Spokeo’s Impact on Article III Standing

It has now been just over three months since the Supreme Court in Spokeo v. Robins made clear that “Article III standing requires a concrete injury even in the context of a statutory violation.” Since then, federal courts have begun to consider what impact is necessary to constitute a concrete injury-in-fact. Thus far, courts have varied in their application of Spokeo and in what is required to satisfy the concreteness requirement.

Luckily for defendants, several recent decisions support dismissal in cases alleging bare procedural violations. Below, we summarize many of these recent decisions:

  • Hancock v. Urban Outfitters, Inc., No. 14-7047, 2016 WL 3996710 (D.C. Cir. July 26, 2016) involved the defendant’s alleged violation of the District of Columbia’s data collection statutes by requesting the plaintiff’s zip code at the point of sale. The D.C. Circuit found that the plaintiffs failed to allege any injury they suffered as a result of having their information collected, and thus lacked Article III standing. The D.C. Circuit remanded the case to state court.
  • Attias v. CareFirst, Inc., No. 15-CV-00882 (CRC), 2016 WL 4250232 (D.D.C. Aug. 10, 2016) is a data breach case in which the plaintiffs alleged a number of injuries, including an increased risk of identity theft, actual identity theft (for two of the plaintiffs), economic harm through purchasing credit-monitoring services and insurance coverage, loss of the intrinsic value of their personal information, and violation of their statutory rights under consumer protection acts. The court rejected each of these arguments and dismissed the case for lack of Article III standing with leave to amend. As to the plaintiffs’ statutory claim, the court, citing Spokeo, explained that “Where a violation of a statute may result in no harm, that mere violation is insufficient to confer standing. Even if Plaintiffs’ rights under applicable consumer protection acts have been violated, because they do not plausibly allege concrete harm, they have not demonstrated that they have standing to press their claims.” (Internal citations and quotation marks omitted).
  • Similarly, in Khan v. Children’s National Health Sys., No. TDC-15-2125, 2016 WL 2946165 (D. Md. May 19, 2016), the court held that the plaintiff lacked standing, in part, because she failed to connect the alleged statutory and common-law violations arising from a data breach to a concrete harm.
  • In Gubala v. Time Warner Cable, Inc., No. 15-cv-1078, 2016 WL 3390415 (E.D. Wis. June 17, 2016), the court dismissed the plaintiff’s claim under the Cable Communications Policy Act (CCPA), holding that defendant’s mere failure to dispose of ex-customers’ personally identifiable information in violation of the CCPA, without more, was not enough to confer Article III standing on plaintiff, where plaintiff did not allege that defendant distributed the information or that its retention caused plaintiff any harm.
  • In McCollough v. Smarte Carte, Inc., No. 16 C 03777, 2016 WL 4077108 (N.D. Ill. Aug. 1, 2016), the plaintiff claimed that the defendant violated the Illinois Biometric Information Privacy Act (BIPA) by storing her fingerprint information without obtaining her advance consent. The defendant was a locker rental company whose renters used their fingerprints to check out a locker and to open it after it had locked (thus, the renter’s fingerprint acted as the key to the locker). The court dismissed the plaintiff’s claim for lack of standing, finding that she failed to allege how the defendant’s retention of her fingerprint data could constitute a concrete harm, especially where the plaintiff “undoubtedly understood” when she first used the system that her fingerprint data would have to be retained until she retrieved her belongings from the locker. The court found that the plaintiff also failed to establish statutory standing, but held that even with statutory standing the plaintiff would lack Article III standing “Since a state statute cannot confer constitutional standing.”
  • Romero v. Dep’t Stores Nat’l Bank, No. 15-CV-193-CAB-MDD, 2016 WL 4184099 (S.D. Cal. Aug. 5, 2016) involved claims under the Telephone Consumer Protection Act (TCPA). Here, the plaintiff claimed to have been injured as a result of being called by the defendant through an automated telephone dialing system (ATDS). The plaintiff argued that this statutory violation was sufficient to establish an injury-in-fact because she suffered the exact harm that Congress wanted to eliminate with the TCPA. The court disagreed. First, the court found that the plaintiff could not have been injured by calls she did not know were made, such as calls that she did not hear or that were made when her phone was turned off. Second, the court found that the plaintiff failed to establish any injury from calls that she did hear ring or actually answered, since she “does not offer any evidence of a concrete injury caused by the use of an ATDS, as opposed to a manually dialed call.” The court also rejected the plaintiff’s claims to have been injured as a result of “invasion of privacy” and “trespass to chattels,” because these are not injuries in and of themselves but torts, for which an injury is an element of the claim.
  • Sartin v. EKF Diagnostics, Inc., No. CV 16-1816, 2016 WL 3598297 (E.D. La. July 5, 2016), is another TCPA case dismissed for lack of standing. The plaintiff in Sartin claimed to have been injured as a result of receiving unsolicited faxes from the defendant. The defendant’s 12(b)(1) motion argued that the plaintiff lacked standing because he failed to plead an injury in fact divorced from the defendant’s alleged violations of the TCPA. The court agreed, explaining that although the plaintiff had plausibly alleged a claim under the TCPA, “Congress may not erase the requirements of Article III by legislative fiat,” and the plaintiff failed to plead facts demonstrating how the defendant’s statutory violation caused him concrete harm. The court dismissed the complaint with leave to amend.
  • In Smith v. Ohio State Univ., No. 2:15-CV-3030, 2016 WL 3182675 (S.D. Ohio June 8, 2016), the plaintiffs sought statutory damages on behalf of a putative class for violations of the Fair Credit Reporting Act (FCRA), alleging that the defendant obtained consumer reports on them “without first providing [them] a clear and conspicuous written disclosure, in a document consisting solely of the disclosure, that a consumer report may be obtained for employment purposes.” More specifically, the plaintiffs alleged that the defendant provided a disclosure and authorization during the hiring process that “improperly included extraneous information such as a liability release.” The defendant challenged the plaintiffs’ claims under Rule 12(b)(1), arguing that the alleged violations amounted to FCRA procedural requirements that result in no harm. The plaintiffs, in response, attempted to establish a concrete injury by arguing that the extraneous material invaded their privacy and misled them as to their rights under the FCRA. The court found that the plaintiffs failed to allege any concrete consequential damage.
  • Similarly, in Groshek v. Time Warner Cable, Inc., No. 15-C-157, 2016 WL 4203506 (E.D. Wis. Aug. 9, 2016), the plaintiff argued that the defendant violated the FCRA by obtaining his consumer report without first providing him with a standalone document warning him that it was going to do so. As in Smith, the court found that the plaintiff had failed to allege any concrete harm, and dismissed the case with leave to amend.
  • Jamison v. Bank of Am., N.A., No. 2:16-CV-00422-KJM-AC, 2016 WL 3653456 (E.D. Cal. July 7, 2016) also concerned a defendant’s alleged failure to make certain disclosures, but in a different context. Here, the plaintiff alleged that the defendant violated the Truth in Lending Act (TILA) by failing to disclose insurance claim proceeds in its mortgage payoff and periodic statements. The court dismissed the plaintiff’s claim for lack of Article III standing, finding that the plaintiff did not allege any injury caused by the defendant’s failure to disclose the insurance claim proceeds on the statements. The court specifically noted that the plaintiff failed to allege that she could not have gotten the proceeds information through other means.

Plaintiffs will be quick to distinguish these cases, arguing that they have adequately alleged a concrete injury separate from the statutory violation. And because many of these decisions were granted without prejudice, the plaintiffs in these cases may be successful in alleging concrete injuries not included in the complaints above. Regardless, these decisions offer welcome ammunition to defendants seeking dismissal in “gotcha” cases lacking any actual harm.

Size Does Not Matter When It Comes to OCR Investigations of HIPAA Violations

In the past, regulatory investigations of HIPAA violations have generally been perceived as concentrating resources on breaches and other violations involving a large number of individuals or presenting a particularly egregious issue. Recent announcements of an initiative by the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) have made it clear that its determination of which reported incidents it will investigate is not going to depend on size.

On August 18, 2016, the OCR announced an initiative to “more widely investigate the root causes of breaches affecting fewer than 500 individuals.” Breaches affecting fewer than 500 individuals are not subject to the same notification timing to HHS as larger breaches. If a covered entity sustains a breach of unsecured Protected Health Information (PHI) affecting 500 or more individuals, it must notify HHS “without unreasonable delay” and in no case later than 60 days from discovery; for breaches affecting fewer than 500 individuals, the covered entity may notify HHS within 60 days after the end of the calendar year and report all such breaches for the prior calendar year at the same time. 45 CFR §164.408. Regional offices generally have discretion on whether to investigate such smaller breaches.

Now, however, OCR has indicated concern that smaller breaches may not be isolated instances of minimal impact, but rather, may have a root cause that indicates entity- or industry-wide causes of non-compliance with HIPAA. Thus, each regional office is, according to the August 18 announcement, to increase its efforts to identify entity and systemic non-compliance including through investigation of such smaller breaches, and obtain corrective action. Factors the OCR identified for consideration in Regional Offices’ determination of whether to investigate a breach are:

  • The size of the breach
  • Theft of or improper disposal of unencrypted PHI
  • Breaches that involve unwanted intrusions to IT systems (for example, by hacking)
  • The amount, nature and sensitivity of the PHI involved
  • Instances where numerous breach reports from a particular covered entity or business associate raise similar issues
  • Lack of breach reports affecting fewer than 500 individuals when comparing a specific covered entity or business associate to like-situated covered entities and business associates

Earlier this year, OCR announced Phase II of its Audit Program in which it was reviewing the policies and procedures adopted and employed by covered entities and their business associates to meet the standards and implement the applicable Privacy, Security and Breach Notification Rules.

“Check Your Mail” — OCR Phase II HIPAA Audits May Be Coming to You!, July 19, 2016 — http://www.cybersecuritytodayblog.com/2016/07/19/check-your-mail-ocr-phase-ii-hipaa-audits-may-be-coming-to-you/

OCR 2016 HIPAA Audits Underway, March 21, 2016 — http://www.cybersecuritytodayblog.com/2016/03/21/ocr-2016-hipaa-audits-underway/

The increased aggressiveness of OCR with regard to HIPAA violations is also demonstrated by the size of the fines being levied, with five of the twelve largest fines on record having been levied in 2016 alone. Fines have also been levied against business associates, not just against covered entities.

Since the compliance date of the Privacy Rule in April 2003, OCR has received over 134,246 HIPAA complaints and has initiated more than 879 compliance reviews. According to the HHS website, OCR has successfully enforced the HIPAA Rules by applying corrective measures in all cases where an investigation indicates noncompliance by the covered entity or its business associate, which may include settling with the entity in lieu of imposing a civil money penalty. As of May 31, 2016, OCR reports that it settled 35 such cases resulting in a total amount of $36,639,200.00. OCR has investigated complaints against many different types of entities including: national pharmacy chains, major medical centers, group health plans, hospital chains and small provider offices. OCR also reports that it referred 575 cases involving the knowing disclosure or obtaining of PHI in violation of the Rules to the Department of Justice (DOJ) for criminal investigation.

Not all investigations result in fines or penalties. In 11,018 cases, OCR reported that its investigations found no violation had occurred. Additionally, in 13,748 cases, OCR intervened early and provided technical assistance to HIPAA-covered entities, their business associates and individuals exercising their rights under the Privacy Rule, without the need for an investigation. OCR reports that in the rest of its completed cases (79,865), it determined that the complaint did not present an eligible case for enforcement.

If you have any questions, please feel free to email a member of our Cybersecurity team at Laurie.Kamaiko@sedgwicklaw.com or Cinthia.Motley@sedgwicklaw.com

Sedgwick’s Cinthia Motley speaking at ACI’s 14th Advanced Forum on Cyber & Data Risk Insurance

Coverage, Underwriting and Claims Strategies for Managing Privacy/Security, Data and Network Risk and Liability

Who Should Attend: Insurance professionals, in-house counsel, and outside counsel specializing in technology, products, pricing, coverage options, prevention strategies and more.

Where: Park Central Hotel, San Francisco, CA

When: November 30 – December 1, 2016

Register at: www.AmericanConference.com/CyberRiskSNF

In its 14th year, the Cyber & Data Risk Insurance Conference is the premier event to learn the latest in federal and state enforcement, regulatory initiatives as well as take away invaluable information you can use in your practice, matters of critical importance and best practices for preparation, provisions, policies and response.

Sedgwick partner Cinthia Granados Motley will participate in the panel discussion “Doing Business with Europe: An Examination of the Implications of the GDPR and the Privacy Shield” on Thursday, December 1 at 9:35 a.m.

This panel will discuss and review the following:

  • What are the operational impacts of the GDPR?
    • Cybersecurity and data breach notification obligations
    • The mandatory data protection officer requirement
    • Consent and cross-border data transfers
    • Profiling and vendor management
    • Codes of conduct and certifications
    • Consequences for GDPR violations
  • The EU Privacy Shield and its impact on US companies
  • The Network and Information Security Directive (NIS Directive) and its impact
  • What are some of the more practical ways in which businesses can understand various rules in different locations where they do business?

MICROS POS Systems Exposed By Malware Attack Which Targets Retail Merchants

MICROS, a point-of-sale (POS) payment systems vendor owned by Oracle, has suffered a malware attack, according to a report by the security news site KrebsOnSecurity on August 8, 2016. MICROS is one of the three largest POS systems used globally, deployed by many companies in the retail and hospitality industry. It appears that Carbanak (aka Anunak), a Russian cybercriminal gang known to hack into retailers, penetrated up to 700 computer systems at Oracle, also compromising a customer support portal for companies using Oracle’s MICROS POS credit card payment systems.

Krebs indicated that Oracle first began investigating this incident on July 25, 2016 after receiving an email from a MICROS customer and reader who reported hearing about a potentially large breach at Oracle’s retail division.

Notably, while the extent of the incident is still under investigation, Oracle has acknowledged that it had “detected and addressed malicious code in certain legacy MICROS systems” and is asking all MICROS customers to reset their passwords for the MICROS online support portal as well as the passwords for any account that was used by a MICROS representative to access their on-premises systems. Oracle also indicated that its corporate network and other cloud and service offerings were not impacted and that “payment card data is encrypted both at rest and in transit in the MICROS hosted customer environments.”

Oracle’s statements and its use of the term “on-premise” (which refers to POS devices physically connected to cash registers at MICROS customer stores) raise the question of whether Oracle is concerned that compromised credentials for customer accounts at the MICROS support portal could be used to remotely administer customer point-of-sale systems and upload card-fraud malware to them, leaving the customer’s on-premise devices exposed as a result of the attack.

While it is not yet known how, or if, retail companies have been affected, retail and hospitality MICROS customers should consider conducting the following:

  • Confer with their IT department and/or forensic consultants.
  • Follow Oracle’s instructions to reset their passwords for the MICROS online support portal and their passwords for any account that was used by Oracle to access their on-premises systems.
  • Check their POS systems for any installed malware.
  • Should there be an infiltration as a result of this vulnerability, or for any other reason, companies would be wise to consult with their insurance broker as to whether they have potentially applicable insurance and, if so, notify their insurer.
  • Comply with any applicable regulatory obligations, including notifying their customers of any confirmed breach of their security systems.

FTC Takes LabMD to Task for Inadequate Computer Security Practices in Violation of Section 5(n)

In a unanimous opinion, the Federal Trade Commission ruled that an Administrative Law Judge erred when he concluded that the FTC failed to prove that LabMD, a Georgia-based clinical testing laboratory, had engaged in an “unfair or deceptive trade practice” based on inadequate computer security for records containing protected health information (PHI) and sensitive personally identifiable information (PII). The FTC’s Opinion, written by Chairwoman Edith Ramirez, concluded that the wrong legal standard for unfairness had been applied and that “LabMD’s security practices were unreasonable, lacking even basic precautions to protect the sensitive consumer information maintained on its computer system.” According to the FTC, LabMD’s failures included, but were not limited to: 1) failing to use an intrusion detection system or file integrity monitoring; 2) neglecting to monitor firewall traffic; 3) failing to provide data security training to its employees; and 4) failing to delete any of the 750,000 patient records it had collected between 2008 and 2014, including records culled from its physician-clients’ databases despite never having performed testing for those patients. The Opinion also clarified the FTC’s position on when an inadequate security program is “likely to cause substantial injury to consumers” sufficient to invoke its jurisdiction. Ultimately, the message for businesses was clear: the FTC has jurisdiction to pre-emptively investigate and prosecute inadequate computer security, regardless of whether a breach has occurred.

In February 2008, a security firm named Tiversa discovered that a LabMD billing computer on the Gnutella peer-to-peer file-sharing network was inadvertently sharing an insurance aging report containing PHI and sensitive PII on approximately 9,300 patients, including their names, dates of birth, Social Security numbers, CPT codes for laboratory tests conducted, and in some cases, health insurance company names, addresses, and policy numbers. This file was referred to in the matter as the “1718 File” because it was 1,718 pages long. After locating the 1718 File, the Tiversa researcher used the “browse host” function to reveal 950 other shared files in the “My Documents” directory on the LabMD computer, most of which consisted of music and video files. However, eighteen documents were also being shared at the same time, three of which also contained patient PHI.

Tiversa disclosed its download of the 1718 File to LabMD and offered its remediation services, which LabMD ultimately rejected. Instead, LabMD proceeded to conduct an internal investigation without disclosing the breach to its affected patients. The FTC’s Opinion cites LabMD’s engagement of an independent security firm to conduct penetration testing and vulnerability mapping on its network. That firm’s report identified a number of urgent and critical vulnerabilities on four of LabMD’s seven servers and rated the overall security of each server as “poor.” Meanwhile, a Civil Investigative Demand (CID) served on Tiversa’s affiliate, The Privacy Institute, resulted in the production of a spreadsheet of companies that Tiversa claimed had exposed the personal information of 100 or more individuals, including LabMD, along with a copy of the 1718 File. This led the FTC to open an investigation of LabMD, which resulted in an action against it for failing to implement reasonable security, an alleged “unfair” practice.

In November 2015, Administrative Law Judge D. Michael Chappell dismissed the FTC’s claims following an administrative trial, concluding that the FTC failed to prove that LabMD’s security practices were “likely to cause substantial consumer injury.” The FTC presented substantial expert witness testimony on the potential injuries that could result from a theft of PHI including not only identity theft and fraud but also the potential for misdiagnosis and drug interactions caused by a merger of the patient’s actual medical records with the records of the identity thief. However, rather than considering the threats posed by the practices at the time of the disclosure, the Initial Decision instead remarked that “the absence of any evidence that any consumer has suffered harm as a result of [LabMD]’s alleged unreasonable data security, even after the passage of many years, undermines the persuasiveness of [the FTC]’s claim that such harm is nevertheless ‘likely’ to occur.” Adopting a post-hoc analysis, the Initial Decision concluded that because actual harm had not yet been demonstrated from the allegedly unreasonable security practices, then the practices were not “likely” to cause substantial consumer harm. The Initial Decision also held that “privacy harms, allegedly arising from an unauthorized exposure of sensitive medical information … unaccompanied by any tangible injury such as monetary harm or health and safety risks, [do] not constitute ‘substantial injury’ within the meaning of Section 5(n).” Claiming that the “substantial consumer injury” required by Section 5(n) could not be satisfied by “hypothetical” or “theoretical” harm or “where the claim is predicated on expert opinion that essentially only theorizes how consumer harm could occur,” Judge Chappell opined that “[f]airness dictates that reality must trump speculation based on mere opinion.”

The FTC’s opinion rejected not only Judge Chappell’s analysis, but also his overly narrow view of what constitutes “harm” in the case of a security breach. According to the FTC, “[w]e conclude that the disclosure of sensitive health or medical information causes additional harms that are neither economic nor physical in nature but are nonetheless real and substantial and thus cognizable under Section 5(n).” The Commission pointed out that its very first data security case was brought against the pharmaceutical company Eli Lilly, where lax security practices resulted in the inadvertent disclosure of the e-mail addresses of Prozac users. The opinion also identified “established public policies” in both state and federal law protecting sensitive health and medical information from public disclosure, as well as the recognition of privacy harms in tort law which do not require either economic or physical harm.

More importantly, the FTC ruled that a showing of “significant risk” of injury is sufficient to satisfy the “likely to cause” standard set forth in the Act. According to Chairwoman Ramirez, Judge Chappell’s post-hoc analysis focusing on the injuries suffered by patients (who were never notified of the breach) “comes perilously close to reading the term ‘likely’ out of the statute. When evaluating a practice, we judge the likelihood that the practice will cause harm at the time the practice occurred, not on the basis of actual future outcomes. This is particularly true in the data security context. Consumers typically have no way of finding out that their personal information has been part of a data breach.” The FTC also re-emphasized that it is authorized to act pre-emptively in order to prevent harm, explaining that “Section 5 very clearly has a ‘prophylactic purpose’ and authorizes the Commission to take ‘preemptive action.’ We need not wait for consumers to suffer known harm at the hands of identity thieves.” (citations omitted).

In addition to concluding that LabMD’s inadequate security practices were likely to cause substantial harm to the 750,000 patients in their databases, the Commission also concluded that consumers had no reasonable ability to avoid the resulting harm. It noted that most patients were wholly unaware that their records were being collected by LabMD, who obtained them directly from their physician-clients, including records for which no testing was ever performed. LabMD attempted to counter that consumers could mitigate any injury “after the fact”; however, the Commission rejected this argument outright. According to the Opinion, “[o]ur inquiry centers on whether consumers can avoid harm before it occurs … even assuming arguendo that the ability to mitigate harm does factor into its avoidability, there is nothing LabMD has pointed to that demonstrates mitigation after the fact would have been possible here. Without notice of a breach, consumers can do little to mitigate its harms.” (emphasis in original). The Commission also pointed out that “it may be difficult or impossible to mitigate or avoid further harm, since [consumers] have ‘little, if … any, control over who may access that information’ in the future, and tools such as credit monitoring and fraud alerts cannot foreclose the possibility of future identity theft over a long period of time.”

As to the third factor of its analysis (i.e., whether countervailing benefits to consumers or to competition outweigh the cost of implementing adequate practices), the FTC pointed to the ubiquity of “free or low cost software tools and hardware devices available for detecting vulnerabilities, including antivirus programs, firewalls, vulnerability scanning tools, intrusion detection devices, penetration testing programs, and file integrity monitoring tools,” as well as the free or low-cost availability of IT security training courses and free notifications from vendors, the Computer Emergency Response Team (CERT), the Open Source Vulnerability Database, and the National Institute of Standards and Technology. From an operational security standpoint, the FTC noted that LabMD could easily have implemented access controls based on the “principle of least privilege,” limiting employees’ access to only the types of data necessary to perform their particular job functions and preventing employees from installing software such as the LimeWire application without administrative privileges. LabMD could also have purged data for consumers for whom it had never performed testing, because there was no legal obligation to retain that data.
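The file integrity monitoring the FTC faulted LabMD for not using is inexpensive to approximate. The following Python script is an added illustration and is not part of the FTC’s Opinion or of the original post: it hashes a set of files with SHA-256 to form a baseline, hashes them again later, and reports anything added, removed or changed, flagging newly appeared executables (such as an unapproved peer-to-peer client) for review first. The file paths and contents are constructed for the example; `snapshot_directory` shows how the same comparison would be run against a real directory.

```python
import hashlib
import os
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a baseline snapshot of a billing workstation's files and a
# later snapshot in which a config file was edited and an unapproved peer-to-peer
# client appeared. Paths and contents are invented for this example.
BASELINE_FILES: Dict[str, bytes] = {
    "billing/insurance_aging_report.txt": b"ACCT 0001 | CPT 80053 | balance 120.00\n",
    "billing/app.ini": b"[db]\nhost=billing-db\nshare_documents=false\n",
    "billing/export.exe": b"MZ\x90\x00fake-approved-binary",
}

LATER_FILES: Dict[str, bytes] = {
    "billing/insurance_aging_report.txt": b"ACCT 0001 | CPT 80053 | balance 120.00\n",
    "billing/app.ini": b"[db]\nhost=billing-db\nshare_documents=true\n",
    "billing/export.exe": b"MZ\x90\x00fake-approved-binary",
    "users/clerk/limewire/limewire.exe": b"MZ\x90\x00fake-p2p-client",
}


def sha256_hex(data: bytes) -> str:
    """Content fingerprint; any byte change yields a different digest."""
    return hashlib.sha256(data).hexdigest()


def snapshot_contents(files: Dict[str, bytes]) -> Dict[str, str]:
    """Hash an in-memory {path: bytes} map (used for the constructed sample)."""
    return {path: sha256_hex(data) for path, data in files.items()}


def snapshot_directory(root: str) -> Dict[str, str]:
    """Hash every regular file under root, keyed by path relative to root."""
    digests: Dict[str, str] = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = sha256_hex(fh.read())
    return digests


@dataclass
class IntegrityReport:
    added: List[str]
    removed: List[str]
    modified: List[str]

    def is_clean(self) -> bool:
        return not (self.added or self.removed or self.modified)

    def new_executables(self) -> List[str]:
        """Added files with executable extensions deserve an analyst's attention first."""
        exts = (".exe", ".dll", ".msi", ".ps1", ".bat")
        return [p for p in self.added if p.lower().endswith(exts)]


def compare_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> IntegrityReport:
    """Diff two {path: sha256} maps into added / removed / modified path lists."""
    base_paths, cur_paths = set(baseline), set(current)
    return IntegrityReport(
        added=sorted(cur_paths - base_paths),
        removed=sorted(base_paths - cur_paths),
        modified=sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    )


def example_report() -> IntegrityReport:
    """Run the comparison over the constructed sample snapshots."""
    return compare_snapshots(snapshot_contents(BASELINE_FILES), snapshot_contents(LATER_FILES))


if __name__ == "__main__":
    report = example_report()
    for label, paths in (("added", report.added), ("removed", report.removed), ("modified", report.modified)):
        for p in paths:
            print(f"{label:9s}{p}")
    for p in report.new_executables():
        print(f"ALERT    new executable: {p}")
```

In practice the baseline digests would be stored somewhere the monitored host cannot rewrite them, and the comparison scheduled to run regularly; the point of the example is that the detection logic itself is a few dozen lines, which is why the FTC treated its absence as a failure of basic precaution rather than a cost question.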

The FTC’s Final Order required LabMD “to establish, implement, and maintain a comprehensive information security program that is reasonably designed to protect the security and confidentiality of consumers’ personal information” for the next 20 years, with biennial assessments and reporting. The Opinion recognized that while LabMD has ceased operations for the time being, it continues to exist as a corporation and still maintains records on approximately 750,000 consumers. Accordingly, the required information security program need only be appropriate “for the nature and scope of LabMD’s activities,” the Opinion noting that “a reasonable and appropriate information security program for LabMD’s current operations with a computer that is shut down and not connected to the Internet will undoubtedly differ from an appropriate comprehensive information security program if LabMD resumes more active operations.” The Final Order also required LabMD to notify all “individuals whose personal information LabMD has reason to believe was or could have been exposed about the unauthorized disclosure of their personal information” and to “notify the health insurance companies for these individuals of the information disclosure.” LabMD has sixty (60) days after service of the Opinion and Final Order to file a petition for review with the U.S. Court of Appeals.

The FTC’s authority to regulate the adequacy of computer security practices continues to solidify. In its action against Wyndham Worldwide Corp., the 3rd U.S. Circuit Court of Appeals held in 2015 that the FTC could prosecute claims of deficient security practices without first issuing regulations advising businesses how to comply with its expectations. In reversing Judge Chappell’s Initial Decision in the LabMD case, the FTC made it clear that its authority would not be confined by an Article III-style standing analysis requiring proof of actual injury after the fact. This pre-emptive investigative and prosecutorial authority could be further tested in cases where, for example, disgruntled whistleblowers report the lax security practices of their former employers without any public data breach having occurred. For businesses eager to demonstrate their compliance with FTC expectations, the Commission’s Opinion points to the large body of freely available consent decrees and prior decisions outlining practices to be avoided, as well as free resources through which businesses can improve their processes and procedures for little or no cost. When all appeals have been exhausted, LabMD will likely serve as a cautionary tale for others: had it put only a fraction of the effort it has expended defending itself into preventative improvement of its security processes, it might still be in business today.

“Check Your Mail” – OCR Phase II HIPAA Audits May Be Coming to You!

As reported in the March 21, 2016 blog post, the 2016 HIPAA audit season has begun. As stated on its website, “OCR uses the audit program to assess the HIPAA compliance efforts of a range of entities covered by HIPAA regulations.” The OCR intends to use the audits as a proactive measure, in conjunction with its ongoing complaint investigations and compliance reviews, to identify problems before they result in breaches. Phase II of the OCR audit program has been underway for several months.

On July 12, 2016, the OCR announced that it had sent email letters to 167 Covered Entities, including health plans, health care providers, and health care clearinghouses, notifying them that they would be subject to desk audits. Recipients of this notification have 10 days (or until July 22, 2016) to comply with the document requests. After these documents are received, the OCR auditor will review the information and provide the Covered Entity with draft findings. The Covered Entity will then have 10 days to provide any written comments to the auditor. Thereafter, the OCR auditor is expected to complete a final audit report within 30 business days. The desk audit is intended to evaluate the Covered Entity’s compliance with HIPAA’s Privacy, Security, and Breach Notification Rules. The email letter notified the Covered Entity of the subject(s) of the audit, which reportedly include whether the Covered Entity has the required documents in the following areas:

  • Privacy Rule
      ◦ Notice of Privacy Practices & Content Requirements
      ◦ Provision of Notice – Electronic Notice
      ◦ Right to Access
  • Breach Notification Review
      ◦ Timeliness of Notification
      ◦ Content of Notification
  • Security Rule
      ◦ Security Management Process – Risk Analysis
      ◦ Security Management Process – Risk Management

Based on the designated sections at issue in the HIPAA desk audits, the focus seems to be on the Covered Entity’s understanding of, and compliance with, the requirements directed to patient rights under HIPAA, including patients’ ability to access their medical records.

As in the past, the OCR recommends that Covered Entities check their spam filter to make sure email from OSOCRAudi@hhs.gov lands in their “in-box” and is responded to in a timely manner. The same advice should be followed by Business Associates, who will be the subject of desk audits in the fall.  Now is the time to conduct a HIPAA risk analysis to ensure that your organization is HIPAA compliant, regardless of whether your organization is the recipient of the July 11, 2016 “desk audit” email.

Ransomware article by Scott Lyon published in Today’s General Counsel

The article “Lessons from Ransomware Attacks on Healthcare Providers” by Scott Lyon was published in the June/July issue of Today’s General Counsel. The article addresses the recent ransomware attacks on healthcare providers and proposes strategies for any company to avoid or mitigate ransomware attacks. Click here to view the article.

Upcoming Event: Critical Updates on HIPAA Enforcement Actions and 2016 OCR Audits

Wednesday, June 22, 2016
11 a.m. PT/1 p.m. CT/ 2 p.m. ET

Who: Lawyers and non-lawyers, insurers and commercial claims representatives.
Where: At your desk. (There is no dial-in required; the audio will stream through your computer).
How: Register here.

The Midwest Claims Association and Sedgwick LLP cordially invite you to join us for this webinar where Sedgwick LLP partners Cinthia Granados Motley and Fred A. Smith will share their experiences in the areas of data privacy, healthcare and HIPAA-related issues. They will provide an overview of the HIPAA and HITECH requirements for PHI and ePHI, compliance requirements for Covered Entities and Business Associates, and risks for non-compliance, including an overview of recent OCR enforcement actions and fines. They will also address how your organization can prepare for an OCR Audit.


Cinthia Granados Motley is a member of Sedgwick’s cybersecurity leadership team. She has an active practice handling data privacy, security and liability matters, both domestically and internationally, as well as information governance, e-discovery, international contract disputes, directors and officers liability and employment defense. In her litigation practice, she has also handled ERISA and professional liability matters both in state and federal courts, and routinely counsels clients in complex commercial disputes both domestically and abroad. Her experience extends beyond the United States to Latin America.

Fred Allen Smith, III, represents healthcare entities, corporations, partnerships and professionals in a wide variety of matters such as healthcare disputes, medical device claims, medical negligence, professional liability, class actions and products liability. Mr. Smith also counsels clients on insurance coverage disputes, including contract interpretation issues, environmental matters, reinsurance, professional liability and bad faith law.

CLE Information

Sedgwick LLP is an accredited MCLE provider in CA, FL, IL, NJ, NY and TX. The MCLE approval for this program is as follows:

1.0 hours of General Credit: CA, IL, NJ, NY and TX.

Pending 1.0 hours of General Credit: Florida

For questions about this event, please contact: Amy Beecham at 816-423-2121 or via email.

Learn more about Sedgwick’s Cybersecurity & Privacy Practices Group and Healthcare Practices Group.

FCC Net Neutrality Rules Upheld by Federal Appeals Court

Today, a federal appeals court upheld the FCC’s recent net neutrality rules which purportedly make internet service providers treat all web traffic equally, delivering a major defeat to cable and telephone companies.

The D.C. Circuit Court of Appeals, in a 2-1 vote, affirmed the FCC’s net neutrality rules, which have been supported by both consumer groups and the White House.

In March 2016, the FCC voted to approve the new rules, which require ISPs to obtain consent (Opt-In) from their users before collecting and monetizing their data. Traditionally, ISPs have followed an opt-out policy, under which users must affirmatively disallow ISPs from monetizing their data. Under an opt-out policy, ISPs can naturally make use of far more of their users’ data.

The rules create some of the strongest privacy regulations for any segment of the technology and telecommunications industries and could have a significant impact on how ISPs compete and do business. Such a significant change in their business model will in turn effectuate changes throughout the business of the Internet. Profits will no doubt shrink for ISPs, thereby putting pressure on providers to increase fees for users. Because not all Internet sites will be treated as ISPs, there will be an inequity in the treatment of different Internet business entities resulting in a power shift away from ISPs, which will likely compel service providers to exercise legal action in order to revoke the new rules.

The inclusion of an opt-in standard for certain data uses is significant. Traditionally in the U.S., privacy guidelines require only that users be permitted to opt-out of data uses such as ad targeting based on behavioral data. The new FCC rules for ISPs will require that users must opt-in for most uses of their data including but not limited to providing this information to marketing and advertising companies.

Not all Internet entities are covered by the new FCC rules. The rules affect only companies that connect users to the Internet including Comcast, Verizon and Sprint. The new rules do not apply to Internet companies that have huge advertising businesses based on customer data, such as Facebook or Google (non-ISPs, also referred to as “edge providers”). Those companies are regulated by the Federal Trade Commission (FTC). The result of the FCC’s new rules will be a revenue and power shift away from ISPs towards existing Internet behemoths.

Many in the industry are of the opinion that opt-in requirements will create a divide in the online world, giving an advantage to non-ISPs such as Google and Facebook. These edge providers will not be required to seek permission from users through the opt-in process.

The framework adopted by the FCC last year was to reclassify ISPs as common carriers, much like utilities. This enables the FCC to regulate them, which gave rise to the FCC net neutrality rules in 2016. Critics argue that the FCC should not be regulating ISPs since they, like edge providers, are already regulated by the Federal Trade Commission, which analyzes complaints on a case-by-case enforcement basis.

In the lawsuit brought to overturn the FCC rules, ISPs such as Verizon and Comcast argued that the rules will chill investment in network infrastructure. Also included as plaintiffs in the lawsuit are AT&T and CenturyLink, along with cable, wireless and telecom trade groups. The crux of the lawsuit focused on the application of net neutrality to the wireless internet. The majority of the appellate court allowed that decision by the FCC to stand, citing the “rapidly growing and virtually universal use of mobile broadband service.” This is perceived to be a crucial part of the rules since most people are now accessing the web through their smartphones.

Also interesting in the decision was the opinion of the dissenting Judge Williams. He indicated that he felt the FCC does have the authority to regulate ISPs, but had not set forth enough of a basis to justify doing so in this instance. Many Democrats in Congress welcomed the court decision as a victory for consumers. Bernie Sanders tweeted that it “will help ensure we don’t turn over our democracy to the highest bidder.” Republicans in opposition were critical of the decision and many called for legislation to undo the FCC’s rules.

Bankruptcy Rules On Privacy Pose Risk to Unwary Creditors

With the advent of electronic case filing, the increased risk of identity theft, and the proliferation of various privacy laws, creditors need to be more cautious than ever when filing their proofs of claim in bankruptcy cases in order to avoid inadvertent disclosure of the debtor’s personal information. This is of particular importance as to any invoices, statements of account or other documentary evidence that may be filed in support of the proof of claim.

We discuss below the applicable Bankruptcy Rule regarding public disclosure of the debtor’s personal information in a proof of claim and the possible consequences of any inadvertent violation of this Rule.

Scope of Bankruptcy Rule 9037

Rule 9037 of the Federal Rules of Bankruptcy Procedure requires that all electronic or paper filings with the bankruptcy court must be redacted if they contain any of the following personal information of the debtor or other individual: (1) social security number, (2) taxpayer ID number, (3) full name of any minor, (4) birth date, and (5) financial account number. The Rule is applicable to proofs of claims and all pleadings that are filed in bankruptcy cases, including all attachments or exhibits.

The Rule does not define “financial account number,” but some courts have construed the Rule broadly to include any statement of account or attached billing that identifies the debtor and lists the full account number. The Official Comment to the Rule notes that redaction of other personal information, such as driver’s license numbers or health care records, also may be appropriate or necessary.

In some jurisdictions, the courts also issue general orders to reinforce or augment the privacy requirements of Rule 9037.

Redaction Requirement

Rule 9037(a)(1) specifically requires any filing party to redact the electronic or paper filing to list only the last four digits of an individual’s social security or taxpayer ID number, the year of the birth date, the minor’s initials and the last four digits of any financial account number.
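As an added illustration (not from the original article), the following Python helper applies the Rule 9037(a)(1) redactions to a plain-text exhibit and, separately, flags any category left unredacted as a pre-filing check. The sample statement, its names and numbers are constructed; the regular expressions assume conventional hyphenated SSN and EIN formats and MM/DD/YYYY dates, and the caller must say which names belong to minors.

```python
import re

# Constructed sample (made-up names and numbers): the kind of statement of
# account a creditor might attach as an exhibit to a proof of claim.
SAMPLE_STATEMENT = """\
Statement of account for John Q. Debtor
SSN: 123-45-6789
Taxpayer ID: 12-3456789
Date of birth: 03/14/1975
Dependent: Jane Q. Debtor (minor)
Account number: 4000123456789012
Balance due: $1,250.00
"""

# Textual patterns for the Rule 9037(a) categories. Pattern-based redaction is
# an aid to the creditor's own review of each exhibit, not a replacement for it.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
TIN_RE = re.compile(r"\b(\d{2})-(\d{7})\b")  # EIN-style taxpayer ID number
DOB_RE = re.compile(r"(date of birth|dob)\s*:\s*(\d{1,2})/(\d{1,2})/(\d{4})", re.I)
ACCT_RE = re.compile(r"(account (?:number|no\.?|#))\s*:?\s*(\d{8,19})", re.I)


def initials(full_name: str) -> str:
    """'Jane Q. Debtor' -> 'J.Q.D.' (Rule 9037(a)(1): a minor's initials only)."""
    return "".join(part[0] + "." for part in full_name.split())


def redact_rule_9037(text: str, minors: tuple = ()) -> str:
    """Apply the Rule 9037(a)(1) redactions to a plain-text filing.

    Order matters: SSNs are masked before the TIN pattern runs so the
    '45-6789' tail of an SSN is never re-read as a taxpayer ID number.
    The program cannot know who is a minor, so the caller supplies those names.
    """
    text = SSN_RE.sub(lambda m: "XXX-XX-" + m.group(3), text)        # last four digits
    text = TIN_RE.sub(lambda m: "XX-XXX" + m.group(2)[-4:], text)    # last four digits
    text = DOB_RE.sub(lambda m: f"{m.group(1)}: {m.group(4)}", text)  # year only
    text = ACCT_RE.sub(                                               # last four digits
        lambda m: f"{m.group(1)}: {'X' * (len(m.group(2)) - 4)}{m.group(2)[-4:]}", text)
    for name in minors:
        text = text.replace(name, initials(name))
    return text


def find_unredacted(text: str, minors: tuple = ()) -> list:
    """Pre-filing check: list the Rule 9037 categories still present in full."""
    checks = [
        ("social security number", SSN_RE.search(text)),
        ("taxpayer ID number", TIN_RE.search(text)),
        ("birth date", DOB_RE.search(text)),
        ("financial account number", ACCT_RE.search(text)),
        ("full name of a minor", any(name in text for name in minors)),
    ]
    return [label for label, found in checks if found]


if __name__ == "__main__":
    minors = ("Jane Q. Debtor",)
    print("before filing:", find_unredacted(SAMPLE_STATEMENT, minors))
    redacted = redact_rule_9037(SAMPLE_STATEMENT, minors)
    print("after redaction:", find_unredacted(redacted, minors))
```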

The Rule exempts certain filings from the redaction requirement, such as the filing of the record of any administrative, agency, or court proceedings (if the underlying record was not subject to a redaction requirement). Rule 9037(d) also permits the Bankruptcy Court to redact additional information from any filing or to limit or prohibit other parties from obtaining electronic access to any filings in the bankruptcy case, for cause shown.

Rule 9037 does not purport to grant any safe harbor for the public disclosure of any personally identifiable information that might violate other privacy laws, such as the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA).

Possible Consequences of Violating the Rule

Rule 9037 does not specify any penalty or sanction for any filings made in violation of the Rule, nor prescribe any remedy to redress the potential harm caused by court filings that contain unredacted personal information.

However, there are many reported decisions in which debtors have brought suits or other enforcement actions against the offending creditor to enforce the Rule and/or compensate the debtor for the unlawful disclosure of his or her personal information in unredacted proofs of claim or other bankruptcy filings. The debtors typically allege a number of different legal theories, and they often seek a wide variety of relief, including disallowance of the proof of claim, compensatory damages, attorney’s fees and punitive damages. We provide a short discussion of the most common enforcement actions and possible outcomes.

Action to Enforce Rule 9037

In some cases, the debtors bring a motion to redact the personal information from the proof of claim as necessary to conform to the Rule, or to strike the proof of claim and prohibit further public access to it. The debtors often will also seek reimbursement of their attorney’s fees incurred in bringing these motions, which the courts will award in appropriate circumstances, particularly where the offending creditor has refused the debtor’s request for corrective action.

Private Rights of Action

In other cases, the debtors will bring suit against the offending creditor seeking compensatory and punitive damages. In these cases, the debtor typically alleges a number of different legal bases for recovery. They include the Bankruptcy Court’s inherent contempt power under Section 105(a) of the Bankruptcy Code to enforce the bankruptcy rules (and/or any applicable general orders of the court), other potentially applicable privacy laws such as HIPAA or GLBA, and invasion of privacy or other common law torts. In addition, the debtors often also seek to disallow the proof of claim.

Thus far, the courts generally have found that there is no private right of action to enforce Rule 9037 or the court’s contempt power. Likewise, the courts have specifically determined that neither HIPAA nor GLBA affords the debtor a private right of action to collect damages or attorney’s fees. In addition, the courts have found that the Bankruptcy Code does not permit disallowance of a proof of claim solely for the violation of a disclosure rule, like Rule 9037.

Common Law Tort Claims

The case law is less developed in the area of common law torts, such as invasion of privacy, and more dependent upon the applicable state law. In one reported case, the court found that under the applicable common law an unredacted proof of claim in a bankruptcy case did not satisfy a “publicity requirement.” In short, the court found that access to proofs of claim in the Court’s database (PACER) was restricted to registered users who paid subscription fees. As such, the unredacted personal information in the proof of claim was not disclosed to the general public – which the court found was a necessary element of the tort claim.

In addition, absent a showing of actual harm from the filing of the unredacted proof of claim, such as identity theft, courts have dismissed tort claims on the grounds that the asserted damages were too speculative.

Court Sanctions

Even if the debtor is unsuccessful in prosecuting a private right of action, the courts appear willing to impose sanctions – attorney’s fees and punitive damages – against a creditor for filing an unredacted proof of claim in blatant or willful disregard of the requirements of Rule 9037. The basis for the sanction award is the Bankruptcy Court’s power under section 105(a) of the Bankruptcy Code to, in essence, police the bankruptcy system and enforce the rules.

The fact patterns often involve creditors who fail to take any corrective action after being made aware of the violation by the debtor. In one recent case, the Bankruptcy Court awarded both attorney’s fees and punitive damages against an attorney who filed the debtor’s unredacted financial statement as an exhibit to a contested motion, after finding that the attorney failed to demonstrate any just cause for refusing to correct the problem upon request by the debtor. In addition, the Bankruptcy Court required the attorney to reimburse the debtor for any future costs incurred in credit monitoring to avoid the risk of future damages caused by the public disclosure of the debtor’s name, address, social security number and date of birth in the bankruptcy filing.

• The Bankruptcy Rules impose specific non-disclosure requirements for personal information, which apply to the filing of proofs of claim and any documents filed in connection therewith.

• Creditors should carefully review all documents and exhibits to be filed with their proofs of claim, particularly invoices, billing statements or other statements of account, to ensure that the debtor’s personal information is redacted.

• Failure to redact the debtor’s personal information from proofs of claim can result in the bankruptcy court’s imposition of sanctions and other liability exposure.

• In the event of any inadvertent disclosure of the debtor’s personal information in a proof of claim, creditors should act quickly to voluntarily request that the court redact the personal information from the proof of claim and without waiting for any request from the debtor or the Bankruptcy Court to do so.