Morrison Mahoney  

Cybersecurity, Data Protection and Privacy Newsletter

January 20, 2021
  • Could Have Been (Much) Worse: It is estimated that insured losses from the recent SolarWinds cyber attack will come in around $90,000,000. Considering the sheer size and scope of the attack, losses could have been much, much worse. Insurers are believed to have avoided catastrophic losses because many of the hacked organizations were not fully exploited after entry was gained. 

  • Cyber Insurance: According to a recent report, the total costs of ransom payments doubled year-on-year through the first six months of 2020 “forcing insurers to become more selective and even scale back on the coverage they offer against cyber crimes.” It was always believed that the scaling back of coverage would someday happen as the cyber insurance market evolved, and 2021 could see the biggest shift in coverage yet.

  • Report Ordered Produced: In Wengui v. Clark Hill, PLC, No. 19-cv-3195 (JEB), 2021 WL 106417 (D.D.C. Jan. 12, 2021), the Court granted a plaintiff's motion to compel production of a forensic report prepared following a data breach, rejecting claims it was protected by the work-product doctrine and attorney-client privilege. While the court's findings were fact sensitive, the decision serves as a cautionary tale and a good reminder to be careful about to whom post-breach reports are distributed, as well as to read our piece from last year entitled: Capital One and the Attorney Work Product: How to Protect Breach Reports.

  • $5.1 Million HIPAA Fine: Excellus Health Plan, Inc. has agreed to pay $5.1 million to the Department of Health and Human Services Office for Civil Rights to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules relating to a data breach that lasted almost a year-and-a-half and affected over 9 million people.

  • Start Spreading the CCPA (News): Governor Cuomo of New York recently announced plans for a comprehensive law that will provide New Yorkers with transparency and control over their personal data and provide new privacy protections. This law will mandate that companies that collect information on large numbers of New Yorkers disclose the purposes of any data collection and collect only data needed for those purposes. Governor Cuomo will also establish a Consumer Data Privacy Bill of Rights guaranteeing every New Yorker the right to access, control, and erase the data collected from them; the right to nondiscrimination from providers for exercising these rights; and the right to equal access to services. Sound familiar? (see CCPA). 
As you may know, the Health Information Technology for Economic and Clinical Health Act (HITECH) was signed into law in 2009 in order to promote the adoption and meaningful use of health information technology, and provides for fines and penalties against covered entities and business associates that are non-compliant. On January 5, 2021, HITECH was amended when HR 7898, a safe harbor bill, was signed into law. The amendment requires the Secretary of Health and Human Services to consider certain recognized security practices of covered entities and business associates when making certain determinations, and for other purposes. In particular, the legislation provides that when making determinations relating to fines, decreasing the length and extent of an audit, or remedies otherwise agreed to by the Secretary, the Secretary shall consider whether the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place that may (i) mitigate fines, (ii) result in the early, favorable termination of an audit, or (iii) mitigate the remedies that would otherwise be agreed to in any agreement with respect to resolving potential violations of the HIPAA Security rule. The law defines “recognized security practices” as “the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.”
This is your periodic reminder that when it comes to data privacy oversight, the Federal Trade Commission wields a very big stick. The FTC recently exercised its authority when it entered into a Consent Agreement with Everalbum, Inc., a provider of a photo storage and organization application with approximately 12 million users, in order to resolve allegations that Everalbum made false and misleading statements to consumers in violation of Section 5 of the FTC Act, which prohibits unfair and deceptive trade practices. In particular, the FTC alleged that Everalbum represented that it was not using face recognition unless the user enabled it or turned it on when, in fact, that was not the case. It was also alleged that Everalbum represented in its Privacy Policy that it would delete users’ photos and videos upon users’ deactivation of their accounts, when instead the company stored them indefinitely. The proposed settlement requires Everalbum to delete photos and videos of app users who deactivated their accounts as well as any facial recognition models or algorithms developed with users’ photos or videos. In addition, the proposed settlement prohibits Everalbum from misrepresenting how it collects, uses, discloses, maintains, or deletes personal information, including face embeddings created with the use of facial recognition technology, as well as the extent to which it protects the privacy and security of personal information it collects. Under the proposed settlement, if the company markets software to consumers for personal use, it must obtain a user’s express consent before using biometric information it collected from the user through that software to create face embeddings or develop facial recognition technology. The full Consent Agreement can be found here.

Fifth Circuit Deals Blow to Federal Enforcement of Penalties Under HIPAA in M.D. Anderson Case
By: Alex D'Amico
In 2012 and 2013, a series of data incidents occurred involving M.D. Anderson Cancer Center personnel: 1) a faculty member’s unencrypted and unprotected laptop, containing electronic protected health information (ePHI), was stolen; 2) an M.D. Anderson trainee lost an unencrypted USB thumb drive containing ePHI during their evening commute; and 3) a visiting researcher misplaced another unencrypted USB thumb drive containing ePHI. M.D. Anderson notified the Department of Health and Human Services (HHS) of these incidents, and HHS determined that M.D. Anderson violated two federal regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (the “HITECH Act”): a) the requirement to implement a mechanism to encrypt ePHI or adopt some other reasonable and appropriate method to limit access to patient data; and b) the prohibition of unpermitted disclosure of protected health information.
Initially, HHS imposed fines for the three incidents totaling $4,348,000.  M.D. Anderson filed several administrative appeals, and HHS conceded that the penalty was overly aggressive, arguing that a reduced penalty of $450,000 was appropriate.  Still, M.D. Anderson challenged the penalty on the grounds that it violates the Administrative Procedure Act, which prohibits federal agency actions that are “arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law.”
Last week, the Fifth Circuit agreed with M.D. Anderson, concluding that the HHS’s penalty was arbitrary, capricious, and otherwise unlawful.  The court gave four reasons for its decision.  First, the Court said that even though there were several incidents where M.D. Anderson data was not encrypted, M.D. Anderson did have a system in place to encrypt and decrypt mobile devices, emails, and files, and provided employee training. The failure of three employees to abide by the encryption mechanisms in place does not disprove the existence of the encryption mechanism.
Second, the incidents that occurred were not necessarily “disclosures” in violation of the Disclosure Rule.  The Disclosure Rule prohibits the disclosure of ePHI by covered entities.  Disclosure is defined in terms of active verbs (release, transfer, provide, and divulge), none of which occurred in the subject accidents that led to the passive exposure of ePHI.  Further, there was no evidence of disclosure to someone outside of M.D. Anderson.
Third, there is a bedrock principle that agencies must treat like cases alike.  M.D. Anderson provided examples of entities violating the Encryption Rule and facing no financial penalties.
Fourth, the penalties imposed were attributed to “reasonable cause,” and not “willful neglect.”  For reasonable cause violations, the total penalty relating to violations of an identical requirement or prohibition during a calendar year may not exceed $100,000.
Accordingly, the Fifth Circuit vacated the penalty against M.D. Anderson.  This case may provide some relief for HIPAA-covered entities to see that when they have broad data protection mechanisms in place, they will not necessarily face harsh penalties for the negligence of isolated individuals that fail to comply.  On the other hand, it is also important to remember that as a result of the data incidents, M.D. Anderson has still suffered in the meantime: 1) it has faced the risk of liability in connection with the incidents for years; 2) it had to retain counsel to protect its rights in legal proceedings; and 3) it has suffered reputational harm.  The key takeaway for HIPAA-covered entities is that even though M.D. Anderson’s victory dealt a substantial blow to HHS’s ability to impose large penalties for HIPAA violations, it is still best to take all possible steps to prevent incidents from occurring in the first place.
Daniel Marvin, Robert Stern, John Knight
Michael Aylward, Eva Kolstad and Anthony Abeln
Alex D'Amico and Jennifer Chan

This communication, which we believe may be of interest to our clients and friends, is for general information only. It is not a full analysis of the matters presented and should not be relied upon as legal advice. If you have received this email in error, please notify the sender immediately and destroy the original message, any attachments, and all copies. This may be considered attorney advertising in some jurisdictions. If you have any questions about the items above or Morrison Mahoney's Cybersecurity, Data and Privacy Protection practice, please feel free to contact Daniel Marvin at or Robert Stern at rstern@morrisonmahoney.com

With 180 attorneys and 10 offices throughout the Northeast, Morrison Mahoney LLP is one of the leading business and litigation firms in the region. We provide a wide array of legal services covering cybersecurity, litigation, transactional, appellate and insurance coverage practice areas. For more information about the firm, visit our web site at:
Wall Street Plaza, 88 Pine Street, Suite 1900 | New York, NY 10005
Phone: 212-825-1212