New Massachusetts Law Creates More Stringent Notification Requirements for Data Breach Incidents

While we’ve all been busy keeping an eye on California’s CCPA mess and the brewing federal privacy legislation, Massachusetts enacted some amendments to its already stringent consumer-protection oriented privacy laws. (See MGL c.93H)

As a result of the amendments, effective April 11, 2019, Massachusetts’ general breach notification statute will include the following new requirements:

  1. Consent to Access Credit Reports – Before obtaining a consumer’s credit report for most non-credit purposes, third parties must obtain the consumer’s consent. In the process, they also need to disclose the reason they’re seeking access.
  2. Security Freezes – Consumer reporting agencies can no longer charge a fee to consumers to place, lift, or remove a security freeze on their credit reports.
  3. Credit Monitoring Services – Companies experiencing a security breach involving social security numbers must offer affected MA residents free credit monitoring services for at least 18 months (or 42 months if the company is a consumer reporting agency). Additionally, companies that experience a security breach must file a report with the Attorney General and Department of Consumer Affairs and Business Regulation certifying their credit monitoring services comply with state law.
  4. No Waiver – Individuals affected by breaches can no longer be required to waive their private right of action as a condition to getting credit monitoring services.
  5. Breach Notice Obligations – Notice to the Attorney General and Department of Consumer Affairs and Business Regulation must include additional information such as the person responsible for the breach (if known), the type of personal information compromised, and whether the entity has a written information security program in place. Notice to consumers must include the name of the parent or affiliated corporation if the entity that experienced the breach is owned by another entity.
  6. No Delay in Notice to Residents – Notice to residents cannot be delayed on the grounds that the total number of residents affected has not been ascertained. If and when additional information is obtained, additional notice must be provided as soon as practicable and without unreasonable delay.

It’s not clear how these requirements will work in practice, but for those whose business activities expose them to Massachusetts law, existing incident response and management policies should be revisited by the end of March to make sure they reflect these new obligations.

All Eyes on Equifax

As news around the world has reported, the Equifax data breach from mid-May through July resulted in the exposure of sensitive personal information of more than 143 million American consumers. Although this may not be the largest data breach ever, it has been regarded as one of the most significant breaches because of the sensitive information at risk: social security numbers, drivers’ license numbers, addresses, and more.

The Federal Trade Commission (FTC) confirmed this month that it is “actively investigating” the data breach due to the “intense public interest and potential impact” of the breach. The breach is also being investigated by the Department of Justice, Consumer Financial Protection Bureau, and the Securities and Exchange Commission. The investigations were the result of action by multiple senators and legislative committees highlighting the severity of the breach and the deficiencies of Equifax’s response, as well as threats by several states to bring suit against Equifax.

Senator Mark Warner (D-Va) sent a detailed letter to the acting head of the FTC calling for the investigation, and calling for the agency to scrutinize Equifax for the security lapses and its poor handling of customer service after the breach was disclosed. Specifically, Sen. Warner has stated: “The hack was awful but then [Equifax’s] response to the hack continued to show [Equifax’s] incompetence. This should be a new impetus to move.”

The investigations are expected to involve the alleged errors by Equifax leading up to the breach and in handling the breach. In addition to the company’s alleged cyber vulnerabilities which led to the breach, the investigations will also include potential insider trading by Equifax executives more than a month before the breach was made public and ambiguous language in Equifax’s Terms of Service, purporting to waive a consumer’s right to sue the service.

Most importantly, the FTC’s investigation of the Equifax breach could provide momentum for Congress to act on federal data privacy legislation. Although this legislation has been long pushed for by advocates and elected officials, the efforts have proved unsuccessful in recent years. Sen. Mark Warner has stated that he is working on efforts to pass a data breach notification law requiring companies to notify customers about a breach within a certain narrow time frame. Given the scope of the breach, and Equifax’s response, this may be the final straw to prompt a definitive reaction from Washington.

The SEC Takes Action to Protect Retail Investors

In recent years, retail data breaches have become the norm. The news is filled with stories of nefarious hackers, identity theft, and credit monitoring. A topic that we rarely hear about, however, is the impact a data breach event can have on retail investors. Data breaches can have catastrophic consequences for retailers and, by extension, their investors, as a result of both decreased profits and increased expenses. To address this issue, the SEC has established two new initiatives specifically targeted at protecting retail investors from cybersecurity risks. To learn more, see the SEC’s September 25, 2017 press release.

Questions Remain as to Extent of HBO Cyberattack

On Monday, HBO acknowledged that it had been the victim of a cyberattack. The hacker(s) claiming responsibility use the alias “little.finger66,” a reference to HBO’s hit show, Game of Thrones.

The hackers accessed an estimated 1.5 terabytes of data. They have leaked full episodes of Ballers and Room 104, as well as a script from the upcoming episode of Game of Thrones. They promise that more is to come. HBO is working with law enforcement and private security firms to examine the extent of the breach and to protect its data.

HBO has expressed an intent to offer its employees credit monitoring, which raises questions as to whether human resources records were accessed. Thankfully for subscribers, at this time, there is no indication that the hackers accessed subscribers’ login credentials or payment information.

Also, luckily for HBO, it appears that HBO’s email system was not compromised in its entirety, unlike with the Sony Entertainment breach in 2014. The release of confidential and proprietary information following the Sony breach – such as executives’ salaries and embarrassing email communications – sent ripples through the entertainment industry and led Sony’s then co-chairman to resign. It also resulted in a class action lawsuit brought by certain Sony employees.

We will continue to monitor this story as it unfolds.

Updated HIPAA Breach Reporting Tool Launched by HHS

“…a more positive, relevant resource of information for concerned consumers.”

On July 25, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), unveiled a revised Health Insurance Portability and Accountability Act (HIPAA) Breach Reporting Tool (HBRT) that provides consumers improved access to information on breach data, and also provides greater ease-of-use for organizations reporting incidents. The HBRT makes required reporting information public, such as name of the entity suffering the breach; state where the breach occurred; number of individuals affected; date of the breach; type of breach (e.g. hacking/IT incident, theft, loss, unauthorized access or disclosure); and the location of the breached information (e.g. laptop, paper records, desktop computer). HIPAA also requires health care providers and other covered entities to promptly notify individuals of a breach and, in some cases, notify the media.

HHS Secretary Tom Price, M.D., explained, “HHS heard from the public. . . .To that end, we have taken steps to make this website, which features only larger breaches, a more positive, relevant source of information for concerned citizens.”

The HBRT may be found at: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf.

Target Settlement a First Step for Companies Looking to Avoid Data Breach Litigation

Target ends its multi-state data breach litigation over its 2013 data breach with an $18.5 million settlement to 47 states. While the settlement outlines the type of security measures companies should employ in order not to be found negligent with customer data, it doesn’t go far enough to improve organizational security. The bulk of the settlement terms are still defensive in nature when it comes to data breaches. As such, companies looking to follow the terms of Target’s settlement should be cautioned that proactive tactics to prevent such attacks will also be needed if they want to avoid litigation.

In 2013, Target’s security systems had detected the breach, but no one understood the significance of the alerts or acted upon them, and the resulting delay in response allowed the breach to become massive. Target has since toughened its security systems and made significant improvements. The terms of the settlement give Target 180 days to develop, implement, and maintain a comprehensive security program. However, this requirement largely refers to changes the retailer has already implemented. The settlement reiterates some of the basics, such as having a comprehensive security program, segmenting the network, and implementing stricter access control policies for sensitive networks and data. Future data breach lawsuits may nonetheless use the Target settlement to try to prove that an organization did not go far enough in protecting personal information and other sensitive data. As such, abiding by the terms of the Target settlement is a first step for companies looking to avoid data breach litigation, but further tactics will be required for companies to go on the offensive and prevent breaches, because the plaintiffs’ bar will try to use the Target settlement as a benchmark for negligence in pushing forward with future litigation.

Failure to Update Business Associate Agreement Leads to Health System’s Settlement with OCR

A hospital’s breach notification to the Department of Health and Human Services, Office for Civil Rights (“OCR”) led to a Resolution Agreement, payment of $400,000 and a Corrective Action Plan for an East Coast health system. On September 23, 2016, OCR issued a press release advising that Women & Infants Hospital of Rhode Island (“WIH”), a member of Care New England Health System (“CNE”), notified OCR of a reportable breach in November of 2012, stemming from its discovery that unencrypted backup tapes containing electronic Protected Health Information (“PHI”) were missing from two of its facilities. CNE provides centralized corporate support to the covered entities under its common ownership and control, including technical support and information security for WIH’s information systems, and therefore acts as WIH’s business associate. Although WIH had in place a business associate agreement (“BAA”) with CNE, it was dated from March of 2005 and had not been updated since implementation and enforcement of the HIPAA Omnibus Final Rule.

OCR’s investigation of WIH’s HIPAA compliance program, triggered by the report of the missing tapes, uncovered the outdated BAA. WIH updated its BAA on August 28, 2015, as a result of OCR’s investigation. OCR then determined that from September 23, 2014, the date enforcement of the Final Rule began, until August 28, 2015, WIH impermissibly disclosed the PHI of at least 14,004 individuals to its business associate when WIH provided CNE with access to PHI without obtaining satisfactory assurances, in the form of a written business associate agreement, that CNE would appropriately safeguard the PHI. The settlement was reached without any admission of liability by CNE or WIH.

The settlement is a jolt to many covered entities and their business associates for a number of reasons. The key take-aways are: (1) There is an inference in OCR’s actions that a well-worded BAA, wherein the business associate agrees to abide by the specifications required by the Privacy and Security Rules, is sufficient to satisfy the covered entity’s obligation to obtain “satisfactory assurances” that the business associate will appropriately safeguard the PHI (meaning those often lengthy and burdensome security questionnaires or audits business associates are being asked to complete may be unnecessary and not required); (2) documentation of intent and action, including policies, procedures and BAAs, is extremely important in establishing HIPAA compliance (i.e., the fact that the mistake occurred—tapes went missing—is being treated as the result of the absence of a written agreement, justifying the enforcement action, when in reality it is likely, or at least conceivable, that human error, inadvertence or lack of attention was the root cause and this could have occurred even if an updated BAA had been in place and being followed); and (3) policies, procedures and continuous training and retraining of the workforce handling PHI are imperative to a successful HIPAA compliance program, and remain on the radar of any OCR investigation.

A copy of the Resolution Agreement and Corrective Action Plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/wih.
OCR’s sample BAA may be found at http://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html.

Arizona Anesthesia Group Notifies 882,590 Patients of Data Breach

Valley Anesthesiology and Pain Consultants (“VAPC”), a physician group of more than 200 anesthesiologists and pain management specialists with several locations near Phoenix, Arizona, began notifying patients on August 11, 2016, of a potential data breach involving protected health information (“PHI”), despite the fact that its retained forensic consultant found no evidence that the information on the computer system was accessed. However, the consultant was unable to definitively rule that out after investigation, and it did confirm that an individual gained access to a system containing PHI. The physician group elected to take the proactive route of notifying affected individuals. The forensic firm was apparently called in shortly after VAPC learned on June 13, 2016, that a third party may have gained unauthorized access to VAPC’s computer system on March 30, 2016, including records of 882,590 current and former patients, employees and providers.

On its website, VAPC says it values its relationship with patients and so decided to mail the notification letters. Law enforcement was also advised, and a dedicated call center has been set up to answer patients’ questions. Patients have been advised to review the statements they receive from their health insurer and to advise the insurer of any unusual activity. The computer system accessed is believed to have contained patient names, limited clinical information, name of health insurer, insurance identification numbers, and in some instances, social security numbers (“SSN”). No patient financial information was included in the computer systems. For providers, the information included credentialing information such as names, dates of birth, SSN, professional license numbers, DEA (Drug Enforcement Agency) and NPI (National Provider Identifier) numbers, as well as bank account information and potentially other financial information. The employee records on the system included names, dates of birth, addresses, SSNs, bank account information and financial information. Individuals who had their SSN or Medicare number exposed are being offered credit monitoring and identity theft protection services.

The circumstances of the incident illustrate the quandary regarding the presumption that it is a reportable breach if you can’t prove there was no access to the information, and the interplay between the HIPAA Security Rule and the Privacy Rule. Here, it was apparently established the system’s security was breached, but unclear whether personal health information was accessed once the unauthorized individual was in the system.

More information is available on VAPC’s website: https://valley.md/securityupdate.

Macaroni and Malware: Hundreds of Noodles & Company Locations Hacked, Exposing Consumer Financial Information

In the wake of Wendy’s announcement of a data breach in its point-of-sale system, Noodles & Company recently announced that it too was a victim of a cyber-attack, which may have resulted in access to thousands of customers’ debit and credit card data. Noodles & Company’s June 28, 2016 press release identifies restaurant locations in 27 states and Washington DC in which data security may have been breached.

In its press release, Noodles & Company states that it began investigating on May 17, 2016, after its credit card processor reported “unusual activity.” It immediately hired a third-party forensic expert to investigate, and on June 2, 2016, it discovered evidence of “suspicious activity on its computer system that indicated a potential compromise.”

Noodles & Company states that it is “moving forward on a number of fronts” in response to the data breach, including working with third-party forensic investigators, operating with the United States Secret Service, and providing guidance to guests who may have been affected. In a subsequent press release, Noodles & Company asserts that it “contained the incident once the malware was identified and credit and debit cards used at the affected locations identified are no longer at risk from the malware involved in [the] incident.” Nonetheless, it will not be a surprise if Noodles & Company suffers the same fate as Wendy’s: defending a federal consumer class-action lawsuit.

We will continue to monitor and report on this story as it develops.

Addressing the Wendy’s Data Breach Proves Difficult Due to Size of Breach and Company’s Structure

As discussed earlier, Wendy’s announced that it was investigating a possible breach of its point of sale systems (“POS”), after the company was alerted of “unusual activity” involving customers’ credit or debit cards at some of its locations. An earlier Wendy’s press release stated “[b]ased on the preliminary findings of the investigation and other information, the Company believes that malware, installed through the use of compromised third-party vendor credentials, affected one particular point of sale system at fewer than 300 of approximately 5,500 franchised North America Wendy’s restaurants, starting in the fall of 2015.”

It has been reported by security expert Brian Krebs that “some breached Wendy’s locations were ‘still leaking’ customer card data at the end of March 2016 and into early April.” A statement by Wendy’s spokesman Bob Bertini said, in response to questions about the duration of the breach at some stores, “[a]s you are aware, our investigator is required to follow certain protocols in this type of comprehensive investigation and this takes time. Adding to the complexity is the fact that most Wendy’s restaurants are owned and operated by independent franchisees.”

It has been opined that the extent and duration of the breach were a result of its size. Specifically, Tod Beardsley, security research manager at cybersecurity specialist Rapid7, stated that the “fact that the breach affected only 5 percent of Wendy’s locations was likely a contributing factor to its success. A small footprint is much more difficult to detect, since the patterns resulting from the fraud take longer to materialize.” Unfortunately, that detection time allows the individuals involved to go on spending sprees of unauthorized purchases well after the breach took place.

At this time it seems investigators are still trying to wrap their arms around the problem so we may not know the extent and duration of this breach for some time.