Morrison Mahoney  
Connecticut  >>  Massachusetts  >>  New Hampshire  >>  New Jersey  >>  New York  >>  Rhode Island  >>  United Kingdom

Cybersecurity, Data Protection and Privacy Newsletter

October 23, 2018
Welcome to the Morrison Mahoney Cybersecurity, Data Protection and Privacy Newsletter. If you haven't already, please sign up to have future newsletters automatically sent to your inbox.  
IN CASE YOU MISSED IT...
  • On October 16, 2018, the Securities and Exchange Commission issued an investigative report outlining whether nine public issuers which were victims of business email compromise fraud (spoofing) may have violated the federal securities laws by failing to have a sufficient system of internal accounting controls. In connection with the investigation, the Commission considered whether the nine issuers complied with the requirements of Sections 13(b)(2)(B)(i) and (iii) of the Securities Exchange Act of 1934, which require issuers to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed with, or that access to company assets is permitted only with, management’s general or specific authorization. The Report concluded that public issuers subject to the requirements of Section 13(b)(2)(B) must calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly.

  • Anthem, Inc. has reached a settlement agreement with the government relating to the largest health-care related data breach in U.S. history. Anthem agreed to pay $16 million to the U.S. Department of Health and Human Services, Office for Civil Rights, and take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules after a series of cyberattacks led to the exposure of the electronic protected health information of almost 79 million people.

  • Speaking of HIPAA, in January, 2019, the U.S. Department of Health and Human Services will ask for public comment on a proposed change to HIPAA that would allow the sharing of monetary penalties and settlements paid by health-care organizations as a result of a data breach with those individuals whose records were compromised. Such a change will undoubtedly increase public complaints about HIPAA violations, and should serve as a warning to HIPAA covered organizations that cyber-security must be a top-level concern.

  • A Federal Court in Florida recently ruled that a claim asserting that an insured’s negligent data security practices led to a payment card breach did not trigger personal injury coverage under a Commercial General Liability policy because it was the hacker’s conduct, and not the insured’s business practices/omissions, that led to the breach. This is another case that underscores the importance of policy language and interpretation. The case is St. Paul Fire & Marine Ins. Co. v. Rosen Millennium, Inc. (M.D. Fla. Sept. 28, 2018), and the decision can be found here.

  • The European Data Protection Supervisor stated last week that EU regulators had received a flood of GDPR related complaints, and the first GDPR fines should be expected by the end of the year.  

For more information on any of these stories please contact Daniel Marvin by clicking here. 
DID YOU KNOW...
...that  the Office of the National Coordinator for Health Information Technology, in collaboration with the Department of Health and Human Services (HHS) Office for Civil Rights, offers a FREE downloadable Security Risk Assessment Tool designed to help small and medium sized healthcare providers conduct a security risk assessment as required by the HIPAA Security Rule. The tool was updated this month to make it easier to use and provide enhanced functionality to document how organizations implement safeguards to mitigate, or plan to mitigate, identified risks. Importantly, all information entered into the SRA Tool is stored locally to the users’ computer or tablet, and HHS does not receive, collect, view, store or transmit any information. The results of the assessment are displayed in a report which can be used to determine risks in policies, processes and systems and methods to mitigate weaknesses are provided as the user is performing the assessment. The tool is available for Windows and iPad by following the link above. If you need assistance navigating the software, you can contact a member of our team. 
Report by Mass. General's Center for Quantitative Health Highlights 2010-2017 Shift in Data Breach Trends
By: Anthony Abeln
The Center for Quantitative Health at Massachusetts General Hospital recently released a report of trends emerging from data breaches reported to the Office of Civil Rights of the U.S. Department of Health and Human Services from January 1, 2010, to December 31, 2017.   These trends are significant data points for health care providers, their IT professionals, and their insurers.
The study’s authors, Drs. Thomas McCoy Jr. and Roy H. Perlis,  examined changes over time in breaches by providers, health plans, and business associates of both.  They studied 2,139 breaches, which involved over 175 million patient records. 
Of note, in 2010, the most common data breach was still the theft of physical records.  By 2017, this had shifted to data hacking and unauthorized access to patient data.  Network servers were the main target of attack by 2017, rather than laptops, paper and films at the beginning of the study. Although the majority of breaches came from health care providers themselves, health care plans were responsible, according to the study, for the largest number of exposed medical records.
As the authors noted, “[a]lthough networked digital health records have the potential to improve clinical care … they also have the potential for harm to vast numbers of patients at once if data security is not improved,” authors Thomas H. McCoy Jr., M.D., and Roy H. Perlis, M.D., M.Sc., wrote. 
The research letter, published in the JAMA network, can be accessed here
American Bar Association Issues Formal Opinion Requiring Client Notification in the Event of a Data Breach
By: Robert A. Stern 
We previously noted that law firms that electronically store clients’ personal identifying information, personal health information and confidences and secrets possess valuable information sought by hackers and, therefore, are no less vulnerable to cyber-attacks than any other organization connected to the internet. We also noted that the potential legal and administrative liability law firms face in the event of a data breach requires them to recognize, assess and address their risk from the unauthorized acquisition of unencrypted sensitive data belonging to their clients.
Like other organizations possessing sensitive information, law firms are subject to applicable state and federal laws and regulations to safeguard and protect data, as well as specific ethical rules governing their profession. ABA Model Rules 1.1 and 1.6 require attorneys to take competent and reasonable measures to safeguard information relating to their clients. In the 2015 ABA Tech Report, it was noted that:
law firm “[i]nformation security starts with a risk assessment to determine what needs to be protected and the threats that it faces. Comment [18] to Model Rule 1.6 includes a risk assessment approach to determine reasonable measures that attorneys should employ. The first two factors in the analysis are ‘the sensitivity of the information’ and ‘the likelihood of disclosure if additional safeguards are not employed.’ This analysis should include a review of security incidents that an attorney or law firm has experienced and those experienced by others in the legal profession…. The next factors in the risk analysis cover available safeguards. Comment [18] to Model Rule 1.6 includes [considering] …the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use). Comment [18] uses a standard risk-based approach.
Building on the foregoing Model Rules and ABA Tech Report, last week the ABA issued Formal Opinion 483 addressing lawyers’ obligations in response to a data breach or cyberattack. The opinion summary notes that: 
Model Rule 1.4 requires lawyers to keep clients “reasonably informed” about the status of a matter and to explain matters “to the extent reasonably necessary to permit a client to make an informed decision regarding the representation.” Model Rules 1.1, 1.6, 5.1 and 5.3, as amended in 2012, address the risks that accompany the benefits of the use of technology by lawyers. When a data breach occurs involving, or having a substantial likelihood of involving, material client information, lawyers have a duty to notify clients of the breach and to take other reasonable steps consistent with their obligations under these Model Rules.
Thus, under the ABA formal opinion, law firms have a duty to notify their clients of a breach and to provide updates to their clients as to any findings relating to a breach or cyberattack that puts their personal data and/or client secrets and confidences at risk. It is important to note that any duties to disclose, investigate, mitigate and remediate cyber threats under the formal opinion is independent of any other applicable federal, state and local laws and regulations with which law firms may be required to comply. With respect to former clients whose data may have been compromised, the formal opinion does not take a position as to whether there is any ethical duty to disclose, stating “the Model Rules provide no direct guidance on a lawyer’s obligation to notify the former client. Rule 1.9(c) provides that a lawyer 'shall not . . . reveal' the former client’s information. It does not describe what steps, if any, a lawyer should take if such information is revealed. The Committee is unwilling to require notice to a former client as a matter of legal ethics in the absence of a black letter provision requiring such notice.”
The ABA formal opinion provides further guidance to lawyers as to what their ethical obligations are with respect to notifying clients in the event of a date breach and/or cyberattack. As noted, such ethical obligations are separate from any other legal requirements mandated under federal or state law. Accordingly, the formal opinion provides another important cybersecurity consideration to law firms as to their ethical obligations to implement reasonable safeguards to protect sensitive data, consistent with applicable ethical rules and cybersecurity/breach notification laws. 
LinkedIn
Crunch Gym Petitions for a Rehearing in TCPA Class Action
By: Jennifer Chan 
Earlier this month Crunch San Diego (“Crunch”) petitioned for a rehearing en banc in Marks v. Crunch San Diego. As previously discussed here, in September, the Ninth Circuit unanimously revived a proposed TCPA class action, that was previously dismissed, and remanded the case to the district court in light of the ACA International v. FCC D.C. Circuit ruling. The D.C. Circuit ruling struck down the FCC’s expansive “autodialer” definition which swept a broad range of equipment that lacked the present capacity to have autodialer functions to be subject to TCPA restrictions. The Ninth Circuit unanimously reversed finding that there was a genuine issue of fact as to whether the Textmunication system used by Crunch is an ATDS and therefore it was sufficient to survive summary judgment.
In its petition, Crunch argues that the decision must be reconsidered because it interprets the TCPA “in a manner that directly conflicts with the statutory text, legislative history, and binding intracircuit and persuasive inter-circuit authority from the Third and D.C. Circuits” concerning the scope of an autodialer. Crunch further argues that the panel’s opinion creates a circuit split that will result in more uncertainty by reviving the overbreadth problem that the D.C. Circuit ruled was over inclusive and thereby causing every device to qualify as an ATDS.
The FCC has issued a request for comment on how to interpret restrictions on the use of ATDS. Crunch was among one of the commenters urging the FCC to not adopt the ruling by the Ninth Circuit as it “expansively” construes the statutory term of ATDS and liability under the statute. The FCC is accepting reply comments through October 24, 2018. 
Class Action Lawsuits Against Yale Underscore the Importance of Data Disposal
By: Alex D'Amico
On August 1, 2018, Julie Mason, on behalf of herself and all others similarly situated, commenced a class action lawsuit against Yale University arising out of a data breach that occurred between April 2008 and January 2009 and affected approximately 119,000 individuals.  The breach involved the unauthorized access of intruders to Yale’s electronic database to extract names and Social Security numbers, as well as dates of birth, email addresses, and physical addresses.  In July 2018, Yale advised affected individuals by letter that their information had been exposed.  Yale stated that it discovered the breach in June 2018 during a security review of its servers, but that the information itself had been deleted in September 2011.  Ms. Mason states that she has never been a student, alumnus, or staff member of Yale, and her only connection to Yale is that she applied for a visiting student program in approximately 1996.  Ms. Mason allegedly has suffered from multiple incidents of identity theft since the data breach occurred.  The lawsuit includes claims for negligence, as well as violations of state laws in Connecticut and New York.
On October 15, 2018, a man named Andrew Mason commenced a second class action lawsuit against Yale in connection with the data breach.  Mr. Mason states that he provided personal information to Yale in approximately 2005 when he registered to attend classes and reside on the Yale campus.  Mr. Mason’s lawsuit includes claims for negligence, reckless, wanton, and willful misconduct, and unfair trade practices.
The Yale data breach and resulting litigation underscore the importance of data retention and disposal policies.  Investing time and resources in developing a data retention policy will help an organization distinguish between the different types of information in its possession, as well as the varying levels of importance and sensitivity for each category of information.  By making these determinations, the organization will be able to decide how long to retain each category of information, and by extension, the details of disposal, including when and by what method the information will be destroyed.  It is unclear whether Ms. Mason’s data from 1996 and Mr. Mason’s from 2005 had any continuing utility to Yale at the time of the breach, years after the data was obtained.  If it did not, the retention of such information unnecessarily exposed Yale to the risk of a cyber incident.  Data that is properly destroyed cannot later expose an organization to cyber risk in connection with a breach, and the Yale data breach and litigation underscore that organizations should develop their data retention and disposal policies accordingly.
Email us at cybersecurity@morrisonmahoney.com
Learn more about our team by clicking on the images below.
Daniel Marvin, Robert Stern, John Knight
Michael Aylward, Christopher Martin and Anthony Abeln
Alex D'Amico and Jennifer Chan

This communication, which we believe may be of interest to our clients and friends is for general information only. It is not a full analysis of the matters presented and should not be relied upon as legal advice. If you have received this email in error, please notify the sender immediately and destroy the original message, any attachments, and all copies. This may be considered attorney advertising in some jurisdictions. If you have any questions about the items above or Morrison Mahoney's Cybersecurity, Data and Privacy Protection practice, please feel free to contact Daniel Marvin at dmarvin@morrisonmahoney.com or Robert Stern at rstern@morrisonmahoney.comWith 180 attorneys and 10 offices throughout the Northeast, Morrison Mahoney LLP is one of the leading business and litigation firms in the region. We provide a wide array of legal services covering cybersecurity, litigation, transactional, appellate and insurance coverage practice areas. For more information about the firm, visit our web site at: www.morrisonmahoney.com.
120 Broadway, Suite 1010 | New York, NY 10271
Phone: 212-825-1212 | www.morrisonmahoney.com
Manage your preferences | Opt out using TrueRemove®
Got this as a forward? Sign up to receive our future emails.
View this email online.
This email was sent to kconyers@morrisonmahoney.com.
To continue receiving our emails, add us to your address book.