State Attorneys General Address Data Privacy and Security Issues

There have been several recent data protection actions by state attorneys general across the United States, which is the subject of “Update on State Attorneys General: Connecticut Creates a Permanent Privacy Department; NAAG Covers Big Data, Cybersecurity, and Cloud Computing; and States Amend Breach Laws,” a post on Reed Smith’s Global Regulatory Enforcement Law Blog written by attorneys Divonne Smoyer and Christine Czuprynski. These actions include:

  • Connecticut Attorney General George Jepsen announced on March 11, 2015 that the privacy task force he appointed in 2011 will become a permanent Privacy and Data Security Department, which will handle investigations and litigation relating to data privacy and security.
  • The National Association of Attorneys General (NAAG) Southern Region Meeting, which concluded on March 13, 2015, featured presentations on big data, cybersecurity, cloud computing and data breaches (including the proposal for a national data breach notification law). In addition, a NAAG presidential initiative summit will be held in mid-April in Biloxi, MS, with agenda topics to include intellectual property theft, cloud computing and digital currency.
  • Following in the footsteps of attorneys general in New York and Oregon, Washington Attorney General Bob Ferguson has proposed several amendments to his state’s current data breach notification law that would expand the scope of requirements in an effort to increase consumer protection.

State attorneys general are focusing a significant amount of attention on issues relating to data privacy and security, and continued action on this front is to be expected.

To read the full post, click here.

FTC Offers Privacy and Security Guidance for Medical Devices in 'Internet of Things' Report

This post was written by Frederick Lah and Sulina Gabale.

On January 27, the FTC issued a 71-page Staff Report on the privacy and security issues with the Internet of Things. As we’ve noted in our previous blog posts, the Internet of Things (“IoT”) refers to the growing ability of everyday devices to monitor and communicate information through the Internet. This is especially relevant in the life sciences industry, to which the IoT may bring potentially revolutionary advances. For example, insulin pumps and blood-pressure cuffs that connect to a mobile application may enable people to monitor their own vitals, without having to visit a doctor’s office. The recent FTC Staff Report follows up on the FTC’s public workshop over concerns with the IoT, as well as the FTC’s first enforcement action brought in September 2013.

In the Staff Report, the FTC referenced the various potential risks that IoT products present. Such connected devices could, if exploited, lead to consumer harm by enabling the unauthorized access and misuse of personal information and medical records; facilitating attacks on other systems; and creating risks to personal health and physical safety with regard to medical devices manipulated by unauthorized third parties. For example, the Staff Report mentions the possibility of an unauthorized third party hacking remotely into connected insulin pumps and changing their settings so that they no longer delivered medicine to the users. In addition, potential privacy risks could flow from the collection of personal and medical information, habits, locations, and physical conditions over time. To address these risks, the FTC recommended that companies developing IoT products take the following concrete measures in the areas of security, data minimization, and notice and choice:

  • Security. The FTC recommended that companies: (1) build security in their IoT devices at the outset; (2) train all employees about good security; (3) retain service providers that are capable of maintaining reasonable security and provide reasonable oversight for these providers; (4) implement a “defense-in-depth approach” by considering security measures at several levels; (5) implement reasonable access control measures to limit the ability of an unauthorized person to access a consumer’s device, data, or network; and (6) monitor products throughout the life cycle and, if feasible, patch known vulnerabilities.
  • Data Minimization. The Staff Report also encouraged companies to examine their business needs and develop policies and practices that impose reasonable limits on the collection and retention of consumer data. The FTC noted, though, that this recommendation is flexible and intended to give companies options. Per the FTC, companies can decide not to collect data at all; collect only the fields of data necessary to the product or service; collect data that is less sensitive; or de-identify the data collected. If none of these options is consistent with the companies’ business needs, they can seek consumer consent for collecting additional, unexpected categories of data.
  • Notice and Choice. The FTC incorporated certain elements from a use-based approach. In other words, if a use of the data by the company is consistent with the context of the interaction with the consumer (i.e., an expected use), then a choice need not be offered to the consumer. For uses that would be inconsistent with the context of the interaction (i.e., unexpected), the FTC recommended that companies offer clear and conspicuous choices. In addition, if consumer data collected is immediately and effectively de-identified, then the FTC stated that a choice need not be offered to the consumer. The FTC encouraged legislators and multistakeholder frameworks to help guide companies on what types of uses of certain consumer data are permissible or impermissible, and to address other concerns.

Finally, the FTC acknowledged that IoT-specific legislation at this stage would be premature. However, it did reiterate previous recommendations for Congress to enact broader, general data security legislation. Commissioner Joshua Wright dissented, citing the lack of empirical evidence, and questioning whether the recommendations in the Staff Report would even improve consumer welfare. Said Commissioner Wright, the FTC should “at a minimum, undertake the necessary work not only to identify the potential costs and benefits of implementing such best practices and recommendations, but also to perform analysis sufficient to establish with reasonable confidence that such benefits are not outweighed by their costs at the margin of policy intervention.”

From smart medical devices to fitness and health monitoring apps, the IoT has been a hot topic lately, garnering a lot of attention from the FTC and life sciences industry alike. With the Staff Report finally released, companies now have a loose playbook on how to develop such products while keeping privacy and security in mind. With the FTC promising more enforcement in this area, we will be watching closely to see how the FTC translates its Staff Report into practice.

New Jersey Enacts Data Privacy Law for Health Insurance Carriers

A newly enacted law signed by New Jersey Governor Chris Christie requires health insurance carriers in that state to adequately protect the personal information of individuals, with failure to do so being classified as a violation of the New Jersey Consumer Fraud Act (NJCFA). According to “New Jersey Requires Encryption for Health Insurance Carriers; May Open Door to Class Action Suits over Violations Under State Consumer Protection Law,” a post on Reed Smith’s Global Regulatory Enforcement Law Blog written by partners Paul Bond and Brad Rostolsky, the established connection between this new law and the NJCFA means that health insurance carriers should follow its requirements closely in order to avoid possible violations and fines. As a practical matter, business associates of New Jersey health insurance carriers should consider themselves on notice that this new encryption requirement may start to flow down contractually to business associates through the terms of business associate agreements.

To read the full post, click here.

Effective Cyberliability Insurance Coverage

According to a recent study, the median amount of time between a breach of a company’s cybernetwork and the discovery of that breach is 229 days. Given this lengthy amount of time, companies should consider the benefits of an expanded cyberliability insurance policy period, particularly if the company is switching from one insurance provider to another. As discussed in “Hackers Don’t Care About the Terms of Your Insurance Policy: The Importance of Retroactive Dates and Extended Reporting Periods in Effective Cyberliability Insurance Coverage,” a client alert written by Reed Smith partners Brian Himmel, Andrew Moss, David Weiss and Cristina Shea, two such options for expanding the policy period are retroactive dates (shifting the effective date of coverage back, to capture events that occurred or were occurring but were not yet discovered when the policy was purchased) and extended reporting periods (which provide additional time to report events that are not discovered until after the end of the policy period).

To read the client alert, click here.

New California Amendment Aims to Increase Breach Responsibility and Accountability

Reed Smith’s Global Regulatory Enforcement Law Blog features a post on a California bill recently signed into law which expands the scope of requirements for entities that own, license, and maintain personal data or information about a California resident. “Did California Just Impose a First-in-the-Nation Requirement for Breaching Companies To Offer Identity Theft Prevention and Mitigation Services?” written by Reed Smith attorneys Paul Bond, Lisa Kim, and Leslie Chen, focuses on the three sections of the California Civil Code affected by the amendment:

  1. An entity that “maintains” an individual’s data or information – such as a retailer – is required to employ appropriate anti-breach protection. Previously this was only required of companies who “owned” or “licensed” personal information;
  2. An entity identified as the source of a breach of social security numbers or driver’s license numbers must offer affected individuals appropriate anti-breach protection and mitigation services for a period of at least one year; and
  3. An entity is disallowed – except in particular circumstances – from selling, advertising, or offering for sale an individual’s social security number.

The amendments will go into effect on January 1, 2015, after which point entities that do not follow these regulations will be at risk for legal action brought by affected individuals.

To read the full post, click here.

U.S. Senator Schumer Calls for Increased Regulation of Wearable Electronic Devices to Avoid Data Privacy Issues

Reed Smith’s Global Regulatory Enforcement Law Blog features a post on the recent phenomenon of wearable electronic devices and the legal issues that may arise from these gadgets. "Wearable Device Privacy - A Legislative Priority?," written by Reed Smith attorneys Frederick Lah and Khurram Gore, discusses a recent press release issued by U.S. Senator Chuck Schumer of New York expressing concern that personal health data collected by wearable devices and fitness apps, including medical conditions, sleep patterns, calories burned, GPS locations, blood pressure, weight, and more, will be provided to third parties without the user knowing it. Schumer, citing this as a threat to personal privacy, has urged the Federal Trade Commission to mandate that device and app companies provide users with an explicit “opt-out,” allowing them to block the distribution of this information to any third parties.

As the authors note, with the rising popularity of these types of devices, we expect regulators, legislators, and companies to start paying closer attention to the data security and privacy risks associated with their use.

Recent Data Breaches Serve as Warning for Companies to Assess Their Cybersecurity Insurance Coverage

Earlier this week, numerous media outlets reported on the Russian crime ring which had managed to steal more pieces of Internet data than any other group of hackers in history – a whopping collection of at least 1.2 billion user name and password combinations and over 500 million email addresses. The magnitude of data that this group has managed to accumulate, coupled with several other recent high-profile hacking incidents, is a wake-up call for businesses that cybersecurity has become a major contemporary concern. Data breaches are increasing in frequency, severity, and cost, and the potential consequences for an affected company can be devastating.

This trend and its insurance implications are discussed in a client alert by Reed Smith partners Doug Cameron, David Weiss, Andy Moss, and Cristina Shea, who point out that companies must start being proactive with their cybersecurity efforts. Businesses should take the time to assess their current cybersecurity insurance coverage as well as their coverage needs. Cyber-related insurance is an evolving area, so extensive research and consulting with counsel may be necessary before a company can select an insurance policy that maximizes its coverage.

Navigating the Complicated, Yet Rewarding, World of Social Media

The social media phenomenon has radically transformed the ways in which commercial businesses promote their services and products. However, as a result, companies must consider potential legal risks from an entirely new angle. To become a successful user of social media, a company must draft, review, disseminate and enforce a social media policy that addresses potential legal issues while at the same time emphasizing positive exposure for the business.

For more information on how your business can utilize social media to maximum effect while exercising compliance with legal guidelines, see Reed Smith’s newly published Third Edition of its white paper on social media, “Network Interference: A Legal Guide to the Commercial Risks and Rewards of the Social Media Phenomenon (3rd Edition).” This updated guide now covers practical, action-oriented guidelines as to the state of law in both the United States and Europe, and is an invaluable resource for companies navigating the social media world.

Recent OCR Enforcement Activities Cause Serious Case of Déjà Vu: Theft of Unencrypted Laptops Leads to Two Separate HIPAA Settlements

This post was written by Brad Rostolsky, Nan Bonifant and Jillian Riley.

We have heard this story before: an unencrypted laptop containing electronic protected health information (ePHI) is stolen. The covered entity’s subsequent breach self-report triggers not only an incident investigation by the Department of Health and Human Services, Office for Civil Rights (OCR), but a de facto HIPAA compliance audit as well. While the covered entities involved change, the consequences and enforcement message remain the same.

Now, two more covered entities have settled potential violations of the HIPAA Privacy and Security Rules arising from the theft of unencrypted laptops by paying a total of $1,975,220, and agreeing to continued oversight by OCR through Corrective Action Plans (CAPs). In both instances, the breaches were self-reported and the settlements resulted from OCR’s subsequent investigations.

On December 28, 2011, Concentra Health Services (Concentra), a national health care provider and subsidiary of Humana Inc., reported to OCR that an unencrypted laptop was stolen from one of its facilities. OCR’s subsequent investigation revealed that while Concentra previously recognized that a lack of encryption on laptops, desktops, medical equipment, and tablets presented a critical risk to ePHI, Concentra failed to fully implement necessary steps to address those vulnerabilities. OCR’s investigation further found that Concentra had insufficient security management processes in place to ensure proper safeguarding of patient information. Concentra paid OCR $1,725,220 to resolve these alleged HIPAA violations and will adopt a CAP to evidence their remediation efforts.

The second settlement, which resulted in a $250,000 payment to OCR, stemmed from the theft of an unencrypted laptop from an employee’s car on October 8, 2011. The laptop, belonging to a workforce member of QCA Health Plan, Inc. of Arkansas (QCA), contained the ePHI of 148 individuals. While QCA instituted company-wide device encryption following discovery of the breach, OCR’s subsequent investigation revealed that QCA had failed to comply with multiple requirements of the HIPAA Security Rule, beginning from the Rule’s compliance date in April 2005. In addition to the monetary settlement amount, QCA agreed to provide HHS with an updated risk analysis and corresponding risk management plan that includes specific security measures to reduce the risks and vulnerabilities to its ePHI. QCA also agreed to retrain its workforce and document its ongoing compliance efforts.

Unfortunately, as portable devices proliferate in the health care industry, the question for most covered entities is not if a laptop or mobile device will be stolen, but when. Encryption not only provides a safe harbor under the Breach Notification Rule, but it has also become a practical necessity for HIPAA compliance. Failure to address encryption of portable devices in Security Rule risk analyses and, in most cases, failure to implement some form of encryption, will continue to expose covered entities (as well as business associates) to significant compliance risk.

Additional information about OCR’s enforcement activities can be found at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html.

EU Research Group Condemns EU Regulation for Restricting Growth in Life Sciences Sector; NHS Advocates Selling Confidential Patient Data For Secondary Purposes

Reed Smith’s Global Regulatory Enforcement Law blog features two posts of interest to those in the life sciences industry, both written by Reed Smith partner Cynthia O’Donoghue. “EU Research Group Condemns EU Regulation for Restricting Growth in Life Sciences Sector” discusses the opposition of a lobbying group, led by the Wellcome Trust, to amendments to the proposed General Data Protection Regulation – amendments that they believe could severely inhibit future growth of the life sciences sector in the European Union. “NHS Advocates Selling Confidential Patient Data For Secondary Purposes” discusses the criticism of the UK’s Health and Social Care Information Centre and NHS England’s new initiative known as ‘care.data,' which involves the extraction, anonymization, and aggregation of patient data from GP practices in a central database for sale to third parties such as drug and insurance companies.

Launch of the New French State Portal Allows for Electronic Information Disclosure by Health Care Companies

Reed Smith’s Global Regulatory Enforcement Law blog features a post on the recent launch of the new state portal in France. "The implementation of the French transparency regulation: first good news?," written by Reed Smith partner Daniel Kadar, discusses how the portal will allow health care companies to more easily disclose transparency information to the French government as required by the French Sunshine Act. The portal is thought to be “more customer friendly” for health care companies in that it provides three possible methods for the disclosure and transfer of information.

How to Mitigate Compliance Requirements and Code of Conduct Obligations with Data Protection Regulation: Reed Smith Paris Provided Some Illustrative Examples

As reported on our Global Regulatory Enforcement Blog, Reed Smith Paris partner Daniel Kadar and counsel Séverine Martel hosted, on 25 October 2012, a new edition of the conference cycle organized by Reed Smith Paris with the European American Chamber of Commerce, dedicated to the mitigation of compliance obligations, particularly as set forth in Codes of Conduct, with data protection requirements.

The panel, which included compliance directors of French health care giant SANOFI and General Electric Health, brought examples of how to mitigate compliance obligations, in particular as set forth in the Codes of Conduct most international organisations have now adopted, with applicable data protection regulation. The first example was dedicated to the new French health care regulation and its transparency and disclosure requirements as to the existence (and the financial range) of agreements between the health care and cosmetics industry and health care professionals (including medicine students), showing that the disclosure of financial and private information (such as the home address of medicine students) had to be managed carefully with respect to the data subject’s information and access rights. To read the full post, click here.

Reed Smith Gearing Up For "Big Data Monetization" Conference

Next week, Reed Smith will host a conference on “Big Data Monetization” at the Quadrus Conference Center in Silicon Valley (8:30-11:30 a.m. PDT). Big Data is a term used to characterize the accumulation of data. Virtually every company, in every industry, is now an information and technology company. Companies run on Big Data, whether it be customer information, employee information, or competitive intelligence. Companies store, share, and use that information in increasingly complex ways, taking advantage of cloud-based solutions and revolutions in analytics, and finding ways to turn these massive databases into revenue. There is no doubt a plethora of opportunities in Big Data; however, using it comes with its own set of risks. The key to monetizing Big Data is striking the balance between risk and reward.

View a preview of the types of issues we’ll be tackling at the conference over on our Global Regulatory Enforcement Law Blog.