On October 26, 2016 HIMSS, the leading organization in the US for health information technology and data management, issued a Call to Action for the healthcare industry to work together with cybersecurity experts from different sectors to enhance the preparedness of the healthcare industry for the imminent threat of cyber-attacks. The Call to Action reinforces the very real threat that the healthcare industry faces from internal and external threat actors. In a blog post announcing the Call to Action, Lee Kim, Director for Privacy and Security at HIMSS North America, and Samantha Burch, Senior Director, Congressional Affairs, HIMSS North America, state that “Given the vast amount of data being breached and large numbers of healthcare organizations being compromised by both insider and external threat actors (such as nation state and non-state actors, organized cybercriminals and others), it is clear the health sector needs to change its attitude toward the adoption of cybersecurity practices.”
The HIMSS Call to Action makes clear that risks to the healthcare industry from cyber-attacks go beyond mere financial and reputational damage. “The health sector currently is too vulnerable to cyber-attacks and compromises. Patient safety hangs in the balance. As a critical infrastructure sector, the health sector cannot afford to wait any longer in revolutionizing our collective approach to cybersecurity and working collaboratively with the federal government and others towards a solution. It is only a matter of time before a patient is seriously injured or potentially dies as a result of a cyber-attack or compromise—unless all stakeholders make a commitment to work together to redraw a new baseline for the health sector.”
HIMSS is recommending three key steps as part of its Call to Action:
- Adoption of a Universal Information Privacy and Security Framework for the Health Sector;
- Having Congress create a Cyber Leader role with the US Department of Health and Human Services; and
- Addressing the shortage of qualified cybersecurity professionals.
The HIMSS Call to Action is an important reminder that healthcare is extremely vulnerable to cyber-attack and that everyone in the healthcare sector should be taking immediate steps to prepare for and respond to these attacks. Troutman Sanders Healthcare and Cybersecurity Practices will continue to follow the HIMSS Call to Action and provide updates on significant developments.
BY JULIE D. HOFFMEISTER AND DAVID N. ANTHONY
On September 29, the United States District Court for the Northern District of Illinois preliminarily approved a $76 million Telephone Consumer Protection Act class action settlement against several cruise marketing companies in Birchmeier v. Caribbean Cruise Line, Inc.
According to the class action complaint that was filed more than four years ago, a telemarketing company, ESG and its related entities, placed prerecorded voice calls to class members’ cellular and landline telephones to seek business for defendants Caribbean Cruise Line, Inc.; Vacation Ownership Marketing Tours, Inc.; and Berkley Group, Inc. After certifying two classes, the Court granted partial summary judgment to the plaintiffs, holding that the calls made by ESG to consumers’ cell phones violated the TCPA. One of the only issues left for trial was whether the defendants would be held vicariously liable for the calls placed on their behalf. As the parties were preparing for trial, the defendants moved for summary judgment and to decertify the class based on the Supreme Court’s decision in Spokeo. The Court denied both motions and the parties subsequently settled.
The settlement agreement provides for two classes – one for individuals that received cellular phone calls and another for those who received landline calls – who received calls made by or on behalf of the defendants from August 2011 to August 2012. Each class member who submits a valid claim will be entitled to $500 per call unless the $76 million ceiling is reached. If it is, then class members will receive a pro rata share of the fund based on the number of calls they received. Such relief, commented the parties, is almost unprecedented.
The Birchmeier settlement is one of the largest settlements in TCPA history, and it illustrates the importance of not only ensuring your company’s compliance with TCPA requirements, but also keeping a close eye on any third-party vendors who are acting on your behalf.
BY RONALD I. RAETHER, JR., MARK C. MAO, ASHLEY L. TAYLOR, JR. AND C. READE JACOB, JR.
On September 13, the New York Department of Financial Services issued proposed regulations that would require banks, insurance companies, and other financial services institutions to establish and maintain a cybersecurity program and to take other measures to protect against data breaches and cyber attacks.
Among the planned requirements, regulated financial institutions will be required to (a) establish a cybersecurity program and adopt a written cybersecurity policy; (b) designate a Chief Information Security Officer responsible for implementing, overseeing, and enforcing the new program and policy; and (c) have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third parties, along with a variety of other requirements to protect the confidentiality, integrity, and availability of information systems. Board chairpersons would also be required to file annual certifications with NYDFS, stating, to the best of their knowledge, that their companies’ cyber programs comply with the regulation.
Other measures would include appointing overseers for outside vendors and limiting access to customers’ non-public information, such as Social Security numbers, to employees who need those details, according to the proposal. Systems would also have to include multiple steps for verifying user identities.
Notably, the proposed regulations are already called for under guidance set by the Federal Financial Institutions Examination Council, a panel of regulators including the Federal Deposit Insurance Corp., the Federal Reserve, and the Office of the Comptroller of the Currency.
The proposed regulations are also similar to (albeit more comprehensive than) Massachusetts’ Standards for the Protection of Personal Information of Residents of the Commonwealth regulation. That law, which has been in place since 2010, requires every business that licenses or owns personal information of Massachusetts residents to comply with minimum security standards. Those minimum standards include implementing a written information security program (referred to as a “WISP”) with appropriate administrative, technical, and physical safeguards.
The proposed regulation is subject to a 45-day notice and public comment period following the September 28 publication in the New York State register before its final issuance.
BY RONALD I. RAETHER, JR.
You cannot control when a data breach or other cyber incident will occur at your financial institution, but you can control how you prepare for it. Cyberattacks and incidents are increasing across every industry. This holds true for large financial players and small community banks alike. The rise of these incidents will have an impact not only on patron security, but also on the regulations by which financial institutions must abide.
During this complimentary webinar on October 5 at 12 p.m. EST, Troutman Sanders attorneys Shannon Patterson and Ron Raether will address how action – or inaction – now can affect your company after an attack or incident. The discussion will include incorporating cybersecurity into corporate governance, tools for building a culture of privacy compliance, why you should be preparing for litigation before an event occurs, and best practices for your company’s response.
For more information or to register, please click here. One hour of CLE credit is currently pending.
BY JULIE D. HOFFMEISTER AND RONALD I. RAETHER, JR.
The Third Circuit recently affirmed a District Court’s dismissal of a data breach class action against Benecard Services Inc. (“Benecard”).
Benecard is a prescription benefit administrative services company that provides mail and specialty drug dispensing, managed vision services, and contact lens mail order services to public and private sector organizations. The instant case arose from the 2015 data breach of Benecard’s computer system. Plaintiffs are former employees and customers of Benecard who provided their names, dates of birth, addresses, and Social Security numbers as a prerequisite to employment or use of Benecard’s services. Plaintiffs’ personal information was compromised during the breach. Specifically, Plaintiffs’ personal information was used by unknown third parties to file fraudulent tax returns, and the IRS subsequently issued tax refunds to the unknown third parties rather than to Plaintiffs. Plaintiffs brought claims against Benecard for negligence and breach of implied contract under Pennsylvania law.
The District Court held that Pennsylvania’s economic loss doctrine barred Plaintiffs’ negligence claim, and that Plaintiffs’ breach of contract claim failed to state a claim for relief. The Third Circuit affirmed the District Court’s decision.
First, Pennsylvania’s economic loss doctrine provides that “no cause of action exists for negligence that results solely in economic damages unaccompanied by physical injury or property damage.” Because Plaintiffs’ negligence claim sounds only in economic loss resulting from the fraudulent tax returns filed with their information, the Third Circuit affirmed that the economic loss doctrine bars their claim.
The Third Circuit also shot down Plaintiffs’ alternative theory that Benecard breached an implied contract by failing to adequately safeguard Plaintiffs’ confidential information that Plaintiffs entrusted to Benecard as a condition of employment or doing business with the company. “This requirement alone did not create a contractual promise to safeguard that information, especially from third party hackers,” held the Third Circuit. Plaintiffs did not offer evidence of “any company-specific documents or policies from which one could infer an implied contractual duty to protect Plaintiffs’ information.” In other words, “[m]erely claiming that an implied contract arose ‘from the course of conduct’ between Plaintiffs and Benecard is insufficient to defeat a motion to dismiss.”
The class action is now dismissed in its entirety.
BY JULIE D. HOFFMEISTER AND RONALD I. RAETHER, JR.
A plaintiff filed a complaint against an online university, alleging claims under the Telephone Consumer Protection Act and the Illinois Consumer Fraud and Deceptive Business Practices Act (“ICFA”) relating to the defendant’s alleged repeated and unsolicited calls to the plaintiff’s cell phone.
The defendant, Ashford University, LLC, allegedly called plaintiff Melissa Nelson’s cell phone on at least 50 different occasions in an attempt to solicit her business. Nelson claimed that “her life and well-being were disrupted by the constant calls to her cell phone,” and that the repeated calls resulted in “emotional distress, mental anguish, invasion of privacy, increased anxiety, increased depression, general aggravation, increased usage of her cell service, and diminished data storage on her cell [phone].”
Ashford University filed a motion to dismiss Nelson’s ICFA claims. The ICFA requires a plaintiff to show they suffered “actual damage” due to a defendant’s violation of the Act, and demands that “‘[a]ctual damages’ must arise from ‘purely economic injuries.’” Ashford University argued that Nelson did not allege any actual damages in her complaint. The Court agreed.
With respect to the plaintiff’s claim of increased usage of her telephone service and diminished space for data storage, the Court pointed out that Nelson had not alleged that she had suffered any monetary cost that would not have otherwise occurred, such as overage charges for telephone or data services. As to her claim of emotional distress, the ICFA provides that emotional distress damages are only compensable “when they are part of a total award that includes actual economic damages.” Because Nelson failed to prove any purely economic damages, her emotional distress claim also failed.
The Court therefore granted Ashford University’s motion to dismiss the ICFA claim. Nelson’s TCPA claim is still pending. Troutman Sanders will continue to monitor the developments in this case.
BY MEGAN C. NICHOLLS, RONALD I. RAETHER, JR. AND MARK C. MAO
The Federal Trade Commission announced on August 29 that it is seeking public comment on its Standards for Safeguarding Customer Information, commonly known as the Safeguards Rule, as part of the FTC’s periodic retrospective review of the rules. The Safeguards Rule, effective May 23, 2003, was issued under the Gramm-Leach-Bliley Act and places certain requirements on financial institutions to safeguard their customer information. Financial institutions are those entities significantly engaged in activities that the Federal Reserve Board has determined to be financial in nature, such as lending or investing money, providing financial advice, and brokering, underwriting, or servicing loans. Financial activities do not include activities that the FRB determined to be incidental activities or activities that were determined to be financial in nature after enactment of the GLBA – two issues the FTC has suggested require reconsideration in requesting comments on whether the scope should be expanded.
The Safeguards Rule requires that a financial institution develop, implement, and maintain a comprehensive written information security program consisting of administrative, technical, and physical safeguards that the financial institution uses in all stages of the customer information lifecycle. In developing a written information security program, financial institutions must inventory customer information in their possession and identify any reasonably foreseeable internal and external risks which could compromise the security, confidentiality, or integrity of the information. Once the risks have been identified, a financial institution should then design and implement safeguards appropriate to the size and complexity of the financial institution, the nature and scope of its activities, and the sensitivity of the customer information at issue. Financial institutions are required to test and monitor the effectiveness of implemented safeguards and make adjustments as necessary to continuously combat developing threats.
The FTC has asked for comment, and corresponding evidence, on several general and specific issues posed by the Safeguards Rule as provided in the Federal Register Notice. There are two particularly interesting issues raised by the FTC. First is continued consideration of the impact the Safeguards Rule has on small businesses. Comments to the original Safeguards Rule suggested that it would create burdens, including financial, on small businesses that potentially lack the expertise needed to develop, implement, and maintain required safeguards – expertise that larger entities arguably have. The FTC addressed these comments in 2003 by taking a flexible approach with the final Safeguards Rule, allowing businesses to implement safeguards appropriate to the size and complexity of the business. It is clear from the questions posed in this periodic review that the FTC remains interested in how small businesses are coping with the requirements, from both financial and compliance perspectives.
The second issue is whether the Safeguards Rule should be modified to include more detailed requirements for information security programs. Specifically, the FTC asked about whether the rule should require information security programs to include a response plan in the event of a breach to the security, integrity, or confidentiality of customer information, and whether the rule should rely on other information security standards or frameworks, such as the National Institute of Standards and Technology’s Cybersecurity Framework or the Payment Card Industry Data Security Standards. The questions raised by the FTC account for the overall impact such prescriptive changes could have on the costs imposed on and benefits to consumers and businesses, including small businesses. It is a logical question to then ask, if the rule is modified to contain more detailed requirements, whether the FTC might consider including a safe harbor under the rule to balance out any increase in cost to comply – a question that remains unanswered for now.
The FTC will be accepting public comment until November 7.
Troutman Sanders’ cybersecurity, information governance, and privacy team monitors developments in various information security standards, and advises clients on compliance with such standards and how to address new and emerging threats.
BY RYAN A. LEWIS AND MARK C. MAO
The United States Department of Health and Human Services, Office for Civil Rights (“OCR”), has assessed a $5.55 million fine against an Illinois healthcare provider for alleged HIPAA data privacy violations. The settlement is the largest to date between the OCR and any single entity, and is one of several multi-million dollar settlements obtained by the OCR this year.
Advocate Health Care Network (“Advocate”), a nonprofit organization and the largest healthcare organization in Illinois, came under OCR scrutiny in 2013 after it submitted breach notification reports relating to three distinct data security incidents involving its subsidiary, Advocate Medical Group (“AMG”). According to the OCR, the three incidents affected the electronic protected health information (EPHI) of over four million individuals. Advocate first reported that four desktop computers containing the EPHI of approximately four million users were stolen from an administrative office building. In the second incident, Advocate notified HHS that the EPHI of approximately 2,000 patients had been potentially exposed to an unauthorized third party via an associated billing services provider. The third incident consisted of the theft of a laptop containing the unencrypted EPHI of approximately 2,000 individuals from an unlocked employee vehicle.
According to the OCR, the EPHI included individuals’ demographic information, clinical information, health insurance information, patient names, addresses, credit card numbers and their expiration dates, and dates of birth. As a result of its investigation, the OCR found, among other things, that Advocate had failed to conduct an accurate and thorough risk analysis of its facilities, IT equipment, applications, and its data systems handling EPHI, that it failed to limit physical access to certain electronic information systems, and that it failed to obtain an adequate assurance from its associated billing services provider regarding the safeguarding of EPHI.
As a “covered entity” under HIPAA, Advocate is subject to OCR regulation. Under the terms of the settlement, Advocate admits no liability, and in addition to the fine, Advocate has entered into a mandatory corrective action plan set forth by the OCR.
BY RONALD I. RAETHER, JR., MARK C. MAO AND RYAN A. LEWIS
Reversing the findings of an Administrative Law Judge, the FTC has found that LabMD, Inc., a former provider of clinical laboratory testing services to physicians, violated Section 5 of the FTC Act by failing to maintain proper data security practices. The final order, issued on July 29, is notable in its position suggesting that the FTC has broad power to regulate even the extremely limited disclosure of personal medical information.
LabMD operated as a provider of laboratory testing services for physicians from 2001 to 2014. The company maintained sensitive patient samples and testing information. In 2013, the FTC issued a complaint against LabMD, which alleged that LabMD failed to provide reasonable and appropriate security for personal information stored on its computer network. The complaint was based on an alleged vulnerability identified in 2008 by a forensic analyst working for Tiversa, a data security company. While the Office of Civil Rights might be expected to take charge had the event happened today, the FTC asserted jurisdiction.
The Tiversa analyst allegedly located a copy of a LabMD insurance aging report via a peer-to-peer (P2P) application. The file, referred to in the opinion as the “1718” file, supposedly contained “1,718 pages of sensitive personal information for approximately 9,300 consumers, including their names, dates of birth, social security numbers, ‘CPT’ codes designating specific medical tests and procedures for lab tests conducted by LabMD, and, in some instances, health insurance company names, addresses, and policy numbers.” The forensic analyst alleges that he was also able to download other shared files from the same LabMD IP address. The 1718 file was allegedly exposed because a LabMD billing manager was given administrator rights and downloaded a P2P application to her computer. The billing manager had allowed the P2P application to share the entire contents of her “My Documents” folder with other users.
The ALJ held that under Section 5(n), LabMD’s computer data security practices had not been shown to have “caused” or have been “likely to cause” “substantial consumer injury” sufficient to invoke the FTC’s jurisdiction. In pertinent part, the ALJ found that the limited disclosure of the 1718 file to Tiversa (and to an affiliated academic researcher) did not constitute sufficient injury under Section 5(n). The ALJ also noted that Complaint Counsel relied on unsubstantiated evidence provided by Tiversa in bringing its original complaint.
In reversing the ALJ, the Commission determined that the ALJ improperly interpreted Section 5(n) of the FTC Act, and it disagreed with the ALJ’s findings. Specifically, the Commission found that LabMD’s unauthorized disclosure of the 1718 file itself caused substantial injury under Section 5(n), even though the 1718 file disclosure was limited to only Tiversa and one other researcher. The Commission noted that “substantial” consumer injury under Section 5(n) could include “an intangible but very real harm like a privacy harm resulting from the disclosure of sensitive health or medical information.” The mere disclosure of the 1718 file itself was therefore sufficient injury under Section 5(n).
Further, the Commission concluded that the disclosure of the 1718 file via a peer-to-peer file sharing application “was likely to cause substantial injury and that the disclosure of sensitive medical information did cause substantial injury” under Section 5(n). The opinion noted that physical or economic harm was not required, at least when medical information is at issue. “[T]he disclosure of sensitive health or medical information causes additional harms that are neither economic nor physical in nature but are nonetheless real and substantial and thus cognizable under Section 5(n).” Finally, as to whether substantial injury was “likely” to occur, the Commission stated that “a practice may be unfair if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low.”
The Commission also pointed to specific shortcomings in the company’s data security procedures. Those issues included LabMD’s failure to employ adequate risk assessment tools, including intrusion detection, file integrity monitoring, and penetration testing. The opinion also noted that LabMD failed to provide data security training to its employees, and that it failed to adequately restrict or monitor employee administrator access. The Commission also stated that the security tools LabMD had used to mitigate risk were inadequate under the circumstances, and that its “antivirus programs, firewall logs, and manual computer inspections … could identify only a limited scope of vulnerabilities” and were often used ineffectively.
The problem with the Commission’s ruling is that it turned the “likely to cause substantial consumer injury” test on its head, finding unfairness where an unlikely risk may be theoretically large in potential scope. This conclusion is at odds with the statutory requirement that there was actual – or even likely – harm. The test for jurisdiction under Section 5 in no way suggests that the likelihood of harm test (causation) requires a lower standard if the consumer injury is somehow potentially more “substantial.”
LabMD has 60 days in which to file a petition for review of the FTC’s decision with the U.S. Court of Appeals. Michael Daugherty, president and CEO of now-defunct LabMD, recently expressed his desire to take the legal battle to federal court on appeal.
BY DAVID M. GETTINGS, TIM J. ST. GEORGE, ALAN D. WINGFIELD AND DAVID N. ANTHONY
In Cour v. Life360, Inc., the United States District Court for the Northern District of California granted a defendant’s motion to dismiss a claim under the Telephone Consumer Protection Act, finding that the defendant’s system for sending text messages did not constitute “making” a call under the statute. In reaching its decision, the Court advanced a narrow interpretation of what it means to “make” a call under the TCPA.
Cour involved allegedly unsolicited text messages. According to the plaintiff, he received a text message from Life360 saying “TJ, check this out….”, despite not being a Life360 user and never downloading the Life360 app. Because he claimed that this text message was unwelcome, the plaintiff sued Life360 for allegedly “mak[ing]” a call without express consent – a practice generally restricted under the TCPA.
For purposes of the Court’s decision, it presumed that Life360 works in the following manner: (1) Life360 asks users for permission to access their phone’s contacts; (2) users who allow such access are brought to a screen giving them the option to “add members;” (3) users are then given the option to “invite” specific members of their contacts to join Life360; and (4) Life360 sends text messages to those contacts “invited” by a member.
In deciding to dismiss the plaintiff’s claims, the Court’s analysis turned on whether Life360 “makes” calls under the TCPA. It held that Life360 does not. According to the Court, the fact that Life360 requires users to choose which of their contacts should receive an invitation, and then requires users to press the “invite” button before the text message is sent, means that Life360 is not making “calls” under the TCPA.
In reaching this conclusion, the Court was guided by the Federal Communication Commission’s July 10, 2015 order, wherein the FCC analyzed whether two companies, TextMe and Glide, “make” calls under the TCPA. The Court found the FCC’s analysis “[o]f particular relevance” because it clarified for the Court the type of actions that constitute “making” calls in the context of apps sending invitational text messages. For example, the Court noted the FCC’s conclusion in an analogous situation that the “app user’s actions and choices effectively program the cloud-based dialer to such an extent that he or she is so involved in the making of the call as to be deemed the initiator of the call … .”
Ultimately, in the Court’s view, the goal of the TCPA is to prevent the invasion of privacy. When considering the facts of the case and the FCC’s interpretation of the TCPA, the Court concluded that the person who chooses to send an unwanted invitation through Life360, and not Life360 itself, “is responsible for invading the recipient’s privacy.” As a result, the Court dismissed the plaintiff’s TCPA claims.