Privacy alert | Nixon Peabody LLP
April 25, 2014

What’s trending in data privacy & security
By Linn Foster Freedman, Kathryn M. Sylvia and Kate A.F. Martinez

We’re looking ahead on all fronts in privacy and data security. Iowa State University announced a breach of 30,000 student Social Security numbers—a reminder for all schools and universities to think about the security of their student and faculty data. And for those working with minors, there is new COPPA clarification on the collection and use of personal information from students. Here’s a round-up of the latest news and what’s on the horizon.

Data breach

Michaels Stores, Inc. confirms credit card data breach of over 2 million customers

On April 16, 2014, Michaels Stores Inc. (“Michaels”) and its affiliated Aaron Brothers Craft Stores (“Aaron Brothers”) confirmed the breach of 2.6 million customers’ credit card information, collected at the point of sale through malware placed on its network by a hacker from May 8, 2013, to January 27, 2014—another 400,000 customers’ information was breached at the Aaron Brothers stores. Michaels had originally suspected a breach back in January 2014, and after an extensive investigation the company confirmed that the information had been breached. Michaels informed its customers that the malware has been removed and the threat no longer exists. Customers’ credit card numbers and expiration dates were accessed; however, customers’ names, addresses and PINs associated with credit or debit accounts were not compromised. The company is offering both identity protection and credit monitoring to all of its customers for one year.

This is the second data breach suffered by Michaels in the last three years. These hacker attacks have resulted in lawsuits against Michaels. To read about an Illinois class action accusing Michaels of insufficient security measures, click here.—Linn Foster Freedman and Kathryn M. Sylvia

Universities vulnerable to security breaches; administrators and boards should pay attention

Not only are large companies and retailers vulnerable to attack by hackers; schools and universities should also beware of the cyber hacker. Holding vast amounts of personal data about faculty and students, universities must be prepared for and protect against security breaches. On April 22, 2014, Iowa State University announced a breach of over 30,000 students’ Social Security numbers spanning a 17-year period (1995–2012) by a hacker who accessed five servers on its campus. Law enforcement officials have been notified, and Iowa State University is offering free credit monitoring to each individual whose Social Security number was breached. Schools and universities collect and maintain high-risk data and should be sure that their data privacy and security practices are robust and properly implemented to avoid security incidents.—Linn Foster Freedman and Kathryn M. Sylvia

This newsletter is intended as an information source for the clients and friends of Nixon Peabody LLP. The content should not be construed as legal advice, and readers should not act upon information in the publication without professional counsel. This material may be considered advertising under certain rules of professional conduct. Copyright © 2014 Nixon Peabody LLP. All rights reserved.

27,000 employees’ information breached at the University of Pittsburgh Medical Center

The University of Pittsburgh Medical Center (“UPMC”) said on April 17, 2014, that approximately 27,000 of its employees’ information was likely breached by hackers seeking access to Social Security numbers and tax information. This announcement stems from the reports of approximately 788 hospital employees who fell victim to tax fraud schemes by hackers who filed false tax claims this year using information stolen from the UPMC database.
While UPMC will continue to monitor the situation and investigate the breach, UPMC has issued a statement that no patient health information was compromised during this security incident.—Linn Foster Freedman and Kathryn M. Sylvia

Enforcement & litigation

OCR HIPAA enforcement: covered entities pay over $2 million for potential violations

On April 22, 2014, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) settled two Health Insurance Portability and Accountability Act (HIPAA) investigations. The first, with Concentra Health Services (“Concentra”), resulted in a $1,975,220 payment to the OCR and implementation of a corrective action plan (“CAP”). The second, with QCA Health Plan, Inc. (“QCA”), resulted in a $250,000 payment to the OCR and the implementation of a CAP as well. Read our alert to learn more about these settlements and the CAPs.—Linn Foster Freedman and Kathryn M. Sylvia

Wyndham asks Third Circuit to expedite its review of FTC’s expanded authority

On April 17, 2014, Wyndham Worldwide Corp. (“Wyndham”) asked the New Jersey federal court to allow the immediate appeal of a prior ruling that the Federal Trade Commission (FTC) may proceed with its data security suit against the hotel corporation. Wyndham argued that the Third Circuit must decide this novel question about the FTC’s authority under Section 5 of the FTC Act to pursue a company for its failure to implement data security practices and, if the FTC does have such authority, whether the FTC provided Wyndham with any notice or guidance of what constitutes reasonable data security measures. Wyndham believes that the Third Circuit can answer these questions quickly without any prior review of the litigation record. Wyndham cites the LabMD, Inc. litigation, which is based on many of the same legal grounds. If the Third Circuit does weigh in on these issues, it could have a serious impact on the FTC’s attempts at expanding its statutory authority.
Stay tuned—we are keeping a close eye on these developments.—Linn Foster Freedman and Kathryn M. Sylvia

Cybersecurity

Heartbleed bug scare: HealthCare.gov website users warned

Administration officials are warning individuals who enrolled in the government’s new health care insurance through the HealthCare.gov website that they should change their passwords as a precautionary measure while the government determines the website’s vulnerability to the Heartbleed bug. Currently, there is no indication that the website has been compromised, but administration officials are being especially cautious because of the large amounts of health information and personal information collected and transmitted through the website. On April 19, 2014, the HealthCare.gov website posted the following: “While there’s no indication that any personal information has ever been at risk, we have taken steps to address Heartbleed issues and reset consumers’ passwords out of an abundance of caution.”

Because the full extent of the damage caused by the Heartbleed bug is as yet unknown, websites that collect and transmit large amounts of personal and sensitive data should heed the same warning. In addition to the government’s health care website, the Department of Homeland Security is assessing other government networks, such as the Internal Revenue Service, to ensure that the Heartbleed bug has not affected websites that collect and transmit sensitive data.—Linn Foster Freedman and Kathryn M. Sylvia

Health Information Technology (HIT)

AHRC issues report outlining future HIT interoperability recommendations

The Agency for Healthcare Research and Quality (“AHRC”), in a joint effort with the Office of the National Coordinator for Health IT (ONC) and the Robert Wood Johnson Foundation, issued a report this week, “A Robust Health Data Infrastructure,” which proposes recommendations for the future of the national health IT architecture.
The report outlines recommendations for the Centers for Medicare and Medicaid Services and the ONC to realize the promise of improving health care through the integration of health information. The broad recommendations offered in the report include:

— Embrace Stage 3 Meaningful Use
— Define an overarching software architecture for the health data infrastructure
— Define Stage 3 Meaningful Use requirements to enable the creation of an entrepreneurial space across the entire health data enterprise
— Solicit input from the biomedical research community to ensure that the health data infrastructure meets the needs of researchers
— Ensure that the adopted software architecture has the flexibility to accommodate new data types generated through emerging technologies that balance individual privacy with the societal benefits of biomedical research
— Facilitate international interoperability for sharing health information for research purposes
— Employ large-scale data mining techniques and predictive analytics to detect fraud

The report concludes that “the path forward must include full access to health data for clinical care, public health, and biomedical research.” Patients must be able to trust that the system can protect their privacy while providing access to the information for societal benefit. In addition, opening an entrepreneurial space for innovation in health care delivery tools and approaches is essential. The joint report can be accessed here.—Linn Foster Freedman

Social media

SEC Corporation Finance issues C&DIs on social media, but be careful about tweeting away

The Securities and Exchange Commission (SEC) Division of Corporation Finance issued Compliance and Disclosure Interpretations on April 21, 2014, about how the use of social media could affect corporate disclosure requirements.
The guidance acknowledges that electronic communications through social media could be problematic because of functions inherent in those platforms, such as limits on text or characters and re-transmittal by third parties. In particular, the Division advised that it is appropriate to use an active hyperlink to required legends in electronic communications in compliance with Rules 165(c)(1), Rule 134(b), Rule 134(d), and Rule 433(c)(2)(i) unless the communication is capable of including the required legend within the amount of text allowed. The communication, however, must “prominently” convey that “important or required information” is provided through the hyperlink. The Division also stated that re-transmission of an electronic communication would not be attributable to an issuer as long as the third party is neither an offering participant nor acting on behalf of the issuer or an offering participant, and the issuer had no involvement in the retransmission beyond having initially prepared the communication, which complied with Rule 134 or 443.

Although this guidance does shed a little light on the ability to use social media in compliance with SEC disclosure requirements, it may not be a green light to “Tweet” away—the SEC will be keeping its eye on how companies use social media and will surely continue to issue guidance on using social media in compliance with securities rules. We will keep you informed of these developments.—Kate A. F. Martinez

PhRMA concerned with FDA social media draft guidance

The Pharmaceutical Research and Manufacturers of America (“PhRMA”) recently provided its concerns about the Food and Drug Administration’s (FDA) draft guidance on interactive promotional media submissions for drugs, which was issued in January. The guidance addresses communications and interactions used to promote drugs, including blogs, microblogs, social media, online communities and podcasts.
PhRMA’s concerns include: 1) the FDA’s premise that a biopharmaceutical manufacturer can be held accountable for content written by others and posted on third-party websites if the company “influences” the third party, and 2) “the assumption that all manufacturer statements about prescription medicines on social media constitute promotional labeling or advertising.” PhRMA pointed out that a broad interpretation of labeling and advertising “could chill truthful and non-misleading communication protected by the First Amendment.”—Linn Foster Freedman

Children’s Privacy/COPPA

FTC updates COPPA FAQs to clarify statute’s applicability to schools and proper consent models

On April 22, 2014, the Federal Trade Commission (FTC) updated its Frequently Asked Questions (FAQs) pertaining to the Children’s Online Privacy Protection Act (COPPA) to clarify the use and collection of personal information from students. The updates include information on who should be responsible for providing consent in situations where an online service, acting on behalf of the school, will collect personal information from students. Additionally, the FTC included commentary that schools should, as a best practice, provide parents with a list of all the websites and online services that will collect personal information from students with the school’s consent. The new FAQs also remind schools that the Family Educational Rights and Privacy Act (FERPA) requirements must be followed in addition to COPPA standards.

Educational institutions should be aware of these revised FAQs as well as the applicability of COPPA and FERPA to their collection and use of student information. Implementing proper privacy and security policies and procedures is the first step, and making sure third-party online services and vendors adhere to the same strict requirements is the next.
In the FTC’s announcement, a senior attorney stated that if “you have a website or app covered by COPPA, represent clients in the educational arena, or are active in your local schools, you’ll want to read the latest about COPPA and schools.” These updates include two new questions and revisions to the previous four questions in Section “M” about “COPPA and schools.”—Kathryn M. Sylvia

For more information on the contents of this alert, please contact:

— Linn Foster Freedman, Privacy & Data Protection Group Leader, at lfreedman@nixonpeabody.com or 401-454-1108
— Kathryn M. Sylvia at ksylvia@nixonpeabody.com or 401-454-1029
— Kate A. F. Martinez at kmartinez@nixonpeabody.com or 585-263-1332