Data Security and Privacy

By Sarah Anderson

Adding publicity to the recent string of security breaches, Gemalto’s Breach Level Index released information on October 9, 2018 stating that, for the first half of 2018, approximately 291 records were stolen or exposed every single second.[1]  Gemalto estimates that 945 data breaches led to 4.5 billion data records being compromised worldwide, an increase of approximately 133% over the prior year.  These data breaches came from varying industries, with health care representing 27% of data breach incidents and the financial sector following with an estimated 14% of the incidents.  Of all the data and records stolen, it is estimated that just 1% of this data was encrypted, and only 9% of the security breaches were the result of an accidental loss.

This information comes as more than just a P.S.A. Both threatened and actual data security breaches pose a significant legal threat to all types of businesses – large and small, global and local. Therefore, many forward-thinking organizations are increasing their security systems and updating policies to mitigate potential legal claims for security breaches.

While the question of whether or not the fear of identity theft following a data breach is sufficient to constitute standing for a class action is largely undecided in the United States, the United Kingdom’s High Court already answered in the affirmative. More than 5000 current and former employees of Morrison’s, an online supermarket, are suing their former employer in a class action for damages related to a data leak that resulted in exposure to potential identity theft and financial losses. In 2014, a former Morrison’s employee leaked 100,000 names, addresses, bank account details and salaries of his co-workers online and sent it to a newspaper.[2] While Morrison’s spent more than 2 million pounds to mitigate the effects of and remedy the breach, the issue of monetary damages that it may owe its former employees remains outstanding.

The Morrison’s matter was the first data leak class action in the United Kingdom.[3] In 2017, the High Court ruled that Morrison’s was vicariously liable for this criminal data breach by its former employee and allowed those affected by the data breach to claim compensation for distress. Morrison’s is presently appealing this ruling.[4]

No similar legal battle has yet played out so openly in the United States, as Target’s 2017 data breach resulted in a multi-million dollar settlement with the affected customers.  However, with the ongoing and ever-increasing number of cyber threats and attacks on both private and public organizations, it is expected that victims of data breaches may become the next wave of class action plaintiffs.

If you have questions on how to protect your business and/or mitigate such claims in the future, please contact Sarah Anderson and Erin Kilgore.

____________________________________________

[1]https://www.gemalto.com/press/Pages/Data-Breaches-Compromised-4-5-Billion-Records-in-First-Half-of-2018.aspx

[2] https://www.bbc.com/news/uk-england-42193502

[3] https://www.theregister.co.uk/2018/10/09/morrisons_data_breach_appeal/

[4] https://www.bbc.com/news/uk-45793598

 

By Sarah W. Anderson

On September 27, 2018, Gov. John Bel Edwards declared October to be Cybersecurity Awareness Month in the State of Louisiana, signing a Proclamation in front of members of the Louisiana Cybersecurity Commission.  By signing this Proclamation, Gov. Edwards simultaneously kicked off a Cybersecurity Awareness Campaign promulgated by the Louisiana Cybersecurity Commission.   The goal of the Louisiana Cybersecurity Commission, the Proclamation, and the Cybersecurity Awareness Month Campaign is to enhance and improve Louisiana’s cybersecurity ecosystem.  Gov. Edwards stated at the Proclamation signing that, “There is no doubt that Louisiana is a leader in cybersecurity.”  He emphasized that “No state has more protections for its citizens and its businesses than Louisiana.”  Gov. Edwards referenced upcoming proposed legislation concerning cybersecurity protections for Louisiana citizens and businesses during his remarks following the Proclamation signing.  The Proclamation signing and the formation of the Louisiana Cybersecurity Commission follow Louisiana’s recently updated data breach notification laws that went into effect earlier this year. Copies of both the Proclamation and the Cybersecurity Awareness Campaign Model can be found on the Louisiana Cybersecurity Commission’s website.

Kean Miller attorneys will continue to update their clients on relevant cybersecurity news and changes in any relevant legislation and regulations.  If you have any questions concerning this, please contact Sarah Anderson and Jessica Engler from Kean Miller.

By James R. “Sonny” Chastain, Jr.

In a recent Supreme Court decision involving the Fourth Amendment, Justice Roberts noted that there are 396 million cell phone accounts in the United States for a nation of only 326 million people.  The cell phone provides numerous functions including access to contacts, data, information and the internet.  Some studies suggest people check cell phones every ten minutes and are less than five feet away from the phone most of the time.  It seems the cell phone has become an integral part of daily living. While the development may be productive in terms of the overall access to information, it also creates certain risks that employers should consider.

In many instances companies operate on a platform of bring your own device to work (“BYOD”).  Employers should consider what business information may be available to that employee on his or her personal cell phone.  An employer is vulnerable if an employee is connected to the employer’s computer system and can access valuable confidential information through the cell phone.   The risk is that the employer’s business information may “walk” out the door with the employee.  Moreover, if the information gets commingled with the employee’s personal information, there could be a problem in terms of “unscrambling” or wiping the phone on departure.   Certainly one approach is to not permit the employee to have access to the information on the phone.   However, an employee may need access in order to perform his or her job responsibilities.  Employers should consider whether to have a cellular phone policy that addresses how employees should use the phone, any issues regarding expectation of privacy, ownership of information, and wiping upon termination.

Additionally, a cell phone may cause distracted driving. Whether ringing, beeping, vibrating – the cell phone may cause drivers to lose focus.  A driver’s perceived belief that the ever important text/email may have just come in can create an overwhelming desire to check/respond.  To the extent an employee is on the road, the temptation to text, call or open an app may create serious risks.   Distracted driving is alleged to be a contributing factor in 80% of the automobile accidents on the road today.  Employers need to recognize this risk and be proactive in addressing it.  Employers should consider having a policy regarding the use of cell phones while driving.

Cell phones are integrated into our daily activities – just look around at any restaurant, getting on an elevator, or at a stop light.  No matter the time, place or circumstances, staying connected seems to be of utmost importance.  A cell phone is certainly very beneficial in terms of facilitating access to people and information.  However, cell phones may also bring about certain risks.  Employers may want to consider the risks that may be applicable to them and any policies to put in place to address those risks.

By Sarah W. Anderson

Companies using Apache Struts 2.0 should be aware of a possible security breach risk that could give rise to breach notification duties.  On August 22, 2018, the Apache Software Foundation posted updates regarding the correction of a vulnerability recently found in its web application platform called Apache Struts.

Apache Struts is an open source web application framework that uses model-view-controller architecture. A security bulletin was placed on https://cwiki.apache.org by Man Yue Mo from the Semmle Security Research team, which noted a flaw in the Struts 2 application that would allow a hacker to perform a remote code execution “attack when namespace value isn’t set for a result defined in underlying configurations and in same time, its upper action(s) configurations have no or wildcard namespace[.]”[1] There is a similar possible attack “when using [an] url tag which doesn’t have value and action set and in same time, its upper action(s) configurations have no or wildcard namespace.”[2]  This web application and vulnerability may affect any entity using Apache Struts, from small businesses to Fortune 100 companies.

The description of the vulnerability has been posted online, and this “blueprint” is suspected to provide an easy “how-to” guide for attackers. Attackers may exploit websites running the Struts 2.0 program by sending requests to hosted sites, to which the web servers will respond by running code commands of the attacker’s choosing. This would allow cyber attackers to undertake malicious acts such as copying and/or deleting consumer data or initiating other malware. Indeed, Equifax was forced to disclose a similar vulnerability in its Apache Struts software in 2017 after 143 million people had their sensitive information compromised in a July 29, 2017 security breach.
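As an added example (not code from the post, from the Apache Struts project, or from the security bulletin), the script below audits a Struts 2 `struts.xml` for the configuration pattern the bulletin describes: a result that does not set its own namespace inside a package whose namespace is absent or a wildcard. The sample configuration is constructed. The result types it checks (`redirectAction`, `chain`) and the `struts.mapper.alwaysSelectFullNamespace` constant it reports on are assumptions drawn from the public advisory rather than from this post; the audit is a configuration-hygiene aid for defenders and does not replace applying the fixed Struts release.

```python
"""Audit a Struts 2 struts.xml for the S2-057 configuration pattern.

Added example, not code from the post or from the Apache Struts project.
Assumptions: element and attribute names follow the standard Struts 2 XML
configuration (package/namespace, action, result, param, constant); the
result types checked and the alwaysSelectFullNamespace constant are taken
from the public advisory, not from this post.
"""
import xml.etree.ElementTree as ET

# Constructed sample configuration: package "wild" shows the risky pattern,
# "nons" has no namespace but its result sets one explicitly, "app" is fine.
SAMPLE_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="wild" namespace="/*" extends="struts-default">
    <action name="index" class="com.example.IndexAction">
      <result name="success" type="redirectAction">
        <param name="actionName">home</param>
      </result>
    </action>
  </package>
  <package name="nons" extends="struts-default">
    <action name="go" class="com.example.GoAction">
      <result name="success" type="redirectAction">
        <param name="actionName">home</param>
        <param name="namespace">/safe</param>
      </result>
    </action>
  </package>
  <package name="app" namespace="/app" extends="struts-default">
    <action name="list" class="com.example.ListAction">
      <result name="success" type="chain">
        <param name="actionName">home</param>
      </result>
    </action>
  </package>
</struts>
"""

# Result types that route to another action and therefore consult a namespace
# (assumption drawn from the advisory; extend to match your deployment).
NAMESPACE_AWARE_RESULT_TYPES = {"redirectAction", "chain"}


def package_namespace_is_risky(pkg):
    """True when the package has no namespace or a wildcard namespace."""
    ns = (pkg.get("namespace") or "").strip()
    return ns == "" or "*" in ns


def result_sets_namespace(result):
    """True when the result carries a non-empty <param name="namespace">."""
    return any(p.get("name") == "namespace" and (p.text or "").strip()
               for p in result.findall("param"))


def audit_struts_config(xml_text):
    """Return (package, action, result) triples matching the risky pattern."""
    root = ET.fromstring(xml_text)
    findings = []
    for pkg in root.findall("package"):
        if not package_namespace_is_risky(pkg):
            continue
        for action in pkg.findall("action"):
            for result in action.findall("result"):
                if (result.get("type") in NAMESPACE_AWARE_RESULT_TYPES
                        and not result_sets_namespace(result)):
                    findings.append((pkg.get("name"), action.get("name"),
                                     result.get("name", "success")))
    return findings


def full_namespace_mapping_enabled(xml_text):
    """Report whether struts.mapper.alwaysSelectFullNamespace is set to true."""
    root = ET.fromstring(xml_text)
    for const in root.findall("constant"):
        if const.get("name") == "struts.mapper.alwaysSelectFullNamespace":
            return (const.get("value") or "").strip().lower() == "true"
    return False


if __name__ == "__main__":
    for pkg, action, result in audit_struts_config(SAMPLE_STRUTS_XML):
        print(f"package={pkg} action={action} result={result}: "
              "set a namespace on the package or on the result")
    print("alwaysSelectFullNamespace:",
          full_namespace_mapping_enabled(SAMPLE_STRUTS_XML))
```

Run against the sample, the audit reports only the `wild`/`index` result; the `nons` package escapes because its result names a namespace explicitly, and `app` escapes because the package namespace is concrete. Pointing `audit_struts_config` at a real deployment's `struts.xml` gives an inventory of the results to fix while the upgrade is scheduled.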

If you suspect that your company uses Apache Struts 2.0 and security has been breached in Louisiana, please review and consider your potential obligations under the recent changes to Louisiana’s Database Security Breach Notification Law and contact your data security attorney.

******************************************

[1] https://cwiki.apache.org/confluence/display/WW/S2-057

[2] https://cwiki.apache.org/confluence/display/WW/S2-057

By Jessica C. Engler, CIPP/US

To say that privacy regulations have been in the news lately is a bit of an understatement. The European Union’s new General Data Protection Regulation has had privacy professionals and businesses scrambling to meet the May 25, 2018 deadline for compliance. While the GDPR may be dominating the national news circuits, the EU is not the only one making changes to their privacy laws. The Louisiana Legislature has passed, and Governor Edwards signed on May 20, 2018, amendments to Louisiana’s Database Security Breach Notification Law (Louisiana Revised Statutes 51:3071, et seq.), at Act 382.[i] Act 382 becomes effective on August 1, 2018.

A.  Expansion of “Personal Information”

The first major change is the expansion of the definition of “personal information” under the statute. Louisiana previously defined personal information for the purposes of the breach notification law as an individual’s first name or initial and last name in combination with any of the following additional data elements when the name or data element is not encrypted or redacted: (1) social security number; (2) driver’s license number; or (3) account number, credit or debit card number, in combination with the applicable password, security code, or access code that would allow access to an individual’s financial account. Act 382 adds the following additional pieces of data to this list: state identification card number; passport number; and “biometric data.” “Biometric data” is defined as “data generated by automatic measurements of an individual’s biological characteristics” and includes markers such as fingerprints, voice prints, eye retina or iris, or other unique biological characteristics that are used to authenticate an individual’s identity when accessing a system or account. In this change, Louisiana joins a growing trend of expanding personal data beyond ID numbers and financial accounts into more unique and personal identifiers. At the time of this writing, at least twelve other states have enacted laws that include biometric markers as personal information.[ii]

B.  New Data Protection Requirements

Act 382 imposes new requirements on Louisiana businesses to protect personal information. These changes affect companies that conduct business in the state of Louisiana or that own or license computerized data including personal information of Louisiana residents, and agencies that own or license computerized data including Louisiana residents’ personal information (collectively “Subject Entities”). Under Act 382, Subject Entities will be required to implement and maintain “reasonable security procedures and practices appropriate to the nature of the information” to protect the personal information from breaches, destruction, use, modification, or disclosure.

Subject Entities will also be under new requirements for data destruction. Subject Entities will be required to take reasonable steps to destroy or arrange for the destruction of records within its custody or control containing personal information that is no longer to be retained by the Subject Entity by shredding, erasing, or otherwise modifying the personal information to make the information unreadable or undecipherable.

C.  Data Breach Notifications

In the event of a breach, the revisions to Section 51:3073 have now implemented a time limit within which Subject Entities must notify the Louisiana residents whose data was affected. Originally, the statute provided that notice must be done “in the most expedient time possible and without unreasonable delay.” The revised statute retains that language, but now includes that notification must be made no later than 60 days from the discovery of the breach. The revisions maintain the original exception to this rule in the case of delay necessitated by the needs of law enforcement or measures necessary to determine the scope of the breach, prevent further disclosures, and restore the reasonable integrity of the data system. However, if a Subject Entity does delay notification for one of these reasons, it must provide written notice to the Louisiana Attorney General of this delay and the reasons for it within the 60-day period. Upon receipt, the Attorney General will grant a reasonable extension of time for notification.

The revisions preserve the ability for a Subject Entity to investigate whether the breach is reasonably likely to cause harm to Louisiana residents, and, if the breach is unlikely to cause harm, the Subject Entity is not required to notify affected Louisiana residents of the breach. This situation commonly arises when the breached data was encrypted, provided the encryption key was not also breached. If the Subject Entity decides not to report under this section, then the entity must document that decision in writing and retain the written decision and supporting documentation for five years from the date of discovery of the breach. The Attorney General can request a copy of this documentation and the written determination, and the Subject Entity must provide the documentation within thirty days of the Attorney General’s request.

Last, violations of these provisions are now deemed an unfair trade practice under R.S. 51:1405(A). During testimony on this bill, the Attorney General’s Office commented that their Office has already been treating violations as an unfair trade practice, so this language only codifies their current practice.

D.  General Comments

Many of the changes made to Louisiana’s data security laws echo similar revisions in other states. Several states have opened their data security laws to expand beyond notification procedures to now requiring “reasonable” security practices and destruction of outdated data. Unlike Alabama’s new data security law, Louisiana’s revised law does not define what security practices qualify as “reasonable”, which may cause some concern amongst Subject Entities looking for guidance when updating their security practices.

It is possible that the new revisions may lead to increased litigation for data breaches. The Attorney General is and remains the primary enforcer of the data breach laws; however, private rights of action are permitted. Codifying violations of these statutes as an unfair trade practice may lead to an increase in suits filed under these statutes. However, a potential plaintiff will likely still be required to prove that he or she was injured by the breach, which has been a difficult task for plaintiffs that have not suffered an identity theft.

The new law becomes effective on August 1, 2018. Until that time, Subject Entities that have not recently reviewed their data security policies and practices may want to consider an update.

***********************************************

[i] Act 382 of the 2018 Regular Session can be found at the following address: https://www.legis.la.gov/legis/ViewDocument.aspx?d=1101149.

[ii] These states include, but are not limited to Arizona, Delaware, Illinois, Iowa, Maryland, Nebraska, New Mexico, North Carolina, Oregon, South Dakota, Wisconsin, and Wyoming.


By Jessica C. Engler

The IRS has sent an urgent alert to employers this month that a W-2 phishing scam that many companies fell victim to in 2016 is back in full force for 2017. The IRS warns that this scam is emerging earlier this year and is targeting school districts, tribal organizations, and nonprofits in addition to businesses.

The “W-2 Scam” is carried out by persons who disguise (“spoof”) an email to make it look like it came from a top executive or the receiver’s business colleague. The dummy email is sent to (typically) the organization’s accounting and human resources department, and will ask for a list—or the copies themselves—of the company’s W-2 tax forms, employees’ dates of birth, and Social Security Numbers. If the unsuspecting victim responds with this information, the sender can use this data to file false tax returns, generate revenue on the black market, and perpetrate identity theft.

While this email can take many forms, some example phrasing for the email includes:

  • “Please send me the individual 2016 W-2 (PDF) and earnings summary of all W-2s of our company staff for a quick review”
  • “Hope you had a nice weekend. Do you have PDF copies of the employee’s W-2s? Could you please send to me for a quick review?”
  • “I need you to email me the list of individual W-2 copies of all employees’ wages and income tax statements for 2016 tax year in PDF file format for quick review. Prepare the list and send to me ASAP. I will brief you more about this later.”

The IRS warning indicates that these phishing emails are also including requests for wire transfers this year.

The Security Summit (which comprises the IRS, state tax agencies, and members of the tax industry) recommends that employers and employees stay vigilant of this threat. Employers may consider doing additional training with employees on recognizing these phishing emails.
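As an added example (not code from the post or from the IRS), the script below scores an inbound message against the W-2 scam indicators the post lists: an executive’s display name on mail from outside the company, a Reply-To that diverts answers elsewhere, and the request wording quoted above (including the wire-transfer variant). The company domain, executive names and both sample messages are constructed placeholders; the weights and threshold are assumptions to tune against your own mail.

```python
"""Flag inbound mail showing the W-2 scam indicators described above.

Added example, not from the post or the IRS. The sample messages, the
company domain and the executive names are constructed placeholders.
"""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-co.test"             # placeholder for your mail domain
EXECUTIVE_NAMES = {"pat rivera", "chris lee"}  # constructed display names of senior staff
FLAG_THRESHOLD = 3                             # assumed cut-off; tune to your mail volume

# Wording drawn from the IRS sample phrasing quoted above plus the wire-transfer variant.
REQUEST_PATTERNS = [
    r"\bw-?2s?\b",
    r"\b(ssn|social security)\b",
    r"\bquick review\b",
    r"\basap\b",
    r"\bwire transfer\b",
    r"\bpdf\b",
]


def _domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _body_text(msg):
    """Collect the text/plain parts of a message as one lowercase string."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8",
                                         errors="replace"))
    return "\n".join(chunks).lower()


def score_message(raw):
    """Return {"score", "flagged", "reasons"} for one RFC 822 message string."""
    msg = message_from_string(raw)
    display, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    text = msg.get("Subject", "").lower() + "\n" + _body_text(msg)

    score, reasons = 0, []
    # Display-name spoofing: an executive's name on a message from outside the company.
    if display.strip().lower() in EXECUTIVE_NAMES and _domain(sender) != COMPANY_DOMAIN:
        score += 2
        reasons.append(f"executive display name '{display}' sent from {_domain(sender)}")
    # Replies diverted to a third mailbox.
    if reply_to and _domain(reply_to) != _domain(sender):
        score += 2
        reasons.append(f"Reply-To domain {_domain(reply_to)} differs from From domain")
    # Request wording typical of the scam, one point per distinct phrase.
    hits = [p for p in REQUEST_PATTERNS if re.search(p, text)]
    score += len(hits)
    if hits:
        reasons.append(f"{len(hits)} request phrase(s) matched")
    return {"score": score, "flagged": score >= FLAG_THRESHOLD, "reasons": reasons}


# Constructed sample messages (no real senders or recipients).
SCAM_MAIL = """From: Pat Rivera <pat.rivera@mail-example.test>
Reply-To: Pat Rivera <ceo.pat@freemail.test>
To: payroll@example-co.test
Subject: W-2 copies

Hope you had a nice weekend. Do you have PDF copies of the employee's W-2s?
Could you please send to me for a quick review? Prepare the list and send ASAP.
"""

LEGIT_MAIL = """From: Pat Rivera <pat.rivera@example-co.test>
To: payroll@example-co.test
Subject: Q1 staffing plan

Can you send me the headcount spreadsheet before Thursday's meeting?
"""

if __name__ == "__main__":
    for name, raw in (("scam", SCAM_MAIL), ("legit", LEGIT_MAIL)):
        print(name, score_message(raw))
```

The header checks carry most of the weight on purpose: the request phrasing alone also appears in legitimate payroll traffic, whereas an executive’s name arriving from an outside domain, or a Reply-To pointing somewhere else, is the spoofing the post describes. A mail gateway rule or a training exercise can use the same three signals.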

The IRS instructs any organization that receives a W-2 scam email to forward that email to phishing@irs.gov and place “W2 Scam” in the subject line. Organizations that receive the scam or fall victim to it can file a complaint with the Internet Crime Complaint Center (IC3), which is operated by the Federal Bureau of Investigation. Organizations should also consider contacting an attorney with experience in data management to assist in the response to affected persons.


By Jessica Engler

Continuing the trend from 2015, 2016 has seen a significant number of large, public data breaches. Many of these breaches involved high-profile companies such as the Democratic National Convention, Internal Revenue Service, MySpace, Yahoo!, and Anthem. Since large corporate and government breaches typically get the most attention, many smaller, local businesses can be lulled into a false sense of security, believing that those who do hack and steal data are not interested in their business. However, in 2016, hacker targeting of small businesses increased from 34 percent to 43 percent.[1] Small businesses, including the construction industry, are at risk.

The construction industry is becoming increasingly more connected. In addition to storage of confidential data on computers, many design and construction software systems—like BIM, Revit, Procore, and Aconex—have remote access controls or Internet-connected capabilities. As a company grows more technologically savvy, its exposure to breaches grows with it. This memorandum will answer some basic questions for construction companies regarding data privacy issues. For specific advice regarding individual, company-specific questions, inquirers should seek the assistance of an attorney experienced in data privacy.

I am not MySpace or the IRS—why would a hacker be interested in my business?

Construction companies are often just as reliant on IT and computers as any other business. Construction companies—especially smaller ones—often do not think they are a target, so any protective measures currently in place may be easier to penetrate. Several reasons why a hacker may be interested in you include:

  1. Valuable Personally Identifiable Information Data: The vast majority of hacks are made for financial gain. If you use computers at all in your businesses, it is likely that you have confidential data stored on that computer that would be valuable to a hacker. Though you may not have as much personally identifiable information as a financial institution, you likely still have employee information (e.g., Social Security numbers, bank accounts for payroll, healthcare information, etc.) that could be worth money.
  2. Valuable Non-Personal Data: Construction companies often have access to certain proprietary client documents including project bid data, architectural designs, trade secrets, and other intellectual property. A hacker may also target general information about the company’s banking, accounting data, and policies in order to orchestrate social engineering or phishing schemes to have an employee send the hacker valuable data or unwittingly transfer corporate funds/assets.
  3. Access to Private Client Information: At times, the hacker is interested in accessing a client of the company, rather than the company itself. In 2013, approximately 70 million customers’ data was released by retail giant Target through malware installed on credit card machines. The hackers’ access to Target’s network was obtained indirectly through Fazio Mechanical Services, Target’s HVAC vendor, which had Target network credentials.[2] Through Fazio’s credentials, the hackers were able to cross into Target’s network to install the malware.
  4. Extortion: Ransomware is a type of malware designed to block off access to data stored in a computer system until money is paid (typically in bitcoin) to the hacker. When access is blocked—typically through encryption—the data may be lost if the victim does not pay the ransom and the victim does not have the data backed up.

I don’t buy it. Name a construction company who has had a breach.

In early 2016, Turner Construction was targeted by a spear-phishing[3] scam wherein an employee emailed tax information on current and former employees to a fraudulent email account.[4] The tax information included full names, Social Security numbers, states of employment and residence, and tax withholding data for 2015. Hackers had manipulated, or “spoofed”, the “From” field in the email to the employee to make the email look like it was from a legitimate sender. This was a common scam during the 2016 tax season, used to obtain information for filing fraudulent tax returns.

Whiting-Turner Contracting (Baltimore), Central Concrete Supply Company (California), Century Fence (Wisconsin), Trinity Solar, and Foss Manufacturing were also recent victims of this scam.[5]

Are breaches really that big of a deal?

Data breaches can be very costly for a business. Depending on the type of data breached, a breach can cause loss of business and clients, reputation damages, loss of goodwill, decline in share value, increased legal and technological costs, and potential fines. Some businesses are never able to recover from a breach.

Additionally, even when a company can recover, it will often still have incurred significant costs due to business interruption. Depending on when the data incident occurred, a construction company may also be facing the risk of delay damages.

Yikes, that sounds expensive. What can I do to guarantee I will never be breached?

Unfortunately, there really is no way to “guarantee” that you will never be a target of a hacker. “Most security experts believe that it is a matter of when, not if,” your company will be targeted by hackers.[6] However, there are some actions you can take today to reduce your risk:

  • Identify your company’s valuable, private, and/or confidential information and know where that information is located on your network. Block off access to anyone who does not need that information to perform their job duties;
  • Work with your IT provider to ensure the company and its employees have strong password controls, any necessary encryption, current firewalls, updated security patches, and other recommended protections;
  • Consider using a third-party IT consultant to evaluate your system and identify any holes or vulnerabilities that your in-house IT personnel may have missed;
  • If using a subcontractor or other third party service provider that will have access to your network, establish procedures to evaluate those contractors;
  • Train employees to be aware and vigilant of risks and their role in protecting company data and assets; and
  • Create a plan of action in the event of a data incident.

A number of these steps and further actions to help protect your data can be undertaken with the help of legal counsel.

I have CGL insurance. Wouldn’t this be covered under my insurance?

It depends on the terms of your policy. In 2014, the Insurance Services Office, Inc. (the insurance industry organization that develops standard policy forms adopted by many insurance companies) issued a new form for CGL policies that expressly excludes coverage for data incidents.[7] Consultation with legal counsel can help you determine whether your current insurance coverage will provide coverage during a data incident.

If your CGL policy or any other policy leaves you without coverage for a data incident, you may want to consider purchasing cyber liability insurance. This relatively new form of insurance can provide coverage for costs associated with a data breach, including (depending on the terms of your policy) business interruption expenses, cyber extortion demand payments, legal expenses, IT forensic team expenses, cost of notification, and/or credit monitoring for affected persons.

I have been breached. What do I do?

If you have been breached, immediately contact your incident response team assigned in your incident response plan. If you do not have an incident response plan in place, contact your IT professionals and legal counsel. Many notification laws require that notice be given to affected persons and other state and federal agencies within certain time-frames, so it is important to have counsel retained in order to respond quickly and appropriately.

_________________________________________

[1] Symantec, Internet Security Threat Report: Vol. 21 (Apr. 2016) (available at https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf).

[2] Target Hackers Broke in Via HVAC Company, Krebs on Security (Feb. 5, 2014) (available at https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/).

[3] Phishing is a type of email scam wherein the victim receives an email from someone who is pretending to be another person or entity, believes that the email is legitimate, and typically sends assets or information to the scammer based upon that mistaken belief. A well-known phishing scam is the “Nigerian Prince” scam. Spear phishing is a more targeted version of phishing. In a spear-phishing email, the scammer pretends to be a friend, family member, or co-worker. Because the email appears to be from someone the recipient knows, the recipient is often less vigilant in evaluating the legitimacy of the email. 

[4] Turner Construction Data Breach Notification Letter, State of California Department of Justice, Office of the Attorney General (last accessed 12/14/16) (available at https://oag.ca.gov/system/files/Turner%20Construction%20Ad%20r4prf_1.pdf?)

[5] Data Breaches, Cyber Security, and the Construction Industry, iSqFt.com (May 2, 2016) (available at http://www.isqft.com/start/blog-data-breaches-cyber-security-and-the-construction-industry/).

[6] Data Breaches, Cyber Security, and the Construction Industry, iSqFt.com (May 2, 2016) (available at http://www.isqft.com/start/blog-data-breaches-cyber-security-and-the-construction-industry/).

[7] Marla Kanemitsu & Erin Webb, Reviewing Emerging Insurance Protection for Cyber Risks, Security Magazine (Apr. 1, 2014) (available at http://www.securitymagazine.com/articles/85358-reviewing-emerging-insurance-protection-for-cyber-risks).

 


By Sam Lumpkin

The US District Court for the Western District of North Carolina recently held that even text messages are subject to the duty to preserve electronically stored information (ESI). In Shaffer v. Gaither, the plaintiff asserted claims against her former boss – a US District Attorney – for constructive dismissal based on sexual harassment and creation of a hostile work environment. The plaintiff also added a claim of defamation, based on an allegation that the former boss had falsely spread rumors that plaintiff was fired for having a sexual relationship with a married member of the defense bar. Although the plaintiff admitted that the relationship existed, the defamation claim was based on what plaintiff argued was a false reason for her termination.

The defendant contended that plaintiff had sent her paramour text messages about the termination in which she admitted that she was fired because of the relationship. However, the text messages were lost when plaintiff purportedly dropped her cell phone in a bathroom. The court therefore had to address whether, in light of the claims pending at the time the text messages were lost, the plaintiff had failed to preserve relevant ESI.

Under the recent amendments to Federal Rule of Civil Procedure 37(e), the duty to preserve ESI arises when litigation is “reasonably anticipated,” and the loss of ESI is sanctionable if reasonable steps to preserve the ESI are not taken and the information cannot be restored or replaced through additional discovery. Dismissal is not an automatic remedy for spoliation, and some remedies are only available when the spoliating party acted with intent to deprive the opposing party of evidence.

The court in Shaffer found that before the messages were destroyed, plaintiff had threatened litigation and her attorney had discussed the messages with the defendant’s attorney. The messages were therefore clearly relevant to the defamation claim, and both plaintiff and her attorney knew they had a duty to preserve the messages at least five months before the messages were destroyed. The court did not immediately find that the destruction of the plaintiff’s phone was intentional, and because similar evidence might be available through the testimony of various parties who had viewed the texts before they were destroyed, the court did not order dismissal of the defamation claim.

However, the court did provide guidance to potential litigants: “Once it is clear that a litigant has ESI that is relevant to reasonably anticipated litigation, steps should be taken to preserve that material, such as printing out the texts, making an electronic copy of such texts, cloning the phone, or even taking possession of the phone and instructing the client to simply get another one.” Although the plaintiff in Shaffer did not face dismissal due to the circumstances of the case, other litigants may not be so fortunate.
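The court’s guidance lists “making an electronic copy” as one way to preserve messages. As an added example (not from the opinion or the post), the script below shows what a defensible electronic copy looks like in practice: each file from an export folder is copied into a preservation folder, a SHA-256 digest and size are recorded per file alongside who collected what and when in a `manifest.json`, and the copy can be re-verified later so any alteration after collection is detectable. The folder layout, the two sample text files and the custodian and collector names are constructed placeholders.

```python
"""Preserve an electronic copy of ESI with an integrity manifest.

Added example, not from the court's opinion or the post. It copies each file
from an export folder into a preservation folder, records a SHA-256 digest
and size per file plus collection details in manifest.json, and verifies the
preserved copy later. Custodian and collector names are placeholders.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large exports need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preserve(source_dir, dest_dir, custodian, collected_by):
    """Copy every file under source_dir into dest_dir/files and write manifest.json."""
    source, dest = Path(source_dir), Path(dest_dir)
    (dest / "files").mkdir(parents=True, exist_ok=True)
    entries = []
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source)
        target = dest / "files" / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)  # copy2 keeps the original modification time
        entries.append({"path": rel.as_posix(),
                        "size": target.stat().st_size,
                        "sha256": sha256_file(target)})
    manifest = {
        "custodian": custodian,
        "collected_by": collected_by,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "source": str(source),
        "files": entries,
    }
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(dest_dir):
    """Return the manifest paths whose preserved copy is missing or altered."""
    dest = Path(dest_dir)
    manifest = json.loads((dest / "manifest.json").read_text())
    bad = []
    for entry in manifest["files"]:
        copy = dest / "files" / entry["path"]
        if not copy.is_file() or sha256_file(copy) != entry["sha256"]:
            bad.append(entry["path"])
    return bad


def demo():
    """Preserve a constructed two-file export, verify it, then detect a later change."""
    with tempfile.TemporaryDirectory() as tmp:
        export = Path(tmp) / "phone_export"
        export.mkdir()
        (export / "sms_2016-03-01.txt").write_text("constructed sample text thread\n")
        (export / "sms_2016-03-02.txt").write_text("second constructed thread\n")
        preserved = Path(tmp) / "preserved"
        manifest = preserve(export, preserved,
                            "custodian (placeholder)", "counsel (placeholder)")
        clean = verify(preserved)
        (preserved / "files" / "sms_2016-03-01.txt").write_text("altered after collection\n")
        return len(manifest["files"]), clean, verify(preserved)


if __name__ == "__main__":
    print(demo())
```

The digest of `manifest.json` itself should be recorded in a separate place (a collection log or a cover email to opposing counsel, for instance) so that the manifest cannot be silently rewritten along with the files it describes.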

By Jason R. Cashio

Continuing a trend among other courts, a recent ruling from U.S.D.C., Middle District of Louisiana, recognized the discoverability of plaintiff’s social media postings.  Baxter v. Anderson, 2016 U.S. Dist. LEXIS 110687 (M.D. La. Aug. 18, 2016).  In Baxter, Magistrate Judge Bourgeois addressed the discoverability of social media in a recent discovery ruling on August 19, 2016.  The discovery requests calling for production of plaintiff’s social media information, as propounded, were overly broad.  However, the court was still willing to permit the discovery with some limitations. 

Magistrate Judge Bourgeois was not willing to permit unfettered access to a plaintiff’s social media account just because a personal injury lawsuit was filed, which placed plaintiff’s mental and physical conditions at issue.  However, the ruling permitted access to any postings that met one of the following criteria:

  1. Postings by the plaintiff that relate to the accident;
  2. Postings related to any emotional distress or treatment received that relate to the accident;
  3. Postings or photographs that relate to alternative potential emotional stressors, or that are inconsistent with the alleged mental injuries;
  4. Postings that relate to physical injuries sustained as a result of the accident and any treatment therefor;
  5. Postings that relate to other, unrelated physical injuries; and,
  6. Postings or photographs that reflect physical capabilities that are inconsistent with the alleged injuries at issue.

Accordingly, the court acknowledged that social media posts/photographs are subject to discovery, which is consistent with numerous other rulings within Louisiana, as well as around the nation.  

By Jessica Engler and Lyn Savoie

Ransomware is here to stay. According to a recent United States Government interagency report, on average, there have been approximately 4,000 daily ransomware attacks since early 2016, which is a 300 percent increase from the approximately 1,000 daily ransomware attacks reported in 2015.[1] A significant percentage of those affected by ransomware have been healthcare providers who are subject to the Health Insurance Portability and Accountability Act (“HIPAA”).

Ransomware is a form of malware that targets a user’s critical data and systems in order to extort payment for restoration of the data or system. After the user is locked out of their system, the perpetrator demands a ransom payment in order to have the data restored; otherwise, the data will be deleted or left permanently encrypted. After the user sends payment, the perpetrator provides the victim a means to regain access to the data.

The healthcare industry is particularly vulnerable to this cyber activity because ransomware can block access to electronic medical records, which can disrupt patient care.[2] In February, attackers held data belonging to the Hollywood Presbyterian Medical Center in Los Angeles for ransom using a piece of ransomware called “Locky.” The hospital remained offline for over a week until hospital officials caved to the demands and paid the equivalent of $17,000 in Bitcoin.[3] Other hospitals and healthcare providers have faced similar attacks.[4] According to new research by Solutionary, an Omaha-based security firm, healthcare organizations were 114 times more likely to be hit by ransomware infections than financial firms, and 21 times more likely than educational institutions.[5] This increase in attacks and the threat to healthcare records caused lawmakers to push the U.S. Department of Health & Human Services (“HHS”) for guidance regarding ransomware cybersecurity attacks—particularly on the points of reporting attacks and whether such attacks are considered a violation of HIPAA.

On July 11, 2016, the Office for Civil Rights (“OCR”) issued new guidance on how to handle ransomware attacks under HIPAA. This new guidance discusses how the security requirements under HIPAA can help organizations prevent, detect, and recover from ransomware attacks. The OCR guidance expressly provides that the presence of ransomware on a computer system is a “security incident” under the HIPAA Security Rule and, therefore, an entity impacted by such ransomware must initiate its security incident response and reporting procedures. Additionally, the OCR guidance addresses whether a ransomware infection is considered a “breach” under HIPAA.

Whether or not the presence of ransomware will constitute a breach is a case-by-case determination. The HIPAA Rules define a “breach” as “the acquisition, access, use, or disclosure of Protected Health Information (“PHI”) in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.”[6] In cases where electronic PHI is encrypted as a result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was accessed and is consequently an impermissible disclosure under the HIPAA Privacy Rule. The entity must then comply with the applicable notification provisions under the HIPAA Breach Notification Rules, including notifying the affected individuals, the Secretary of HHS, and (if the breach affects more than 500 individuals) the media.[7]

Pursuant to the HIPAA Breach Notification Rule, a breach is presumed to have taken place unless the entity suffering the attack can show that there is a “low probability that the PHI has been compromised.” To make such a determination, the entity must perform a risk assessment that considers, at a minimum, the following four factors:

  • The nature and extent of the PHI involved, including types of identifiers and likelihood of re-identification;
  • The unauthorized person who used the PHI or to whom disclosure was made;
  • Whether PHI was actually acquired or viewed; and
  • The extent to which the risk to the PHI has been mitigated.[8]

In its recent guidance document, OCR encourages entities to consider additional factors, such as the high risk of unavailability of the data or a high risk to data integrity.[9] This risk assessment must be thorough, completed in good faith, and reach conclusions that are reasonable given the circumstances. Further, the covered entity and business associates must maintain supporting documentation regarding the breach assessment—and, if applicable, notification—process, including documentation of: (1) the risk assessment demonstrating the conclusions reached; (2) any exceptions determined to be applicable to the impermissible use or disclosure of the PHI; and (3) all notifications that were made, if applicable.[10] Outside of this guidance, it is undetermined at this time what will satisfy the OCR that a particular ransomware attack qualifies as having a “low probability of harm.”

The full OCR guidance can be found on the HHS’s website, which also includes recommendations for protection of data in order to prevent a breach, as well as response and recovery from the ransomware attack.[11] It should be noted that this new guidance does not create new law. Rather, it is a clarification by OCR of federal law that has been in place since 2013, meaning that entities subject to HIPAA that have suffered a ransomware attack in the past three years may need to determine whether they need to report the incidents.

Data breaches are serious incidents. They can be even more serious and dangerous when patients’ medical records and medical care are at stake. It is recommended that healthcare entities, as well as their HIPAA business associates, consult with an attorney to ensure compliance with HIPAA before a breach happens, as well as immediately after a potential breach is discovered, to perform the proper due diligence and move in the right direction towards compliance and recovery.

_____________________________________________

[1] United States Government Interagency Guidance Document, How to Protect Your Networks from Ransomware, Justice.gov (available at https://www.justice.gov/criminal-ccips/file/872771/download).

[2] Kim Zetter, Why Hospitals are the Perfect Targets for Ransomware, Wired.com (13:31:00, Mar. 30, 2016) (available at https://www.wired.com/2016/03/ransomware-why-hospitals-are-the-perfect-targets/).

[3] Id.; Joseph Conn, Hospital Pays Hackers $17,000 to Unlock EHRs Frozen in ‘Ransomware’ Attack, Modern Healthcare (Crain Communications, Inc., Feb. 18, 2016) (available at http://www.modernhealthcare.com/article/20160217/NEWS/160219920).

[4] See, e.g., Bill Siwicki, Ransomware Attackers Collect Ransom from Kansas Hospital, Don’t Unlock All the Data, then Demand More Money, Healthcare IT News (HIMSS Media, 14:58:00, May 23, 2016) (available at http://www.healthcareitnews.com/news/kansas-hospital-hit-ransomware-pays-then-attackers-demand-second-ransom); Mike Miliard, Two More Hospitals Struck by Ransomware, in California and Indiana, Healthcare IT News (HIMSS Media, 10:55:00, Apr. 4, 2016) (available at http://www.healthcareitnews.com/news/two-more-hospitals-struck-ransomware-california-and-indiana); Joseph Conn, Patient Data Held for Ransom at Rural Illinois Hospital, Modern Healthcare (Crain Communications, Inc., Dec. 17, 2014) (available at http://www.modernhealthcare.com/article/20141217/NEWS/312179948).

[5] Meg Bryant, Healthcare Orgs at Much Higher Risk of Ransomware Attack Than Financial Institutions, Healthcare DIVE (Industry Dive, Jul. 28, 2016) (available at http://www.healthcaredive.com/news/healthcare-orgs-at-much-higher-risk-of-ransomware-attack-than-financial-ins/423395/); Maria Korolov, Health Care Organizations 114 Times More Likely to Be Ransomware Victims than Financial Firms, CSO (IDG, 5:00:00, Jul. 26, 2016) (available at http://www.csoonline.com/article/3099852/security/health-care-organizations-114-times-more-likely-to-be-ransomware-victims-than-financial-firms.html).

[6] U.S. Department of Health & Human Services Office for Civil Rights, Fact Sheet: Ransomware and HIPAA, HHS.gov (July 11, 2016) (available at http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf).

[7] See 45 C.F.R. 164.400–414.

[8] 45 C.F.R. 164.402(2).

[9] Data integrity is an important consideration in the ransomware context, as many ransomware programs delete the original data and leave only the data in the encrypted form. Eric Schulwolf, HHS OCR Guidance on Ransomware Attacks: They Constitute a “Security Incident” and are Likely a Data Breach, JD Supra Business Advisor (JD Supra, LLC, Jul. 25, 2016) (available at http://www.jdsupra.com/legalnews/hhs-ocr-guidance-on-ransomware-attacks-11173/).

[10] 45 C.F.R. 164.530(j)(iv), 164.414, 164.402(1).

[11] See U.S. Department of Health & Human Services Office for Civil Rights, Fact Sheet: Ransomware and HIPAA, HHS.gov (July 11, 2016) (available at http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf).