Cybersecurity, Data Protection and Privacy Newsletter
October 23, 2018
Welcome to the Morrison Mahoney Cybersecurity, Data Protection and Privacy Newsletter. If you haven't already, please sign up to have future newsletters automatically sent to your inbox.
IN CASE YOU MISSED IT... For more information on any of these stories please contact Daniel Marvin by clicking here.
DID YOU KNOW...

...that the Office of the National Coordinator for Health Information Technology, in collaboration with the Department of Health and Human Services (HHS) Office for Civil Rights, offers a FREE downloadable Security Risk Assessment (SRA) Tool designed to help small and medium-sized healthcare providers conduct the security risk assessment required by the HIPAA Security Rule. The tool was updated this month to make it easier to use and to provide enhanced functionality for documenting how organizations implement safeguards to mitigate, or plan to mitigate, identified risks. Importantly, all information entered into the SRA Tool is stored locally on the user's computer or tablet; HHS does not receive, collect, view, store or transmit any of it. The results of the assessment are displayed in a report that can be used to identify risks in policies, processes and systems, and methods to mitigate weaknesses are suggested as the user performs the assessment. The tool is available for Windows and iPad by following the link above. If you need assistance navigating the software, you can contact a member of our team.
Report by Mass. General's Center for Quantitative Health Highlights 2010-2017 Shift in Data Breach Trends
By: Anthony Abeln
The Center for Quantitative Health at Massachusetts General Hospital recently released a report of trends emerging from data breaches reported to the Office of Civil Rights of the U.S. Department of Health and Human Services from January 1, 2010, to December 31, 2017. These trends are significant data points for health care providers, their IT professionals, and their insurers.
The study’s authors, Drs. Thomas McCoy Jr. and Roy H. Perlis, examined changes over time in breaches by providers, health plans, and business associates of both. They studied 2,139 breaches, which involved over 175 million patient records.
Of note, in 2010 the most common data breach was still the theft of physical records. By 2017, this had shifted to hacking and unauthorized access to patient data. Network servers were the main target of attack by 2017, whereas laptops, paper and films had been at the beginning of the study. Although the majority of breaches came from health care providers themselves, health care plans were responsible, according to the study, for the largest number of exposed medical records.
As the authors, Thomas H. McCoy Jr., M.D., and Roy H. Perlis, M.D., M.Sc., wrote: “[a]lthough networked digital health records have the potential to improve clinical care … they also have the potential for harm to vast numbers of patients at once if data security is not improved.”
The research letter, published in the JAMA network, can be accessed here:
American Bar Association Issues Formal Opinion Requiring Client Notification in the Event of a Data Breach
By: Robert A. Stern

We previously noted that law firms that electronically store clients’ personal identifying information, personal health information and confidences and secrets possess valuable information sought by hackers and, therefore, are no less vulnerable to cyber-attacks than any other organization connected to the internet. We also noted that the potential legal and administrative liability law firms face in the event of a data breach requires them to recognize, assess and address their risk from the unauthorized acquisition of unencrypted sensitive data belonging to their clients. Like other organizations possessing sensitive information, law firms are subject to applicable state and federal laws and regulations to safeguard and protect data, as well as to specific ethical rules governing their profession. ABA Model Rules 1.1 and 1.6 require attorneys to take competent and reasonable measures to safeguard information relating to their clients.

The 2015 ABA Tech Report noted that law firm “[i]nformation security starts with a risk assessment to determine what needs to be protected and the threats that it faces. Comment [18] to Model Rule 1.6 includes a risk assessment approach to determine reasonable measures that attorneys should employ. The first two factors in the analysis are ‘the sensitivity of the information’ and ‘the likelihood of disclosure if additional safeguards are not employed.’ This analysis should include a review of security incidents that an attorney or law firm has experienced and those experienced by others in the legal profession…. The next factors in the risk analysis cover available safeguards. Comment [18] to Model Rule 1.6 includes [considering] …the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use). Comment [18] uses a standard risk-based approach.”

Building on the foregoing Model Rules and ABA Tech Report, last week the ABA issued Formal Opinion 483, addressing lawyers’ obligations in response to a data breach or cyberattack. The opinion summary notes that Model Rule 1.4 requires lawyers to keep clients “reasonably informed” about the status of a matter and to explain matters “to the extent reasonably necessary to permit a client to make an informed decision regarding the representation.” Model Rules 1.1, 1.6, 5.1 and 5.3, as amended in 2012, address the risks that accompany the benefits of the use of technology by lawyers. When a data breach occurs involving, or having a substantial likelihood of involving, material client information, lawyers have a duty to notify clients of the breach and to take other reasonable steps consistent with their obligations under these Model Rules.

Thus, under the ABA formal opinion, law firms have a duty to notify their clients of a breach and to provide updates to their clients as to any findings relating to a breach or cyberattack that puts their personal data and/or client secrets and confidences at risk. It is important to note that any duties to disclose, investigate, mitigate and remediate cyber threats under the formal opinion are independent of any other applicable federal, state and local laws and regulations with which law firms may be required to comply.

With respect to former clients whose data may have been compromised, the formal opinion does not take a position as to whether there is any ethical duty to disclose, stating: “the Model Rules provide no direct guidance on a lawyer’s obligation to notify the former client. Rule 1.9(c) provides that a lawyer ‘shall not . . . reveal’ the former client’s information. It does not describe what steps, if any, a lawyer should take if such information is revealed. The Committee is unwilling to require notice to a former client as a matter of legal ethics in the absence of a black letter provision requiring such notice.” The ABA formal opinion provides further guidance to lawyers as to their ethical obligations with respect to notifying clients in the event of a data breach and/or cyberattack. As noted, such ethical obligations are separate from any other legal requirements mandated under federal or state law. Accordingly, the formal opinion gives law firms another important cybersecurity consideration: their ethical obligation to implement reasonable safeguards to protect sensitive data, consistent with applicable ethical rules and cybersecurity/breach notification laws.
Crunch Gym Petitions for a Rehearing in TCPA Class Action
By: Jennifer Chan

Earlier this month Crunch San Diego (“Crunch”) petitioned for a rehearing en banc in Marks v. Crunch San Diego. As previously discussed here, in September the Ninth Circuit unanimously revived a proposed TCPA class action that had previously been dismissed, and remanded the case to the district court in light of the D.C. Circuit's ruling in ACA International v. FCC. The D.C. Circuit ruling struck down the FCC’s expansive “autodialer” definition, which had swept a broad range of equipment lacking the present capacity to perform autodialer functions into the scope of TCPA restrictions. The Ninth Circuit unanimously reversed, finding that there was a genuine issue of fact as to whether the Textmunication system used by Crunch is an ATDS, which was sufficient to survive summary judgment.

In its petition, Crunch argues that the decision must be reconsidered because it interprets the TCPA “in a manner that directly conflicts with the statutory text, legislative history, and binding intracircuit and persuasive inter-circuit authority from the Third and D.C. Circuits” concerning the scope of an autodialer. Crunch further argues that the panel’s opinion creates a circuit split that will result in more uncertainty by reviving the overbreadth problem the D.C. Circuit found over-inclusive, thereby causing every device to qualify as an ATDS. The FCC has issued a request for comment on how to interpret restrictions on the use of an ATDS. Crunch was among the commenters urging the FCC not to adopt the Ninth Circuit's ruling, as it “expansively” construes the statutory term ATDS and liability under the statute. The FCC is accepting reply comments through October 24, 2018.
Class Action Lawsuits Against Yale Underscore the Importance of Data Disposal
By: Alex D'Amico

On August 1, 2018, Julie Mason, on behalf of herself and all others similarly situated, commenced a class action lawsuit against Yale University arising out of a data breach that occurred between April 2008 and January 2009 and affected approximately 119,000 individuals. In the breach, intruders gained unauthorized access to Yale’s electronic database and extracted names and Social Security numbers, as well as dates of birth, email addresses, and physical addresses. In July 2018, Yale advised affected individuals by letter that their information had been exposed. Yale stated that it discovered the breach in June 2018 during a security review of its servers, but that the information itself had been deleted in September 2011. Ms. Mason states that she has never been a student, alumnus, or staff member of Yale, and that her only connection to Yale is that she applied for a visiting student program in approximately 1996. Ms. Mason allegedly has suffered multiple incidents of identity theft since the data breach occurred. The lawsuit includes claims for negligence, as well as violations of state laws in Connecticut and New York.

On October 15, 2018, a man named Andrew Mason commenced a second class action lawsuit against Yale in connection with the data breach. Mr. Mason states that he provided personal information to Yale in approximately 2005 when he registered to attend classes and reside on the Yale campus. Mr. Mason’s lawsuit includes claims for negligence; reckless, wanton, and willful misconduct; and unfair trade practices.

The Yale data breach and resulting litigation underscore the importance of data retention and disposal policies. Investing time and resources in developing a data retention policy will help an organization distinguish between the different types of information in its possession, as well as the varying levels of importance and sensitivity of each category of information. By making these determinations, the organization will be able to decide how long to retain each category of information and, by extension, the details of disposal, including when and by what method the information will be destroyed. It is unclear whether Ms. Mason’s data from 1996 and Mr. Mason’s from 2005 had any continuing utility to Yale at the time of the breach, years after the data was obtained. If it did not, retaining that information unnecessarily exposed Yale to the risk of a cyber incident. Data that has been properly destroyed cannot later expose an organization to cyber risk in connection with a breach, and the Yale data breach and litigation underscore that organizations should develop their data retention and disposal policies accordingly.
This communication, which we believe may be of interest to our clients and friends, is for general information only. It is not a full analysis of the matters presented and should not be relied upon as legal advice. If you have received this email in error, please notify the sender immediately and destroy the original message, any attachments, and all copies. This may be considered attorney advertising in some jurisdictions. If you have any questions about the items above or Morrison Mahoney's Cybersecurity, Data and Privacy Protection practice, please feel free to contact Daniel Marvin at dmarvin@morrisonmahoney.com or Robert Stern at rstern@morrisonmahoney.com. With 180 attorneys and 10 offices throughout the Northeast, Morrison Mahoney LLP is one of the leading business and litigation firms in the region. We provide a wide array of legal services covering cybersecurity, litigation, transactional, appellate and insurance coverage practice areas. For more information about the firm, visit our web site at: www.morrisonmahoney.com.
120 Broadway, Suite 1010 | New York, NY 10271
Phone: 212-825-1212 | www.morrisonmahoney.com