Does Wyndham Confirm the FTC’s Role as Federal Privacy Enforcer?

Data breach law in the United States might have just become a lot less patchy, but a little more uncertain.  On April 7, 2014, the District Court of New Jersey decided FTC v. Wyndham Worldwide Corp., et al., No. 13-1887-ES.  The case arises out of an FTC action, brought under the deception and unfairness prongs of Section 5(a) of the FTC Act (15 U.S.C. § 45(a)), against Wyndham Worldwide relating to a series of data breaches between April 2008 and January 2010.  The question before the court, on a Rule 12(b)(6) motion to dismiss brought by Wyndham, was whether the FTC had the power to bring an unfairness action for data breaches (1) when there are already specific data breach laws over which the FTC has enforcement and regulatory authority, and (2) absent specific rulemaking by the FTC on what data-security-related conduct might constitute unfairness or deception.  The court denied the motion to dismiss, so the FTC’s case will go forward.  Specifically, the court rejected Wyndham’s “invitation to carve out a data-security exception to the FTC’s unfairness authority.”

If you are interested in what federal laws govern breaches of data security, or are advising companies on this issue, this is big news.   Data breach law has tended to be state-law heavy, since there is no single over-arching federal data privacy law governing how private companies maintain and protect consumer information (notwithstanding the currently pending, or stalled, Cyber Intelligence Sharing and Protection Act, or CISPA).  Federal law tends to be very subject-matter specific, such as the Gramm-Leach-Bliley Act for financial institutions or HIPAA for health information, and thus understanding the scope of an entity’s obligations under federal law involves first understanding whether a specific statute or regulation applies.  But Wyndham suggests that, in fact, one size might very well fit all.  Wyndham points to the possibility that the FTC has potentially broad power, and a far reach, to bring actions for data breaches as a general matter under much more general authority.

All of that said, Wyndham raises far more questions than it resolves.  Given the case’s procedural posture and the remaining questions before the court, the case is, and might very well remain, limited in its reach.  But those of you concerned about developments in this area of law should keep it in mind:  it could be a harbinger of things to come.

FTC Provides Guidance on Heartbleed

I usually do not re-post directly from the FTC, but given the timeliness of the subject, the wide impact of the problem and the technical nature of the issue, I thought it was warranted to re-post the FTC’s guidance on Heartbleed.  Talk to your IT folks about this sooner rather than later:

By Nicole Vincent Fleming

April 11, 2014 – 4:23pm

If you’re thinking “Heartbleed” sounds serious, you’re right. But it’s not a health condition. It’s a critical flaw in OpenSSL, a popular software program that’s used to secure websites and other services (like VPN and email). If your company relies on OpenSSL to encrypt data, take steps to fix the problem and limit the damage. Otherwise, your sensitive business documents and your customers’ personal information could be at risk.

About two-thirds of all web servers use OpenSSL, so it’s safe to say the small coding error recently discovered by researchers has big implications. The error, which has been in place for over two years, makes it possible for a hacker to grab information that’s supposed to be protected. Vulnerable web servers can be tricked into revealing random bits of data over and over, until the hacker gets something juicy, like the server’s encryption key.

Armed with the encryption key, a hacker can monitor all communication to and from a server — including usernames, passwords, and credit card information — or create a fake version of a trusted site that would fool browsers and users, alike. Worse yet, the hacker leaves no trace, so it’s nearly impossible to know the extent of the damage caused by Heartbleed.

What can you do? Talk to your IT staff to find out if your websites, networks, or other applications use OpenSSL. Remember that even if your public website isn’t vulnerable, you might have other applications that are — like your email server. There are details about the problem and the solution at heartbleed.com.

If you have systems that are affected, here are some steps to discuss and implement with your IT team:

    1. Update to the newest version of OpenSSL and reboot servers.
    2. Generate new encryption keys according to your systems’ instructions.
    3. Get a new SSL Certificate from a trusted certificate authority to signal to web browsers that your site is safe and secure.
    4. Notify your employees and customers. Once your systems have been secured, tell your employees and customers to change their passwords for any system that was affected. If they use the same passwords on any other sites, they should change those, too.

If you have business partners or contractors that provide technical services or support, you also will want to confer with them to address any problems in their systems.

Whether or not your business uses OpenSSL, it’s likely you’ll have personal accounts that are affected by Heartbleed. Don’t log in to sites that are affected until you’re sure the company has patched the problem. If a company isn’t forthcoming — confirming a fix or keeping you up-to-date about progress — contact customer service and ask. Once the company confirms that the site is secure, log in and change your password. Going forward, it’s a good idea to monitor your bank and credit card accounts for changes you don’t recognize — especially over the next few weeks.

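The four FTC steps above are a checklist, not a verification.  The two questions an IT team actually has to answer for each host are (a) is the OpenSSL build still in the affected range, and (b) was the certificate (and therefore the private key) reissued after the fix, and not merely after the bug was announced but while the server was still leaking memory.  The following is an added example written for this page, not the FTC’s or OpenSSL’s code.  It triages those two questions from the text that `openssl version` and `openssl x509 -noout -dates` print; the inventory at the bottom is constructed sample data, not real hosts.  The affected range it encodes (1.0.1 through 1.0.1f and the 1.0.2-beta builds, fixed in 1.0.1g released April 7, 2014) is the one published at heartbleed.com; the caveat about distribution backports is the author's own note.

```python
import re
from datetime import date, datetime

# Heartbleed (CVE-2014-0160) is present in OpenSSL 1.0.1 through 1.0.1f and in
# the 1.0.2-beta series; 1.0.1g, released 7 April 2014, carries the fix.
# The 0.9.8 and 1.0.0 branches never contained the heartbeat code.
HEARTBLEED_FIX_DATE = date(2014, 4, 7)

# Matches the leading token of `openssl version`, e.g. "OpenSSL 1.0.1e-fips".
_VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d*|fips))?"
)


def parse_openssl_version(banner):
    """Parse an `openssl version` banner such as 'OpenSSL 1.0.1e 11 Feb 2013'.

    Returns (major, minor, patch, letter, suffix); letter and suffix may be ''.
    Raises ValueError when the banner is not an OpenSSL version string.
    """
    m = _VERSION_RE.search(banner)
    if m is None:
        raise ValueError("unrecognised OpenSSL banner: %r" % (banner,))
    major, minor, patch, letter, suffix = m.groups()
    return int(major), int(minor), int(patch), letter, suffix or ""


def version_is_vulnerable(banner):
    """True when the upstream version falls inside the affected range.

    Caveat: Debian- and Red Hat-based distributions backport the fix without
    changing the upstream letter, so a True here must be confirmed against the
    distribution package changelog.  A False is reliable: 1.0.1g and later,
    and every other branch, are not affected.
    """
    major, minor, patch, letter, suffix = parse_openssl_version(banner)
    if (major, minor, patch) == (1, 0, 1):
        # '' (plain 1.0.1) and 'a'..'f' sort below 'g'.
        return letter < "g"
    if (major, minor, patch) == (1, 0, 2):
        return suffix.startswith("beta")
    return False


def parse_not_before(dates_line):
    """Parse the notBefore line of `openssl x509 -noout -dates`,
    e.g. 'notBefore=Apr  8 09:30:00 2014 GMT'."""
    value = dates_line.split("=", 1)[-1]
    value = " ".join(value.split())  # collapse the space-padded day field
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")


def remediation_actions(banner, not_before_line):
    """Return the remaining remediation steps for one host, in order.

    An empty list means the build is fixed and the certificate was issued on or
    after the fix date.  Even then the key is only safe if the patch preceded
    the reissue; this check cannot see that ordering, so confirm it from
    change records.
    """
    vulnerable = version_is_vulnerable(banner)
    reissued = parse_not_before(not_before_line).date() >= HEARTBLEED_FIX_DATE
    actions = []
    if vulnerable:
        actions.append("upgrade OpenSSL to 1.0.1g or later (or a backported fix) "
                       "and restart every service that links it")
    if not reissued:
        actions.append("generate a new private key, obtain a reissued "
                       "certificate and revoke the old one")
    elif vulnerable:
        # Edge case the FTC steps do not spell out: a certificate reissued
        # while the server was still unpatched protects nothing, because the
        # new key has been sitting in the same leakable process memory.
        actions.append("the reissued key has been served by an unpatched build; "
                       "generate another key after patching")
    return actions


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts), not real data.
    inventory = {
        "www":  ("OpenSSL 1.0.1e 11 Feb 2013", "notBefore=Mar  3 00:00:00 2013 GMT"),
        "mail": ("OpenSSL 1.0.1g 7 Apr 2014",  "notBefore=Apr  9 10:15:00 2014 GMT"),
        "vpn":  ("OpenSSL 1.0.0k 5 Feb 2013",  "notBefore=Jan 20 00:00:00 2014 GMT"),
    }
    for host, (banner, not_before) in inventory.items():
        print(host, remediation_actions(banner, not_before) or ["nothing left to do"])
```

Run it against each host's own `openssl version` output rather than a single value for the fleet: the FTC's point that an untouched mail or VPN server can remain exposed after the public website is fixed is exactly the case the per-host loop is meant to catch.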

SEC Hosts Cybersecurity Roundtable

Cybersecurity remains a hot topic for regulators, including the Securities and Exchange Commission (SEC).  On March 26, 2014, the SEC hosted a roundtable to discuss cybersecurity and the issues and challenges it raises for market participants.  The roundtable addressed cybersecurity concerns for investment advisers, broker-dealers and public companies, and provided a forum to share information as to how they are addressing those challenges. This roundtable follows hard on the heels of the Financial Industry Regulatory Authority (FINRA) sending targeted sweep letters in January-February 2014 to broker-dealers querying their approaches to managing cybersecurity risks.

If you operate in this space, you should be asking yourself whether you have any assets (for example, intellectual property such as algorithms or models), trade secrets or consumer data that could be the target of a cyber-attack.  If your defenses fail, do you have a business continuity plan in place for a cyber-attack?  Do you have management controls and protocols in place for dealing with the fall-out from a cyber-attack?

There are already good standards and practices in the marketplace that you can look to for guidance, including the Framework for Improving Critical Infrastructure Cybersecurity that the National Institute of Standards and Technology (NIST) released in February 2014.   Given the SEC’s and FINRA’s recent activity in this area, we also expect that further regulation will be forthcoming.

Health Insurer Hit With A Record HIPAA Penalty: What Does It Mean?

Triple-S Salud Inc., a Puerto Rican health insurer, has been hit with a $6.8 million penalty from the Office for Civil Rights of the Department of Health and Human Services (HHS OCR) for a massive data breach.  Triple-S (known as ASES in Spanish) has posted a notice on its website regarding the breach.

The penalty, which also is described in a securities filing, is based on a breach involving 13,336 of Triple-S’s Dual Eligible Medicare beneficiaries.  This penalty dwarfs the previous record of $4.3 million, imposed on Cignet Health in 2011 largely for its failure to cooperate with OCR’s investigation.

Why is this penalty so large and what does it mean for future penalties?  There seems to be a history here, looking at the reported breaches.  There have been at least six Triple-S reported breaches since 2008 involving over half a million individuals.  Perhaps the size of this penalty was due to HHS OCR concluding that Triple-S was not getting the message about HIPAA.  I suspect they have Triple-S’s attention now.  And I suspect this penalty is not generalizable to most one-off HIPAA breaches.

Rare Massachusetts Superior Court Decision Interpreting the CFAA Takes the Narrow View Without Squarely Addressing the Broad

This is a cross-post from our sister blog, Massachusetts Noncompete Law:

Judge Peter M. Lauriat of the Massachusetts Superior Court decided late last year that an employee who takes confidential documents from her employer’s electronic document system to use in a discrimination lawsuit against her employer is not liable to the employer under the Computer Fraud and Abuse Act (CFAA), especially when the employer knew about the lawsuit but nonetheless did not restrict the employee’s access to those documents while she was working for the employer.  In so deciding, Judge Lauriat had to grapple with two different interpretations of the CFAA, which generally makes individuals criminally and civilly liable for accessing information from a computer without authorization or in excess of authorized access.  The “narrow” view limits liability to those who “hack” into a computer and do not have any authorization to access the information, while the “broad” view expands liability to employees and others who have access to the information (e.g., they have a password that allows them to view the information), but then use that information for a purpose adverse to their employer.

As the facts indicate, this case involved the latter situation.  The plaintiff employee, Kamee Verdrager, started working as a labor and employment associate at defendant Mintz, Levin, Cohn, Ferris, Glovsky & Popeo, P.C. (Mintz Levin), one of the largest law firms in Boston.  On her first day, she signed an offer letter stating that she understood and accepted Mintz Levin’s confidentiality policy, which she received and which, among other things, stated that all documents produced by the firm were Mintz Levin’s property and should not be disclosed unless for the delivery of legal services on behalf of the firm.  Shortly after she started working, Verdrager felt that she was being discriminated against and, between May 2007 and November 2008, searched the electronic document system at the firm on six separate occasions for documents that might support her claims.  If she found a document that she thought was helpful, she copied it or emailed it to her personal email account.  She even found hundreds of transcriptions of voicemail messages to Robert Popeo, the managing partner of the firm, and she emailed them to her lawyer.  She also found documents about her own case against Mintz Levin before the Massachusetts Commission Against Discrimination, which she had filed in December 2007.  In November 2008, Verdrager told a partner at the firm that she was aware of documents indicating widespread discrimination at Mintz Levin.  Just days later, after Mintz Levin conducted a review of Verdrager’s computer activities, Verdrager was fired.  She continued to pursue her discrimination claims in Superior Court, and Mintz Levin counterclaimed, alleging, among other things, that Verdrager had violated the CFAA.  Meanwhile, Mintz Levin also complained to the Massachusetts Board of Bar Overseers (BBO) about Verdrager’s conduct, but ultimately the BBO determined that she had not violated the rules of professional conduct.  Verdrager then moved for summary judgment on Mintz Levin’s counterclaims.

In considering the CFAA claim against Verdrager, Judge Lauriat first acknowledged the two different interpretations of the CFAA, but then cited a recent case from the Massachusetts federal district court that favored the narrow view.  He then stated that “it was not the obtaining of the documents that creates the basis for the defendants’ claims against Ms. Verdrager, but for what use she sought to obtain them,” adding that “Ms. Verdrager’s disloyalty cannot amount to a violation of the CFAA.”  He then dismissed the CFAA claim against Verdrager.

This decision is hard to square with the decision of a Massachusetts federal district court judge who also took the narrow view of the CFAA.  In particular, Judge Nathaniel Gorton allowed a CFAA claim where the plaintiff employer alleged that the employee had breached his duty of loyalty to the employer by copying confidential documents that he intended to use for a competing venture.  All in all, the Verdrager case shows how hard it has become for judges to decide CFAA cases while courts continue to battle over which interpretation is the best.  The Supreme Court or Congress needs to step in and settle the issue.

- See more at: http://www.massachusettsnoncompetelaw.com/2014/02/rare-massachusetts-superior-court-decision-interpreting-the-cfaa-takes-the-narrow-view-without-squarely-addressing-the-broad/

HHS OCR Issues HIPAA Guidance on Sharing Information Related to Mental Health

On February 20, 2014, the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR) released new guidance explaining how the HIPAA Privacy Rule operates to protect individuals’ privacy rights with respect to their mental health information, and in what circumstances the Privacy Rule permits health care providers to communicate with patients’ family members and others to enhance treatment and assure safety.

The guidance is essentially a set of answers to frequently asked questions.  Set out below is a highly truncated version of those FAQs (please view the entire Q&A for the full position and explanation of HHS OCR on these questions):

  • Does HIPAA allow a health care provider to communicate with a patient’s family, friends, or other persons who are involved in the patient’s care?

Yes.

  • Does HIPAA provide extra protections for mental health information compared with other health information?

Only for psychotherapy notes.

  • Is a health care provider permitted to discuss an adult patient’s mental health information with the patient’s parents or other family members?

Yes, in situations where the patient is given the opportunity and does not object.

  • When does mental illness or another mental condition constitute incapacity under the Privacy Rule?

Where a provider determines that such a disclosure is in the patient’s best interests, the provider would be permitted to disclose only the PHI that is directly relevant to the person’s involvement in the patient’s care or payment for care.

  • If a health care provider knows that a patient with a serious mental illness has stopped taking a prescribed medication, can the provider tell the patient’s family members?

So long as the patient does not object, HIPAA allows the provider to share or discuss a patient’s mental health information with the patient’s family members.

  • Can a minor child’s doctor talk to the child’s parent about the patient’s mental health status and needs?

Yes, with respect to general treatment situations.

  • At what age of a child is the parent no longer the personal representative of the child for HIPAA purposes?

HIPAA defers to state law to determine the age of majority and the rights of parents to act for a child in making health care decisions.

  • Does a parent have a right to receive a copy of psychotherapy notes about a child’s mental health treatment?

No.

  • What options do family members of an adult patient with mental illness have if they are concerned about the patient’s mental health and the patient refuses to agree to let a health care provider share information with the family?

The HIPAA Privacy Rule permits a health care provider to disclose information to the family members of an adult patient who has capacity and indicates that he or she does not want the disclosure made, only to the extent that the provider perceives a serious and imminent threat to the health or safety of the patient or others and the family members are in a position to lessen the threat.

  • Does HIPAA permit a doctor to contact a patient’s family or law enforcement if the doctor believes that the patient might hurt herself or someone else?

Yes.

  • If a law enforcement officer brings a patient to a hospital or other mental health facility to be placed on a temporary psychiatric hold, and requests to be notified if or when the patient is released, can the facility make that notification?

The Privacy Rule permits a HIPAA covered entity, such as a hospital, to disclose certain protected health information, including the date and time of admission and discharge, in response to a law enforcement official’s request, for the purpose of locating or identifying a suspect, fugitive, material witness, or missing person.

  • If a doctor believes that a patient might hurt himself or herself or someone else, is it the duty of the provider to notify the family or law enforcement authorities?

A health care provider’s “duty to warn” generally is derived from and defined by standards of ethical conduct and State laws and court decisions such as Tarasoff v. Regents of the University of California.  HIPAA permits a covered health care provider to notify a patient’s family members of a serious and imminent threat to the health or safety of the patient or others if those family members are in a position to lessen or avert the threat.

  • Does HIPAA prevent a school administrator, or a school doctor or nurse, from sharing concerns about a student’s mental health with the student’s parents or law enforcement authorities?

Student health information held by a school generally is subject to the Family Educational Rights and Privacy Act (FERPA), not HIPAA.  In the limited circumstances where the HIPAA Privacy Rule, and not FERPA, may apply to health information in the school setting, the Rule allows disclosures to parents of a minor patient or to law enforcement in various situations.