Organized crime and other criminal enterprises consider cyber-intrusions a “low-risk, high-reward proposition,” and they pose a serious threat to every business that is connected to the internet or uses electronic systems. The U.S. Department of Justice (DOJ) has joined the growing list of federal agencies weighing in on cyber-security “best practices.” On the heels of the Federal Trade Commission and the HHS Office for Civil Rights and Office of the National Coordinator, DOJ has released its own guidance on steps to take before a cyber-intrusion or data breach occurs, together with a template response for cyber-intrusions and attacks. Following the accepted protocol of “Preparedness, Response and Recovery,” the Guidance identifies steps a business should take before, during and after cyber-intrusions to minimize risk and defuse the impact of breaches when they do occur.
May 7, 2015
Supreme Court Grants Certiorari In Spokeo Case – Set To Address Article III Standing In Cases With No Concrete Harm
On April 27, 2015, the United States Supreme Court granted certiorari in Spokeo Inc. v. Robins, a case which could have wide-ranging implications for lawsuits, including class actions, against businesses under a number of consumer protection statutes.
In a case that the Supreme Court will hear and decide in its next term, the Court will address whether Congress may confer Article III standing on a plaintiff who suffers no concrete harm simply by authorizing a private right of action based on the violation of a federal statute alone. If the Court reverses the lower court’s decision, it could mean the death knell of the “no harm” class action lawsuits that have proliferated under statutes allowing statutory damages without proof of actual harm.
April 28, 2015
Lately there’s been a flurry of activity related to health IT in the 114th Congress. At the end of March, the House passed the SGR bill, or “Doc Fix,” by an overwhelming vote of 392-37. If there are no hang-ups, the Senate is expected to pass it Tuesday night.
The SGR bill repeals the old formula for paying doctors and creates a new formula for a value-based Medicare payment system. The bill also includes a few key HIT measures: it requires HHS to create metrics to determine whether EHRs are interoperable by July 2016, it defines interoperability as the ability of two health systems to exchange clinical data, and it includes language requiring providers to show they are not blocking information, to name just a few provisions.
April 15, 2015
The Office of the National Coordinator for Health Information Technology (ONC) has just issued a new Guide to Privacy and Security of Electronic Health Information to help everyone that deals with electronic health information better incorporate federal health information privacy and security requirements into their organization.
The Guide is broadly applicable to anyone that is a HIPAA Covered Entity or Business Associate as well as Medicare Eligible Professionals under the CMS Electronic Health Record (EHR) Incentive Programs (the “Meaningful Use” program).
April 13, 2015
On April 8, Bill No. A06866, sponsored by Assemblyman Jeffrey Dinowitz (D-Bronx), was introduced in the New York State Assembly.
The bill would amend the General Business Law to add a new section, 899-BB, that would require persons and businesses that conduct business in New York State and own or license computerized data which includes “private information” of a New York State resident, to “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity” of the information, including data disposal.
April 10, 2015
On March 12, 2015, bipartisan members of the powerful House Energy and Commerce Committee, Subcommittee on Commerce, Manufacturing, and Trade announced draft legislation to address increasing concerns about data security vulnerabilities and challenges.
The “Data Security and Breach Notification Act” (the “Act”), authored by Energy and Commerce Committee Vice Chairman Marsha Blackburn (R-TN) and Representative Peter Welch (D-VT), would create a national standard for safeguarding electronic personal information, and mandate notification and reporting of possible breaches, specifically preempting current state laws.
Here are some highlights of the discussion draft:
March 19, 2015
Last week’s Global Privacy Summit presented by the International Association of Privacy Professionals provided attendees with many important insights and practical tips for protecting the privacy and security of information. In case you missed it, here are some of the highlights:
March 13, 2015
Last week’s Privacy & Security Forum presented by HIMSS Media and Healthcare IT News provided attendees with many important insights and practical tips for protecting the privacy and security of digital health information.
In case you missed it, here are some of the highlights:
March 9, 2015
Everyone by now has heard the rhetoric, foreign policy debate and Hollywood gossip surrounding the massive data breach at Sony Pictures Entertainment, reportedly engineered by the government of North Korea. While its immediate impact affects popular culture — withdrawal of the film The Interview from its U.S. premiere and theatrical exhibition — far less discussed have been the likely effects of the high-profile intrusion and theft on cybersecurity issues at the corporate officer and Board of Directors level.
For five reasons, this episode may well (and to this author, should) turn out to be a tipping point in the adoption by corporate boards and officers of strong cyber threat prevention, detection and remediation practices.
- Corporate IP and Trade Secrets Are Valuable. In addition to the internal and embarrassing hacked emails, the Sony Pictures cyber intruders also absconded with the script of a forthcoming James Bond film, along with internal Sony P&Ls and actual expense compilations for movie productions. These are intellectual property (IP) and very sensitive trade secrets, different and far more valuable corporate assets than routine customer Social Security or credit card information; they represent the results of R&D, so their theft directly undercuts profitability, and they reflect non-public business information subject to extremely limited distribution. Per-picture budgets and profitability, for instance, have been a huge Hollywood issue for decades, with writers, stars and directors all jockeying for a share of profits but largely lacking documentation of actual profit margins. That’s bad enough, but imagine (as a hypothetical) that hackers manage to steal the digital plans for Boeing’s next commercial aircraft, the source code for Microsoft’s next release of Windows, or the even more secret formula for Coca-Cola. Those jewels of corporate intellectual property could be the Chernobyl of cyber breaches if hacked by competitors, extortionists or both.
- Plaintiffs Have Standing to Sue. The federal courts to date have largely been unresponsive to consumer class actions arising from merchant and retailer data breaches, on the theory that until stolen data is actually used against a victim, he or she has not been directly injured and thus lacks standing to sue. That is not the case where it is corporate IP that is hacked, because (a) the stock market quickly adjusts share prices downward for the costs of legal defense and the likely loss of sales revenue, and (b) stockholders by definition have standing to sue where share prices fall, which is classic financial “injury.” This means that claims under the federal securities laws for misleading statements or lack of disclosure related to cybersecurity incidents, as well as so-called derivative actions against directors and officers for negligence or breach of fiduciary duty, are far more likely to be filed and to make it to the merits, that is, to trial. The 100+ lawsuits against Target for its late-2013 consumer breach could understate the claims potentially leveled against Sony management and directors by an order of magnitude.
- Insurance May Not Cover the Losses. Many corporate boards are indemnified by the company for all but malfeasance or gross negligence, which increases the company’s costs from legal claims arising from cyber breaches. Yet those costs may or may not be covered by ordinary liability and “errors and omissions” insurance policies. The coverage question is complicated, and beyond the scope of this blog, but it is a fervent area of insurance law with lots of room for missteps on both sides. Without insurance coverage, management and corporate boards will be forced to take significant charges or reserves against earnings to cover those potentially huge expenses, which only reinforces the financial and likely stock price impacts of hacking.
- State-Sponsored Corporate Hacking Is Warfare. The major cybersecurity public policy issue in 2014 was whether threat information should be shared between the private sector and government. Legislation (the Cybersecurity Information Sharing Act, or “CISA”) to jump-start threat sharing by creating public records release and antitrust exemptions failed in the U.S. Senate. Now it seems that the most immediate result of the Sony Pictures breach will be a non-partisan push for enactment of that bill as soon as possible, with an expansion to include the Department of Defense as well as DHS being rumored. The Washington Post has already reported that “As the fallout from the cyberattack against Sony Pictures grows amid reports that the hack may be linked to the North Korean government, lawmakers and the Obama administration are calling on Congress to focus heavily on cybersecurity legislation after the holiday recess.” Where the cyber threat comes from a foreign state, in other words, even the robust capabilities available in private sector data protection are likely insufficient to guard a company’s IP. State-sponsored hacking is corporate espionage on steroids.
- Even Embarrassing Stuff Has Big Legal Consequences. State law has established a number of torts related to the publication of true but embarrassing, or private, information about people, often compiled under a catch-all “invasion of privacy” moniker. Ordinarily it is the publisher or speaker who is liable and the target of litigation claims. But those same torts apply to anyone with a duty of care to the plaintiff, and it is difficult to see how a company does not have a duty to keep private and potentially embarrassing email discussions reasonably safe from theft by outsiders. The legal framework is complicated by more archaic doctrines of ownership of corporate email content, but the risk is extremely large where the industry is a lucrative one. Silicon Valley executives make as much, if not more, via stock and options than their Hollywood counterparts. So the consequence is that privacy tort claims like those already filed against Sony will become commonplace if internal corporate communications become — as the publicity surrounding Sony Pictures executives’ racially insensitive jokes clearly suggests — a target of hackers looking for blackmail evidence.
Like all prognostications, these are predictions, not guarantees. But the one certain thing is that after the Sony Pictures breach, corporate boards and management will be paying much closer attention to cybersecurity, at the very least because it is now hitting them where it hurts the most: in the pocketbook and bank account.
For more information, please contact Glenn Manishin.
December 19, 2014
September 23, 2014 is fast approaching! It is the date by which all Business Associate Agreements (BAAs) must be brought into compliance with the HIPAA Omnibus Final Rule. On January 17, 2013, HHS published the Omnibus Rule which made significant modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules. Covered entities and business associates generally had until September 23, 2013 to comply with the changes made by the Omnibus Rule. This included bringing certain of their BAAs into compliance. Recognizing, however, that covered entities and business associates may have many BAAs, the Omnibus Rule included an alternative compliance date of September 23, 2014 to update BAAs where (1) there was a compliant BAA in place on January 25, 2013, and (2) the BAA was not modified between March 26, 2013 and September 23, 2013.
With the September 2014 deadline looming, covered entities and business associates are refocusing their attention on BAAs. Covered entities are trying to ensure that they have the appropriate agreements in place with their business associates. Likewise, business associates are making sure that they have proper agreements with their subcontractors.
August 28, 2014