Mar 192018

John Amabile and Micheal Binns of Parker Poe Adams & Bernstein write:

A change in emphasis in disputes over data security breaches is coming. To date, the focus has been on issues and potential damages arising from the breach itself and the subsequent loss of private, personal information. In light of recognized delays from both Equifax and Uber, combined with the confusing array of breach notification responsibilities, we believe 2018 will see a growing emphasis on disputes arising from a corporation’s delay in notifying the public, the affected individuals and regulatory bodies about the breach.

Read more on Daily Report.

Mar 132018

Courtney M. Bowman of Proskauer Rose writes:

What would companies need to do to comply with the law?

The Stop Hacks and Improve Electronic Data Security (SHIELD) Act imposes requirements in two areas: cybersecurity and data breach notification. The cybersecurity provisions of the proposed SHIELD Act would require companies to adopt “reasonable safe-guards to protect the security, confidentiality and integrity” of private information. The Act provides examples of appropriate administrative, technical, and physical safeguards, such as designating an employee to oversee the company’s data security program; identifying “reasonably foreseeable” risks to data security; selecting vendors that can maintain appropriate safeguards; detecting, preventing and responding to attacks and system failures; and preventing unauthorized access to private information.

Read more on National Law Review.

Mar 132018

Sammantha Tillotson and Casie Collignon of BakerHostetler write:

In January 2018, Colorado legislators sponsored a bill that, if passed, will change the state’s existing data breach reporting laws in important ways. A House Committee Report detailing the current version of the bill can be found here. The bill would create a new statute, C.R.S. § 6-1-713.5, titled Protection of Personal Identifying Information, which amends the existing statutes C.R.S. § 6-1-713, governing the disposal of personal identifying information, and C.R.S. § 6-1-716, Notification of Security Breach.

Read more on Data Privacy Monitor.

Mar 092018

David Lazarus has some unflattering words for a bill introduced in Congress by Representatives Blaine Luetkemeyer and Carolyn Maloney. Indeed, the Data Acquisition and Technology Accountability and Security Act might be more aptly named the “Businesses Get Out of Jail Free Pass and Screw The Consumers Act of 2018.”

Well, ok, I grant you that that title is a bit long.  Anyway, Lazarus writes:

This week, a congressional hearing was held on a draft bill aimed at creating a national standard for breach notifications. It’s a dubious piece of legislation for a number of reasons, not least that it would exclude Equifax and other credit agencies from its requirements.

No less troubling, it would exempt all banks and financial institutions, and would require notification by retailers and other businesses only if they believe there’s “a reasonable risk that the breach of data security has resulted in identity theft, fraud or economic loss” to consumers.

No harm, apparently, no foul. And hence no notification that the company’s system had been hacked.

Read more on the Los Angeles Times.

Mar 082018

March 6 – Attorney General Eric T. Schneiderman today announced a settlement with healthcare provider EmblemHealth and wholly owned subsidiary Group Health Incorporated (“EmblemHealth”) after the company admitted a mailing error that resulted in 81,122 social security numbers being disclosed on a mailing. In addition to paying a $575,000 penalty, EmblemHealth agreed to implement a Corrective Action Plan and conduct a comprehensive risk assessment.

Attorney General Schneiderman today reiterated his call to improve New York’s weak and outdated security laws with the “Stop Hacks and Improve Electronic Data Security Act” (or “SHIELD Act”). Introduced by the Attorney General in November 2017, the SHIELD Act would comprehensively protect New Yorkers’ personal information from the growing number of data breaches and close major gaps in New York’s data security laws, without putting an undue burden on businesses.

“The careless handling of social security numbers is never acceptable,” said Attorney General Schneiderman. “New Yorkers need to be able to trust that companies entrusted with their private information will guard it appropriately. This starts with good governance—which is why my office will continue to push for stronger security laws and hold businesses accountable for protecting their customers’ personal data.”

EmblemHealth is one of the largest health plans in the United States. On October 13, 2016, it discovered that it had mailed 81,122 policyholders, including 55,664 New York residents, a paper copy of their Medicare Prescription Drug Plan Evidence of Coverage (“EOC Mailing”) that included a mailing label with the policyholder’s social security number on it. Normally, all mailings include a unique mailing identifier that is printed on the envelope. However, in this case, the mailing inadvertently included the insured’s Health Insurance Claim Number, which incorporated the insured’s social security number.

Pursuant to the federal Health Insurance Portability Accountability Act, as amended by the Health Information Technology for Economic and Clinical Health Act (“HIPAA”), EmblemHealth is required to safeguard patients’ protected health information, including social security numbers, and utilize appropriate administrative, physical and technical safeguards. In connection with its 2016 EOC Mailing, EmblemHealth failed to comply with many of the standards and procedural specifications as required by HIPAA. Printing an individual’s social security number on “a postcard or other mailer not requiring an envelope, or visible on the envelope, or without the envelope having been opened” also violates New York General Business Law § 399-ddd(2)(e).

In addition to paying a $575,000 penalty, under the settlement EmblemHealth must implement a Corrective Action Plan that includes a thorough risk analysis of security risks associated with the mailing of policy documents to policyholders, and submit a report of those findings to the Attorney General’s office within 180 days of the settlement. EmblemHealth must also review and revise its policies and procedures based on the results of the assessment, and notify the Attorney General’s office of any action it takes. If no action is taken, EmblemHealth must provide a written detailed explanation of why no action is necessary. EmblemHealth must also catalogue, review, and monitor mailings and make reasonable efforts to ensure: (a) all relevant workforce members are adequately trained for each discrete job function that they are tasked with or assigned to perform related to mailings; (b) report any known violations of EmblemHealth policies and procedures relating to the HIPAA Minimum Necessary Standard, as set forth in 45 C.F .R. § 164.502(b) and § 164.514(b), to the appropriate EmblemHealth official and remediate any known violations as soon as practicable; and (c) for a period of three (3) years, report security incidents involving the loss or compromise of New York residents’ information to the Attorney General’s office that might not otherwise trigger the reporting requirements of New York State law.

This case was handled by Bureau of Internet and Technology Deputy Bureau Chief Clark Russell, under the supervision of Bureau Chief Kathleen McGee. The Bureau of Internet and Technology is overseen by Executive Deputy Attorney General for Economic Justice Manisha M. Sheth.

Source: NYS Attorney General Eric Schneiderman

Related Earlier CoverageEmblem Health notifies GHI members whose SSN was exposed in mailing labels.

See also Kirk Nahra’s analysis and commentary on the AG Schneiderman’s enforcement action. Note that HHS/OCR shows this incident as still under investigation.