed to show that LabMD’s conduct caused consumer harm sufficient to satisfy Section 5 of the FTC Act. In reversing the ALJ, the FTC issued a unanimous opinion and final order concluding, in part, that public exposure of sensitive health information was, in itself, a substantial injury.

The FTC initially filed a complaint against LabMD in 2013 under Section 5 of the FTC Act, alleging that the laboratory company failed to “provide reasonable and appropriate security for personal information on its computer networks,” which the FTC claimed led to the data of thousands of consumers being leaked. The complaint arose from two security incidents that occurred several years earlier, which the FTC attributed to insufficient data security practices.

In its opinion, the FTC concluded that the ALJ had applied the wrong legal standard for unfairness and went on to find that LabMD’s data security practices constituted an unfair act or practice under Section 5 of the FTC Act. Specifically, the Commission found LabMD’s security practices unreasonable, “lacking even basic precautions to protect the sensitive consumer information on its computer system.” The Commission stated that “[a]mong other things, [LabMD] failed to use an intrusion detection system or file integrity monitoring; neglected to monitor traffic coming across its firewalls; provided essentially no data security training to its employees; and never deleted any of the consumer data it had collected.” As a result of these alleged shortcomings, medical and other sensitive information for approximately 9,300 individuals was disclosed without authorization.

Further, and perhaps more importantly, the Commission concluded that “the privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury under Section 5(n), and thus that LabMD’s disclosure of the [ ] file itself caused substantial injury.” Thus, contrary to the findings of the ALJ, the Commission essentially held that the mere exposure of sensitive personal and health information into the public domain may be enough to constitute a substantial injury for purposes of Section 5, without any proof that the information was ever misused.

As a result, the FTC ordered LabMD to establish a comprehensive information security program, obtain independent third party assessments of the implementation of the information security program for 20 years, and to notify the individuals who were affected by the unauthorized disclosure of their personal information and inform them about how they can protect themselves from identity theft or related harms.

Takeaway: While LabMD has announced its intention to appeal, the FTC’s decision reinforces its role as an enforcer of data security, even in the health care arena, where OCR has been the traditional enforcer of HIPAA and health care data breaches. Thus, in addition to OCR, health care entities must continue to monitor FTC enforcement actions to see whether there are any additional or conflicting data security standards mandated by the two agencies. Any company handling PHI should, therefore, continue to ensure that its data security policies and procedures are being implemented and followed in accordance with industry standards. Inadequate security safeguards may contribute to data breaches resulting in government investigations and enforcement actions, not just by OCR but by the FTC as well.

Posted in FTC, HIPAA, OCR

Data Breach Plaintiffs Continue to Face Article III Standing Challenges

Standing remains a high hurdle for individuals whose personal information is compromised as a result of a data breach but who cannot establish that the stolen information was actually used improperly. Class action claims against CareFirst Blue Cross Blue Shield related to a 2014 breach were dismissed by D.C. District Court Judge Christopher R. Cooper last week after he found that they failed to meet Article III’s standing requirement. This ruling comes two months after a similar ruling by a Maryland district court judge in class action claims related to the same CareFirst breach.

Judge Cooper’s decision does underscore the need to show harmful misuse of data to establish standing, but his opinion also raises the possibility that the type of information stolen may be important to determining the plausibility of alleged harm.

In the CareFirst breach, customers’ names, birthdates, email addresses, and subscriber numbers were compromised, but no social security numbers or credit card information. In his rejection of plaintiffs’ claims of injury, Judge Cooper specifically referenced the type of information that had been stolen in several instances. It is fair to ask: had either the social security numbers or credit card information of this plaintiff group been implicated, might the judge have seen a more plausible imminent harm?

Broadly speaking, Article III standing requires a plaintiff to show injury-in-fact, causation and redressability, and the alleged injury must be particularized, concrete or imminent. In the context of a class action, each named plaintiff must establish that he or she was personally injured.

The CareFirst plaintiffs’ class action complaint alleged various violations of state laws and breach of legal duties associated with protecting personal information. The claimed injuries included, inter alia, (1) an increased risk of identity theft; (2) identity theft in the form of a tax fraud; (3) economic harm through having to purchase credit-monitoring services; (4) economic harm through overpayment for insurance coverage; and (5) loss of intrinsic value of their personal information.

The district court found each claim without merit. Plaintiffs could not show how a hacker could steal their identities without their social security numbers or credit card numbers; could not claim the purchase of credit-monitoring services as an injury, since that constitutes a “self-inflicted” harm; could not substantiate their claim that some portion of their insurance premiums was now allocated to paying for security measures; and could not show that their personal information had been “devalued.”

With respect to the tax fraud claim, two named plaintiffs alleged that they suffered injury-in-fact because they had not yet received an expected tax refund. The court, however, found that the plaintiffs failed to show that their alleged injury was “fairly traceable” to the breach or how such tax refund fraud could have been carried out without their social security numbers and credit card information.

Posted in Data Breach, Litigation

OCR Announces New HIPAA Guidance on Ransomware

In response to the increasing prevalence of ransomware cyber-attacks by hackers on electronic health information systems in hospitals and medical practices, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced on Monday July 11, 2016 its publication of new HIPAA guidance on ransomware (“Ransomware Guidance”). According to OCR:

Ransomware is a type of malware (or malicious software) that encrypts data with a key known only to the hacker and makes the data inaccessible to authorized users. After the data is encrypted, the hacker demands that authorized users pay a ransom (usually in a cryptocurrency such as Bitcoin to maintain anonymity) in order to obtain a key to decrypt the data.

Notably, the HIPAA Security Rule already requires implementation of security measures to help covered entities and business associates prevent the introduction of malware (e.g., ransomware) into their systems, and to implement policies and procedures to assist in responding to ransomware attacks. The Ransomware Guidance addresses, among other areas, how to implement security measures in order to prevent, mitigate the chances of, or even recover from ransomware attacks. Not surprisingly, conducting a risk analysis (or risk assessment) is at the core of covered entities and business associates implementing security management processes as required by the HIPAA Security Rule. The Ransomware Guidance further notes that maintaining an overall contingency plan, as required by the Security Rule, that includes disaster recovery planning, emergency operations planning and frequent backups of data can also help covered entities and business associates respond to and recover from malware infections, including ransomware attacks.

In addition, the Ransomware Guidance states that ransomware attacks against a covered entity or business associate can be considered a breach under the HIPAA Rules. Specifically, the Ransomware Guidance provides, “[w]hen electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e. unauthorized individuals have taken possession or control of the information), and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.” Therefore, unless it can be shown that there is a low probability that the PHI involved in the ransomware attack has been compromised based on the factors in the Breach Notification Rule, a breach is presumed to have occurred, which would trigger the applicable breach notification provisions.

Even before OCR’s publication of the Ransomware Guidance, in late June the Secretary of HHS sent a letter (“Letter”) to the attention of chief executive officers at health care entities addressing the threat of ransomware. The Secretary attached interagency guidance to the Letter containing best practices and mitigation strategies integral to combatting ransomware incidents.

Ransomware is immediately disruptive to the day-to-day operation of businesses, as seen by its impact earlier this year on health care systems like MedStar in Washington, D.C. and Hollywood Presbyterian Medical Center in Los Angeles (“HPMC”), resulting, for example, in HPMC paying 40 Bitcoins (approximately $17,000) to regain control of its computer system. Although the Ransomware Guidance does not address whether a ransom should be paid to regain access to computer systems, the interagency guidance attached to the Letter advises against paying hackers because, among other reasons, paying a ransom does not necessarily guarantee that an entity will regain access to its system. The Ransomware Guidance does recommend that an entity victimized by a ransomware attack contact its local FBI or United States Secret Service field office.

For more information about the Ransomware Guidance contact Gregory M. Fliszar, Ryan Blaney, J. Nicole Martin or a member of Cozen O’Connor’s Health Law team.

Posted in HIPAA, Privacy
About Cyber Law Monitor
In the new digital world, individuals and businesses are almost entirely dependent on computer technology and electronic communications to function on a daily basis. Although the power of modern technology is a source of opportunity and inspiration, it also poses huge challenges, from protecting privacy and securing proprietary data to adhering to fast-changing statutory and regulatory requirements. The Cyber Law Monitor blog covers privacy, data security, technology, and cyber space. It tracks major legal and policy developments and provides analysis of current events.