“From the Office to Cyberspace: Workplace Violence in the Twenty-First Century” Article Published by DRI

Gordon & Rees Partner Diane Krebs and Associate Jamie Haar authored an article, “From the Office to Cyberspace: Workplace Violence in the Twenty-First Century,” published in the January 2017 issue of DRI’s magazine, For The Defense.

In their article, Krebs and Haar, both members of Gordon & Rees’s Employment Practice Group, offer key legal considerations for employers on how to navigate workplace violence and bullying in today’s social media-heavy world.

The article discusses the many forms of workplace violence and bullying, with a particular focus on workplace cyberbullying, and identifies the legal implications and an employer’s potential liability. Among other things, the article discusses the privacy concerns implicated by the Stored Communications Act to assist employers in crafting their investigatory procedures.

To read the full article, click here.

Five Steps to Lower the Risk of Trade Secret Theft from Business Partners

As stories of international and domestic hacking and espionage dominate the news cycle, it’s easy to forget that when it comes to trade secrets, employees and business partners—not hackers—pose the biggest threat. See David S. Almeling et al., A Statistical Analysis of Trade Secret Litigation in Federal Courts, 45 Gonz. L. Rev. 291 (2009/2010).

In a recent webinar, Gordon & Rees addressed protection of trade secrets and proprietary information from employee theft. Here, we address some steps to help prevent business partners from misusing your trade secrets.

  1. Identify your trade secrets and control access to them

Before any agreements are drafted or any information or documents are exchanged, be sure you have identified your trade secrets (see also the definition under the Uniform Trade Secrets Act). You can’t protect them unless you know what they are. This sounds like common sense, but surprisingly, in the hustle and bustle of everyday work, not all companies take the time to do this until they’ve realized their trade secrets have ended up in the wrong hands. (Unless it is appropriate for your industry, referring to everything as a “trade secret” is not helpful, either—for example, your business partners are less likely to take your actual trade secrets seriously if you claim that information you have made public is also a trade secret.)

A trade secret “registry” could be considered favorable evidence in court—as long as it is timely updated and actually distributed to employees. See Schalk v. State, 823 S.W.2d 633, 643 (Tex. Crim. App. 1991). This registry will also help your own employees apply the proper markings when such information is exchanged with a business partner.

Securing your trade secrets in-house will not only help your case in court, it also helps when it comes to disclosure to third parties, particularly inadvertent disclosure. Chances are, not every employee will require access to every trade secret. Restrict physical and electronic access to each trade secret to the personnel who actually need it.

What measures are appropriate will depend on the circumstances and will likely evolve with time and technology. A court found that information stored on secure servers protected by three layers of physical security, passwords, and 256-character PuTTY keys (with portions held by only a single person) was sufficient evidence for a jury to conclude that the trade secret owner took appropriate measures to protect its trade secrets. Xtec, Inc. v. CardSmart Techs., Inc., No. 11-22866-CIV-ROSENBAUM, 2014 U.S. Dist. LEXIS 184604, at *26 (S.D. Fla. May 15, 2014).

On the other hand, where information was distributed to 600-700 people, of whom at most 190 signed confidentiality agreements, and where that same information was not stamped as “confidential,” a court found that no reasonable jury could conclude that “reasonable efforts” were made. Tax Track Sys. Corp. v. New Inv’r World, Inc., 478 F.3d 783, 788 (7th Cir. 2007).

  2. Draft tailored non-disclosure agreements (“NDAs”)

Before any information is exchanged with a business partner, have your attorneys help you draft a non-disclosure/confidentiality agreement tailored to the arrangement. Not only will this agreement help you in case you need to litigate the matter, it will provide the protocols for your business partner to follow.

Some provisions you and your attorneys will want to consider are the return/destruction of trade secrets at certain stages (and certainly when the relationship is terminated), a perpetual non-disclosure and non-use clause when it comes to trade secrets (as opposed to an expiring one), how trade secrets will be identified/marked (and the ability to later identify/mark previously exchanged documents), and requirements for the business partner’s employees to sign individual NDAs and/or obtain training on how to handle trade secrets. This is not an exhaustive list—work with your attorney to flesh out the agreement.

Be wary of stock or template agreements; many of them may not contemplate the specific issues that may arise in your situation. Many “standard” agreements also contain language that relieves the business partner of its contractual obligations of non-disclosure and non-use as soon as the trade secrets are made public—without specifying that such public disclosure must have been authorized by the owner of the trade secret, and without giving the owner the chance to mitigate the effects and damage of the unauthorized disclosure.

But no matter how perfect the agreement, it won’t matter if it isn’t properly implemented.

  3. Train your own employees

Identify all the employees who will be corresponding with the business partner and make sure you train them. Let them know what information can be exchanged, what cannot, and which individuals from the business partner they can exchange information with. Provide them with a written checklist and designate a most-knowledgeable person—or better yet, a specialized team—to whom they can direct their questions. This team should also conduct some “spot checks” throughout the relationship to make sure protocols are being followed.

If the relationship with the business partner will span more than a couple of months, also have a plan in place to retrain your employees at regular intervals.

  4. Train the business partner’s employees

Even if you require individuals from the business partner’s company to sign an NDA, that may not be enough. You may want to provide the partner’s employees with the necessary training, or at least provide the partner with the necessary materials to provide the training themselves (and require them to do so as part of the NDA). Regularly communicate with the partner to make sure they are protecting your trade secrets, and have your employees and your specialized team pay attention to how the business partner is using this information as well.

  5. Create a contingency/emergency plan

Did an employee send a trade secret to the business partner without marking it as such? Has the business partner communicated plans that may violate the NDA? Has the relationship with the business partner begun to go sour?

Your team should already have a contingency plan in place to deal with these—and other—situations, and protocols to continually improve security and access. Make sure you follow through on enforcing contractual provisions, and make sure you act swiftly.

In closing, remember that when dealing with trade secrets or handling other proprietary, confidential or otherwise private information, nothing beats being prepared.

The Joint Commission Issues Clarification on Texting of Patient Care Orders

“The use of secure text orders is not permitted at this time.”

In 2011, the technology to provide for the safety and security of text messaging was not available and, at that time, The Joint Commission (“TJC”) said it was not acceptable for practitioners to text orders for patient care and treatment. Then, in May 2016, TJC revised its position in recognition of technological advances and said physicians could text message when done in accordance with standards of practice, laws, regulations, policies and practices “as long as the system met specific requirements.”

Since then, however, TJC got together with the Centers for Medicare & Medicaid Services (CMS) and issued updated recommendations that include the following:

  • Providers should have policies prohibiting the use of unsecured text messaging of protected health information (PHI).
  • CPOE (computerized provider order entry) should be the preferred method for submitting orders, which are directly entered into the electronic health record.
  • The use of secure text orders is not permitted at this time.

This turnaround came after TJC and CMS discussed the issues with numerous stakeholders, including text messaging platform vendors and experts in electronic health records (EHRs). The identified concerns for maintaining the existing status quo were:

  • Increased burden on nurses to manually transcribe text orders into the EHR.
  • Verbal orders are preferred when CPOE is not used, because they allow for real-time clarification and confirmation of the order as it is given by the practitioner.
  • Text messaging could cause delay in treatment where a clinical decision support (“CDS”) recommendation or alert is triggered during data entry, requiring the nurse to contact the practitioner for additional information.

To view the full text article on the TJC website click here.

Recent Suit Highlights the Importance of Data Security for Law Firms

In what undoubtedly portends things to come, recently unsealed court files reveal that the first data security class action complaint against a domestic law firm was formally filed. Chicago-based Johnson & Bell, a firm of more than 100 attorneys that recently celebrated its 40th anniversary, was recently named in a lawsuit that alleged it failed to appropriately protect confidential client information. That lawsuit was filed by Johnson & Bell’s former clients, bitcoin-to-gold exchange Coinabul LLC, and its Chief Operating Officer, Jason Shore.

Coinabul and Mr. Shore set forth a four-count Complaint alleging breach of contract, negligence, unjust enrichment, and breach of fiduciary duty. Underpinning all of these claims were the following core allegations: the defendant law firm’s time-tracking system (“Webtime”) was built on a “JBoss Application Server” which was out-of-date and suffered from a critical vulnerability, leaving it susceptible to hacking; its virtual private network (“VPN”) supported insecure renegotiation, leaving it vulnerable to man-in-the-middle attacks; and, finally, the firm’s email system had broken security that left it susceptible to attack. In short, plaintiffs allege the firm failed to implement industry standard data security measures with respect to its Webtime, VPN, and email services, resulting in certain vulnerabilities that could expose confidential client information.

The hypothetical exposure of confidential client information makes this lawsuit all the more interesting – plaintiffs did not actually allege that Johnson & Bell’s Webtime, VPN, or email services were ever compromised, or that confidential information was ever leaked. These points were all raised in Johnson & Bell’s subsequently-filed motion to dismiss. That motion was ultimately never ruled upon, as the parties are now engaged in a confidential arbitration.

While the outcome of this suit might never become public, the takeaway lesson is apparent – attorneys and law firms must remain diligent, and continue to take reasonable efforts to maintain client confidentiality and properly secure data.

Seventh Circuit Applies Spokeo and Requires Actual Injury to Establish Article III Standing in FACTA Case

On December 13, 2016, the Seventh Circuit Court of Appeals became the first post-Spokeo circuit court to address the issue of Article III standing in a putative class action brought for an alleged violation of the Fair and Accurate Credit Transactions Act (“FACTA” or “the Act”), 15 U.S.C. § 1681c(g), which is itself an amendment to the Fair Credit Reporting Act (“FCRA”). Generally, FACTA prohibits a vendor or retailer who accepts a credit or debit card as a means of payment from printing more than the last five (5) digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction. 15 U.S.C. § 1681c(g)(1). Willful violations of the Act could subject a defendant to any actual damages sustained by the consumer, or statutory damages of not less than $100.00 and not more than $1,000.00. 15 U.S.C. § 1681n(a). The Act also provides for the potential recovery of punitive damages along with reasonable attorney’s fees and costs. Id. Thus, per the plain language of the statute, actual damages are not necessarily a precondition for a FACTA suit. Aggregated statutory damages in a class claim, as one might imagine, could prove ruinous for a defendant.

In Spokeo v. Robins, the United States Supreme Court held that a plaintiff could not establish Article III standing by relying solely on a “bare procedural violation” divorced from any real-world harm, because “Article III standing requires a concrete injury even in the context of a statutory violation.” In the five months since Spokeo was decided, however, district court decisions as to whether a plaintiff may enjoy standing to bring actions premised upon statutory violations alone have been far from consistent.

In Meyers v. Nicolet Restaurant of De Pere, the Seventh Circuit dismissed a plaintiff’s putative class claim for lack of Article III standing, as he sought only those damages that are statutorily provided for under FACTA. More specifically, Mr. Meyers alleged that, after dining at Nicolet Restaurant of De Pere, he was given a receipt that did not truncate the expiration date of his credit card. He subsequently filed suit on behalf of all customers who had similarly been provided with receipts that were not compliant with FACTA’s requirements. While Mr. Meyers admitted seeking only statutory damages, he argued that standing was conferred upon him because, in enacting FACTA, Congress granted him the legal right to receive a receipt that truncated his credit card’s expiration date. The Seventh Circuit disagreed, finding it significant that Mr. Meyers discovered the violation immediately, and that no one else ever saw the violative receipt. The Seventh Circuit found it difficult to imagine how the presence of the expiration date could have increased the risk that Mr. Meyers’s identity would be compromised, and accordingly held that, without a showing of injury apart from the failure to truncate a credit card’s expiration date, the injury-in-fact requirement under Article III could not be satisfied.

While district courts continue to interpret Spokeo in cases implicating various “no-injury” consumer and privacy statutes, this decision provides defendants with additional grounds to potentially move for dismissal. Conversely, plaintiffs are sure to use it as a roadmap to creatively tailor pleadings to establish an injury in fact.

The Seventh Circuit’s opinion in Meyers v. Nicolet Restaurant of De Pere can be found here.

Arizona Voter Registration Database Hacked by Email Designed to Look Like Employee

In this contentious election year, foreign hackers have taken a keen interest in the U.S. electoral system. Perhaps most memorable was this summer’s high-profile assault on Democratic National Committee computers, which exposed a number of unsavory emails and forced DNC Chairwoman Debbie Wasserman Schultz to step down. But state voter registration databases have also become popular targets for hackers looking to disrupt confidence in this year’s elections; over two dozen states have seen some form of cyberattack on their election systems this year. An apparent hacking attempt in June 2016 caused Arizona’s voter registration system to shut down for almost a week while state and federal officials investigated the source of the hack. The FBI later attributed the breach to Russian hackers.

Speaking at the Cambridge Cyber Summit this month, Arizona Secretary of State Michele Reagan revealed that the malware was traced to a highly sophisticated email designed to look like it came from an employee. Hackers used the email to obtain the username and password of a single election official, giving them access to Arizona’s entire voter registration database, which houses the personal information of more than four million Arizona residents. According to Secretary Reagan, election officials have taken several steps to protect Arizona’s election system from additional cyberattacks, including requiring employees to implement new and stronger passwords and multifactor authentication. Although Secretary Reagan has been adamant that hackers did not gain access to any mechanism for tallying votes, the mere possibility that election results could be compromised may be enough to cast doubt on this election, which some (including one major party candidate) have already alleged is “rigged.” This latest revelation from Arizona officials serves as yet another example of the importance of creating a culture of data security in the workplace and training employees, in all industries, to recognize the signs of fraudulent emails.

See Secretary of State Reagan’s complete interview here.

Failure to Update Business Associate Agreement Leads to Health System’s Settlement with OCR

A hospital’s breach notification to the Department of Health and Human Services, Office of Civil Rights (“OCR”) led to a Resolution Agreement, payment of $400,000 and a Corrective Action Plan for an east coast health system. On September 23, 2016, OCR issued a press release advising that Women & Infants Hospital of Rhode Island (“WIH”), a member of Care New England Health System (“CNE”), notified OCR of a reportable breach in November of 2012, stemming from its discovery that unencrypted backup tapes containing electronic Protected Health Information (“PHI”) were missing from two of its facilities. CNE provides centralized corporate support to the covered entities under its common ownership and control, including technical support and information security for WIH’s information systems, as its business associate. Although WIH had in place a business associate agreement (“BAA”) with CNE, it was dated from March of 2005 and had not been updated since implementation and enforcement of the HIPAA Omnibus Final Rule.

OCR’s investigation of WIH’s HIPAA Compliance program, triggered by the report of the missing tapes, uncovered the outdated BAAs. WIH updated their BAA on August 28, 2015, as a result of OCR’s investigation. OCR then determined that from September 23, 2014, the date enforcement of the Final Rule began, until August 28, 2015, WIH impermissibly disclosed the PHI of at least 14,004 individuals to its business associate when WIH provided CNE with access to PHI without obtaining satisfactory assurances, in the form of a written business associate agreement, that CNE would appropriately safeguard the PHI. The settlement was reached without any admission of liability by CNE or WIH.

The settlement is a jolt to many covered entities and their business associates for a number of reasons. The key take-aways are: (1) There is an inference in OCR’s actions that a well-worded BAA, wherein the business associate agrees to abide by the specifications required by the Privacy and Security Rules, is sufficient to satisfy the covered entity’s obligation to obtain “satisfactory assurances” that the business associate will appropriately safeguard the PHI (meaning those often lengthy and burdensome security questionnaires or audits business associates are being asked to complete may be unnecessary and not required); (2) documentation of intent and action, including policies, procedures and BAAs, is extremely important in establishing HIPAA Compliance (i.e., the fact that the mistake occurred—tapes went missing—is being treated as the result of the absence of a written agreement, justifying the enforcement action, when in reality it is likely, or at least conceivable, that human error, inadvertence or lack of attention is the root cause and this could have occurred even if an updated BAA was in place and being followed); and (3) policies, procedures and continuous training and retraining of the workforce handling PHI are imperative to a successful HIPAA compliance program, and remain on the radar of any OCR investigation.

A copy of the Resolution Agreement and Corrective Action Plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/wih.
OCR’s sample BAA may be found at http://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html.

Privacy of Nonparty Patients

The public has a right to every man’s evidence, unless that evidence is protected by a constitutional, common-law, or statutory privilege. How should this doctrine apply where a litigant seeks discovery of the identity of a nonparty patient who may have been a witness to negligence or malpractice? At what point is the right to evidence trumped by a patient’s right to privacy? When addressing such questions, courts distinguish the situation where disclosure of a nonparty patient’s identity would reveal nothing more than the fact that the person was a patient from the situation where such disclosure would reveal the nature of the person’s ailment or treatment.

Thus, an Arizona court allowed discovery of the identity of a hospitalized patient who may have witnessed events relevant to a malpractice claim brought on behalf of his hospital roommate. The court allowed such discovery on the basis that revealing that a person was a patient in a particular hospital room on a particular day would not reveal anything of importance about the nature of his ailments or treatment.1 Along similar lines, a New York court allowed discovery of the identities of nonparty patients in an emergency room because, due to the wide range of services and medical conditions treated in an emergency room, disclosure of their identities would not violate their right to keep their personal health information confidential.2

In contrast, a New York court did not allow discovery of the identities of patients in a cardiac rehabilitation center who may have witnessed an injury that was the subject of a lawsuit.3 This court did not allow such discovery because it necessarily would have revealed the nature of their ailment. It would have revealed “that they were undergoing treatment for cardiac-related conditions.” One might expect a court following this reasoning to bar discovery of the identity of a nonparty patient if it required revealing that they were receiving treatment in a particular part of a hospital (such as cancer radiation) or were hospitalized in a facility that provided a particular kind of care (such as a cancer or orthopedic specialty hospital).
_______________________________________________________________________
1 Carondelet Health Network v. Miller, 221 Ariz. 614, 212 P.3d 952 (App. 2009).
2 Rabinowitz v. St. John’s Episcopal Hospital, 24 A.D.3d 530, 808 N.Y.S.2d 280, 282 (2005).
3 Gunn v. Sound Shore Med. Ctr., 5 A.D.3d 435, 772 N.Y.S.2d 714, 715 (2004).

OCR Provides Further Clarification on Charging Flat Rate for Copies of PHI

The Office of Civil Rights (OCR) at the Department of Health and Human Services recently provided further clarification about the amount that an individual may be charged for a copy of their protected health information (PHI). After releasing guidance earlier this year about individuals’ rights under HIPAA to access and obtain a copy of their health information, OCR provided clarification in response to questions it received after releasing the guidance. In a new frequently asked question, OCR clarifies that $6.50 is not the maximum amount that can be charged to provide individuals with a copy of their PHI. Rather, OCR states that charging a flat fee of $6.50 is an option available to those covered entities (or a business associate acting on behalf of the covered entity) that do not want to calculate the allowable fees for providing individuals with copies of their PHI as provided by the Privacy Rule.

Arizona Anesthesia Group Notifies 882,590 Patients of Data Breach

Valley Anesthesiology and Pain Consultants (“VAPC”), a physician group of more than 200 anesthesiologists and pain management specialists with several locations near Phoenix, Arizona, began notifying patients on August 11, 2016, of a potential data breach involving protected health information (“PHI”), despite the fact that their retained forensic consultant found no evidence that the information on the computer system was accessed. However, the consultant was unable to definitively rule that out after investigation, and it did confirm that an individual gained access to a system containing PHI. The physician group elected to take the proactive route of notifying affected individuals. The forensic firm was apparently called in shortly after VAPC learned on June 13, 2016, that a third party may have gained unauthorized access to VAPC’s computer system on March 30, 2016, including records of 882,590 current and former patients, employees and providers.

On its website, VAPC says it values its relationship with patients and so decided to mail the notification letters. Law enforcement was also advised, and a dedicated call center has been set up to answer patients’ questions. Patients have been advised to review the statements they receive from their health insurer and to advise the insurer of any unusual activity. The computer system accessed is believed to have contained patient names, limited clinical information, name of health insurer, insurance identification numbers, and in some instances, social security numbers (“SSN”). No patient financial information was included in the computer systems. For providers, the information included credentialing information such as names, dates of birth, SSN, professional license numbers, DEA (Drug Enforcement Administration) and NPI (National Provider Identifier) numbers, as well as bank account information and potentially other financial information. The employee records on the system included names, dates of birth, addresses, SSNs, bank account information and financial information. Individuals who had their SSN or Medicare number exposed are being offered credit monitoring and identity theft protection services.

The circumstances of the incident illustrate the quandary created by the presumption that an incident is a reportable breach if you can’t prove there was no access to the information, and the interplay between the HIPAA Security Rule and the Privacy Rule. Here, it was apparently established that the system’s security was breached, but unclear whether personal health information was accessed once the unauthorized individual was in the system.

More information is available on VAPC’s website: https://valley.md/securityupdate.