The California Attorney General’s office reported today that Uber will pay $148 million to resolve claims related to a 2016 data breach that Uber concealed. In addition to failing to report the breach, Uber paid the hackers $100,000 as part of the cover-up. The breach involved the information of 57 million customers and drivers. According to reports, the $148 million will be shared with other states participating in the nationwide investigation. This 2016 breach and a 2014 breach involving a failure to employ reasonable security practices already caught the attention of the Federal Trade Commission (FTC). Uber agreed to resolve those claims earlier this year. Also related to the 2014 breach, Uber caught a break when a judge tossed a class action suit for lack of standing in May.
On September 23, 2018, California’s governor signed into law the first round of revisions to the California Consumer Privacy Act (CCPA), the most sweeping privacy legislation in this country. California enacted the CCPA in June and it takes effect on January 1, 2020. Inspired by the European Union’s General Data Protection Regulation, the California legislature initially drafted the CCPA in haste to avoid a ballot initiative containing more onerous provisions for businesses. Not surprisingly, the hurried and voluminous legislation contained a number of issues that ranged from drafting errors to significant enforcement and compliance hurdles. Accordingly, as expected, at the end of August, the legislature passed S.B. 1121, which contained several revisions to address some but not all of those issues, including a possible enforcement delay of up to six months. Continue Reading California Governor Approves Revisions to Consumer Privacy Act
On September 20, the Department of Health and Human Services Office for Civil Rights (OCR) announced separate settlements with Boston Medical Center (BMC), Brigham and Women’s Hospital (BWH) and Massachusetts General Hospital (MGH) with penalties totaling $999,000. In each instance, a news story about ABC News filming a medical documentary (a Boston Globe article on BMC and BWH and a posting on MGH’s website) prompted OCR to conduct “a compliance review.” In all three separate investigations, OCR found deficiencies. While the BMC settlement agreement does not provide any details on the specifically alleged improper conduct, the BWH and MGH agreements note that both hospitals took measures to protect patient information but nonetheless OCR found the efforts to be inadequate. In those agreements, OCR implies that BWH and MGH obtained at least some written authorizations but disclosed information to the film crews before obtaining those authorizations. Continue Reading Boston-Area Hospitals Pay Nearly $1M in Penalties for Permitting Filming of “Boston Med”
On September 18, 2018, Connecticut’s governor released an annual report on the cybersecurity sophistication and readiness of the state’s electric, natural gas and major water companies. The four participating utility companies were Aquarion, Avangrid, Connecticut Water and Eversource. Continue Reading Report on Cyber Readiness of Connecticut Utility Companies
Hurricane Florence has caused the Department of Health and Human Services (“HHS”) to declare a public health emergency ahead of the storm. Accordingly, HHS’ Office for Civil Rights (“OCR”) released guidance ahead of the hurricane. The focus of the guidance is that HIPAA should not impede patient care in a disaster situation. Continue Reading OCR Releases Hurricane Florence Guidance Ahead of Storm
In recognition of the vulnerability of mobile devices and the daily use of those devices in health care, the National Institute of Standards and Technology (NIST) and the National Cybersecurity Center of Excellence (NCCoE) released a practice guide earlier this month entitled Securing Electronic Health Records on Mobile Devices (NIST Special Publication 1800-1). NIST and NCCoE specifically examined physician use of a mobile device (i.e. smart phone or tablet) to send a referral or an electronic prescription. Using open-source tools and commercially available technologies, NIST and NCCoE offer technical guidance on how to ensure that such mobile device use complies with the HIPAA Security Rule and is in line with NIST best practices. The 260-page practice guide has something for everyone ‒ high-level summaries for business leaders and technical guidance for information security and technology teams.
On August 3, 2018, the Governor in Ohio signed into law the Data Protection Act, which provides businesses with an affirmative defense to data breach claims if the business was in compliance with reasonable security measures at the time of the breach. Specifically, a business would have to show that it creates, maintains and complies with “a written cybersecurity program . . . that reasonably conforms to an industry recognized cybersecurity framework.” Acceptable standards include the NIST framework and compliance with PCI requirements. For businesses subject to regulatory standards, evidence of compliance with those regulatory standards, such as the Health Insurance Portability and Accountability Act (HIPAA) or Gramm-Leach Bliley (GLBA), will also provide protection. Many believe that this legislation will encourage businesses in Ohio to allocate more resources for cybersecurity and data protection programs.
On July 23, 2018, Denmark’s data protection agency announced that companies must encrypt all emails transmitting sensitive personal data. This new rule goes into effect January 1, 2019, giving companies that do business in or with Denmark approximately five months to implement encryption technologies for their email systems. This is a strict interpretation of Article 9 of GDPR; however, one facet of GDPR is that each European Union country can interpret and determine how companies must comply with the overarching GDPR principles and requirements. Continue Reading Denmark Implements Email Encryption Requirement, What Countries Will Follow?
The much-anticipated Ponemon Institute 2018 Cost of Data Breach Study: Global Overview is out and, not surprisingly, the cost of a data breach continues to rise. In this country, the cost is up $8 per record, going from $225 per record last year to $233 per record this year. A more alarming jump, however, is the cost of a data breach in the health care sector, which is up to $408 per record from $340 just one year ago. In terms of controlling costs, the study provides solid evidence that swift response and incident response planning save money. Continue Reading Data Breach Costs Up; Planning and Swift Response Save Money
On July 5, 2018, the EU Parliament passed a non-binding resolution encouraging the European Commission to suspend the EU-US Privacy Shield Program unless the US is fully compliant by September 1, 2018. The EU Parliament believes that the current Privacy Shield program does not provide an adequate level of protection required by European law. This comes roughly two years after the European Commission deemed the EU-US Privacy Shield Framework adequate to enable data transfers under EU law. But a lot has changed in two years. Continue Reading EU Commission Recommends Suspension of Privacy Shield; Recent FTC Efforts May Be Too Little Too Late