Data Privacy and Data Security Compliance Issues

06B – DATA INCIDENTS AND LITIGATION
Jeffrey L. Poston
Partner
Crowell & Moring, LLP
TYPES OF INCIDENTS
• Cyber-Hacking
• Employee/Vendor Negligence
– Lost laptop
– Inadvertent transmission
• Employee/Vendor Theft
BREACH RESPONSE ISSUES
(diagram: "Loss/Theft of Data" at the center, surrounded by the issues listed below)
• Law Enforcement
• Trade Secret Theft
• State AG Enforcement
• Business Reputation
• OCR/HIPAA
• Insurance Coverage
• Vendor Involvement/Indemnity
• Individual Student Notification
• Class Actions
• Internal Investigation/Forensics
RECENT UNIVERSITY BREACHES
• Coordinated Attack
– 10/13: hackers infiltrated over 50 universities and
published sensitive information online, including
names, addresses, and user names and passwords.
• Phishing Scam
– 10/13: phishing scam resulted in the breach of over
3000 individuals’ personal information. University
employees inadvertently gave hackers access to
protected health information.
RECENT UNIVERSITY BREACHES (cont’d)
• Unauthorized Access
– 8/13: incident at a Midwestern school resulted in
unauthorized access to records (including SSNs) of
over 60,000 individuals. School is providing
credit monitoring services for 1 year.
• Cyber Attack
– 7/13: hackers accessed data of 80,000 university
employees through defect in vendor software.
University is providing credit monitoring services
for 1 year.
REGULATORY ACTION
• Health and Human Services
– College and University Hospitals hit with HIPAA
fines in 2013:
• A state university in the Northwest settled with HHS for
$400,000.00
• A private university in California experienced a breach
with 13,000 compromised records
• A public university in the Midwest experienced a breach
of over 3000 medical records
REGULATORY ACTION (cont’d)
• State Breach Notification
– Expanded definition of Protected Information in
California
• Includes login information, email addresses, and
security questions
• 46 states have breach notification laws
– Different timeframes
– Subject to enforcement actions and fines
– Disparate state reporting requirements
LITIGATION THREAT
• Springer v. Stanford University
– Medical data for 20,000 emergency room patients
accidentally sent to a job applicant
– Applicant then posted the information online
– Information exposed for over a year
– $20 million class action suit, pending in Superior
Court of the State of California, County of Los
Angeles
LITIGATION THREAT (cont’d)
• Gross v. University of Hawaii
– 5 alleged data breaches at 4 different University
institutions from 2009 – 2011.
– 96,000 individuals affected
– Settled in 2012; credit protection services to
affected individuals for two years.
LITIGATION THREAT (cont’d)
• UCLA v. Superior Ct of LA County
– Over 16,000 patient records allegedly compromised by
theft of hard drive
– Damages sought totaled $1,000 per patient, or over
$16 million
– California State Court of Appeals, 2nd District,
dismissed the case on October 15, 2013
– Healthcare providers not necessarily liable for stolen
or misappropriated medical data absent a showing that
the data was accessed by an unauthorized person
LITIGATION THREAT (cont’d)
• Bombardieri v. Emory Healthcare
– Emory University allegedly lost 10 discs
containing patient information and some Social
Security Numbers.
– Allegation of 300,000 compromised records
– Damages sought totaled $200 million, or $1,000
per patient.
– Case disposed (dismissed) by Superior Court of
Fulton County Georgia in 2012
CYBER ESPIONAGE
• Research universities as targets
– Defense / Homeland Security development grants
– Patents and intellectual property
• Unique problems facing universities:
– Open and collaborative work environment
– Foreign professors / students
– Foreign travel
CYBER ESPIONAGE (cont’d)
• By the numbers:
– One public university in the Midwest reports
90,000 – 100,000 illegal attempts to gain access to
the network per day originating largely from China
– A California university reports millions of attempts
per week
– All Universities are reporting an exponential
growth in the number of attacks and in their
sophistication
HOW TO MANAGE CRISIS WHEN PII COMPROMISED
1. DO NOT SWEEP UNDER THE RUG
2. BE PREPARED
– Breach Response Plan
• GC’s Office
• Privacy Office
• IT
• Media Relations
• Training/Policies to ensure incident reported up the chain
3. INVOLVE IN-HOUSE/OUTSIDE COUNSEL IMMEDIATELY
– Can assert privilege to maximum extent possible
– Assert privilege over outside consultants
– Use counsel to conduct employee interviews
– Assess claims vs. vendors
– Assess need for law enforcement
– Strategize for long run
HOW TO MANAGE CRISIS WHEN PII COMPROMISED (cont’d)
4. INVESTIGATE
– Physical
– Forensics
– What data?
– Whose data?
– Access to vendors
– JDA
5. MITIGATE/REMEDIATE
– Can you recover data?
– Can you forensically prove data not accessed?
– If technical cause, can’t be fixed
– First 24-48 hours critical
HOW TO MANAGE CRISIS WHEN PII COMPROMISED (cont’d)
6. NOTIFICATION ISSUES
– HIPAA/OCR?
– State breach notification laws
– FERPA
7. HERE COME THE REGULATORS
– Be proactive with regulators
– Establish relationship/bring them in the loop
8. INVOLVE CORPORATE COMMUNICATIONS
– States require certain content in notification letters
– Speak with one consistent voice
HOW TO MANAGE CRISIS WHEN PII COMPROMISED (cont’d)
9. VENDOR ISSUES
– JDA
– Who is notifying students etc.?
– Indemnity
– Tolling Agreement
10. INSURANCE ISSUES
– Report incident
– What kind of policy?
– CGL
– Standard cyber policy
EMERGING LITIGATION ISSUES
• Typical Claims
– Negligence
– Breach of Contract
– Unfair Trade Practices
– Breach of Privacy
– State Statutes
• Threshold issues
– Standing to sue (Federal Court)
– Actual injury or harm (common law claims)
EMERGING LITIGATION ISSUES (cont’d)
• Class Certification Issues
– Rare (dismissal or settlement)
– Claims often turn on individualized issues of causation and
damages
– Thus common questions of law and fact do not
predominate over questions affecting individual members.
• Damages
– Aggregate exposure to nominal damages
– Due process violation?
TYPICAL SETTLEMENTS
• Non-monetary relief (e.g., credit monitoring)
• Monetary payments to privacy non profits (e.g.,
Privacy Rights Clearinghouse)
• Consent decree requiring security improvements
• Attorneys fees to plaintiffs’ counsel
• Capped individual payments to plaintiffs who can
prove causation