Insurance industry takes protective stance against constant threat of data breaches

Over 1,000 Medicaid identification numbers may have been compromised in a recent breach of security protocol in North Carolina. An employee of the North Carolina Department of Health and Human Services inadvertently sent an email without first encrypting it, which contained protected health information for Medicaid recipients, including the individual’s first and last name, Medicaid identification number, provider name, and provider identification number. While the Department has no reason to believe that any information was compromised, the Department advised affected patients to take steps to protect themselves, such as putting a fraud alert on their credit files and monitoring their financial statements for unauthorized activity.

Individual insurance companies have also fallen victim to cyberattacks. The National Association of Insurance Commissioners (NAIC) has made efforts to strengthen the insurance industry’s security position by launching the Cybersecurity Task Force, which is creating a framework for insurance companies to follow in the event of a security breach. The NAIC recently proposed a Cybersecurity Bill of Rights, which outlines the expectations of insurers when a data breach occurs and remedies for consumers who have suffered harm due to a breach. Consumer advocates, as well as insurance groups representing life, health, and property/casualty carriers, support the Cybersecurity Bill of Rights, but are pushing for changes, arguing that the document may create confusion for consumers because it currently implies that certain rights, which are not contained in all applicable state and federal laws, exist for all consumers. While the Cybersecurity Bill of Rights will not likely become a binding document, the Cybersecurity Task Force has been working alongside state insurance regulators, conducting examinations of insurance carriers’ protocols to determine whether sensitive data and confidential information are properly protected. One thing is for certain – the increase in data breaches nationwide will lead to more regulations affecting all areas of industry, and eventually to additional lawsuits under those regulations.

Text Messaging and HIPAA Compliance Risks

Like everyone else, health care workers have become accustomed to the convenience of communicating by text message. Although using text messages can make communications more efficient in the health care setting, transmitting protected health information (PHI), including photographs, in text messages raises Health Insurance Portability and Accountability Act compliance risks. Some of the compliance risks include the following:

  • Many people do not password-protect a mobile device, making it easy for another user to access PHI stored in texts. This access can occur when the device is shared, lost, or stolen.
  • Text messages often are not encrypted, unlike e-mail.
  • The use of personal mobile devices to send texts or photographs is common, unlike email, which most often is sent on work-issued computers or tablets.
  • Text messages can remain on a mobile device indefinitely.

The U.S. Department of Health & Human Services (HHS) and the Office of the National Coordinator for Health Information Technology (ONC) have gathered tips to safeguard PHI when using mobile devices. They make the following suggestions about how to protect and secure information on mobile devices, which apply equally to developing a policy on transmitting PHI by text message.

  • Use a password or other user authentication.
  • Install and enable encryption.
  • Install and activate remote wiping and/or remote disabling.
  • Maintain physical control of the mobile device.
  • Delete all stored health information before discarding or reusing the mobile device.

HHS and ONC have resources to assist in updating or developing policies for mobile device use. They recommend the following five steps for policy planning. These steps can assist health care organizations in developing a policy on using text messages to transmit PHI.

1. Decide whether mobile devices will be used to access, receive, transmit or store PHI.

2. Conduct a risk analysis to identify risks, and perform a risk analysis periodically and whenever there is a new mobile device, a lost or stolen device, or suspicion of compromised health information. After conducting a risk analysis, document:

  • which mobile devices are used to communicate with your organization’s internal networks or system; and
  • what information is accessed, received, stored, and transmitted by or with the mobile device.

In addition, organizations should review HHS “HIPAA Security Series: Basics of Risk Analysis and Risk Management” for guidance on conducting a risk analysis.

3. Identify your organization’s mobile device risk management strategy, including privacy and security safeguards. The risk management strategy should include evaluation and maintenance of the mobile device safeguards you put in place.

4. Develop, document, and implement your policy. HHS and ONC suggest that the organization consider the following:

  • mobile device management, including identifying and tracking devices;
  • whether personal mobile devices can be used and whether they can be used to connect to the organization’s internal network or system;
  • whether the device can be used away from the organization;
  • whether the device can be used to text;
  • security/configuration settings on mobile devices;
  • restrictions on information that can be stored on mobile devices;
  • procedures for addressing misuse of mobile devices; and
  • recovery and deactivation to wipe or disable lost or stolen devices or devices of employees who leave the organization.

5. Provide training on mobile device use.


Social Media Providers Prevail In Quashing Subpoenas In Criminal Proceedings

Derrick Hunter and Lee Sullivan were indicted, and still await trial, on murder, weapons, and gang-related charges stemming from a drive-by shooting in California which occurred in 2013. Both Defendants served a subpoena duces tecum on Facebook, Instagram and Twitter, seeking public and private content from user accounts of the murder victim and a witness to the alleged crimes. As to Facebook, the subpoena stated “[a]ny and all public and private content,” including, but “not limited to user information, associated email addresses, photographs, videos, private messages, activity logs, posts, status updates, location data, and comments including information deleted by the account holder” for accounts belonging to the murder victim, Jaquan Rice, and to the only witness, Renasha Lee.

In January 2015, Facebook, Instagram and Twitter moved to quash the subpoenas as violative of the Stored Communications Act (SCA) (18 U.S.C. §§2701-2712). The SCA prohibits electronic communication service providers from releasing a customer’s data without the customer’s consent. (See 18 U.S.C. §§ 2702(a)(1), 2702(b)(3).) For this reason, just about every social networking service in America regularly refuses to produce records containing the content of electronic communications. There are a few exceptions, most notably for law enforcement officers who have a warrant. (See Flagg v. City of Detroit, 252 F.R.D. 346, 350 (E.D. Mich. 2008).)

The trial court denied the motions to quash. Facebook, Instagram and Twitter appealed, arguing that disclosure of the information sought was barred by the SCA. The Defendants opposed, contending that their constitutional rights to present a complete defense, cross-examine witnesses, and a fair trial prevailed over the privacy rights of account holders under the SCA. In an offer of proof as to Lee’s social media records, defendant Sullivan alleged that the records would demonstrate that Lee, the sole witness who could implicate him in the shootings, was motivated by jealous rage over Sullivan’s involvement with other women, and that Lee had repeatedly threatened others with violence. Sullivan cited examples of postings that included a photograph of Lee holding a gun and making threats. In his offer of proof as to victim Rice’s social media records, Sullivan said review of the records was required to “locate exculpatory evidence” and to confront and cross-examine the prosecution gang expert from the San Francisco Police Department Gang Task Force, who testified that he “relied on social media records in forming an opinion whether a particular crime is gang related.”

Carefully reviewing, but ultimately rejecting these arguments, the Court of Appeal held the SCA provides no direct mechanism for access by a criminal defendant to private communication content, and “California’s discovery laws cannot be enforced in a way that compels . . . disclosures violating the Act.”

Although the court’s holding is limited, it left open the possibility that entities such as Facebook, Twitter or LinkedIn may be obligated to produce evidence of a person’s social media content at a criminal trial, instead of pretrial, as here. This is a curious procedural distinction, perhaps reflecting some discomfort with the holding.

The full opinion is available here.

3rd Circuit Ruling in FTC v. Wyndham Affirms Broad Governmental Authority Under Section 5

In a much anticipated decision, the Third Circuit recently upheld the Federal Trade Commission’s exercise of authority to fine and take other measures against businesses that fail to abide by the “standard of care” for data security. Federal Trade Commission v. Wyndham Worldwide Corporation, No. 14-3514 (3d Cir. Aug. 24, 2015). Wyndham challenged the FTC’s actions, arguing that negligent security practices were not an “unfair practice” and that the FTC failed to provide adequate notice of what constituted the standard of care in this context. The Third Circuit, like the trial court before it, disagreed. It held that Wyndham’s negligent data security practices were an “unfair” business practice under 15 U.S.C. § 45(a), otherwise known as § 5 of the FTC Act, because it “publishe[d] a privacy policy to attract customers who are concerned about data privacy, fail[ed] to make good on that promise by investing inadequate resources in cyber security, and thereby expose[d] its unsuspecting customers to substantial financial injury, and retains the profits of their business.”

The Third Circuit rejected Wyndham’s due process argument that it lacked notice of the standard of care, holding that Wyndham was not entitled to know with ascertainable certainty the FTC’s interpretation of what cyber security practices are required by § 45(a) – that is, to know precisely what practices the standard of care requires. The Court explained that Wyndham had adequate notice of the standard of care because § 45(n) of the Act defines it using the usual tort cost-benefit analysis. See United States v. Carroll Towing Co., 159 F.2d 169, 173 (2d Cir. 1947). Nothing more is required to satisfy due process concerns in this context.

Prior to the Wyndham decision, courts generally held that the economic loss rule precludes a claim for negligent data security practices. E.g., Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942, 967-973 (S.D. Cal. 2014) (dismissing such claims under both Massachusetts and California law on the basis of lack of a “special relationship”). The question remains open whether Wyndham defines a special relationship and tort duty that would preclude application of the economic loss rule. Keep an eye on this space for further developments.

Netflix Escapes Liability under the Video Privacy Protection Act

In a recent decision—Mollett, et al. v. Netflix, Inc., No. 12-17045—the Ninth Circuit Court of Appeals held that Netflix cannot be held liable under the Video Privacy Protection Act (“VPPA”) for displaying recently-viewed content on the TV screen.

The plaintiffs, two Netflix subscribers, filed a class action in the Northern District of California alleging that Netflix had violated the VPPA or California’s state law equivalent (Cal. Civ. Code § 1799.3) by displaying recently-viewed content automatically after a subscriber signs in, where it could be viewed by a third party such as the subscriber’s family, a friend, or a guest of the household. The district court dismissed plaintiffs’ complaint for failure to state a claim, and plaintiffs appealed.

The Ninth Circuit affirmed the District Court’s ruling, finding that the display of recently-viewed content constituted a permissible disclosure “to the consumer” since it was only disclosed to a person who typed in the correct password, which theoretically should only be the consumer or a person to whom the consumer has given his or her password. The fact that nearby third parties might access the subscriber’s account did not alter the legal status of Netflix’s disclosures because “[t]he lawfulness of [the] disclosure cannot depend on circumstances outside of Netflix’s control.” To hold otherwise would convert the VPPA from a “prohibition on unlawful disclosure to a requirement of secure disclosure—an outcome plainly not supported by the VPPA’s text.” The court also affirmed the district court’s dismissal of plaintiffs’ California state law claims on the same grounds in light of the similarities between the two statutes.

This opinion clarifies that once protected information is provided to the consumer, it is then the consumer’s burden to protect his or her personal information.

Please continue to monitor our blog for the latest news on privacy and data security.

Illinois Appellate Court Finds Increased Risk of Harm from Data Breach Insufficient to Confer Standing

As has been previously reported here, a series of recent federal court decisions has suggested a trend in data breach litigation – that an increased risk of harm will be sufficient to satisfy the injury-in-fact requirement for Article III standing. In fact, less than three weeks ago, the Seventh Circuit Court of Appeals revived a previously-dismissed data breach class action lawsuit, ruling that plaintiffs did not have to wait until hackers actually committed identity theft in order to establish standing. On August 6, 2015, the Illinois Appellate Court held exactly the opposite.

In Maglio v. Advocate Health and Hospitals Corporation, several plaintiffs sued Advocate Health and Hospital after computers containing patients’ personal information were stolen. 2015 IL App (2d) 140782 (August 6, 2015). Plaintiffs did not allege that their personal information was used in any unauthorized manner as a result of the burglary, but they claimed that they faced an increased risk of identity theft and identity fraud. Advocate Health moved to dismiss the complaint, arguing that mere stolen information is insufficient to establish standing, because an increased risk of identity theft and/or identity fraud is too speculative to constitute cognizable injury-in-fact.

Affirming the trial court’s dismissal of the action, the Illinois Appellate Court agreed with the defendant’s argument, concluding that the increased risk of harm arising out of a data breach is inadequate to confer standing on consumers. The Illinois Appellate Court noted the similarity between Illinois’ and federal standing principles, and relied for the most part on federal decisions, including Clapper v. Amnesty International USA, Inc., 133 S.Ct. 1138 (2013) – a case which the Seventh Circuit interpreted as not completely foreclosing the use of future injuries to support Article III standing. Yet, in stark contrast to recent federal court decisions, the Illinois Appellate Court opined that where no identity theft had yet occurred, the elevated risk of such harm was too speculative and conclusory to be considered a distinct and palpable injury.

The plaintiffs in Maglio also tried to achieve standing by alleging that they suffered emotional injury as a result of the data breach, such as anxiety, and that their privacy had been invaded. Again, the court found such allegations to be speculative and therefore insufficient, absent allegations of actual disclosure of personal information.

We expect to see fewer data breach class actions being filed in Illinois state courts – long criticized as plaintiff-friendly venues – and an uptick in federal court filings. The full opinion is available here.

Fiat Chrysler Recall Highlights Potential Need for Regulatory Changes

Last week, Fiat Chrysler issued a recall of more than 1.4 million vehicles after security researchers from Wired Magazine exposed major security flaws that would allow potential hackers to take over a vehicle’s crucial systems remotely.

In a controlled demonstration, Charlie Miller and Chris Valasek hacked into a Jeep Cherokee as it was traveling 70 m.p.h. down a St. Louis highway. The hackers were able to take control of the vehicle’s air conditioning, entertainment system, and at one point were able to cut the Jeep’s accelerator. The hackers also revealed the capability to cut the Jeep’s brakes, as well as the ability to track a targeted vehicle’s GPS coordinates via its navigation system.

The experiment revealed vulnerabilities contained within Fiat Chrysler’s Uconnect system, the internet-connected computer feature that controls navigation, enables phone calls, and even offers a Wi-Fi hot spot in hundreds of thousands of Fiat Chrysler vehicles. According to Wired Magazine, a hacker need only know a car’s IP address in order to potentially gain access to the vehicle from anywhere in the country.

Last week’s recall illustrates how the rapidly-developing “Internet of Things” (i.e., the increasing use of interconnected devices in everyday life) can implicate not just issues of personal privacy and data security, but physical safety. It also raises serious questions of accountability for both automakers and government regulators. On July 21, 2015, Senators Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.), who followed Miller and Valasek’s research, introduced legislation that would direct the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to establish federal performance standards that would protect drivers’ privacy and secure vehicle software systems. The Security and Privacy in Your Car (SPY Car) Act would establish a rating system that would inform consumers about how well a vehicle protects drivers’ security and privacy beyond the minimum standards set forth by the Act. The SPY Car Act also contains proposed limitations on automakers’ disclosure, retention, and use of information collected by the on-board software systems featured in most modern vehicles.

Whether or not the SPY Car Act becomes law, it is not difficult to imagine that future real-world data breaches or injuries resulting from vulnerabilities in on-board computer systems could result in significant liability for car manufacturers, especially if they were to occur on a widespread scale. Accordingly, the auto industry should be cognizant of these vulnerabilities and take steps to ensure their vehicles are secured from digital attacks.

Gordon & Rees LLP’s Privacy & Data Security Group will continue to monitor and report on the implications of vehicle security breaches.

Seventh Circuit Revives Consumer Class Action Relating To Neiman Marcus Data Breach

On Monday July 20, 2015, the Seventh Circuit Court of Appeals weighed in on the hotly-contested issue of standing in data breach class action litigation. In so doing, the Court reversed the district court’s dismissal of a consumer class lawsuit against luxury department store Neiman Marcus, holding that the plaintiffs had successfully alleged the concrete, particularized injuries necessary to support Article III standing.

This lawsuit arose in January of 2014, when Neiman Marcus publicly disclosed that it had suffered a major cyberattack, in which hackers collected the credit card information of approximately 350,000 customers. Soon after this disclosure was made, a number of consumers filed a class action lawsuit in the United States District Court for the Northern District of Illinois, alleging that Neiman Marcus put them at risk for identity theft and fraud by waiting nearly a month to disclose the data breach. In September 2014, the district court dismissed the case, ruling that both the individual plaintiffs and the class lacked standing under Article III of the Constitution.

On appeal, the Seventh Circuit analyzed the injuries the Neiman Marcus consumers claimed to have suffered in order to determine whether they constituted the type of “concrete and particularized injury” required to establish standing. In this instance, plaintiffs alleged lost time and money spent in protecting against fraudulent charges and future identity theft, as well as two “imminent injuries:” an increased risk of future fraudulent charges and greater susceptibility to identity theft. The Seventh Circuit ultimately determined that these allegations sufficiently established standing, as they showed a “substantial risk of harm” from the Neiman Marcus data breach. Importantly, the Court explained that the Neiman Marcus customers did not have to wait until hackers actually committed identity theft or credit-card fraud to obtain class standing, as there was an “objectively reasonable likelihood” that such an injury would occur. The full opinion is available here.

This ruling is consistent with decisions from several other courts across the country. See, e.g., In re Sony Gaming Networks and Customer Data Security Breach Litigation, 996 F.Supp.2d 942 (S.D. Cal. 2014); Moyer v. Michaels Stores, Inc., No. 14 C 561, 2014 U.S. Dist. LEXIS 96588, 2014 WL 3511500 (N.D. Ill. July 14, 2014); In re Adobe Systems Inc. Privacy Litigation, No. 13-cv-05226-LHK, 2014 U.S. Dist. LEXIS 124126, 2014 WL 4379916 (N.D. Cal. Sept. 4, 2014); Michael Corona, et al. v. Sony Pictures Entertainment, Inc., No. 2:14-cv-09600-RGK-E (C.D. Cal. June 15, 2015). Earlier this year, in a comprehensive article on standing in data breach cases (available here), our firm questioned whether opinions of this nature were indicative of a trend or were anomalies. The Seventh Circuit’s ruling this week and the Central District of California’s ruling in Corona last month suggest it is in fact a trend. If the trend continues, consumers nationwide may find it easier to survive a motion to dismiss based on a lack of standing.

Please continue to monitor our blog for the latest news on data breach litigation and other privacy laws.

Update to “What’s Up Next on the Hacking Block?”

On Friday, July 10, 2015, the Director of the Office of Personnel Management (“OPM”), Katherine Archuleta, resigned amid the two massive data breaches of OPM’s information technology systems that occurred within the last year. The breaches have affected approximately 22.1 million individuals. Beth Cobert, the Deputy Director of Management of the Office of Management and Budget, will replace Archuleta. Lawmakers have also called for the resignation of Donna Seymour, OPM’s Chief Information Officer, but it is not clear whether she will resign or remain the CIO.

Our Privacy & Data Security Group will continue to monitor and report on the implications of government data breaches.

What’s Up Next on the Hacking Block?

From Home Depot to Target to Sony, the world is not lacking in the massive-data-breach department. These hacks have opened up a host of problems for the companies involved, including lawsuits and the implementation of more secure systems to protect sensitive data, as well as for the individuals whose personal and/or financial information may have been compromised. But surely our federal government is safe from hackers, right? The answer, unfortunately, is no.

The Office of Personnel Management (“OPM”) is a federal governmental organization that is “responsible for personnel management of the civil service of the Government,” and it strives “to make the Federal government America’s model employer for the 21st century.” But in April 2015, OPM discovered and began investigating a data breach of up to 4.2 million of its employees’ records. The information included the employees’ names, Social Security numbers, and dates of birth. Then on June 8, 2015, OPM announced that it was looking into a second breach, this one involving “background investigations of current, former, and prospective Federal government employees.” On June 18, 2015, however, OPM officials acknowledged that this second hack occurred a full year ago. Individuals affected by the first data breach were notified between June 8, 2015, and June 19, 2015. The investigation regarding the second breach is still ongoing, but it is now estimated that up to 14 million people will be affected by the two breaches. Id.

It is thought that Chinese hackers are responsible for both hacks in a possible attempt to compile an extensive database on government workers. Id. President Obama is considering economic sanctions against China, but at this point it is not clear that the Chinese government was behind the attacks. And it must be crystal clear that these were Chinese-government-sponsored hacks, or the U.S. will be placed in a very difficult position: China has an undeniably strong position in the global economy, and the U.S. and Chinese economies are closely intertwined. Any sanctions efforts by the U.S. would almost certainly be met with staunch opposition from China that could affect the U.S. economy.

It is important to investigate who is responsible for the hacks, but the House Oversight and Government Reform Committee (“Committee”) is also inquiring as to how OPM allowed the hacks to occur. The Committee conducted a hearing on June 16, 2015, regarding the OPM breaches. Many lawmakers placed the blame on the policies and systems on which OPM relied for data protection and stated that OPM’s leadership should resign. The Committee wanted to know why OPM did not abide by the 2014 recommendation of the Office of the Inspector General to shut down eleven of its computer security systems. OPM blamed legacy systems dating back to 1985 because they could not be encrypted.

It is unclear whether OPM’s leadership will resign in the face of this hacker disaster. But what is clear is that more research and investigation into what went wrong and how to prevent future attacks will continue. Our Privacy & Data Security Group will continue to monitor and report on the implications of government data breaches.