News & Insights

Newsletter

May 8, 2017

Data, Privacy & Security Practice Report – May 8, 2017


kkHIPAA Settlement With Wireless Health Services Provider Is Less Than Meets The Eye – On April 24, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) announced a $2.5 million HIPAA settlement with CardioNet, a wireless health services provider.  CardioNet provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias.  OCR’s press release stated that “[t]his settlement is the first involving a wireless health services provider.”

However, as it turns out, the conduct at issue, although highly problematic, was in fact a quite old-fashioned fumble:  An unencrypted laptop containing the protected health information (“PHI”) of 1,391 individuals was stolen from a car parked outside an employee’s home.  OCR has consistently demonstrated its intolerance for the storage of PHI on unencrypted portable devices.  In fact, although OCR virtually always resolves enforcement actions through voluntary settlements, in February of this year, OCR took the extraordinary action of imposing a $3.2 million civil money penalty against a medical center that had experienced separate breach incidents involving an unencrypted laptop and Blackberry.  In that proceeding, OCR cited the medical center for, among other things, alleged “failure to deploy encryption or an equivalent alternative measure on all of its laptops, work stations, mobile devices and removable storage media” despite, according to OCR, the medical center’s longstanding knowledge about the risks of maintaining unencrypted PHI on its devices.

OCR also stated that according to its CardioNet investigation, the impermissible disclosure revealed that at the time of the theft, CardioNet had insufficient risk analysis and risk management processes in place and had failed to adopt and implement HIPAA security rule policies and procedures, which were in draft form.  Again, these alleged compliance failures are not in any way cutting-edge information security issues unique to wireless health services providers but instead involve issues of basic HIPAA blocking and tackling of longstanding concern to OCR.

Unlike some enforcement agencies, OCR is very transparent about its key HIPAA enforcement priorities, and encryption of portable electronic devices and media and meaningful risk assessment and management are at the top of the list.  OCR has published a number of guidance documents that can help covered entities and business associates make efficient use of their compliance resources, including guidance focused on mobile device security, remote access to information systems, electronic security risk assessments, data encryption and threats from ransomware. 

Reporter, Robert M. Keenan III, Atlanta, GA, +1 404 572 3591, rkeenan@kslaw.com.

Federal Court Stands By Earlier Decision Holding Financial Institutions To Higher Standard Than Customers When Pursuing Data Breach Claims – On May 1, 2017, an Illinois federal district judge dismissed data breach-related claims brought by financial institutions against a grocer.  The court distinguished the case from similar lawsuits aimed at Home Depot and Target and expressed skepticism about whether the relationship between the financial institutions and the grocer created the kind of duty recognized under negligence and contract law.  The court’s dismissal is the second time it has rejected the financial institutions’ claims.  In September 2016, the court cited the generality of the claims and the complicated business relationship between the financial institutions and the grocer as the main reasons the claims could not proceed, but dismissed most of the claims without prejudice, allowing the financial institutions to replead.  The previous dismissal was discussed in our October 3, 2016 DPS Report.

Between December 2012 and March 2013, Schnucks, a grocery chain headquartered in St. Louis, Missouri, experienced a data breach that made payment card information transmitted through its computer system vulnerable to attack by cyber criminals.  The data breach may have affected as many as 2.4 million cardholders who shopped at 79 Schnucks stores during the timeframe of the breach.  According to the amended complaint, stolen data was used in fraudulent transactions across the globe.  The financial institutions alleged that the fraudulent transactions are evidence that Schnucks did not properly encrypt customer payment information and thus fell short of industry standard.  In their original complaint, the banks pursued multiple theories of relief, including RICO conspiracy claims, breach of fiduciary duty, negligence, breach of contract, and violation of the Illinois Consumer Fraud and Deceptive Business Practices Act.

In their amended complaint, the financial institutions removed the RICO and fraud claims and attempted to address the shortcomings identified in the court’s original dismissal by including additional facts.  Despite these changes, the court was not persuaded.  In addressing the negligence claims, the court first distinguished the alleged conduct from similar claims made against Home Depot and Target.  In Home Depot, the court noted, the company’s alleged conduct in the lead up to the breach was egregious and intentional.  In Target, the court observed, the duty recognized was a data security provision unique to Minnesota law with no analogue in Missouri law.  But even despite this lack of support from precedent, the court concluded that it was still not persuaded that “public policy concerns, the existence of industry standards, or implied contractual relationships should give rise to a duty,” particularly at the time of the breach, which the court said occurred prior to general awareness of the “data breach boom.”  The court dismissed the contract claims because the financial institutions were unable to point to any portion of the contracts that expressly or impliedly contemplate the type of relationship and duty that the banks alleged.  Finally, the court concluded that the financial institutions were not third-party beneficiaries to contracts between Schnucks and other participants in the card network because no portion of the contracts contemplate the financial institutions as a beneficiary.

At the core of the court’s opinion is the same rationale it applied in its original dismissal: the complex web of interrelated contracts in the payment card industry made it difficult to assess what, if any, duty existed between Schnucks and the financial institutions.  Consequently, unless financial institutions are able to show that the merchant exhibited some sort of egregious disregard for data security, payment card issuers and other financial institutions likely will not be able to recover damages from the merchants that suffered the data breach.

Reporter, Drew Crawford, Washington, DC, +1 202 626 5512, dcrawford@kslaw.com.

NSA Curbs Collection Of Americans’ Emails – The National Security Agency (“NSA”) announced that it will voluntarily stop collecting the email and text exchanges of American citizens with persons overseas that mention a target of NSA surveillance.  Although the collection of these so-called “about” communications is permitted by Section 702 of the Foreign Intelligence Surveillance Act (“FISA”), the NSA will now limit its collection to electronic communications sent to or received by a foreign intelligence target.  In addition, the NSA will delete the vast majority of previously acquired “about” communications. 

Set to expire at the end of 2017, Section 702 allows the NSA, and the U.S. intelligence community more broadly, to conduct surveillance to combat international terrorism and cyber threats.  Section 702 permits the NSA to collect the communications of any foreign target, although the NSA generally must obtain a warrant to collect the communications of Americans, except under certain circumstances.  “About” communications were one of those exceptions.  Due to technological limitations, the NSA’s elimination of “about” communications from collection will ultimately exclude some relevant communications to or from foreign targets.  Nevertheless, the NSA determined that in light of factors like the privacy interests of Americans, the new approach is the “responsible” and “careful” option.

These policy changes within the NSA come on the heels of an in-house review of its Section 702 actions in which the NSA discovered multiple inadvertent compliance incidents.  The NSA did not make public the nature of the compliance lapses.  However, per protocol, the NSA reported these incidents to Congress and the United States Foreign Intelligence Surveillance Court (“FISC”).

Reporter, Bailey J. Langner, San Francisco, +1 415 318 1214, blangner@kslaw.com.

Accenture Survey Report Highlights Banking Cybersecurity Concerns And Offers Solutions – On April 19, 2017, professional services company Accenture released the results of its survey of security executives in the banking sector relating to cybersecurity strategy and priorities.  The survey results and accompanying analysis (the “Accenture Report”) conclude that financial services organizations are overconfident about their cybersecurity capabilities and must develop more mature cybersecurity protection mechanisms.  Accenture reached this conclusion from survey results about current systems and the fact that financial firms experience security breaches on a routine basis, both detected and undetected.  The Accenture Report, entitled Building Confidence: Solving Banking’s Cybersecurity Conundrum, is available here  

The Accenture Report assesses banks’ confidence in the effectiveness of their cybersecurity apparatus, finding that “overconfidence within the banking industry is alarmingly prevalent.”  Accenture concludes that generally, security and risk executives think their security capabilities are achieving cyber-related business outcomes, such as protecting customer and company information.  More specifically, the survey showed that “[l]arge percentages of banking respondents were confident that they are doing the right things in terms of cybersecurity, with 78 percent of large enterprise security executives surveyed expressing confidence in their cybersecurity strategies and 76 percent believing they have actually embedded effective cybersecurity into their cultures.”

The Accenture Report posits that the overconfidence stems from financial services firms’ failure to recognize the volume and effectiveness of cyberattacks—two to three effective attacks per month.  Per Accenture, “financial services firms are suffering from an astounding number of security breaches,” and a “typical financial services organization will face an average of 85 targeted breach attempts every year, a third of which will be successful.”  The Accenture Report also suggests that financial institutions’ overconfidence reveals a failure to recognize that attackers spend a great deal of time inside organizations before attacks are detected.  In the survey, “[f]ifty-nine percent of banking respondents admit it takes ‘months’ to detect successful breaches, while another 14 percent identify them ‘within a year’ or longer.” 

Finally, with respect to threat patterns, the Accenture Report states that while companies typically prioritize external security, almost fifty percent of banking respondents to the survey reported that “internal breaches have the greatest cybersecurity impact.”  The Accenture Report also notes that “many attacks are successful because they exploit employees’ login credentials.”

Accordingly, in addressing how to solve banking’s cybersecurity “conundrum,” Accenture first emphasizes the importance of creating a strong culture of cybersecurity, asserting that “a company’s people represent its best form of defense.”  To change the culture, Accenture contends that changing behaviors is critical, and suggests this is best accomplished by ensuring through training, communication, and other means, that employees and executives understand what security means to their work and the organization—“[s]ecurity is not just an IT problem.  It’s a company problem, and even a people problem.” 

Additionally, Accenture emphasizes that accountability and oversight must be spread across C-level roles so that personnel can identify, understand, and respond effectively “across multiple lines of defense.”  This should include, according to the Accenture Report, compliance audits and material, day-to-day engagement between Chief Information Security Officers and enterprise leadership.  Accenture suggests that creating such engagement requires convincing leadership that the cybersecurity team is critical to company value.

To help improve banks’ cybersecurity capabilities, the Accenture Report also recommends a twofold program: “one focused on cybersecurity assessment on the one hand, and attack simulation on the other.”  The objective of this approach is to view a cybersecurity assessment through the lens of an attack, thereby making it “easier to prioritize and to demonstrate to leadership where funding should be applied.”  The recommended assessment is not an audit based on checklists; rather, “[t]oday such an analysis needs to be a true risk assessment that identifies the controls needed to mitigate each risk.”  Accenture recommends that the controls be based on an agreed risk tolerance and metrics that evaluate “the risks against the scale of the problem.”

As to attack simulations, Accenture emphasizes the need not only for testing against external attacks, but also against internal threats.  To avoid having to test against a seemingly limitless variety of attacks, Accenture recommends that energy and investments be focused on where the company’s key assets reside.  The Accenture Report also describes a “security sparring match” exercise that helps participants understand their adversaries by determining what level of sophistication hackers would need to access the systems.  Once understood, the Accenture Report suggests, the cyber team can determine the level of cyber defense necessary to combat adversaries in accordance with the institution’s risk appetite.

To further improve a company’s cybersecurity capabilities and strengthen its resilience to cyberattacks, Accenture recommends looking at seven areas:  

  1. “Business alignment” – understanding what incident scenarios could materially affect the organization;
  2. “Governance and leadership” – focusing on security accountability, advancing a security-minded culture, monitoring performance, incentivizing employees, and creating a chain of command;
  3. “Strategic threat” – exploring threats to align security procedures with business strategy;
  4. “Cyber resilience” – developing an ability to deliver superior operational results while facing cyber adversaries;
  5. “Cyber response readiness” – having a cyber response plan, strong communications about incidents, tested plans regarding critical assets, effective escalation, and stakeholder involvement;
  6. “Extended ecosystem” – ensuring cooperation during crises, implementing cybersecurity clauses in agreements with third parties, and regulatory compliance; and
  7. “Investment efficiency” – shaping organizational understandings about cyber threats to promote appropriate allocations of cyber resources and to avoid overspending.

With regard to spending, the survey revealed that about 40 percent of banking institutions “spend between 7 percent and 10 percent of their IT budget on cybersecurity,” an amount Accenture considers appropriate.  However, the survey also showed that 20 percent overspend and 40 percent underspend.  Accenture considers both overspending and underspending to reflect an “unbalanced cybersecurity risk management strategy.”

Reporter, Kyle Sheahen, New York, +1 212 556 2234, ksheahen@kslaw.com.

ALSO IN THE NEWS

K&S University e-Learn Series Spokeo One Year Later: How Are Federal Courts Addressing Article III Standing In Light Of The Supreme Court’s Decision?

In May 2016, the U.S. Supreme Court issued a long-awaited opinion in Spokeo, Inc. v. Robins, addressing the issue of standing under Article III of the Constitution where a plaintiff does not allege that she has sustained an actual injury.  In the year since the opinion was issued, federal courts have applied Spokeo in many contexts, often with conflicting results.  Program speakers Barry Goheen and Stewart Haskins will discuss these developments and how courts are analyzing and applying Spokeo under different federal statutes.

The interactive web seminar will take place Tuesday, May 16, 2017, from 12:30 – 1:30 PM ET.  Additional details and registration information can be found here.