Social Engineering Cons: Which Insurance Policy Pays?

New York partner Laurie Kamaiko was published in the article, “Social Engineering Cons: Which Insurance Policy Pays?” published September 25, 2016, in Carrier Management. Ms. Kamaiko provides an overview of the coverage debate and court rulings to date, which include coverage for cyber crimes, creating cyber policies and covering the gaps in coverage with the increase of these types of crimes.

 

Snowden, The Espionage Act and The Media

Concurrent with the release of Oliver Stone’s film starring Joseph Gordon-Levy have come a number of calls for President Obama to pardon Edward Snowden for his violations of the Espionage Act. There has been a good deal of editorializing on the issue by various media outlets.  The New York Times, for example published an op ed calling for a pardon.  The Washington Post editorial board, on the other hand, while acknowledging that Snowden’s actions have produced some public benefits, has taken the position that Snowden should stand trial on espionage charges or, as a “second-best solution,” accept “a measure of criminal responsibility for his excesses and the U.S. government offers a measure of leniency.”  The Post’s position was not lost on Glenn Greenwald (played in the movie by Zachary Quinto), who wrote in The Intercept that the Post “has achieved an ignominious feat in U.S. media history: the first-ever paper to explicitly editorialize for the criminal prosecution of its own source.”  So, why is Snowden, who gave this information to several media entities likely facing the choice of a long term residency in Moscow or trial for violation of the Espionage Act, and the Post, which published much of this information to a worldwide audience, the recipient of a Pulitzer Prize?

The issue of prosecution of a media entity on espionage charges for publishing classified information has never been squarely addressed. The Espionage Act was directly invoked against the press by the Nixon Administration in an effort to obtain an injunction to prevent publication of what are now known as the Pentagon Papers — classified documents relating to Vietnam policy leaked by defense analyst Daniel Ellsberg that showed material inconsistencies between the government’s public assertions and private misgivings regarding a successful conclusion of the war.  The government’s lawsuit invoked as statutory authority for injunctive relief section 793(e) of the Espionage Act, which makes it unlawful for anyone who has “unauthorized possession of” information “relating to the national defense” with “reason to believe [it] could be used to the injury of the United States or to the advantage of any foreign nation” to “willfully communicate” the information to persons not entitled to receive it.  Accordingly, when the case reached the Supreme Court, the issue was not whether the press could be criminally prosecuted under the Espionage Act but, rather, whether the government was entitled to a prior restraint on publication.  The Court, in a very brief, per curium order, ruled that the government had not met its burden of showing that it was entitled to an injunction against publication of newsworthy information.

The concurring and dissenting opinions showed a wide divergence on the underlying issues, however, and Justices Stewart, White and Marshall suggested (in dicta) that the press could be prosecuted after-the-fact. As Justice White put it, “failure by the Government to justify prior restraints does not measure its constitutional entitlement to a conviction for criminal publication. That the Government mistakenly chose to proceed by injunction does not mean that it could not successfully proceed in another way. . . . I would have no difficulty in sustaining convictions under these sections on facts that would not justify the intervention of equity and the imposition of a prior restraint.”

The legal terrain of this issue has been further formed by the cases of Steven J. Rosen and Keith Weissman, officials with the lobbying group American Israel Public Affairs Committee (“AIPAC”) who were charged under Espionage Act sections 793(d) (unauthorized possession of national defense information transmitted to unauthorized recipients) and 793(g) (conspiracy). The leaker was Lawrence Franklin, an official working in the office of Secretary of Defense, who orally transmitted the information to Rosen and Weissman.  Franklin pleaded guilty under these same sections.  U.S. District Court Judge T.S. Ellis denied Rosen’s and Weissman’s motion to dismiss the indictment, holding the Espionage Act was constitutional on its face and as applied to Rosen and Weissman.  However, Judge Ellis rejected the government’s argument that no First Amendment issue was presented by such an indictment holding  that “the mere invocation” of national security or government secrecy’ does not foreclose a First Amendment inquiry, and that the analysis was dependent upon the circumstances in which the act was done. He held that (1) the term “information related to the national defense” was limited to information “closely held” by the government, (2) that the Espionage Act applies only to disclosures, and (3) the government must prove that the defendant acted with the specific intent to violate the statute.  Further, where a prosecution rests on the catch-all phrase “other information related to the national defense” and involves intangible information (here, orally transmitted information as opposed to specific documents), the government must prove that the defendant subjectively intended “to either harm the United States or to aid a foreign government.”  The government, on the basis of these heightened intent requirements, eventually had the cases against Rosen and Weissman dismissed.

Rosen and Weissman, as mentioned, were lobbyists. Closer to the issue of potential media liability under the Espionage Act are the releases of classified documents by Wikileaks.  While Julian Assange, the founder and “editor in chief” of Wikileaks, like Snowden, has passionate supporters and detractors, unlike Snowden, Assange himself was not the leaker – that was largely done by Chelsea (fka Bradley) Manning who is currently serving time in Fort Leavenworth for (among other things) violation of the Espionage Act.  To date, Assange has not been indicted with violations of the Espionage Act, despite calls to label Wikipedia a “terrorist organization” and rumors of a secret grand jury.

While one might justly refuse to put Wikileaks and the Washington Post in the same category, in the current media environment it is increasingly difficult to draw a line between “the press” and any number of online blogs and other disseminators of information and opinion — a difficulty which has impacted many legal issues notably including “shield laws” that give qualified protection to “the media” from having to testify and/or disclose sources to prosecutors and law enforcement.

In terms of applicability of the Espionage Act, both Wikileaks and the Washington Post have put copies of the leaked documents online where they can be viewed by anybody, including hostile powers. Thus both appear to have intended to and did disseminate to people not entitled to receive or possess them, tangible documents related to the national defense, and that at least some of these documents were both secret and objectively of a kind the disclosure of which had the potential to harm the security of the United States, and that both entities were aware of the secret nature of the documents. If this could be proven, then under Judge Ellis’ formulation, the only remaining element under the government’s burden would be whether they, respectively,  knew that disclosure of the documents “was illegal, but proceeded nonetheless”—that they acted with a purpose either to disobey or to disregard the law.

The Washington Post and the Guardian, the New York Times, and The Intercept, the four news organs that received and published large numbers of secret documents provided by Snowden, would no doubt urge that their intent was to bring necessary sunshine to what has been widely held to be illegal activity on the part of the government and to promote government by the people. It goes without saying that Snowden and Assange have articulated the same goals.  Snowden, as the leaker, is in a different category, and as an employee of a government contractor, has lower First Amendment protections, if any at all.  The odds of the Washington Post being prosecuted for violating the Espionage Act appear, at present, vanishingly small.  But these odds would appear to be greater than zero.  The Supreme Court decision in Bartnicki v. Vopper, which arose under the Federal Wiretap Act, holds that “a stranger’s illegal conduct does not suffice to remove the First Amendment shield about a matter of public concern.”  However, this holding may not address the issue raised by Justice White in his concurring opinion in the Pentagon Papers case that a publisher’s actions in and of themselves may be illegal under the Espionage Act.  I am left humming to myself the lyrics to a song by Elton John and Bernie Taupin – “keep your auditions for somebody who hasn’t got so much to lose, ’cause you can tell by the lines I’m reciting, that I’ve seen that movie, too.”

Sovereign Immunity Shields Native America Tribes from Fair Credit Reporting Act Liability

In 2014, Jeremy Meyers used his credit card to make purchases at the Green Bay Oneida Travel Center and Oneida One Stop retail locations, owned and operated by the federally‐recognized Oneida Indian tribe. He received electronically printed receipts that included more than the last five digits of his credit card and the card’s expiration date.

Meyers alleged, in a putative class action filed in April 2014, that the Tribe issued these receipts in violation of the Fair and Accurate Credit Transaction Act, which states that “[n]o person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction, 15 U.S.C. 1681c(g)(1).” FACTA defines a person as “any individual, partnership, corporation, trust, estate, cooperative, association, government or governmental subdivision or agency, or other entity.”

U.S. District Judge William C. Griesbach granted the tribe’s motion to dismiss the suit in September 2015, finding Congress did not waive Native American tribes’ immunity in the FCRA because the tribes are not mentioned in the statute. The district court also found Meyers failed to state a claim because he did not suffer an injury from the information being printed on the receipts.

Meyers appealed the district court decision, arguing that Native American tribes should be treated as governments under FACTA, claiming the court made previous exceptions to sovereign immunity in similar cases and separately found that immunity is not available to “any government” under the FCRA.

The tribe argued that because the Fair and Accurate Credit Transactions Act does not specifically mention Native Americans, U.S. District Judge William C. Griesbach rightly tossed the suit in September, and courts are prohibited from assuming Congress wanted to undermine sovereign immunity unless that intention is made plain.

“Congress did not clearly, unequivocally and unambiguously reference Indian tribes when it enacted the FCRA and FACTA and, therefore, it has not evinced an intent to waive a tribe’s sovereign immunity,” the tribe said in its brief.

The Oneida tribe also argued that substantial statutory damages from the proposed class action would affect the tribe’s right to self-governance and deprive the tribal treasury of essential funds for member services. The tribe also contended that if Congress intended FACTA to apply to them, it would have explicitly included Native American tribes under the amendment’s definition of “person,” as it did in the Fair Debt Collection Practices Act, but Meyers contends that precedent shows otherwise.

The Seventh Circuit affirmed, noting that whether a tribe is subject to a statute and whether the tribe may be sued for violating the statute are two different questions. Any ambiguity must be resolved in favor of immunity; “government or governmental subdivision or agency” does not unambiguously refer to tribes.

“Meyers argues that the district court dismissed his claim based on its erroneous conclusion that Indian tribes are not governments … [but] misses the point,” the circuit court panel said. “The district court did not dismiss his claim because it concluded that Indian tribes are not governments. It dismissed his claim because it could not find a clear, unequivocal statement in FACTA that Congress meant to abrogate the sovereign immunity of Indian tribes.”

House Committee Report Details Extent of OPM Security Failures Resulting In Breach of Over 30 Million Records

According to a report by the Republicans on the U.S. House Oversight & Government Reform Committee, the hack of the Office of Personnel Management (OPM) was the direct result of the agency’s long-standing failure to properly “prioritize cybersecurity and adequately secure high value data.”

The breach, which has been attributed to at least two Chinese government operatives, resulted in the exfiltration of personnel files of 4.2 former and current government employees, security clearance background investigation on 21.5 million individuals, and fingerprint data on 5.6 million people. The background checks, which “are designed to identify the type of information that could be used to coerce an individual to betray their country,” included information on applicants’ work histories, home addresses, financial information, and the names of relatives.  Among the extremely sensitive information included in security clearance background checks was treatment information for mental or emotional health conditions, information on alcohol abuse or illegal drug use, and financial information relating to applicant gambling habits.

In addition to making multiple findings regarding the cause of the breach, the 241-page report also provided a detailed chronology of the attack. Beginning in November 2013, one of the two attackers (“Hacker X1”) began engaging in adversarial activity on OPM’s network. On March 20, 2014, US-CERT (Computer Emergency Readiness Team) alerted OPM that Hacker X1 was exfiltrating data (including manuals and IT system architecture information) from OPM’s network.  The two agencies developed a strategy to monitor Hacker X1’s movements in order to gather counterintelligence.  However, on May 7, 2014, a second attacker (“Hacker X2”) succeeded in gaining a foothold to OPM’s network by posing as a background investigations contractor, using OPM credentials to remotely access OPM’s network and install malware to create a network backdoor.  The report notes that “OPM did not identify [Hacker X2]’s May 7 foothold despite the fact that OPM was monitoring and removing [Hacker X1]” from the network.

On May 27, 2014, after OPM observed Hacker X1 load a keylogger onto several database administrators’ workstations with access to the PIPs system (holding background investigation data), OPM executed its “Big Bang” plan, shutting down its compromised systems in order to remove Hacker X1 from the network. However, undetected Hacker X2 continued to move freely through the OPM network, installing malware on a KeyPoint web server, registering opmlearning.org as its command-and-control center for malware operations, and conducting an RDP (remote desktop protocol) session in June 2014.  By July 2014, OPM thought that it had fully resolved the breach, disclosing to the New York Times that an exfiltration had occurred in March 2014 but stating that no PII (personally identifiable information) had been lost and without disclosing the exfiltration of the IT manuals.  During this same time, Hacker X2 began exfiltrating the background investigation data from the OPM environment in the Department of Interior’s (DOI) data center.  By December 2014, 4.2 million personnel records had been exfiltrated from OPM network and DOI’s databases.  As of March 26, 2015, Hacker X2 began downloading the stored fingerprint data as well.  On or about April 18, 2015, a vendor’s deployment of an endpoint detection tool resulted in the discovery of widespread malicious activities in the OPM network.  By April 23, 2015, OPM had concluded that there had been a “major incident” involving the exfiltration of personnel records, pursuant to which it notified Congress on April 30, 2015. On June 4, 2015, OPM briefed the media and issued a press release disclosing the release of 4.2 million records on current and former federal employees, which resulted in the filing of multiple lawsuits that have since been consolidated as a multidistrict litigation in D.C.’s federal circuit.

The report’s ire was focused squarely on OPM’s lax security protocols dating back to at least 2005. It notes that the OPM Inspector General had been warning the agency since at least 2005 that its vast treasure trove of valuable information was vulnerable to hackers. According to the report, “OPM consistently reported spending less than other federal agencies on cybersecurity.”  It was not until US-CERT notified OPM of the breach in March 2014 that OPM sought additional funds for network security.  In addition, OPM failed to implement the Office of Management and Budget’s (OMB) longstanding requirement of multi-factor authentication for employees and contractors with access to the network.  Overall, the Committee found that had OPM implemented basic cybersecurity protocols and deployed more advanced security tools when it became clear that attackers were targeting critical data, the extent and severity of the breach could have been prevented or at least substantially mitigated.  According to the report, “[t]he data breach by Hacker X1 should have sounded a high level multi-agency national security alarm that a sophisticated, persistent actor was seeking to access OPM’s highest-value data … Swifter action by OPM to harden the defenses of its IT architecture could have prevented or mitigated the damage that OPM’s systems incurred.”

The report also acknowledged that OPM’s cybersecurity maturity has improved since the breach was initially disclosed. In June 2016, OPM reported to the Committee that it had “taken significant steps to enhance its cybersecurity posture, protect individuals who had their data stolen in the incidents last summer, and reestablish confidence in its ability to deliver on OPM’s core missions.”  Those steps included complete deployment of two-factor authentication for all users, implementation of a continuous monitoring program for all IT systems, hiring of a cybersecurity advisor that reports to OPM Acting Director Beth Cobert, modifying the OPM network to limit remote access exclusively to government-owned computers, and deployment of a Data Loss Prevention System to automatically prevent sensitive information from leaving the network without proper authorization.  They also established a new agency-wide centralized IT security workforce under a newly hired CISO and provided enhanced security awareness training relating to phishing and social engineering attacks.

However, the report also made broader recommendations for the federal government as a whole, including strategies to retain qualified Chief Information Officers (CIOs) for longer terms, reduction in the use of social security numbers by federal agencies, utilization of “critical position pay” to recruit and retain IT security specialists, and elimination of bureaucratic roadblocks to swift implementation of IT security policies and cyber tools. The Committee also recommended that federal agencies promote a “zero trust IT security model,” under which users inside the network are not deemed any more trustworthy than users outside the network.  This model would require agencies to strictly enforce authentication, user access controls, and closely monitor all network traffic.  The report noted that, because OPM was unable to visualize and log its network traffic, it was also unable to determine exactly how much data had been actually exfiltrated by its attackers.

While the attack on OPM could be discounted as the targeting of a government agency by foreign government operatives, there remains a broader lesson for all organizations.  In OPM’s case, they were in possession of vast stores of valuable data, whose value to attackers they apparently failed to appreciate.  As a result, they neglected to expend the resources necessary to adequately protect that data, ignoring the recommendations of industry experts and even standards adopted by other similarly-situated agencies.  When they became aware that they were under attack, they still failed to take the steps necessary to discover the full extent to which their network had been breached.  The consequences of OPM’s inaction will be borne not only by the current and former federal employees who trusted their data to their government and are now vulnerable to identity theft and extortion;  this breach has also resulted in breaches of valuable intelligence data (the CIA was forced to pull several officers from its embassy in Beijing) and expenditure of substantial government resources to discover the full extent of the data exfiltrated.  Hopefully this incident was the wake-up call needed to improve systems throughout the federal government and prevent (or mitigate) similar future attacks.

Spokeo’s Impact on Article III Standing

It has now been just over three months since the Supreme Court in Spokeo v. Robins made clear that “Article III standing requires a concrete injury even in the context of a statutory violation.” Since then, federal courts have begun to consider what impact is necessary to constitute a concrete injury-in-fact. Thus far, courts have varied in their application of Spokeo and in what is required to satisfy the concreteness requirement.

Luckily for defendants, several recent decisions support dismissal in cases alleging bare procedural violations. Below, we summarize many of these recent decisions:

  • Hancock v. Urban Outfitters, Inc., No. 14-7047, 2016 WL 3996710 (D.C. Cir. July 26, 2016) involved the defendant’s alleged violation of District of Columbia’s data collection statutes, by requesting the plaintiff’s zip code at the point-of-sale. The D.C. Circuit found that the plaintiffs failed to allege any injury that they suffered as result of having their information collected, and thus lacked Article III standing. The D.C. Circuit remanded the case to state court.
  • Attias v. CareFirst, Inc., No. 15-CV-00882 (CRC), 2016 WL 4250232 (D.D.C. Aug. 10, 2016) is a data breach case, in which the plaintiffs alleged a number of injuries, including an increased risk of identity theft, actual identity theft (for two of the plaintiffs), economic harm through purchasing credit-monitoring services and insurance coverage, loss of intrinsic value of their personal information, and violation of their statutory rights under consumer protection acts. The court rejected each of these arguments, and dismissed the case for lack of Article III standing with leave to amend. As to plaintiff’s statutory claim, the court, citing Spokeo, explained that “Where a violation of a statute may result in no harm, that mere violation is insufficient to confer standing. Even if Plaintiffs’ rights under applicable consumer protection acts have been violated, because they do not plausibly allege concrete harm, they have not demonstrated that they have standing to press their claims.” (Internal citations and quotation marks omitted).
  • Similarly, in Khan v. Children’s National Health Sys., No. TDC-15-2125, 2016 WL 2946165 (D. Md. May 19, 2016), the court held that the plaintiff lacked standing, in part, because she failed to connect the alleged statutory and common-law violations arising from a data breach to a concrete harm.
  • In Gubala v. Time Warner Cable, Inc., No. 15-cv-1078, 2016 WL 3390415 (E.D. Wis. June 17, 2016), the court dismissed the plaintiff’s claim under the Cable Communications Policy Act (CCPA), holding that defendant’s mere failure to dispose of ex-customers’ personally identifiable information in violation of the CCPA, without more, was not enough to confer Article III standing on plaintiff, where plaintiff did not allege that defendant distributed the information or that its retention caused plaintiff any harm.
  • In McCollough v. Smarte Carte, Inc., No. 16 C 03777, 2016 WL 4077108 (N.D. Ill. Aug. 1, 2016), the plaintiff claimed that the defendant violated the Illinois Biometric Information Privacy Act (BIPA) by storing her fingerprint information without obtaining her advance consent. The defendant was a locker rental company, where users used their fingerprint information to check out a locker, and to open it after it had locked (thus, the renter’s fingerprint acted as a key to the locker). The court dismissed the plaintiff’s claim for lack of standing, finding that she failed to allege how the defendant’s retention of plaintiff’s fingerprint data could constitute a concrete harm, especially where the defendant “undoubtedly understood” when she first used the system that her fingerprint data would have to be retained until she retrieved her belongings from the locker. The court found that the plaintiff also failed to establish statutory standing, but held that even with statutory standing, the plaintiff would lack Article III standing “Since a state statute cannot confer constitutional standing.”
  • Romero v. Dep’t Stores Nat’l Bank, No. 15-CV-193-CAB-MDD, 2016 WL 4184099 (S.D. Cal. Aug. 5, 2016) involved claims under the Telephone Consumer Protection Act (TCPA). Here, the plaintiff claimed to have been injured as result of being called by defendant through an automated telephone dialing system (ATDS). The plaintiff argued that this statutory violation was sufficient to establish an injury-in-fact, because she suffered the exact harm that Congress wanted to eliminate with the TCPA. The court disagreed. First, the court found that the plaintiff could not have been injured by calls she did not know were made, such as calls that she did not hear or that were made when her phone was turned off. Second, the court found that the plaintiff failed to establish any injury from calls that she did hear ring or actually answered, since she “does not offer any evidence of a concrete injury caused by the use of an ATDS, as opposed to a manually dialed call.” Additionally, the court also rejected the plaintiff’s claims to have been injured as a result of “invasion of privacy” and “trespass to chattels,” because these are not injuries in and of themselves, but instead torts, for which an injury is an element of the claim.
  • Sartin v. EKF Diagnostics, Inc., No. CV 16-1816, 2016 WL 3598297 (E.D. La. July 5, 2016), is another TCPA case dismissed for lack of standing. The plaintiff in Sartin claimed to have been injured as a result of receiving unsolicited faxes by the defendant. The defendant’s 12(b)(1) motion argued that the plaintiff lacked standing because he failed to plead an injury in fact divorced from the defendant’s alleged violations of the TCPA. The court agreed, explaining that although the plaintiff had plausibly alleged a claim under the TCPA, “Congress may not erase the requirements of Article III by legislative fiat,” and the plaintiff failed to plead facts demonstrating how the defendant’s statutory violation caused him concrete harm. The court dismissed the complaint with leave to amend.
  • In Smith v. Ohio State Univ., No. 2:15-CV-3030, 2016 WL 3182675 (S.D. Ohio June 8, 2016), the plaintiffs sought statutory damages on behalf of a putative class for violations of Fair Credit Reporting Act (FCRA), alleging that defendant obtained consumer reports on them “without first providing [them] a clear and conspicuous written disclosure, in a document consisting solely of the disclosure, that a consumer report may be obtained for employment purposes.” More specifically, the plaintiffs alleged that the defendant provided a disclosure and authorization during the job hiring process that “improperly included extraneous information such as a liability release.” The defendant challenged the plaintiffs’ claims under Rule 12(b)(1), arguing that the alleged violations amounted to FCRA procedural requirements that result in no harm. The plaintiffs, in response, attempted to establish a concrete injury by arguing that the extraneous material invaded their privacy and misled them as to their rights under the FCRA. The court found that the plaintiffs failed to alleged any concrete consequential damage.
  • Similarly, in Groshek v. Time Warner Cable, Inc., No. 15-C-157, 2016 WL 4203506 (E.D. Wis. Aug. 9, 2016), the plaintiff argued that the defendant violated the FCRA by obtaining his consumer report without first providing him with a standalone document warning him that it was going to do so. As in Smith, the court found that the plaintiff had failed to allege any concrete harm, and dismissed the case with leave to amend.
  • Jamison v. Bank of Am., N.A., No. 2:16-CV-00422-KJM-AC, 2016 WL 3653456 (E.D. Cal. July 7, 2016) also concerned a defendant’s alleged failure to make certain disclosures, but in a different context. Here, the plaintiff alleged that the defendant violated the Truth in Lending Act (TILA) by failing to disclose insurance claim proceeds in its mortgage payoff and periodic statements. The court dismissed the plaintiff’s claim for lack of Article III standing, finding that the plaintiff did not allege any injury caused by the defendant’s failure to disclose the insurance claim proceeds on the statements. The court specifically noted that the plaintiff failed to allege that she could not have gotten the proceeds information through other means.

Plaintiffs will be quick to distinguish these cases, arguing that they have adequately alleged a concrete injury separate from the statutory violation. And because many of these decisions were granted without prejudice, the plaintiffs in these cases may be successful in alleging concrete injuries not included in the complaints above. Regardless, these decisions offer welcome ammunition to defendants seeking dismissal in “gotcha” cases lacking any actual harm.

Size Does Not Matter When It Comes to OCR Investigations of HIPAA Violations

In the past, the focus of regulatory investigations for HIPAA violations has generally been perceived as focusing resources on breaches and other violations involving a large number of individuals or presenting a particularly egregious issue. Recent announcements of initiative by the Health & Human Resources‘ (HHS) Office of Civil Rights (OCR) has made it clear that its determination of which reported incidents it will investigate is not going to depend on size.

On August 18, 2016, the OCR announced an initiative to “more widely investigate the root causes of breaches affecting fewer than 500 individuals.” Breaches affecting fewer than 500 individuals are not subject to the same timing of notification to HHS as larger breaches. While if a covered entity sustains a breach of unsecured Protected Health Information (PHI) affecting 500 or more it must notify HHS “without unreasonable delay” and in no case later than 60 days from discovery, for breaches affecting fewer than 500 individuals, the covered entity can notify HSS within 60 days after the end of the calendar year and report all such breaches for the prior calendar year at the same time. 45 CFR §164.408. Regional offices generally have discretion on whether to investigate such smaller breaches.

Now, however, OCR has indicated concern that smaller breaches may not be isolated instances of minimal impact, but rather, may have a root cause that indicates entity- or industry-wide causes of non-compliance with HIPAA. Thus, each regional office is, according to the August 18 announcement, to increase its efforts to identify entity and systemic non-compliance including through investigation of such smaller breaches, and obtain corrective action. Factors the OCR identified for consideration in Regional Offices’ determination of whether to investigate a breach are:

  • The size of the breach
  • Theft of or improper disposal of unencrypted PHI
  • Breaches that involve unwanted intrusions to IT systems (for example, by hacking)
  • The amount, nature and sensitivity of the PHI involved
  • Instances where numerous breach reports from a particular covered entity or business associate raise similar issues
  • Theft of or improper disposal of unencrypted PHI
  • Lack of breach reports affecting fewer than 500 individuals when comparing a specific covered entity or business associate to like-situated covered entities and business associates

Earlier this year, OCR announced Phase II of its Audit Program in which it was reviewing the policies and procedures adopted and employed by covered entities and their business associates to meet the standards and implement the applicable Privacy, Security and Breach Notification Rules.

“Check Your Mail” — OCR Phase II HIPAA Audits May Be Coming to You!, July 19, 2016 — http://www.cybersecuritytodayblog.com/2016/07/19/check-your-mail-ocr-phase-ii-hipaa-audits-may-be-coming-to-you/

OCR 2016 HIPAA Audits Underway, March 21, 2016 —http://www.cybersecuritytodayblog.com/2016/03/21/ocr-2016-hipaa-audits-underway/

The increased aggressiveness of OCR with regard to HIPAA violations is also demonstrated by the size of fines being levied, with five of the twelve largest fines reported levied in 2016 alone. Fines have also been levied against business associates, and not just against covered entities.

Since the compliance date of the Privacy Rule in April 2003, OCR has received over 134,246 HIPAA complaints and has initiated more than 879 compliance reviews. According to the HHS website, OCR has successfully enforced the HIPAA Rules by applying corrective measures in all cases where an investigation indicates noncompliance by the covered entity or its business associate, which may include settling with the entity in lieu of imposing a civil money penalty. As of May 31, 2016, OCR reports that it settled 35 such cases resulting in a total amount of $36,639,200.00. OCR has investigated complaints against many different types of entities including: national pharmacy chains, major medical centers, group health plans, hospital chains and small provider offices. OCR also reports that it referred 575 cases involving the knowing disclosure or obtaining of PHI in violation of the Rules to the Department of Justice (DOJ) for criminal investigation.

Not all investigations result in fines or penalties. In 11,018 cases, OCR reported that its investigations found no violation had occurred. Additionally, in 13,748 cases, OCR has intervened early and provided technical assistance to HIPAA-covered entities, their business associates and individuals exercising their rights under the Privacy Rule, without the need for an investigation. OCR reports that in the rest of its completed cases, (79,865) OCR determined that the complaint did not present an eligible case for enforcement.

If you have any questions, please feel free to email a member of our Cybersecurity team at Laurie.Kamaiko@sedgwicklaw.com or Cinthia.Motley@sedgwicklaw.com

Sedgwick’s Cinthia Motley speaking at ACI’s 14th Advanced Forum on Cyber & Data Risk Insurance

Coverage, Underwriting and Claims Strategies for Managing Privacy/Security, Data and Network Risk and Liability

Who Should Attend: Insurance professionals, in-house counsel, and outside counsel specializing in technology, products, pricing, coverage options, prevention strategies and more.

Where: Park Central Hotel, San Francisco, CA

When: November 30 – December 1, 2016

Register at: www.AmericanConference.com/CyberRiskSNF

In its 14th year, the Cyber & Data Risk Insurance Conference is the premier event to learn the latest in federal and state enforcement, regulatory initiatives as well as take away invaluable information you can use in your practice, matters of critical importance and best practices for preparation, provisions, policies and response.

Sedgwick partner, Cinthia Granados Motley will participate on a panel discussion Doing Business with Europe: An Examination of the Implications of the GDPR and the Privacy Shield on Thursday, December 1 at 9:35am.

This panel will discuss and review the following:

  • What are the operational impacts of the GDPR?
    • Cybersecurity and data breach notification obligations
    • The mandatory data protection officer requirement
    • Consent and cross-border data transfers
    • Profiling and vendor management
    • Codes of conduct and certifications
    • Consequences for GDPR violations
  • The EU Privacy Shield and its impact on the US companies
  • The Network and Information Security Directive (NIS Directive) and its impact
  • What are some of the more practical ways in which businesses can understand various rules in different locations where they do business?

MICROS POS Systems Exposed By Malware Attack Which Targets Retail Merchants

MICROS, a point-of-sale (POS) payment systems vendor owned by Oracle, has suffered a malware attack according to security news site KrebsOnSecurity reported August 8, 2016.  MICROS is one of the three largest POS systems used globally by many companies in the retail and hospitality industry. It appears that Carbanak (aka Anunak), a Russian cybercriminal gang known to hack into retailers, penetrated up to 700 computer systems at Oracle, also compromising a customer support portal for companies using Oracle’s MICROS POS credit card payment systems.

Krebs indicated that Oracle first began investigating this incident on July 25, 2016 after receiving an email from a MICROS customer and reader who reported hearing about a potentially large breach at Oracle’s retail division.

Notably, while the extent of the incident is still under investigation, Oracle has acknowledged that it had “detected and addressed malicious code in certain legacy MICROS systems”  and is asking all MICROS customers to reset their passwords for the MICROS online support portal as well as the passwords for any account that was used by a MICROS representative to access their on-premises systems. Oracle also indicated that its corporate network and other cloud and service offerings were not impacted and that “payment card data is encrypted both at rest and in transit in the MICROS hosted customer environments.”

Oracle’s statements and use of the term “on-premise” (which refers to POS devices that are physically connected to cash registers at MICROS customer stores) raises some questions as to whether Oracle is concerned that compromised credentials for customer accounts at the MICROS support portal could be used to remotely administer and upload card-fraud malware to customer point-of-sale systems, thus making the customer’s on-premise devices vulnerable as a result of the malware attack.

While it is not yet known how, or if, retail companies have been affected, retail and hospitality MICROS customers should consider conducting the following:

  • Confer with their IT department and/or forensic consultants.
  • Follow Oracle’s instructions to reset their passwords for the MICROS online support portal and their passwords for any account that was used by Oracle to access their on-premises systems.
  • Check their POS systems for any installed malware.
  • Should there be an infiltration as a result of this vulnerability, or for any other reason, companies would be wise to consult with their insurance broker as to whether they have potentially applicable insurance and, if so, notify their insurer.
  • Comply with any applicable regulatory obligations, including notifying their customers of any confirmed breach of their security systems.

FTC Takes LabMD to Task for Inadequate Computer Security Practices in Violation of Section 5(n)

In a unanimous opinion, the Federal Trade Commission ruled that an Administrative Law Judge erred when he concluded that the FTC failed to prove that LabMD, a Georgia-based clinical testing laboratory, had engaged in an “unfair or deceptive trade practice” based on inadequate computer security for records containing protected health information (PHI) and sensitive personally identifiable information (PII). The FTC’s Opinion, written by Chairwoman Edith Ramirez, concluded that the wrong legal standard for unfairness had been applied and that “LabMD’s security practices were unreasonable, lacking even basic precautions to protect the sensitive consumer information maintained on its computer system.” According to the FTC, LabMD’s failures included, but were not limited to: 1) failing to use an intrusion detection system or file integrity monitoring; 2) neglecting to monitor firewall traffic; 3) failing to provide data security training to its employees; and 4) failing to delete any of the 750,000 patient records it had collected between 2008 and 2014, including records culled from its physician-clients’ databases despite never having performed testing for those patients. The Opinion also clarified the FTC’s position on when an inadequate security program is “likely to cause substantial injury to consumers” sufficient to invoke its jurisdiction. Ultimately, the message for businesses was clear: the FTC has jurisdiction to pre-emptively investigate and prosecute inadequate computer security, regardless of whether a breach has occurred.

THE HISTORY
In February 2008, a security firm named Tiversa discovered that a LabMD billing computer on the Gnutella peer-to-peer file-sharing network was inadvertently sharing an insurance aging report containing PHI and sensitive PII on approximately 9,300 patients, including their names, dates of birth, Social Security numbers, CPT codes for laboratory tests conducted, and in some cases, health insurance company names, addresses, and policy numbers. This file was referred to in the matter as the “1718 File” because it was 1,718 pages long. After locating the 1718 File, the Tiversa researcher used the “browse host” function to reveal 950 other shared files in the “My Documents” directory on the LabMD computer, most of which consisted of music and video files. However, eighteen documents were also being shared at the same time, three of which also contained patient PHI.

Tiversa disclosed its download of the 1718 File to LabMD and offered its remediation services, which LabMD ultimately rejected. Instead, LabMD proceeded to conduct an internal investigation without disclosing the breach to its affected patients. The FTC’s Opinion cites to LabMD’s engagement of an independent security firm to conduct penetration testing and vulnerability mapping on its network. Their report identified a number of urgent and critical vulnerabilities on four of LabMD’s seven servers and rated the overall security of each server as “poor.” Meanwhile, a Civil Investigative Demand (CID) served on Tiversa’s affiliate, The Privacy Institute, resulted in the production of a spreadsheet of companies whom Tiversa claimed had exposed the personal information of 100 or more individuals, including LabMD and a copy of the 1718 File. This led the FTC to open an investigation of LabMD, which resulted in an action against them for failing to implement reasonable security, an alleged “unfair” practice.

THE PROCEEDING
In November 2015, Administrative Law Judge D. Michael Chappell dismissed the FTC’s claims following an administrative trial, concluding that the FTC failed to prove that LabMD’s security practices were “likely to cause substantial consumer injury.” The FTC presented substantial expert witness testimony on the potential injuries that could result from a theft of PHI including not only identity theft and fraud but also the potential for misdiagnosis and drug interactions caused by a merger of the patient’s actual medical records with the records of the identity thief. However, rather than considering the threats posed by the practices at the time of the disclosure, the Initial Decision instead remarked that “the absence of any evidence that any consumer has suffered harm as a result of [LabMD]’s alleged unreasonable data security, even after the passage of many years, undermines the persuasiveness of [the FTC]’s claim that such harm is nevertheless ‘likely’ to occur.” Adopting a post-hoc analysis, the Initial Decision concluded that because actual harm had not yet been demonstrated from the allegedly unreasonable security practices, then the practices were not “likely” to cause substantial consumer harm. The Initial Decision also held that “privacy harms, allegedly arising from an unauthorized exposure of sensitive medical information … unaccompanied by any tangible injury such as monetary harm or health and safety risks, [do] not constitute ‘substantial injury’ within the meaning of Section 5(n).” Claiming that the “substantial consumer injury” required by Section 5(n) could not be satisfied by “hypothetical” or “theoretical” harm or “where the claim is predicated on expert opinion that essentially only theorizes how consumer harm could occur,” Judge Chappell opined that “[f]airness dictates that reality must trump speculation based on mere opinion.”

The FTC’s opinion rejected not only Judge Chappell’s analysis, but also his overly narrow view of what constitutes “harm” in the case of a security breach. According to the FTC, “[w]e conclude that the disclosure of sensitive health or medical information causes additional harms that are neither economic nor physical in nature but are nonetheless real and substantial and thus cognizable under Section 5(n).” The Commission pointed out that its very first data security case was brought against the pharmaceutical company Eli Lilly, where lax security practices resulted in the inadvertent disclosure of the e-mail addresses of Prozac users. The opinion also identified “established public policies” in both state and federal law protecting sensitive health and medical information from public disclosure, as well as the recognition of privacy harms in tort law which do not require either economic or physical harm.

More importantly, the FTC ruled that a showing of “significant risk” of injury is sufficient to satisfy the “likely to cause” standard set forth in the Act. According to Chairwoman Ramirez, Judge Chappell’s post-hoc analysis focusing on the injuries suffered by patients (whom were never notified of the breach) “comes perilously close to reading the term ‘likely’ out of the statute. When evaluating a practice, we judge the likelihood that the practice will cause harm at the time the practice occurred, not on the basis of actual future outcomes. This is particularly true in the data security context. Consumers typically have no way of finding out that their personal information has been part of a data breach.” The FTC also re-emphasized that they are authorized to act pre-emptively in order to prevent harm, explaining that “Section 5 very clearly has a ‘prophylactic purpose’ and authorizes the Commission to take ‘preemptive action.’ We need not wait for consumers to suffer known harm at the hands of identity thieves.” (citations omitted).

In addition to concluding that LabMD’s inadequate security practices were likely to cause substantial harm to the 750,000 patients in their databases, the Commission also concluded that consumers had no reasonable ability to avoid the resulting harm. It noted that most patients were wholly unaware that their records were being collected by LabMD, who obtained them directly from their physician-clients, including records for which no testing was ever performed. LabMD attempted to counter that consumers could mitigate any injury “after the fact”; however, the Commission rejected this argument outright. According to the Opinion, “[o]ur inquiry centers on whether consumers can avoid harm before it occurs … even assuming arguendo that the ability to mitigate harm does factor into its avoidability, there is nothing LabMD has pointed to that demonstrates mitigation after the fact would have been possible here. Without notice of a breach, consumers can do little to mitigate its harms.” (emphasis in original). The Commission also pointed out that “it may be difficult or impossible to mitigate or avoid further harm, since [consumers] have ‘little, if … any, control over who may access that information’ in the future, and tools such as credit monitoring and fraud alerts cannot foreclose the possibility of future identity theft over a long period of time.”

As to the third factor of its analysis (i.e. whether countervailing benefits to consumers or to competition outweighs the cost of implementing adequate practices), the FTC pointed to the ubiquity of “free or low cost software tools and hardware devices available for detecting vulnerabilities, including antivirus programs, firewalls, vulnerability scanning tools, intrusion detection devices, penetration testing programs, and file integrity monitoring tools,” as well as free or low-cost availability of IT security training courses and free notifications available from vendors, the Computer Emergency Response Team (CERT), the Open Source Vulnerability Data Base, and the National Institute of Science and Technology. From an operational security standpoint, the FTC identified that LabMD could have easily implemented access controls based on the “principle of least privilege,” limiting employees’ access to only the types of data necessary to perform their particular job functions and preventing employees from installing software such as the LimeWire application without administrative privileges. They could also have purged data for consumers for whom they had never performed testing because there was no legal obligation for them to retain this data.

The FTC’s Final Order required LabMD “to establish, implement, and maintain a comprehensive information security program that is reasonably designed to protect the security and confidentiality of consumers’ personal information” for the next 20 years, with biennial assessments and reporting. The Opinion recognized that while LabMD has ceased operations for the time being, it continues to exist as a corporation and still maintains records on approximately 750,000 consumers. Accordingly, the required information security program needs only be appropriate “for the nature and scope of LabMD’s activities,” noting that “a reasonable and appropriate information security program for LabMD’s current operations with a computer that is shut down and not connected to the Internet will undoubtedly differ from an appropriate comprehensive information security program if LabMD resumes more active operations.” The Final Order also required LabMD to notify all “individuals whose personal information LabMD has reason to believe was or could have been exposed about the unauthorized disclosure of their personal information” and “notify the health insurance companies for these individuals of the information disclosure.” LabMD has sixty (60) days after service of the Opinion and Final Order to file a petition for review with the U.S. Court of Appeals.

THE TAKEAWAY
The FTC’s authority to regulate the adequacy of computer security practices continues to solidify. In its action against Wyndham Worldwide Corp., the 3rd U.S. Circuit Court of Appeal held in 2015 that the FTC could prosecute claims of deficient security practices without first issuing regulations advising businesses how to comply with its expectations. In the reversal of Judge Chappell’s Initial Decision in the LabMD case, the FTC made it clear that its authority would not be confined by an Article III-based standing analysis requiring proof of actual injury after the fact. This pre-emptive investigative and prosecutorial authority could be further tested in cases such as where disgruntled whistleblowers report the lax security practices of their former employers, without the necessity of a public data breach. For businesses eager to demonstrate their compliance with FTC expectations, the Commission’s Opinion points to the large body of freely-available consent decrees and prior decisions outlining practices to be avoided, as well as free resources whereby businesses can improve their processes and procedures for little or no cost. When all appeals have been exhausted, LabMD will likely serve as an cautionary tale for others – if they had put only a fraction of the effort they have expended defending themselves into preventative improvement of their security processes, they might still be in business today.

“Check Your Mail” – OCR Phase II HIPAA Audits May Be Coming to You!

As reported in the March 21, 2016 Blog Post, the 2016 HIPAA Audits Season had begun. As stated on its website, “OCR uses the audit program to assess the HIPAA compliance efforts of a range of entities covered by HIPAA regulations.”  The OCR intends to use the audits as a proactive measure, in conjunction with its ongoing complaint investigations and compliance reviews, to identify problems before they result in breaches.  Phase II of the OCR audit program has been underway for several months.

On July 12, 2016, the OCR announced that it sent email letters to 167 Covered Entities, including health plans, health care providers, and health care clearinghouses, that they would be subject to desk audits. Recipients of this recent notification will have 10 days (or until July 22, 2016) to comply with the documents requests.  After these documents are received, the OCR auditor will review the information and provide the Covered Entity with draft findings.  The Covered Entity will then have 10 days to provide any written comments to the auditor.  Thereafter, it is expected that the OCR auditor will then complete a final audit report within 30 business days. The desk audit is intended to evaluate the Covered Entity’s compliance with HIPAA’s Privacy, Security, and Breach Notification Rules.  The email letter notified the Covered Entity of the subject(s) of the audit, which reportedly include whether the Covered Entity has required documents under the following areas:

  • Privacy Rule

Notice of Privacy Practices & Content Requirements

Provision of Notice – Electronic Notice

Right to Access

  • Breach Notification Review

Timeliness of Notification

Content of Notification

  • Security Rule

Security Management Process – Risk Analysis

Security Management Process – Risk Management

Based on the designated sections at issue with the HIPAA desk audits, the focus seems to be on the Covered Entity’s understanding and compliance with the requirements directed to patient rights under HIPAA and their ability to access their medical records.

As in the past, the OCR recommends that Covered Entities check their spam filter to make sure email from OSOCRAudi@hhs.gov lands in your “in-box” and it responded to in a timely manner. The same advice should be followed by Business Associates who will be the subject of desk audits in the fall.  Now is the time to conduct a HIPAA risk analysis to ensure that your organization is HIPAA compliant regardless of whether you organization is the recipient of the July 11, 2016 “desk audit” email.

LexBlog