Our experienced team views data breach response as a joint effort in partnership with the client where the client’s philosophy, brand and customer base are considered integral in reconciling compliance with the numerous, and often competing, laws and regulations. [...]
Last month Adobe Systems reported that it had sustained a data breach that potentially exposed the account information, including encrypted passwords, of over three million customers to a cyber hacker. Adobe then announced that the number of potentially exposed customers was 38 million. Earlier this month a data security firm, LastPass, reported that it had found email addresses, encrypted passwords and password hints from Adobe user accounts on an underground website frequented by cyber criminals. LastPass reported that more than 152 million Adobe users' account records were found on this site. According to news reports, Adobe confirmed that records stolen from its data center were found on the underground website but indicated that much of the information was not significant. One detail matters for affected users: the passwords were encrypted with a reversible cipher rather than hashed, and the hints were stored in the clear alongside them, so identical passwords are recognizable in the dump and many can be recovered from the hints.
Adobe claims that the database attacked was a backup system slated for decommissioning, and that the records included roughly 25 million invalid email addresses, 18 million invalid passwords and a large percentage of fictitious accounts. Adobe continues to work with law enforcement and outside investigators to determine the full facts and circumstances of the breach. At this time approximately 38 million active Adobe users have been notified, and Adobe is beginning to contact the owners of inactive accounts.
The number of records stolen appears to be the largest ever taken in a single data breach. Other significant breaches include the 2009 Heartland Payment Systems breach, which involved more than 130 million credit card numbers, and the 2011 Sony PlayStation Network breach, in which approximately 100 million records were accessed. While Adobe continues to investigate and slowly releases information to the public, businesses and their data security teams should re-emphasize to all employees, customers and vendors that they must be especially vigilant about opening files or emails from unknown senders: one click can be enough to let an attacker into the system. Anyone who reused an Adobe password on another site should change it there as well.
A high-profile firm that provides software management solutions for the limousine and ground transportation industry is the latest victim of a computer intrusion and data breach that potentially exposed the credit card and other personal information of approximately one million customers. The Associated Press reports that Hold Security, a data security firm, discovered the breach at Corporatecaronline in October. Hold Security says it advised the company that personally identifiable information (PII) had been stolen, but Corporatecaronline has not publicly acted on the information. According to the report, limousine and car services across the country purchased software from Corporatecaronline and used it for reservations, dispatching and payment processing. In addition to credit card numbers, personal details about celebrities and politicians who used the various limousine services were also exposed. Hold Security found the Corporatecaronline customers' PII on the same server where data from other high-profile intrusions, including those at Adobe Systems Inc. and PR Newswire, had been stored.
This latest incident demonstrates that businesses that ignore or downplay data breaches are potentially setting themselves up for liability in the form of negative publicity and damages if they do not respond quickly and appropriately. Negative public relations aside, Corporatecaronline may have jeopardized its insurance coverage for this event if it is determined that the company did not properly report the incident to its insurance carrier.
Earlier this year we reported that Schnucks Markets, a Midwestern based supermarket chain, had suffered an extensive data breach. News reports indicated that 2.4 million customers’ personal information was exposed as a result of Schnucks’ computers being hacked.
Last week a preliminary settlement of a class action suit was proposed in a Missouri federal district court. The proposed settlement provides a good opportunity for businesses and their insurers to review the monetary expenses that can be incurred just to settle a data breach class action suit prior to full litigation.
Under the proposed settlement, Schnucks would incur the following costs:
- Pay up to $10.00 to each customer for every compromised card that had fraudulent charges posted to it;
- Pay customers for certain unreimbursed out of pocket expenses such as bank overdrafts and late fees;
- Pay for up to three hours of documented time, at $10.00 an hour, that customers spent dealing with the breach;
- A cap of $1.6 million on all of these customer reimbursements, and of $170.00 per class member;
- Pay up to $10,000 for each related identity theft loss with the total capped at $300,000;
- Pay up to $635,000 for plaintiffs’ attorney fees;
- Pay $500.00 to each of the nine main plaintiffs in the lawsuit.
This proposed settlement comes right after an announcement that a declaratory judgment action brought by Liberty Mutual against Schnucks regarding coverage for the data breach had been dropped. A spokesman for the grocery chain was quoted as stating that Liberty Mutual and Schnucks had agreed to discuss alternatives to litigation.
Clearly, the business costs of this data breach have been extremely high. If Schnucks did not purchase proper data breach insurance, the costs will be higher still. Once again this incident demonstrates the critical reasons for proper privacy and data security insurance, along with vigilant data security to prevent or limit a breach.
North Dakota recently amended its data breach notification statute to include “medical information” and “health insurance information” as personal information that could trigger consumer notification obligations if accessed in a breach of computerized data.
- “Health insurance information” is defined as: an individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.
- “Medical information” is defined as: any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
N.D. Cent. Code, § 51-30-01 (2013).
North Dakota joins several states that already include medical information as “personal information”, such as California, Texas and Missouri. The amended North Dakota statute was effective as of August 1, 2013. It remains to be seen if other states will also expand what is deemed personal information so as to trigger consumer notification in the event of a data breach.
Pursuant to the HIPAA/HITECH final rule, all organizations handling healthcare data must comply with the new security and privacy rules by Monday, September 23rd. All covered entities and their business associates (BAs) will be subject to revised data breach notification standards. Additional restrictions on how PHI can be used and disclosed also take effect next week. Covered entities must also ensure that their BAs and other subcontractors comply with the final HIPAA/HITECH privacy requirements.
For instance, a cloud service provider acting as a business associate for a healthcare entity can now be held directly liable for failing to protect PHI, even if the BA merely stores the provider's data. BAs are also responsible for ensuring that their subcontractors protect the provider's patients' PHI. In addition, healthcare entities and their BAs will have less discretion in determining whether a data breach has occurred and whether notification is required. The stricter rules will likely lead to more breach notifications.
All of these new rules will certainly increase the risk exposure of healthcare entities and their BAs. Healthcare organizations and their BAs should ensure that they have proper cyber and privacy insurance to protect against these increased risks.
Despite tremendous publicity and public education about data breaches during the past several years, business entities continue to store personal information unencrypted. The most recent example is a large Chicago-area medical provider, Advocate Medical Group. Advocate just announced that four computers were stolen from one of its offices in July. The computers contained personal information for over 4 million patients, including names, addresses, dates of birth and Social Security numbers. Advocate does not believe that the computers were stolen for the PI or that the information has been used in any way. However, while the computers were password protected, the data was not encrypted. A login password protects only the operating system session; the drives can be removed and read on another machine, so unencrypted data on them is fully exposed. As a result, the medical group is now offering credit monitoring services to over four million individuals.
Needless to say, this breach response will be extremely costly for the medical provider and its insurance carriers. By failing to use encryption, the medical group incurred significant risk and expense. Most state notification statutes, California's included, and the HHS guidance on "unsecured" PHI apply only to data that is unencrypted or whose encryption key was also compromised, so properly encrypted data with the key held apart from the device generally does not trigger notification at all. This breach comes on the heels of the California Attorney General's data breach report, which found that more than half of the 2012 breaches reported in California involved unencrypted personal data. Businesses and their insurers must make encryption the number one priority for their data security going forward.
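The Advocate theft turns on the difference between a login password and encryption at rest. As an added example (not code from Advocate or from this post), the Go program below shows the pattern that would have changed the outcome: each record is sealed with AES-256-GCM under a key generated and held separately from the stored data (in practice in a KMS, HSM or TPM-backed store; here it is simply a variable). The sample patient record is constructed, and the field names and the `patient:42` identifier used as associated data are assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample record with the field types named in the Advocate notice
// (name, address, date of birth, SSN). The values are invented.
const sampleRecord = `{"name":"Jane Doe","addr":"1 Main St","dob":"1970-01-02","ssn":"123-45-6789"}`

// NewKey returns a fresh 256-bit AES key. In a real deployment the key is
// generated and held in a KMS, HSM or TPM-backed store, or wrapped under a
// passphrase-derived key; it must never sit in the clear on the same disk as
// the ciphertext, or the thief who takes the disk takes the key with it.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext and returns nonce || ciphertext || tag. aad (for
// example the record's primary key) is authenticated but not encrypted, so a
// ciphertext cannot be moved into another patient's row without detection.
// A random 96-bit nonce is safe for well under 2^32 records per key; rotate
// keys before that bound.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. A wrong key, a modified byte anywhere in the blob, or
// a different aad fails the authentication check and returns an error rather
// than garbled plaintext.
func Open(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

// LeaksField reports whether a stored blob still contains a field verbatim,
// which is what someone reading the drive from another machine would see.
func LeaksField(blob []byte, field string) bool {
	return bytes.Contains(blob, []byte(field))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	aad := []byte("patient:42") // assumed record identifier
	blob, err := Seal(key, []byte(sampleRecord), aad)
	if err != nil {
		panic(err)
	}
	fmt.Println("SSN readable from stored blob:", LeaksField(blob, "123-45-6789"))
	blob[len(blob)-1] ^= 0x01 // simulate one flipped byte on disk
	_, err = Open(key, blob, aad)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The point of the design is that what sits on the stolen drive is only the output of Seal; without the key, which lives elsewhere, it reveals nothing, and any alteration is rejected on read. Full-disk encryption on the laptops would have achieved the same result with less engineering, provided the key was not cached on the device in a form the thief could use.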
HHS recently announced that it has settled its investigation of a managed care company, WellPoint Inc., for potential violations of the HIPAA Privacy and Security Rules. The significant settlement of $1.7 million results from WellPoint's alleged failure to implement appropriate policies and procedures for authorizing access to individuals' PHI on WellPoint's websites and portals.
According to the HHS press release, weaknesses in an online database left over 612,000 individuals' PHI publicly accessible over the internet. The data included names, dates of birth, addresses, Social Security numbers, telephone numbers and other health information. A subsequent investigation found numerous other potential violations of the HIPAA Security Rule. The exposure appears to have been the result of a software upgrade WellPoint was performing on the database. The change-management lesson is that an upgrade to any system fronting PHI should be followed by a check that authentication is still enforced on every data path, not merely that the application still works.
Insurance carriers and their insureds should pay special attention to this settlement. Beginning on September 23, 2013, liability for HIPAA Privacy and Security Rule violations will extend directly to business associates that receive, maintain or store PHI. As a result, more and more entities will be responsible for failures to adequately protect PHI and, inevitably, will be the subject of HHS investigations, fines and penalties for security lapses.
Last week the IRS announced that a substantial number of Social Security numbers had been posted on IRS.gov in forms filed by Section 527 political organizations. The IRS stated that it was temporarily removing public web access to the records. These records are required by law to be posted publicly; however, the IRS is supposed to redact the forms so that no PII is published.
The IRS was alerted to this exposure by an outside public interest group. The breach involves as many as one hundred thousand names and Social Security numbers, which appear to have been largely those of donors to the 527 tax-exempt political groups.
This data breach once again demonstrates the variety of ways that PII can be exposed. In this instance, individuals provided their names and Social Security numbers along with political donations to political action committees. The 527 groups reported the information to the IRS, and the IRS then appears to have violated privacy law by exposing the numbers to the public. An interesting question is whether the 527 groups, as owners of the PII, must now comply with state breach notification laws, or whether the IRS, as custodian of the filed forms, must bear the costs of breach notification.
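The IRS exposure is a redaction step that was skipped, or ran and was never checked, before publication. As an added example, not IRS code, the Go program below shows a pre-publication scrub for SSN-shaped tokens together with a release gate that re-scans the exact text about to be uploaded. The contributor schedule is constructed sample text; the EIN and ZIP+4 values are included deliberately because they are also nine digits and must survive, which is why the pattern requires consistent separators. The plausibility rule (area not 000, 666 or 900-999, group not 00, serial not 0000) follows the SSA's published structure for assigned numbers and is used for triage only; every match is scrubbed regardless.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed excerpt of a 527 contributor schedule; every name, number and
// amount is invented. The EIN and ZIP+4 values are present deliberately: they
// are nine digits too and must survive the scrub.
const sampleFiling = `Organization: Example Fund for Better Roads  EIN: 12-3456789
Schedule A - Contributors
John Q. Public, 10 Elm St, Springfield MO, SSN 123-45-6789, $2,500.00
Mary Roe, 22 Oak Ave, Columbia MO, SSN 456789012, $500.00
Acme Corp, 1 Industrial Way, St. Louis MO 63101-1234, EIN 98-7654321, $1,000.00
Pat Lee, 5 Pine Rd, Kansas City MO, SSN 000-12-3456, $250.00
`

// ssnRe matches nine digits written as an SSN: dashed, spaced or unbroken,
// with consistent separators. Mixed forms such as ZIP+4 (63101-1234) and a
// dashed EIN (12-3456789) therefore do not match; an EIN written as nine bare
// digits would, and is left for the reviewer to clear.
var ssnRe = regexp.MustCompile(`\b(?:\d{3}-\d{2}-\d{4}|\d{3} \d{2} \d{4}|\d{9})\b`)

// Finding is one SSN-shaped token, reported without the full number.
type Finding struct {
	Line      int    // 1-based line in the document
	Masked    string // XXX-XX-last4
	Plausible bool   // passes SSA structural rules for an assigned number
}

func digitsOnly(s string) string {
	var b strings.Builder
	for _, r := range s {
		if r >= '0' && r <= '9' {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// plausibleSSN applies the SSA's structural rules: area is not 000, 666 or
// 900-999, group is not 00, serial is not 0000. A token that fails is still
// scrubbed, but reviewers can triage plausible hits first.
func plausibleSSN(d string) bool {
	area, group, serial := d[:3], d[3:5], d[5:]
	return area != "000" && area != "666" && area[0] != '9' && group != "00" && serial != "0000"
}

func mask(d string) string { return "XXX-XX-" + d[5:] }

// Scan lists every SSN-shaped token in doc with its line number.
func Scan(doc string) []Finding {
	var out []Finding
	for i, line := range strings.Split(doc, "\n") {
		for _, m := range ssnRe.FindAllString(line, -1) {
			d := digitsOnly(m)
			out = append(out, Finding{Line: i + 1, Masked: mask(d), Plausible: plausibleSSN(d)})
		}
	}
	return out
}

// Scrub replaces every SSN-shaped token, plausible or not, keeping only the
// last four digits, and reports how many it replaced.
func Scrub(doc string) (string, int) {
	n := 0
	clean := ssnRe.ReplaceAllStringFunc(doc, func(m string) string {
		n++
		return mask(digitsOnly(m))
	})
	return clean, n
}

// ReleaseGate is run on the exact bytes about to be uploaded, after Scrub.
// Any surviving SSN-shaped token blocks publication; this is the control that
// catches a scrub step that was skipped or silently failed.
func ReleaseGate(doc string) error {
	if f := Scan(doc); len(f) > 0 {
		return fmt.Errorf("%d SSN-shaped token(s) remain, first at line %d (%s)", len(f), f[0].Line, f[0].Masked)
	}
	return nil
}

func main() {
	for _, f := range Scan(sampleFiling) {
		fmt.Printf("line %d: %s plausible=%v\n", f.Line, f.Masked, f.Plausible)
	}
	clean, n := Scrub(sampleFiling)
	fmt.Printf("scrubbed %d token(s); gate on unscrubbed: %v; gate on scrubbed: %v\n",
		n, ReleaseGate(sampleFiling), ReleaseGate(clean))
}
```

The gate is the part that matters for the IRS case: scrubbing and publishing are separate steps, so the scan must run on the final artifact rather than on whatever the scrub step thought it produced, and a non-nil result must stop the upload rather than merely log.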
Florida’s Department of Education just announced that approximately 47,000 teachers in training had their personal information exposed on the internet. The PI was publicly accessible for approximately two weeks in late May and early June. According to news reports, the exposure occurred when data was transferred between servers at the Florida Center for Interactive Media at Florida State University. Security measures restricting access to authorized individuals were supposedly in place; however, the Department of Education has indicated that those measures were not applied when the data was moved. Florida’s Education Commissioner has ordered a full review of the state’s data security procedures, has already set up a hotline for affected individuals and is providing identity theft protection.
This data breach once again demonstrates the need for proper data security as well as privacy and data breach insurance. In this instance, data security measures were supposedly in place but human error contributed to a breach occurring. Businesses and their insurers should always be aware that regardless of the level of data security and IT prevention measures, breaches can and will continue to happen. Once a breach has occurred, proper cyber insurance will ensure that the response and its costs are properly handled.
Following up on his recent post concerning the Chinese military hacking United States companies, Eric Packel, Esq. was asked to speak with Colin O’Keefe of LXBN for more information on the matter. In the video interview, Eric explains some of the details of the attacks and offers some guidance on what companies can do to protect themselves: