EU-US Privacy Shield – How to Opt In and Self Certify

The Privacy Shield provides a means to transfer EU personal data in accordance with certain EU data privacy principles.

As of August 1, 2016, US companies may self-certify as a means of complying with EU data protection laws when transferring EU personal data from the EU to the US. (For background information on the EU-US Privacy Shield, see March 2016 Article.)

Companies should consider self-certifying to the Privacy Shield if they desire to minimize their exposure to liability on many fronts, e.g., regulatory compliance with the EU Data Protection Directive, federal and state laws, and minimizing risks to data breach/regulatory compliance litigation. Additionally, by operating in accordance with these data privacy principles, companies will be building goodwill with their consumers and business partners.

Pre-Certification Assessment/Audit

Prior to self-certifying, companies need to engage in a self-assessment/audit to determine whether their current business practices meet the minimum standards set forth in the Privacy Shield framework. There will likely be some work involved for most companies to self-certify to the Privacy Shield, but it is certainly manageable when proper resources are allocated to address the self-certification requirements.

Although not a complete and extensive list of all of the pre-certification logistical requirements, the following are required to self-certify to the Privacy Shield.

First, companies will need to assess their external and internal privacy policies, and their EU personal data collection, processing, storage and transfer procedures. Each policy and procedure will need to be compliant with the 7 Privacy Shield Principles, and as applicable, the 16 Supplemental Privacy Shield Principles. A summary of these principles can be found at the US Department of Commerce.

Second, once this assessment/audit is complete, companies will likely need to update all of their privacy policies and procedures and contracts with their business partners. If companies self certify to the Privacy Shield by September 30, 2016, they will be provided with a 9-month grace period to update their contracts with their business partners.

Third, the Privacy Shield requires companies to implement specific complaint and dispute policies and procedures, which include replying promptly to all complaints, identifying a point-of-contact person/officer for complaints, and providing an independent recourse resolution mechanism to EU consumers.

Fourth, companies are required to notify the public that they are self-certifying to the Privacy Shield. This includes publishing the Privacy Shield logo and the required self-certification language on their websites, and appointing a person who is responsible for compliance.

Self-Certifying to the Privacy Shield

Once companies complete their pre-certification assessment/audit, then they will be ready to certify to the Privacy Shield.

Self-certification to the Privacy Shield requires companies to submit a written application/certification to the US Department of Commerce. There is also a required fee to self-certify to the Privacy Shield. See Federal Register July 22, 2016 Cost Recovery Fee Schedule for the EU-U.S. Privacy Shield Framework Notice.

Post Certification

After self-certifying to the Privacy Shield, companies must walk the walk. This requires a coordinated effort to comply with their Privacy Policy and maintain good standing on the Privacy Shield list of self-certifying companies.

Additionally, companies must self-certify each year with the US Department of Commerce, which means self-certifying to the Privacy Shield is a constant, ongoing process.

For guidance through the legal and regulatory compliance landmines of self-certifying, do not hesitate to contact Mark Ishman, a member of Gordon Rees’ Privacy & Data Security Practice Group.

Ransomware: Preparing for the Storm That’s A Brewin’

On July 11, 2016, the Office for Civil Rights (“OCR”) published guidelines for ransomware attack prevention and recovery, including the role HIPAA has in helping covered entities and business associates prevent and recover from such attacks, and how HIPAA breach notification processes should be managed in response to a ransomware attack. According to the OCR report, there have been 4,000 daily ransomware attacks since early 2016, up 300% from 2015. Earlier this week a healthcare IT security consultant told me the chatter he hears is that the hackers are working on stronger, more aggressive, more deadly hacks to unleash, and he fears a hacking storm a brewin’. Time to get serious and batten down the hatches, folks!

The OCR report describes what a ransomware attack is, and explains that maintaining strict HIPAA Security Rule compliance can help prevent the introduction of malware, including ransomware. Some of the required security measures discussed include:

  • Implementing a security management process, which includes conducting a risk analysis and taking steps to mitigate or remediate identified threats and vulnerabilities;
  • Implementing processes to guard against and detect malicious software;
  • Training users on malicious software protection; and
  • Implementing access controls.

Ransomware gets into your system, denies you access to your data (usually through encryption), and then directs you to pay a ransom to the hacker in order to receive a decryption key. For this reason, maintaining frequent backups and ensuring the ability to recover data from backups is crucial to surviving a ransomware attack. HIPAA compliance helps protect entities because the Security Rule requires covered entities and business associates to implement a data backup plan as part of an overall contingency plan, which includes periodic testing of the plan to be sure it works.

The presence of ransomware – or any malware – is considered a security incident and triggers the need to initiate security incident response and reporting procedures. Based upon an analysis of the investigation results, breach notification may be required. Additionally, if there is an impermissible disclosure of protected health information (“PHI”) in violation of the privacy rule, there is a presumed breach which may trigger notification. Whether or not the presence of ransomware would be a breach under HIPAA Rules is thus fact specific. However, unless the entity demonstrates there is a “…low probability that the PHI has been compromised,” a breach of PHI is presumed to have occurred and the entity must comply with the applicable breach notification provisions.

Further information and a copy of the OCR report can be found here.

For Now, Emails Stored on Foreign Servers Are Immune to Warrant Searches

On July 14, 2016, the Second Circuit Court of Appeals ruled in the potentially groundbreaking Microsoft v. United States case that the federal government cannot compel companies to turn over emails stored on servers located outside the United States. In today’s border-shrinking digital world, the Second Circuit’s ruling raises a slew of questions (that will no doubt be litigated extensively in the coming years) and more than a few concerns.

In December 2013, the United States government sought to execute a search warrant pursuant to Section 2703(a) of the Stored Communications Act (the “SCA”) to seize the contents of an email account of a suspected participant in a narcotics ring, which was stored on Microsoft’s servers in Ireland. Microsoft refused to turn over the extraterritorial emails, and was held in contempt for failing to comply with a search warrant.

Initially, the Southern District of New York ruled that Section 2703 of the SCA applies extraterritorially, and ordered Microsoft to release the sought-after emails. On appeal, however, the Second Circuit held that Section 2703 of the SCA “does not authorize courts to issue and enforce against U.S.‐based service providers warrants for the seizure of customer e‐mail content that is stored exclusively on foreign servers.”

In reversing the district court, even after noting the presumption against extraterritoriality, the Second Circuit relied heavily upon the fact that the SCA, passed in 1986, was drafted when computers were in their infancy, foreign-communicating servers did not exist, and very few lawmakers were familiar with the concept of the Internet. The Second Circuit also found persuasive the fact that the SCA’s warrant provision that allows the government to require disclosure of electronically stored communications, like any other search warrant and unlike subpoenas, is restricted by the Fourth Amendment to domestic applications only.

In the concurrence to the Microsoft opinion, the Second Circuit acknowledges that the SCA does not protect emails and other information stored on domestic servers. In fact, the Court notes, nothing prevents private companies from transferring electronically stored communications stored on foreign servers to American-based servers with the click of a button, which would give the federal government the opportunity to execute a properly obtained search warrant lawfully.

At minimum, this case signals to Congress the urgent need to update outdated statutes like the SCA that have been rendered obsolete by decades of warp-speed technological breakthroughs and advancement. In 1986, the concept of cloud storage, extraterritorial servers and high-speed internet was the stuff of science fiction novels. Today, such technology is used by virtually every business and by a large percentage of the world’s population. The Second Circuit has signaled to Congress that the time to weigh privacy interests against the government’s legitimate need for evidence is now.

‘The Dark Overlord’ Places Healthcare Databases on Dark Web

Once again news reports teach us that the time to have your robust data privacy and security program in place and continually monitored was yesterday!

On June 26 it was reported on DataBreaches.net that 655,000 patient records from three different healthcare databases were up for sale on the dark net. According to reports on the DeepDotWeb, at least one of the hacked entities was using SRS EHR v.9 patient management software. DeepDotWeb also reports that the hacker communicated with them over an encrypted Jabber conversation, and included images from the largest database hack from the hacker’s internal network. The seller/hacker asked the website to add a note to the breached companies: “Next time an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer. There is a lot more to come.”

Apparently it was shortly after that a fourth stolen database, consisting of a reported 9.3 million individuals’ records from a health insurer, went up for sale. The hacker taking credit for all of them refers to himself as “The Dark Overlord”. He claims to have contacted the entities to warn them about the vulnerabilities of their systems, and offered to fix or reveal the problems for an undisclosed amount, which the healthcare organizations declined. In other words, the hacker offered the stolen data back to its owners for an extorted ransom. When the demand was not paid the hacker moved on to Plan B: sell the data on the dark web. The hacker offered the data from the four hacked healthcare organizations for prices ranging from $96,000 to $490,000 in bitcoin.

In the past week two of The Dark Overlord’s targets, Athens Orthopedic Clinic in Georgia and a Missouri group of clinics owned by Dr. Scott Van Ness, have been identified. The hacker accessed electronic medical records of both targets using the credentials of a third-party vendor. Personal information of current and former patients was breached, including names, addresses, social security numbers, dates of birth and telephone numbers, and in some cases diagnoses and partial medical history. Athens Orthopedic Clinic is advising its current and past patients to place a fraud alert on their credit reports with the major credit bureaus. This notice, however, is alleged to have materialized only after events of last weekend, when 500 patient records from Athens Orthopedic Clinic appeared on Pastebin, with a note to their CEO to “pay the [expletive omitted] up.”

Notably, according to reports on Databreaches.net, both entities have acknowledged that the attacker likely got access through an unnamed third-party contractor (presumably the EMR vendor). Databreaches.net claims, however, that neither entity mentioned the ransom demands or that patient data was being dumped in public and was still up for sale on the dark net. Athens Orthopedic Clinic apparently did work to get the information removed from Pastebin, but the other group’s data was still posted as of July 16.

Several lessons, or at least questions, must be in the minds of any healthcare organization as they learn of these events. First is the question of whether your own data security is protected from such attacks, or whether you are vulnerable as well. How safe is your EMR system? How closely do you audit and monitor the third-party vendors you contract with? Second, what will your response be in the event you receive a post-breach ransom demand? I think every organization should have at least a working framework to use for that analysis before it finds itself the recipient of such a demand.

Macaroni and Malware: Hundreds of Noodles & Company Locations Hacked, Exposing Consumer Financial Information

In the wake of Wendy’s announcement of a data breach in its point-of-sale system, Noodles & Company recently announced that it too was a victim of a cyber-attack, which may have resulted in access to thousands of customers’ debit and credit card data. Noodles & Company’s June 28, 2016 press release identifies restaurant locations in 27 states and Washington DC in which data security may have been breached.

In its press release, Noodles & Company states that it began investigating on May 17, 2016, after its credit card processor reported “unusual activity.” It immediately hired a third-party forensic expert to investigate, and on June 2, 2016, it discovered evidence of “suspicious activity on its computer system that indicated a potential compromise.”

Noodles & Company states that it is “moving forward on a number of fronts” in response to the data breach, including working with third-party forensic investigators, operating with the United States Secret Service, and providing guidance to guests who may have been affected. In a subsequent press release, Noodles & Company asserts that it “contained the incident once the malware was identified and credit and debit cards used at the affected locations identified are no longer at risk from the malware involved in [the] incident.” Nonetheless, it will not be a surprise if Noodles & Company suffers the same fate as Wendy’s: defending a federal consumer class-action lawsuit.

We will continue to monitor and report on this story as it develops.

Shared Patient Videos Lead to Class Action against Sharp Grossmont Hospital

On May 24, 2016, a class-action complaint was filed against Sharp Healthcare in San Diego, California, alleging violations of the Health Insurance Portability and Accountability Act (HIPAA). Specifically, the complaint alleges that Sharp secretly recorded approximately 15,000 videos of patients in Sharp’s year-long attempt to build a case against an anesthesiologist allegedly stealing the drug Propofol. Sharp allowed security guards to review the recordings, and released 14 of the recordings to the anesthesiologist’s defense attorney. Many of the videos depicted unconscious patients, nudity, Cesarean sections, or other surgeries.

The named plaintiff, Melissa Escalera, was allegedly filmed during a Cesarean section. The class potentially includes more than 1,000 patients secretly recorded by Sharp between July 2012 and June 2013. The complaint seeks class certification and damages for breach of fiduciary duty, breach of confidentiality, unlawful recording of confidential information, negligent creation and maintenance of medical information, unlawful disclosure of medical information, invasion of privacy, and distribution of private sexually explicit materials.

We will continue to monitor this story as it develops.

Just When You Thought EU “Model Clauses” Are Safe to Transfer EU Data, Think Again

After the Court of Justice of the European Union (CJEU) invalidated the Safe Harbor framework for EU-US data transfer, companies began to rely on the EU’s “Model Clauses” as a valid means of transferring data from the European Union. In fact, almost all multi-national corporations adopted “Model Clauses” as the interim best practice to transfer EU data from the European Union.

However, the EU “Model Clauses” do not directly address US national security surveillance laws, which remain unchanged and continue to apply to large multi-national corporations. This has given rise to the latest CJEU proceeding, initiated by the Irish Data Protection Commissioner (DPC). The DPC recently announced that it will ask the CJEU to determine whether Facebook can transfer EU data from the European Union via the use of the EU’s model clauses. A copy of the press release can be found here.

In addition to the ongoing EU-US Privacy Shield negotiations that will likely continue for at least the next year, we must now watch for the CJEU’s decision on whether EU “Model Clauses” adequately protect EU data from big government surveillance practices. Given the current state of EU data transfers, best practices must continue to be examined and developed by the data privacy industry.

Investigation Underway After Sharp Grossmont Hospital Shared Private Patient Videos With Third Party

On May 12, 2016, Sharp HealthCare issued a statement regarding its inadvertent dissemination of videos depicting fourteen female patients undergoing obstetric surgeries. Sharp provided the videos to a local attorney defending a physician who is accused of stealing sedative medication from Sharp Grossmont Hospital in San Diego, California.

The privacy breach may constitute a violation of California’s Confidentiality of Medical Information Act (CMIA) and the Health Insurance Portability and Accountability Act (HIPAA), both of which prohibit the disclosure or use of medical information without patient authorization. The hospital argues that a clause in its Admission Agreement authorized the surveillance:

You consent to all hospital services rendered under the general and special instructions of your physician(s), and to the taking of photographs and videos of you for medical treatment, scientific, education, quality improvement, safety, identification or research purposes, at the discretion of the hospital and your caregivers and as permitted by law.

However, the patients are sure to assert that even if the surveillance was authorized, the provision cannot reasonably be interpreted as authorization for disclosing the so-called surveillance to a third party.

Sharp has notified the California Department of Public Health and the Department of Health and Human Services Office for Civil Rights, who will investigate the breach. If the California Department of Public Health determines that the breach constituted a violation of CMIA, the hospital could be fined up to $250,000. (Civ. Code, § 53.36.) HIPAA imposes similar – but more costly – fines for violations.

We will continue to monitor this story as it develops.

Addressing the Wendy’s Data Breach Proves Difficult Due to Size of Breach and Company’s Structure

As discussed earlier, Wendy’s announced that it was investigating a possible breach of its point of sale systems (“POS”), after the company was alerted of “unusual activity” involving customers’ credit or debit cards at some of its locations. An earlier Wendy’s press release stated “[b]ased on the preliminary findings of the investigation and other information, the Company believes that malware, installed through the use of compromised third-party vendor credentials, affected one particular point of sale system at fewer than 300 of approximately 5,500 franchised North America Wendy’s restaurants, starting in the fall of 2015.”

It has been reported by security expert Brian Krebs that “some breached Wendy’s locations were ‘still leaking’ customer card data at the end of March 2016 and into early April.” A statement by Wendy’s spokesman Bob Bertini said, in response to questions about the duration of the breach at some stores, “[a]s you are aware, our investigator is required to follow certain protocols in this type of comprehensive investigation and this takes time. Adding to the complexity is the fact that most Wendy’s restaurants are owned and operated by independent franchisees.”

It has been opined that the extent and duration of the breach was a result of its small size. Specifically, Tod Beardsley, security research manager at cybersecurity specialist Rapid 7, stated that the “fact that the breach affected only 5 percent of Wendy’s locations was likely a contributing factor to its success. A small footprint is much more difficult to detect, since the patterns resulting from the fraud take longer to materialize.” Unfortunately, the detection time allows the individuals involved to go on spending sprees comprised of unauthorized purchases well after the breach took place.

At this time it seems investigators are still trying to wrap their arms around the problem so we may not know the extent and duration of this breach for some time.

Privacy Law and Social Media: Why Employers Should Create and Update Social Media Policies

When can an employer discipline an employee who uses social media to distribute content online that could be detrimental to the employer’s business interests? The answer, of course, is “it depends.”

The law struggles to keep pace with technology. Cyberspace has expanded the “workplace” beyond the physical confines of an office building and the traditional eight-hour workday (overtime concerns are the subject for a future blog post). At minimum, employers should create, update and distribute to employees their privacy rules and policies – typically in an employee handbook with a signed acknowledgment of receipt – that reduce the expectation of privacy in the workplace. Employees should be informed through company policies that desks, files, vehicles and even lockers provided by the employer may be subject to search. The privacy rules and policies should also extend to digital property (data) contained in and transmitted through equipment and devices the employer provides that can be used both onsite and offsite, such as laptops, smart phones and email accounts.

However, employers in California and other states also must balance the risk of disciplining employees for off-duty conduct online that may be detrimental to the employer’s interests with laws that prohibit employers from retaliating against employees who engage in legal off-duty conduct. For example, under California Labor Code Section 96(k), commonly known as “the moonlighting law,” the Labor Commissioner may pursue claims against an employer “for loss of wages as the result of a demotion, suspension, or discharge from employment for lawful conduct occurring during nonworking hours away from the employer’s premises.”

So, how does an employer minimize the risks associated with addressing an employee’s off-duty and online conduct that may be undesirable or detrimental, but not illegal? The following steps may reduce the risks:

  • Create an employee handbook that specifically states the company’s privacy and social media policies.
  • Reference and incorporate general policies and guidelines for employee communications transmitted by email, text or voice through internet or social media.
  • Prohibit employees from creating conflicts of interest, revealing trade secrets and other specified conduct that is detrimental to the company’s legitimate business interests.
  • Inform employees they will be held to the same standards and code of conduct whether they are off-duty or on-duty.