Brace for Impact – Final HITECH Rules Will Require Substantially More Breach Reporting

The National Law Review recently published an article, Brace for Impact – Final HITECH Rules Will Require Substantially More Breach Reporting, written by Elizabeth H. Johnson with Poyner Spruill LLP:


The U.S. Department of Health and Human Services (HHS) has finally issued its omnibus HITECH Rules.  Our firm will issue a comprehensive summary of the rules shortly (sign up here), but of immediate import is the change to the breach reporting harm threshold.  The modification will make it much more difficult for covered entities and business associates to justify a decision not to notify when an incident occurs.

Under the interim rule, which remains in effect until September 23, 2013, a breach must be reported if it “poses a significant risk of financial, reputational, or other harm to the individual.” The final rule, released yesterday, eliminates that threshold and instead states:

“[A]n acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E [the Privacy Rule] is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

(i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;

(iii) Whether the protected health information was actually acquired or viewed; and

(iv) The extent to which the risk to the protected health information has been mitigated.”
(Emphasis added).

In other words, if a use or disclosure of information is not permitted by the Privacy Rule (and is not subject to one of only three very narrow exceptions), that use or disclosure will be presumed to be a breach.  Breaches must be reported to affected individuals, HHS and, in some cases, the media.  To rebut the presumption that the incident constitutes a reportable breach, covered entities and business associates must conduct the above-described risk analysis and demonstrate that there is only a low probability the data will be compromised.  If the probability is higher, breach notification is required regardless of whether harm to the individuals affected is likely.  (Interestingly, this analysis means that if there is a low probability of compromise notice may not be required even if the potential harm is very high.)

What is the effect of this change?  First, there will be many more breaches reported resulting in even greater costs and churn than the already staggering figures published by Ponemon which reports that 96% of health care entities have experienced a breach with average annual costs of $6.5 billion since 2010.

Second, enforcement will increase.  Under the new rules, the agency is required (no discretion) to conduct compliance reviews when “a preliminary review of the facts” suggests a violation due to willful neglect.  Any reported breach that suggests willful neglect would then appear to require agency follow-up.  And it is of course free to investigate any breach reported to them.  HHS reports that it already receives an average of 19,000 notifications per year under the current, more favorable breach reporting requirements, so where will it find the time and money to engage in all these reviews?  Well, the agency’s increased fining authority, up to an annual maximum of $1.5 million per type of violation, ought to be some help.

Third, covered entities and business associates can expect to spend a lot of time performing risk analyses.  Every single incident that violates the Privacy Rule and does not fit into one of three narrow exceptions must be the subject of a risk analysis in order to defeat the presumption that it is a reportable breach.  The agency requires that those risk analyses be documented, and they must include at least the factors listed above.

So why did the agency change the reporting standard?  As it says in the rule issuance, “We recognize that some persons may have interpreted the risk of harm standard in the interim final rule as setting a much higher threshold for breach notification than we intended to set. As a result, we have clarified our position that breach notification is necessary in all situations except those in which the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised. . . .”

The agency may also have changed the standard because it was criticized for having initially included a harm threshold in the rule, with critics claiming that the HITECH Act did not provide the authority to insert such a standard.  Although the new standard does, in essence, permit covered entities and business associates to engage in a risk-based analysis to determine whether notice is required, the agency takes the position that the new standard is not a “harm threshold.”  As they put it, “[W]e have removed the harm standard and modified the risk assessment to focus more objectively on the risk that the protected health information has been compromised.”  So, the agency got their way in that they will not have to receive notice of every single event that violates the Privacy Rule and they have made a passable argument to satisfy critics that the “harm threshold” was removed.

The new rules are effective March 26, 2013 with a compliance deadline of September 23, 2013.  Until then, the current breach notification rule with its “significant risk of harm” threshold is in effect.  To prepare for compliance with this new rule, covered entities and business associates need to do the following:

  • Create a risk analysis procedure to facilitate the types of analyses HHS now requires and prepare to apply it in virtually every situation where a use or disclosure of PHI violates the Privacy Rule.
  • Revisit security incident response and breach notification procedures and modify them to adjust notification standards and the need to conduct the risk analysis.
  • Revisit contracts with business associates and subcontractors to ensure that they are reporting appropriate incidents (the definition of a “breach” has now changed and may no longer be correct in your contracts, among other things).
  • If you have not already, consider strong breach mitigation, cost coverage, and indemnification provisions in those contracts.
  • Revisit your data security and breach insurance policies to evaluate coverage, or lack thereof, if applicable.
  • Consider strengthening and reissuing training.  With every Privacy Rule violation now a potentially reportable breach, it’s more important than ever to avoid mistakes by your workforce.  And if they happen anyway, during a subsequent compliance review, it will be important to be able to show that your staff was appropriately trained.
  • Update your policies to address in full these new HIPAA rules.  The rules require it, and it will improve your compliance posture if HHS does conduct a review following a reported breach.

As noted above, our firm will issue a more comprehensive summary of these new HIPAA rules in coming days.

© 2013 Poyner Spruill LLP

Cyber Attacks Hit Major Banks. Is Your Business Next?

Roy E. Hadley, Jr. and Joan L. Long of Barnes & Thornburg LLP recently had an article regarding Cyber Attacks published in The National Law Review:

Over the past week, several websites belonging to some of the largest banks in the country have been hacked in what experts are calling one of the “biggest cyber attacks they’ve ever seen.” As this CNN Money article points out, the websites “have all suffered day-long slowdowns and been sporadically unreachable for many customers.”

According to security experts, the “denial of service” attacks, which began on Sept. 19, are the largest ever recorded.

For all businesses, denial of service attacks are a growing and more menacing threat.  Your customers can’t access your website and can’t buy your goods and services. This can be catastrophic to your company. So the question remains: What have you done to protect your business?

The CNN Money article can be read in its entirety by clicking on the link below.

CNN Money – “Major banks hit with biggest cyberattacks in history”

© 2012 BARNES & THORNBURG LLP

New York Enhances Employee and Consumer Privacy Rights Under its Social Security Number Protection Law

Four years ago, New York enacted a Social Security Number Protection Law, N.Y. Gen. Bus. Law, §399-dd, aimed at combating identity theft by requiring employers to better safeguard employee social security numbers in their possession.  (Click here for our summary of the law).  Now, New York is going one step further with its passage of two new Social Security Number Protection laws.

First, a note: as of November 12, 2012, §399-dd – the original Social Security Number Protection Law – will be re-codified as new §399-ddd, and it will also incorporate the statutory language of the first of these two new laws, which prohibits employers from hiring inmates for any job that would provide them with access to the social security numbers of other individuals.

The second law, which is codified as a separate new §399-ddd, enhances the requirements for safeguarding employee social security numbers while also adding similar protections for consumers.  This law prohibits companies from requiring employees and consumers to disclose their social security numbers, or from refusing any service, privilege or right to the employee or customer for refusing to make that disclosure, unless (i) required by law, (ii) subject to one of its many exceptions, or (iii) encrypted by the employer.  This law also applies to any numbers derived from the individual’s social security number, which means that it extends, for example, to situations where the company asks the individual for the last four digits of their number.  It is unclear whether this law will prove effective in accomplishing its objectives.

First, it contains an exception with the potential to swallow the rule – where the individual consents to the use of the social security number, which many individuals may freely provide absent knowledge of this law’s protections.  Even with an employee’s consent, however, employers must still be mindful that other provisions of the original Social Security Number Protection Law require them to institute certain safeguards to protect against the number’s disclosure.  And further, even if the employer obtains the employee’s consent, the original law still prohibits employers from using an employee’s social security account number on any card or tag required for the individual to access products, services or benefits provided by the employer.

Second, the penalties for violations are minimal – up to $500 for the first violation and $1,000 for each violation thereafter, and can be avoided where the employer shows the violation was unintentional and occurred notwithstanding the existence of procedures designed to avoid such violations.  Further, there is no private right of action, and only the Attorney General can enforce the law.

Governor Cuomo signed the acts into law on August 14, 2012.  The inmate law will take effect on November 12, 2012 and the disclosure law will take effect thirty days later on December 12, 2012.  Now if he would only sign the recently passed wage deduction law.

©1994-2012 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

NY City Bar White Collar Crime Institute

The National Law Review is pleased to bring you information about the inaugural White Collar Crime Institute, on Monday, May 14, 2012 from 9 a.m. to 5 p.m. in New York City, NY.

This excellent review of developments in criminal and regulatory enforcement has been organized by our White Collar Criminal Law Committee, chaired by John F. Savarese of Wachtell Lipton Rosen & Katz. Our program will feature keynote addresses by Preet Bharara, United States Attorney for the Southern District of New York, and Eric Schneiderman, Attorney General of the State of New York. The panels on key legal and strategic issues will include senior government officials, federal judges, academics, general counsel of leading New York based corporations and financial institutions, and top practitioners in the field. We have crafted the program to maximize its value for white collar practitioners and corporate counsel.

Plenary sessions will focus on:
  • Providing perspectives of top general counsel concerning the challenges they confront in this new era of expanded corporate prosecutions
  • Discussions of the increasing importance of media coverage in these cases and its impact on prosecutorial decision-making.

Break-out sessions will address:

  • Techniques for winning trials
  • Ethical issues presented by white-collar corporate investigations
  • Trends in white-collar sentencing, and
  • The special challenges of handling cross-border investigations.

Data Security Breach Alert: 1.5 Million Credit Card Customers Affected

The National Law Review recently published an article regarding A Recent Security Breach written by Adam M. Veness of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.:

Global Payments, Inc. (NYSE: GPN) (“Global”) has reported a significant data security breach affecting approximately 1.5 million credit card customers.  According to a statement that Global released on Sunday, their investigation has revealed that “Track 2 card data may have been stolen, but that cardholders’ names, addresses and social security numbers were not obtained by criminals.”  Using Track 2 data, a hacker can transfer a credit card’s account number and expiration date to a fraudulent card, and then use the fraudulent card for purchases.

As a result of the breach, Visa has removed Global from its list of companies that it considers to be “compliant services providers.”  In an effort to calm consumers, Global issued a press release today assuring that “[b]ased on the forensic analysis to date, network monitoring and additional security measures, the company believes that this incident is contained.”

The incident reinforces the importance of maintaining adequate data security.  Companies must take ample precautions to secure their customers’ data, and if they fail to do so, they may be vulnerable to a serious security breach that could adversely affect their bottom line.  As of the time of this post, Global’s stock price has fallen approximately 12% since the data breach news was announced.  Even when following best practices in data security, companies still may face data security breaches.  Despite these inevitable risks, companies should do everything reasonably required to protect against data breaches.  If a company can show that it has taken the proper precautions, then this may mitigate or reduce potential liability in the event of a breach.  After a breach, companies should ensure that they follow all of the strict legal requirements for notifying customers of the breach and remedying the effects of the breach.  Doing so may greatly reduce a company’s exposure to customer lawsuits and government action against the company.

©1994-2012 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

Workplace Homicides on the Decline

An article by Jared Wade of Risk and Insurance Management Society, Inc. (RIMS) regarding Workplace Homicides recently appeared in The National Law Review:

The number of workplace homicides is less than half of what it was 20 years ago.

Omar Thornton was fired on August 3, 2010. He arrived for a 7 a.m. disciplinary meeting at the Connecticut beer distributor where he worked, and after being shown a video his employer had recorded of him stealing a case of beer, was given an ultimatum: resign or be fired. Thornton signed a resignation agreement before reportedly excusing himself to get a drink of water. That was when the horror began.

Thornton used two Ruger pistols he had concealed in his lunchbox to kill nine coworkers during a 45-minute shooting rampage throughout the facility before taking his own life. It was the deadliest workplace shooting in Connecticut history.

Fortunately, tragedies like this are becoming less common. The likelihood of a workplace homicide is now half what it was in the mid-1990s, according to a recent report by the National Council on Compensation Insurance (NCCI). This trend mirrors a declining national homicide rate, but workplace killings have fallen off even more rapidly. There were 950 in 1993 compared to just 462 in 2009, according to the Bureau of Labor Statistics. This represents a 59% drop-off in workplace homicides over 16 years compared to an overall U.S. homicide rate that fell 49%. The number of homicides has also fallen as a percentage of overall workplace deaths. In 1992, 17% were due to homicide compared to just 11% in 2009. (Auto accidents remain the top killer, holding steady at around 40% of all workplace deaths throughout at least the past two decades.)

The massacre in Connecticut was unusual in another way: the homicides were committed by a coworker. “Contrary to popular belief,” states the Spring 2000 issue of Compensation and Working Conditions, “the majority of [workplace homicides] are not crimes of passion committed by disgruntled coworkers and spouses, but rather result from robberies.”

In a disturbing trend, however, this is less the case today than it was a decade ago. Increasingly, coworkers are killing coworkers. “The highest share of workplace homicides is still due to the category of robbers and other perpetrators, but that share has fallen from 85% to 69% from 1997 to 2009,” states the NCCI report. “Over that same time period, the share due to work associates has grown from 9% to 21%.”

This represents a key area of concern for all companies. There is little a company can do about the national homicide rate. And while there is more it can do to protect itself from being targeted by thieves (adding surveillance, physical barriers or security guards, for example), robberies can still happen. There are, however, proven steps a company can take to reduce the likelihood of coworker-on-coworker violence.

Conducting better background screening during the hiring process is one. Other companies have found success by adopting zero-tolerance policies towards aggressive behavior of any kind in the workplace. That may be effective when combined with clear disciplinary actions for offenders. But the federal U.S. Office of Personnel Management recommends one method above all others: vigilance.

“No one can predict human behavior, and there is no specific profile of a potentially dangerous individual,” states the agency. But, it notes, there are clear indicators based on FBI research of increased risk of violent behavior.

Any direct threats of harm lead the list followed by intimidation, harassment, bullying or other aggressive behavior. Employees who have “numerous conflicts” with coworkers or display extreme changes in behavior also fit the profile of those more prone to commit violence. If any of these issues are observed by, or reported to, management, they should never be ignored.

Risk Management Magazine and Risk Management Monitor. Copyright 2012 Risk and Insurance Management Society, Inc.