Cybersecurity & Tech

Federal Health and Human Services has pursued a string of health care data breach claims against health care providers.

Health care data is protected under HIPAA, and data breach issues could also fall under data security laws and regulations.  

For refresher on the HHS settlement with Anchorage Community Mental Health Services, see Association of Corporate Counsel. 

Forecasting trends related to hacking/data breaches/cyber security is a hot topic. Just look at the plethora of class action lawsuits, and the Sony hack that led to pulling the film, The Interview, and its own set of lawsuits.

In an interview with the WallStreet Journal Legal Writer Dan Dipietro, a cyber security expert says he expects cyber security insurance to soon be part of the ordinary course of business.  

WallStreet Journal

Tech companies (makers of computers, phones, tablets, etc… & software companies) are getting protection under a bill By Sen. Wyden.  

Think of all the personal privacy bills in Texas during 2013- drones, license plate capturing, photography protections… Texas loves protecting personal privacy from big brother. 

The Wyden bill would prohibit law enforcement from requiring tech companies to make it easy for law enforcement to access data and devices. Closing this exception would make it harder for hackers to access data and devices.

Win for data security against hackers. Win for Constitutional protection against unreasonable searches.   VPN Creative | The Verge 

Lawmakers wants to know what financial institutions are doing to keep financial data secure. This applies to state and federal lawmakers.

National press focuses on federal lawmakers. So, here we go: Sen. Warren and Rep. Cummings want to know which banks have experienced cyber attacks. They claim 500 million records have been hacked from financial institutions in the last year, and they want solutions to fix it.

We all know this will first get fixed on the state level,  like the 11 states that enacted data security bills in 2014. 

 Above the Law  | Letter from Sen. Warren & Rep. Cummings  

California’s sweeping data security legislation should serve as a model for the nation and states according to the National Consumers League (“NCL”).

NCL also commends the 10 states that have enacted data security legislation requiring businesses to implement data security protocols. The Hill  California’s Assembly Bill 1710

Data breaches and law suits go together like PB&J- pear, brie and jambon.

Sony faces a class action lawsuit from former employees, who claim Sony had knolwedge of the data security weaknesses & did nothing to correct or protect confidential information.

The data breach leak included personal & confidential employee information, and their lawsuit is limited to the leaking of the employee information.  Deadline Hollywood  Sony Employee Class Action Court Filing 

This should be on every employer’s radar as well as the impending legislation to address data security that may add new burdens to businesses. 

New York is home to WallStreet. Naturally the New York Department of Financial Services would include new exmaination requirements that focus on data security. Exmainations will now include:

• Management of 3rd parties
• Cyber Security Insurance requirements
• Monitoring, protection, testing, and detection of cyber security systems [3 page letter from NYDFS] [WSJ]

Winter 2013 brought a large data breach for Target. Various lawsuits ensued. Financial institutions sued. Individuals sued.

Target had sought to dismiss the suit brought by 5 financial institutions. The judge said, “NO,” in one of the first rulings of its kind allowing financial institutions to sue retailers for data breaches. 

Judge Magnuson also said, “imposing a duty on Target in this case will aid Minnesota’s policy of punishing companies that do not secure consumers’ credit- and debit-card information.”  [Bloomberg] [Law360] [NY Times | BitsBlog]

HHSC gave the House Committee on Public Health and the Senate Health and Human Services Committee a holiday gift- a report on data security.

The report lays out plans for rulemaking and legislative recommendations, including new requirements for providers: 

Iowa Department of Motor Vehicles is releasing an app that will function as your driver’s license. No more getting ticketed for not having your driver’s license with you, unless your phone battery is drained. 

State officials assure that the app and driver’s license will be secure from data security breeches.  [Des Moines Register]

Legislation predictions from Bankers: 

• Banks required to appoint chief information security officers
• Banks to undergo quarterly tests for information system vulnerabilities
• Required review of these third-party contracts and relationships
• Standard set of protocols that banks must follow
• Tort issues like: 
  • assign legal duties and responsibility
  • illuminate investor or shareholder disclosure obligations

[American Banker]

How do policy makers balance the need for educational systems to adapt and improve while also protecting student data?

 It’s a state issue. It’s a federal issue. It’s a local school district policy issue. Politico calls it an issue that “Parents, activists and a select group of lawmakers are clamoring for a fix.”

Federal, bipartisan bills are languishing. in 2014 Colorado, Oklahoma and California passed their own bills to protect sudent data. Industry wants to self regulate, with some online education providers signing a letter that states they will not sell student data.  [Politico]

Winter 2013 brought a large data breach for Target. Various lawsuits ensued. Financial institutions sued. Individuals sued.

Target had sought to dismiss the suit brought by 5 financial institutions. The judge said no.

Judge Magnuson also said, “imposing a duty on Target in this case will aid Minnesota’s policy of punishing companies that do not secure consumers’ credit- and debit-card information.”  [Bloomberg] [Law360]

President Obama’s pick to lead the Pentagon, Ashton Carter, is a strong proponent of increasing data security. He’s been involved with the reorganization of US Cyber Command. ​

Expect more legislative & media attention for data security. [Washington Post] 

Retailers support uniform notification requirements. Pawlenty, head of the Financial services Roundtable, wants them to go a step further.

He wants businesses to meet the high standards that financial institutions have to meet.  [The Hill]

Multidistrict litigation found its new bread and butter in data breach lawsuits. The Credit Union National Association determined that the Home Depot data breach cost credit unions $60 million. $60 million hit includes the cost to reissue cards, deal with fraud and cover other costs. [Atlanta Business Journal]

FTC’s data security enforcement powers are rooted in FTC Act. The Third Circuit Court of Appeals is considering an appeal of a ruling that affirmed the FTC’s data security enforcement powers. The Center for Democracy and Technology supports the FTC’s enforcement powers. [CDT]

Protecting the personal privacy of citizens is trending. Wyoming is considering legislation that will:

• Limit the amount of information the state can collect
• Prohibit the sale of information to third parties [Wyoming Public Media]

Data Security is a concern for businesses large and small. These associations are urging fair reform that doesn’t overburden businesses, large or small: 

Back in 2013, gubernatorial candidate Greg Abbott released his “We the People Plan” focusing on privacy. He’s concerned about data security, specifically:

• The sale or resale of Texans’ data by state agencies
• Extending the prohibitions against re-identification of de-identified data to non-medical data [Greg Abbott’s We the People Plan]

Data breaches don’t only affect retail establishments and customers, banks and credit unions are also affected.  Each data breach requires new credit and debit cards to be printed and mailed, and for fraudulent charges to be covered.  This comes at a hefty cost to financial institutions. 

The “Credit Union National Association says September’s data security breach at Home Depot cost its members nearly $60 million to reissue cards and cover fraudulent charges.” That’s double the estimate to cover the Target data breach. [Washington Business Journal]

The 2014 Home Depot data breach litigation has raised the very tort issues that data breach legislation addresses- venue and consolidation. Whenever there are a lot of injuured parties, spread out throughout a state or country these issues arise.

Data security breaches are the new pharmaceutical class action. [National Law Review]

36 states considered 110 bills related to student data protection and privacy in 2014. The usual and obvious bills to ban collecting and/or storing student data were filed. And more nuanced bills were fild such as those which granted State Baords of Education privacy powers to protect student data. 

Need some pictures to show what was considered throughout the country? Check out the Data Quality Campaign. [Data Quality Campaign]

Schools have been tracking students to make them safer and more efficicent. The more data that is collected, the more information there is that can be fruitful to the nefarious hackers.

This year Florida became the first state to ban the collection of biometric identifiers from students. In 2014, 36 states considersidered 110 bills on protecting data security of students.

What type of student data protections are we seeing?

• FL bans collecting student biometric identifiers
• KS requires parental consent for collection biometric identifiers from students
• NH, CO, & NC ban the collection and retention of student biometric identifiers
• NH & MO said no to radio frequency student identification cards  [Pew Trusts]

The phrase “if any” is giving lawsyers fodder with California’s new data security law. The issue is whether “if any” means credit monitoring must be offered or may be offered. 

As always, drafting matters. Read carefully. Consider propositions, conjunctions, and the placement of commas. It matters. [National Law Review]

There’s a national talent deficit in cybersecurity personnel. Its also hard to hire the necessary talent when the talent can fiscally fare far better in the private sector. [The Fiscal Times]

Strong economies rely on investor confidence. According to a poll by the Center for Audit Quality, increased data security regulation leads to improved investor confidence.

Investor confidence in the U.S. economy stands at 70%.  [Journal of Accountancy]

Early this year privacy advocates had a win when ICE retracted its planned policy to allow access to a national law enforcement license-plate tracking system.

Local ICE offices didn’t like this. So, they started buying access to a private company’s vehcile registration database. Houston ICE office is noted as buying the private company’s vehicle database.

On going criminal investigations, where constitutional protections apply, are one thing, but open access to a private company’s vehicle registration database is concerning to privacy rights adovates and civil libertarians. [Washington Post]

A New Jersey data security bill is called best practices for businesses and government, but also increases the costs of government and of doing business.

The bill would require notification for more data breaches. Like most states notification in New Jersey was required for traditional indentify fraud issues- like when a name and social security number are released.

The new legidslation requires disclosure of a breach if  usernames and email addresses, in combination with a password or security question-and-answer, are released or captured. [Philadelphia Business Journal]

Washington Post points out that local regulations on ride share continuously forego obtianing access to anonymized ride share data. Its the same data local governments collect from taxicab drivers. 

The data  serves two purposes.

(1) It strengthens transportation systems  and gives tools for transportation planners, and

(2)It  provides an understadning of how many jobs ride share is creating. [Washington Post]

Lots of nobel bills become studies and reports when the opposition is vocal. For the last years, the Attorney General of California has released data breach reports.

In 2013, there were 167 breaches reported to the California Attorney General, exposing data of 18.5 Million Californians.

The California Attorney General also makes the following recommendations:  

For the health care industry:

– Use strong encryption to protect medical information on laptops and on other portable devices, and consider encryption for desktop computers.

For the Legislature:

– Consider legislation to amend the breach notice law in order to strengthen the substitute notice procedure; clarify the roles and responsibilities of data owners and data maintainers; and require a final breach report to the Attorney General.
– Consider legislation to provide funding to support system upgrades for small California retailers.
 

Data Breach Legislation History from California:
“In 2003, California was the first state to pass a law (AB 700, Simitian) mandating data breach notifications. This law requires businesses and state agencies to notify Californians when their personal information is compromised in a security breach.

In 2012, companies and state agencies subject to the law were also required, for the first time, to report any breach that involved more than 500 Californians to the Attorney General’s Office. (SB 24, Simitian).” [Lake County News]

Does this sound familiar? A state entity sends unecrypted names and social security numbers? Yes, much like the Texas Comptroller incident, a Pension system in Arizona sent unecrypted filed in regular mail to a third party provider.

The third party provider never received the unecrypted disks. Now, the state is spending $300,000 to provide indentity protection for the affected retirees. [News 4 Tucson]

Canada is considering imposing $100,000 fines on businesses that fail to notify customers of data breaches. Currently Canada utilizes a regional patch work of data security legislation, the national fine for businesses would be a first for Canada. [Info Security Magazine]

Refreshing Recollection: The FCC can and does impose fines on businesses, like it did on two telecom companies late last week. 

RollCall argues that the down side of hightened data security legislation is that it makes consumers complacent. Consumers aren’t encouraged or empowered to protect their own personal data. Are more regulations on business the answer to data security?  [Roll Call]

New Jersey Legisalture is moving a bill that would place new burdens on business and government in the Garden State.

Businesses & government would be required to maintain databases that allow quick contact to  customers/clients/citizens in case of a data breach.

The bill also expands the type of breaches that have to be disclosed to include usernames and passwords. [NJ A3146] 

Florida passed a data security bill earlier this year. A Republican in a neighboring state, Alabama, is filing legislation to require companies and financial institutions to disclose to customers when their personal information is exposed.

The Alabama Governor also initiated a push to upgrade all state software to better protect personal privacy. [Decatur Daily]

A contentious state house race in Kentucky has reached new dramatic heights when the Democratic Party sent out the arrest record of the Republican candidate, including his Social Security Number. A botched recovery for breaching data privacy by the Democratic Party isn’t helping this situation. The Republican called on the state Attorney General to investigate. 

This campaign oops moment has led to more talk of better data security laws. [Good Morning America]

Tech companies have been contributing exponentially more to campaigns and causes that are not favored by the perceived liberal core of Silicon Valley.

Some argue the tech company liberal core isn’t liberal but rather libertarian. Just look to the hearty response Rand Paul received recently in Silicon Valley.  

Tech companies want changes to data privacy laws. Tech companies generally support increased protection for your data privacy and they are putting their money where there mouths are. [Politico]

Personal data protection is a concern world wide. Australia created a Privacy Commissioner to monitor the protection of personal data privacy. Some argue that the Privacy Commissioner enforcement powers exclude state and local governments and thus isn’t effective. A legislative proposal seeks to revoke the Privacy Commissioner. [The Guardian]

FCC wades into data security enforcement by fining two telecom companies $10M for failing to properly secure their customer data. Does the PUC have this power? [WSJ]

Data breaches. There’s a new one every week. Cybersecurity experts say the only way to address the issue is long term legislative and political reform.  Bruce Schneier, a fellow at the Berkman Center for Internet & Society at Harvard says there should be more regualtion on business to secure our personal information. What does those regulations looks like?

• Causes of Action for consumers against the business.
• Government imposed penalties against businesses. 
• Timely and comprehensive disclosures of breaches by businesses.

That’s a lot of business regulation. [Sacramento Business Journal]

News reports allege that Staples had a data breach. There’s a long list of retailers that have endured a data breach. 

Forbes discusses the role personal repsonsibility has in data breach corrections. Legislating personal responsibility is challenging. The modus operandi of the Legislature is putting into place new regulations on retailers, banks and/or creating new civil or criminal penalties. [Forbes]

Almost a year ago, Target experienced a large data security breach through a third party vendor. This data breachprompted federal and state legislation, and class action law suits.

The Target data breach led to at least 27 federal causes of action in 18 different federal courts. MDL, multi district litigation, is a hot topic for the Texas Legislature. MDL was addressed in 2003 tort reform legislation and in various asbestos litigation reforms.

If Texas creates causes of action related to data privacy, be assured, MDL will be discussed. [Southeast Times Record]

The FBI is sharing frightening information. 500 Million financial records have been hacked.

Can you hear all those bills being written? Legisaltor comments write themselves: FBI statistics indicate that 500 million financial records have been hacked. These vicitms deserve justice for the invasion in their privacy. This bill will give the vicitims of hacking justice….

What remains to be seen is whether these bills will go after the hackers? after the financial institutions for not protecting the information better? Will it be civil penalties or criminal penalties?[USA Today]

The Internet Association has been active in D.C. It’s now setting its sights on shaping student data security legislation and ride sharing legislation. It formed a California PAC.  Next stop is Texas. [The Recorder]

All federal debit and credit cards  will require PIN and chip technology. President Obama required the data security measures by issuing an executive order. The Order is heralded by the National Retailers Federation. [Roll Call] [The Hill]

Refreshing Recollection: The same chip and pin technology is discussed by several interim committees examining increasing Texas’ data security. [Business & Industry March 27, 2014]

California is limiting how third party education vendors can use student data. In an interview with Education Week, the new law is referred to as the “first truly comprehensive student-data-privacy legislation” and said he expects it to become a model for other states around the country.” [Education Week] [Copy of the Bill- The Student Online Personal information Protection Act]

Privacy is a hot issue. Citizens want privacy. The government wants to be free to peruse your electronic information. It’s causing a bone of contention between the U.S. government and big technology companies like Apple and Google that seek to protect and encrypt customer data.

The FBI Chief is warning Silicon Valley that they are doing too much to protect privacy. He wants Congress to act to allow the government to intercept more electronic information. That should be popular with the new Libertarian leaning, Republican Congress. [WallStreet Journal]

For a good while law enforcement could obtain cell phone data without a warrant. Its a controversial 4th amendment issue throughout the US, including in Texas.

Florida police had a warrant for calls going into and out of a defendant’s phone, but the Florida Supreme Court said that warrant did not cover tracking cell phone data to follow the defendant’s movements. The ruling is being heralded as an enormous victory for privacy rights. [First Coast News] [Wall Street Journal]

This interim legislative committees have been studying data security after a rash of data breaches. It’s a complex issue. How to protect consumers, how to protect businesses and how to protect banks will be a tricky balance for the Legislature.

We need to add one more policy consideration- how data security policies impact innovation. Texas wants to be a leader in innovation and utilizes economic development programs and favorable tax environment to draw leaders in innovation to Texas.  

A recent Intel panel on data security and data privacy suggests poor data security and data privacy policies are harming innovation. Add innovation and economic development to your list of poilicy considerations for 2015’s data security legislation.  [Engadget] 

DropBox, the cloud storage service, was allegedly hacked. Logins and passwords are being published and bitcoin is being requested by the hacker. DropBox’s statement is that the hack came through a third party vendor, much like the Target hack.

DropBox recommends enabling the two key log-in. Two key log-in methods have also been discussed in interim committee hearings as a standard for the state to consider adopting in 2015 legisaltion. Look for the phrase in any laundry list of data security measures. [Houston Chronicle] 

Protecting your data security has many levels. One is personal responsibility, which is Snapchat’s point. Unusual PR choice of Snapchat to blame its own users. But, exercising personal responsibility to protect your personal data is smart. Don’t worry the good men and women of Texas government will come to your aid during 2015 with legislation to protect individuals and businesses, increase criminal penalties and create new causes of action. [NYMag]

Digital health is big business. But, protecting digital health records doesn’t get the same attention as data breaches at retail establishments. We should be paying more attention to the security of our digital health records. [Washington Post: WonkBlog]

Even the Blizzard cannot prevent data breaches.  Dairy Queen followed the 3 key responses. (1) Publicly list of affected stores (2) Offer identity repair services. (3) Work with law enforcement. As usual, the target of the hack was credit card information while in transit, and no PIN numbers or social security numbers which were hacked.  [GrubStreet]

Data Security is complicated. Federal statutes and rules control on one level. State statutes and rules compliment and add to federal requirements.  Legislation will be focused on keeping the bad guys out of your personal and private information. This protection from data breaches will focus on state causes of actions to protect businesses; additional security parameters for the banking industry; and state criminal causes of action galore.

Sometimes the bad guys who should be kept out of your personal and private information is law enforcement. Most of us think law enforcement can’t go on fishing expeditions for information and that law enforcement needs warrants. Such is not true. Here’s Google’s CEO talking about it to the WallStreet Journal. [WSJ]

Breaching data security means jail time. Also- remember to be kind to people- when a fired employee is pushed to the point to break into secured email- there were communication problems. Communication problems usuallly trace to a failure to listen. Listen- it’s respectful.    No one likes a name calling bully. Be smart, don’t incite those prone to hacking.   [Albuquerque Journal] 

Breaching security means jail time. Also- remember to be kind to people- when a fired employee breaks into secured email- there was a lack of respectful treatment.    No one likes a name calling bully.      

2015 legislation will include criminal penalties.  Since the banking crisis, we’ve seen an uptick in criminal charges against corporations.  [ABQ Journal]

When talking about data security, it’s easy to get lost in the data that can be taken away by the nefarious. But, businesses shouldn’t ignore examining the information that they collect.

FTC Commissioner Brill stresses the need for companies to consider minimizing data collection. Less data collected, less of a target for data breaches by the nefarious elements. [AdAge] 

UT Austin today announced the formation of IDWise, funded with a partnership with the Texas Legislature. IDWise will provide data security toolkits and education for individuals and small businesses.   [UT Austin Center for Identity]

Blue Spike is being called a patent troll. Filing 45 patent infringement claims in two weeks raises red flags. Especailly after June US Supreme Court rulings requiring greater specificty in patent infringement claims.

The texas Legislature is looking to state solutions for businesses that were targetted by trolls. Solutions include state legal claims against the trolls. 

[EFF on the US Supreme Court Rulings] [Above the Law] [TX House Committee on Techonology Interim Charge]

Google says it takes hours, not weeks, to clean up a data breach, if your personal information/photos are posted on its websites. But, here’s the kicker- Google relies on users to report breached information.

There is no internet law enforcement. There are bullies and hackers, but there is no John Wayne or Clint Eastwood of the Internet to ensure everyone acts respectfully.  The very Libertarian internet world relies on personal responsibility.

Personal responsibility is a wonderful concept, in a perfect world. In reality, lawsuits abound. When there are lawsuits, state legislatures will step in and regulate data security. Regulation will also bring internet taxes to support data security enforcement. [WSJ]

Big week for tech and politics. Facebook & YELP stop contributing to ALEC.  Tech companies are in high gear hiring consultants at record levels to navigate politics and government. Search warrants that make tech companies turn over terabytes of storage, angering their tech users, automatically sparks the attention of their lawyers, which in turn, causes consultant hiring. It’s a limbic reaction.  The Government taking “cloud property” is as evil as taking real property to Libertarian types. [Buzzfeed]

Trust issues are hard to overcome. Jimmy John’s trusted a third party vendor. The third party vendor had log-in information stolen that allowed the thief to access Jimmy John’s customer credit card and debit card information. The incident was first reported in July. The company has made security enhancements and is offering affected customers identity protection services.[Bloomberg] [Jimmy John Press Release]

Facebook is a gold mine for divorce attorneys. They can’t get enough of it. Now, estate attorneys are falling in love with Facebook and Google. Delaware this week enacted the first bill to allow estate attorneys access to data of the deceased. So far 10 states have considered the bill, only Delaware has enacted it.  [Wall Street Journal]