On August 3, 2018, the Governor of Ohio signed into law the Data Protection Act, which provides businesses with an affirmative defense to data breach claims if the business was in compliance with reasonable security measures at the time of the breach. Specifically, a business would have to show that it creates, maintains and complies with “a written cybersecurity program . . . that reasonably conforms to an industry recognized cybersecurity framework.” Acceptable standards include the NIST framework and compliance with PCI requirements. For businesses subject to regulatory standards, evidence of compliance with those regulatory standards, such as the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA), will also provide protection. Many believe that this legislation will encourage businesses in Ohio to allocate more resources to cybersecurity and data protection programs.
Dena M. Castricone, CIPP/US is the chair of the Privacy and Cybersecurity group and a member of the Long Term Care and Health Care groups. She also serves as Chair of the firm’s Women Expanding Business initiative and co-chair of the firm’s Pro Bono Committee. Prior to joining Murtha Cullina, Dena served as a law clerk to the Chief Justice of the Rhode Island Supreme Court, Frank J. Williams.
As the Chair of the Privacy and Cybersecurity group and a Certified Information Privacy Professional (CIPP/US), Dena provides the full complement of data breach coaching services to business and health care clients, including breach notification to individuals and various government entities. Related to data breaches, she also counsels clients on the creation of information security and incident response plans and other proactive measures. Additionally, Dena advises clients on compliance with state, federal and international privacy laws, including the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA), as well as many others. Dena has written extensively on privacy and cybersecurity issues and she is the Co-Editor of Privacy and Cybersecurity Perspectives.
The much-anticipated Ponemon Institute 2018 Cost of Data Breach Study: Global Overview is out and, not surprisingly, the cost of a data breach continues to rise. In this country, the cost is up $8 per record, going from $225 per record last year to $233 per record this year. A more alarming jump, however, is the cost of a data breach in the health care sector, which is up to $408 per record from $340 just one year ago. In terms of controlling costs, the study provides solid evidence that swift response and incident response planning save money. Continue Reading Data Breach Costs Up; Planning and Swift Response Save Money
On July 5, 2018, the EU Parliament passed a non-binding resolution encouraging the European Commission to suspend the EU-US Privacy Shield Program unless the US is fully compliant by September 1, 2018. The EU Parliament believes that the current Privacy Shield program does not provide an adequate level of protection required by European law. This comes roughly two years after the European Commission deemed the EU-US Privacy Shield Framework adequate to enable data transfers under EU law. But a lot has changed in two years. Continue Reading EU Commission Recommends Suspension of Privacy Shield; Recent FTC Efforts May Be Too Little Too Late
You could almost hear the cheers of plaintiffs’ class action lawyers in California last night, as California’s governor signed the most sweeping privacy law this country has seen to date. Notably, the law gives consumers the right to statutory damages in the event of a breach if the company holding the consumer’s information failed to implement reasonable security measures. Those statutory damages are not less than $100 and not more than $750 “per consumer per incident or actual damages, whichever is greater.” Continue Reading California Gets Its Very Own GDPR with Statutory Damages
Today, in a 5-4 decision, the US Supreme Court ruled that the government’s acquisition of information regarding an individual’s location based on a cell phone record amounts to a Fourth Amendment search and generally requires a warrant. In Carpenter v. United States, the government obtained nearly 13,000 location points on Carpenter’s movements over a 127-day period from Carpenter’s wireless carrier under the Stored Communications Act (SCA). The standard for obtaining information under the SCA is much lower than the probable cause showing required for a warrant. The government used these cell phone records to show that Carpenter’s phone was near four locations that had been robbed when those robberies occurred and obtained a conviction. In reversing the decision of the Sixth Circuit and remanding the case, the Court held that individuals have a reasonable expectation of privacy in their physical movements.
Chief Justice Roberts delivered the 119-page opinion for the majority, joined by Justices Ginsburg, Breyer, Sotomayor and Kagan. Justices Kennedy, Alito, Thomas and Gorsuch each filed dissenting opinions.
This week, the Department of Health and Human Services Office for Civil Rights (OCR) issued guidance on the use of HIPAA-compliant authorizations for research based on a mandate in the Cures Act for such guidance. The guidance addresses authorizations and expiration language for future research as well as revocation of the authorization. A copy of the guidance can be obtained here. Continue Reading OCR Issues Guidance on the Use of HIPAA Authorizations for Research
Today, the European General Data Protection Regulation (“GDPR”) takes effect. The GDPR is the most comprehensive and complex privacy regulation currently enacted. The GDPR can apply to a business or organization (including a non-profit organization) anywhere in the world, and its potential financial impact is huge: fines can reach up to €20 million (over $23 million USD) or 4% of an entity’s total revenue, whichever is greater. Not surprisingly, the potential for this type of penalty has caused concern and chaos leading up to the May 25, 2018 effective date. In light of this significant international development, all organizations should consider the following: Continue Reading Three Important Considerations For All Businesses in Light of GDPR
Malware-infected servers at a Baltimore hospital system, LifeBridge, may have exposed more than half a million patient records. LifeBridge reports in a statement on its website that it discovered malware on the servers that host electronic medical records as well as patient registration and billing systems. The provider’s investigation determined that an unauthorized person accessed the server of its physician practice over a year and a half ago, on September 27, 2016. Accessed information may include patients’ names, addresses, dates of birth, diagnoses, medications, clinical and treatment information, insurance information, and social security numbers. LifeBridge sent letters to potentially affected patients and is offering one year of credit monitoring to individuals whose social security numbers may have been accessed.
While it appears that LifeBridge reported the breach to the state AG, as of the date of this post, this breach is not listed on OCR’s list of breaches affecting 500 or more patients (lovingly referred to as the OCR “Wall of Shame”).
The Department of Homeland Security (“DHS”) released its cybersecurity strategy on May 15, 2018. The 35-page document sets forth a plan for managing cybersecurity risks through public and private sector collaboration. By 2023, DHS seeks to have “improved national cybersecurity risk management by increasing security and resilience across government networks and critical infrastructure; decreasing illicit cyber activity; improving responses to cyber incidents; and fostering a more secure and reliable cyber ecosystem through a unified departmental approach, strong leadership, and close partnership with other federal and nonfederal entities.” The strategy document is broken into five pillars: risk identification; vulnerability reduction; threat reduction; consequence mitigation; and enable cybersecurity outcomes. DHS assures that it “will maintain a leadership role, collaborating with other federal agencies, the private sector, and other stakeholders, across all of its cybersecurity mission areas to ensure that cybersecurity risks are effectively managed, critical networks are protected, vulnerabilities are mitigated, cyber threats are reduced and countered, incidents are responded to in a timely way, and the cyber ecosystem is more secure and resilient.”
Uber suffered a data breach in 2014 resulting in the compromise of more than 50,000 drivers’ personal information, including bank account and social security numbers. Drivers brought a class action suit in the U.S. District Court for the Northern District of California. On May 10, a judge tossed the suit for a third time for lack of standing because the two named plaintiffs failed to allege that they suffered an injury in fact. Continue Reading Uber Catches Break in Data Breach Class Action