CREDIT CARD DATA SECURITY ISSUES RAISED ABOUT ROMNEY SUPER PAC IN WASHINGTON TIMES ARTICLE
This morning a Washington Times newspaper article raised potential data security issues with the online credit card system used by Restore Our Future, a Mitt Romney Super PAC. http://www.washingtontimes.com/news/2012/may/3/romney-super-pac-donors-put-at-credit-card-risk/.
The article detailed how the super PAC’s computer system appears to lack fundamental security methods for protecting its donors’ personal information. The PAC is raising money through online donor forms to support the presidential campaign of Mitt Romney. Apparently, anyone on the same wireless network as the super PAC could record a donor’s credit card number as it was being submitted. The system appears to lack proper Secure Sockets Layer (“SSL”) encryption for information sent over the internet.
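A defender-side check for the problem described above, added here as an example and not part of the article: it parses a page’s HTML with the standard library, finds forms whose fields look like they collect card data, and flags any whose submission URL is not HTTPS. The page URL, HTML and field-name heuristics below are constructed for the example.

```python
import html.parser
from urllib.parse import urljoin, urlparse

# Substrings that suggest a field collects payment card data (assumed heuristics).
CARD_FIELD_HINTS = ("card", "ccnum", "cvv", "cvc", "expir", "exp_")


class _FormScanner(html.parser.HTMLParser):
    """Collect every <form> with its action attribute and its field names."""

    def __init__(self):
        super().__init__()
        self.forms = []       # each entry: {"action": str, "fields": [str]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = a.get("name") or a.get("id") or ""
            self._current["fields"].append(name.lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_insecure_card_forms(page_url, page_html):
    """Return (submit_url, card_fields) for each form that appears to collect
    card data and would send it over plain HTTP instead of HTTPS."""
    scanner = _FormScanner()
    scanner.feed(page_html)
    findings = []
    for form in scanner.forms:
        card_fields = [f for f in form["fields"]
                       if any(h in f for h in CARD_FIELD_HINTS)]
        if not card_fields:
            continue
        # An empty action posts back to the page itself; a relative action
        # inherits the page's scheme, so resolve it against the page URL.
        target = urljoin(page_url, form["action"]) if form["action"] else page_url
        if urlparse(target).scheme.lower() != "https":
            findings.append((target, card_fields))
    return findings


# Constructed sample: a donation page served over plain HTTP with three forms.
SAMPLE_PAGE_URL = "http://donate.example.test/give"
SAMPLE_HTML = """
<html><body>
<form action="/process" method="post">
  <input name="donor_name"> <input name="card_number"> <input name="cvv">
</form>
<form action="https://secure.example.test/process" method="post">
  <input name="card_number">
</form>
<form action="/subscribe" method="post">
  <input name="email">
</form>
</body></html>
"""

if __name__ == "__main__":
    for url, fields in find_insecure_card_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("card data submitted without HTTPS to %s (fields: %s)" % (url, ", ".join(fields)))
```

Only the first form is reported: it collects a card number and CVV and posts to an http:// URL, while the second posts to HTTPS and the third collects no card data.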
The potential for a data breach and release of the donors’ credit card information should raise serious concerns for the PAC’s owners. As I stated in the article, most states now have data breach and privacy statutes. The definition of a breach is generally the unauthorized acquisition of an individual’s personal information (“PI”) or a reasonable belief that such an unauthorized acquisition of the PI has occurred. In this instance, the PAC should be concerned that such an acquisition could or may have occurred. As a result of the article, the PAC spokesman stated that a secure donor page has been added to their system to ensure that the PI cannot be targeted by hackers.
This situation once again demonstrates that all businesses that collect or obtain an individual’s PI must ensure that the data is secure and, just as importantly, that their vendors are securing the data as well. Even if a breach does not occur, the publicity regarding an entity’s lack of a data security system can be just as embarrassing or costly.
OUTSIDE VENDORS CONTINUE TO CAUSE SERIOUS DATA BREACHES FOR HEALTH CARE ORGANIZATIONS
While more and more businesses and organizations are instituting proper in house data security and privacy procedures to protect their electronic personal information, outside vendors continue to pose a serious risk for data breaches.
St. Elizabeth’s Medical Center in Massachusetts recently notified over 6,800 patients that their billing information, including credit card numbers and security codes, may have been compromised when the hospital’s documents were removed by a vendor from a building scheduled for demolition. The hospital had intended to shred the documents. However, in February five documents from the hospital were found blowing around a field in Charleston, MA. The documents contained cashier’s receipts for credit card payments made by patients at the provider’s facilities. St. Elizabeth’s immediately attempted to locate any additional documents but was unable to do so. While the hospital found no evidence that any information had been compromised, the documents potentially contained its patients’ billing information, credit card numbers and security codes. The hospital determined that it needed to alert all patients whose information had been stored in the office building that was being demolished.
This incident was the second recent health care data breach in the Massachusetts region. In March, CVS Caremark Corporation announced that it had mistakenly sent letters to approximately 3,500 health care members providing them with other members’ personal medical information. This incident was caused by an unspecified “program error” by CVS’ pharmacy benefits manager.
Both of these incidents demonstrate that organizations must institute proper information security procedures not only for their own employees but also for the organization’s outside vendors who have access to such information. Numerous data breaches and cyber security incidents could be avoided if organizations routinely conducted critical analysis of their personal information protection procedures and policies. The last thing that any organization wants to learn is that their customers’ or patients’ personal information is “blowing in the wind”, so to speak, in a Charleston, Massachusetts field.
Credit Card Transactions: A Data Breach Waiting to Happen
Last week, Global Payments, Inc., an electronic transactions processor for, among others, VISA and MasterCard, reported a large data breach. According to Global Payments, intruders obtained “track 2” credit card data on 1.5 million cardholders.
Track 2 refers to a portion of the data contained on the credit card’s magnetic stripe [pdf]. Track 2 data includes card numbers and expiration dates. Track 1 data, which was not part of this incident, typically includes cardholder names and addresses.
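An added defender-side example, not from the article or from Global Payments: because PCI DSS prohibits storing full track data after authorization, a routine check is to scan application logs and database exports for track 2 records, which follow the ISO/IEC 7813 layout (start sentinel, PAN, separator, YYMM expiry, service code, discretionary data, end sentinel). The log lines are constructed, and the PANs are the standard test numbers; only Luhn-valid PANs are reported and they are masked in the output.

```python
import re

# Track 2 layout (ISO/IEC 7813): ';' start sentinel, PAN of up to 19 digits,
# '=' separator, YYMM expiry, 3-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{2})(\d{2})(\d{3})?(\d*)\?")


def luhn_valid(pan):
    """Return True when the PAN passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep the first six and last four digits (the PCI DSS display limit)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(text):
    """Scan text such as a log file or database dump for track 2 records.
    Returns one finding per record, with the PAN masked; digit runs that fail
    the Luhn check or carry an impossible month are ignored as false positives."""
    findings = []
    for m in TRACK2_RE.finditer(text):
        pan, yy, mm, service, _discretionary = m.groups()
        if not luhn_valid(pan) or not 1 <= int(mm) <= 12:
            continue
        findings.append({
            "masked_pan": mask_pan(pan),
            "expiry": "20%s-%s" % (yy, mm),   # YYMM on the stripe -> YYYY-MM
            "service_code": service or "",
            "offset": m.start(),
        })
    return findings


# Constructed sample log: two genuine records, one Luhn failure, one bad month.
SAMPLE_LOG = (
    "2012-04-02 10:15:01 POS terminal 7 raw read: ;4111111111111111=1512101123456789?\n"
    "2012-04-02 10:15:07 debug: ;5555555555554444=1309201?\n"
    "2012-04-02 10:15:09 not a card: ;4111111111111112=1512101?\n"
    "2012-04-02 10:15:11 bad month: ;4111111111111111=1513101?\n"
)

if __name__ == "__main__":
    for f in find_track2(SAMPLE_LOG):
        print("track 2 data at offset %d: PAN %s, expires %s, service code %s"
              % (f["offset"], f["masked_pan"], f["expiry"], f["service_code"]))
```

A hit means the application is retaining data it should have discarded at authorization, which is the condition the scan exists to catch.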
With this sort of data maintained by credit card processors, it is not surprising that they make a tempting target. In fact, processors are just one part of a complex payment system that is fraught with peril. Let’s take a look at what happens in a typical credit card transaction:
- The customer submits a credit card for payment to a merchant.
- The credit card company routes the data on behalf of the merchant to a processor.
- The processor for the merchant’s bank submits the transaction to a credit card network like MasterCard or Visa.
- The credit card network routes the transaction to the bank that issued the credit card to the customer.
- The issuing bank approves or declines the card purchase.
- The credit card network sends the transaction back to the processor.
- The credit card processing company stores the transaction results.
- The issuing bank sends the appropriate funds for the transaction to the credit card network, which in turn passes the funds on to the merchant bank.
Whew! Remember that the next time you swipe your card at the gas station. Of course, any weak link in the processing chain could be a point of attack for a hacker. While the payment card industry (PCI) maintains security standards, the Global Payments breach demonstrates that even comprehensive standards will not stop a determined attacker.
In the wake of this incident, VISA dropped Global Payments from its list of approved providers. VISA’s action is a cautionary note for all businesses. A data breach can have severe consequences, not only in the costs of responding to the breach itself, but also for future business relations.
HHS Hits Insurer for $1.5 Million
On March 13, 2012 the U.S. Department of Health and Human Services announced that it settled its first enforcement action resulting from a reported HITECH breach. In the settlement, Blue Cross/Blue Shield of Tennessee agreed to pay One Million Five Hundred Thousand Dollars ($1,500,000.00) to resolve potential violations of the HIPAA Privacy and Security Rules. Additionally, Blue Cross agreed to a corrective action plan to prevent further breaches.
The settlement resulted from Blue Cross’ reporting the theft of 57 unencrypted computer hard drives from one of its facilities. The drives contained PHI for over one million members including names, social security numbers, diagnosis codes, dates of birth, and health plan identification numbers. According to OCR, Blue Cross failed to implement appropriate administrative safeguards to protect the information at the leased facilities. Notably, it failed to perform a required security evaluation in response to operational changes at the facility.
The settlement demonstrates the need to consistently evaluate security procedures to make sure that they still work. We have seen frequent instances where a security policy is outdated because of administrative and/or technological changes which make the plan obsolete. Readers may recall that OIG previously released an audit of security policies at hospitals and found that for those hospitals subject to the audit, security policies were grossly inadequate. We can expect further audits in this regard as OCR ramps up security enforcement.
We would like to get a consensus on how often your institution reviews its security policies.
DATA BREACH LITIGATION: CREDIT MONITORING NOW OR FEDERAL LAWSUIT LATER
Three prominent academics recently published a research paper that analyzed data breach litigation throughout the United States. http://ssrn.com/abstract=1986461. The authors analyzed over 230 federal data breach lawsuits from 2000-2010. The paper’s results suggest that the odds for an organization to be sued in federal court are 3.5 times greater when an individual has suffered financial harm but over 6 times lower when the organization provides free credit monitoring following a breach.
The authors found that a federal lawsuit is more probable if actual financial loss has occurred, if the organization’s own negligence (such as unauthorized disposal of personal information) caused the breach, or if the plaintiff had taken heightened measures to protect their personal information.
The research results demonstrate that an organization should proactively attempt to mitigate any harm or damages that individuals sustain from a data breach. Early and appropriate breach notification and credit monitoring offerings can potentially save an organization significant time and expense from future litigation.
The paper’s findings also indicate that defendants settle 30% more often when plaintiffs allege financial loss from a data breach or when faced with a certified class action lawsuit. Compromise of financial information does not appear to increase the likelihood of a lawsuit, and it also does not increase the plaintiff’s chances of settlement. However, if medical information has been lost, defendants appear considerably more likely to initiate a settlement.
Organizations that obtain large quantities of customer personal information must ensure that the information is properly protected. Encryption and password protection of all personal information, such as social security numbers, email addresses and health records, is still the strongest defense against data breach litigation.
Is Cloud Computing Compatible With the FBI’s Data Security Rules?
We all know that if you want to do business with the government, you have to play by the rules. This includes law enforcement agencies seeking to access the FBI’s Criminal Justice Information Services (CJIS).
The CJIS database, maintained by the FBI, is one of the world’s largest repositories of criminal information. CJIS provides state, local and federal law enforcement agencies with access to fingerprint records, criminal histories, and sex offender registrations.
Although these records can be made available to law enforcement agencies and contractors around the nation, the FBI recently reiterated that any cloud products sold to law enforcement agencies must comply with the strict CJIS security requirements. Those requirements include:
- Data in transit and at rest must be encrypted.
- A minimum of 128-bit encryption must be used.
- All personnel with access to the CJIS database must pass FBI background checks.
- Scheduled audits and unannounced security inspections by the CJIS audit unit.
The FBI’s data security rules have created problems for some large cloud computing providers. In fact, just a few months ago, the LA Police Department scrubbed a planned migration to Google’s cloud-based email service due to security concerns.
Nonetheless, the FBI maintains that its requirements are compatible with cloud computing. However, some of the larger vendors, such as Google, have multiple data centers, including data centers outside the United States. This makes it difficult for those providers to meet the CJIS security requirements, simply due to the vast numbers of personnel involved.
Even outside law enforcement, the security issues with cloud computing are certainly real and have even led to class action lawsuits. In light of these concerns, the FBI will not, and clearly should not, compromise on security simply to benefit some large cloud providers. In fact, any business or entity considering a move to the cloud should carefully weigh the risks involved, particularly when it comes to protecting the privacy of confidential and personal identifying information.
Getting Ready for Private Enforcement: Is a New Form of Quasi-Qui Tam Brewing?
We all know that neither HIPAA nor HITECH creates a private right of action against a Covered Entity or a Business Associate. At most, a HIPAA violation may be deemed evidence of a breach in the standard of care. Thus far, HIPAA enforcement is in the hands of the Office of Civil Rights, which may act on complaints filed by patients. Nevertheless, few actions have resulted from such complaints.
What if patients were able to recover some percentage of the Civil Monetary Penalties collected by OCR? Would that increase the number of complaints filed? We may be getting ready to put this theory to the test. A relatively unnoticed provision in HITECH is the ability of a patient to collect part of the civil fines imposed by OCR. Section 13410(c)(3) provides that:
Not later than 3 years after the date of the enactment of this title, the Secretary shall establish by regulation and based on the recommendations submitted under paragraph (2), a methodology under which an individual who is harmed by an act that constitutes an offense referred to in paragraph (1) may receive a percentage of any civil monetary penalty or monetary settlement collected with respect to such offense.
While this provision does not become effective until after OCR promulgates regulations, such regulations are due, per the statute, to come out no later than February 17, 2012. As we are still waiting for the new, now long overdue, HIPAA regulations, it is doubtful that we will see new CMP regulations any time soon. When regulations are published, expect a wave of new complaints filed with the help of attorneys.
In many ways, CMPs avoid the often difficult task of proving damages for a privacy violation. The only question under the future HITECH regulations is how much of a bounty patients receive for a technical violation where there were no damages. OCR should be mindful of this potential, and award a recovery only in cases of a serious breach where the patient has suffered some real damage.
Thus the question remains: will allowing patients to share a percentage of CMPs improve privacy and security, or simply add costs to an overtaxed healthcare system? Healthcare providers certainly need to watch this development closely.
If the Shoe Fits . . . File a Class Action? Zappos Data Breach Leads to Quick Lawsuit.
Less than 24 hours after the Zappos data breach was announced, a class action lawsuit was filed against Amazon.com (Zappos is owned by Amazon). The Complaint [pdf] purports to be asserted on behalf of a putative class of 24 million customers whose information was exposed in the Zappos hacking incident.
While 24 million individuals, not to mention the name recognition and presumably healthy coffers of Amazon, have class action lawyers in a tizzy, is this simply an opportunistic and headline-grabbing consumer action without much substance? Let’s take a closer look.
In addition to state law negligence claims, the Complaint [pdf] alleges that Amazon is liable under the Fair Credit Reporting Act (“FCRA”) [pdf]. Whether Amazon is a Consumer Reporting Agency within the meaning of the FCRA is itself an interesting issue, but outside the scope of this post. The real thorny issue will likely be damages.
As we posted here previously, the information exposed in the breach was limited to:
- names
- addresses
- telephone numbers
- email addresses
- passwords (cryptographically scrambled)
- the last 4 digits of credit card numbers
Significantly, the incident did not expose customers’ social security numbers, nor did it expose complete credit card information. Yet the complaint alleges damages as a result of future “phishing” attacks directed at the customers, as well as anxiety, emotional distress and loss of privacy. Plaintiff also seeks compensation for the costs of identity theft insurance and credit monitoring (apparently to soothe the anxious and distressed customers).
In other words, the allegations are primarily based on “fear of identity theft”, not actual damages. Aside from the recent 1st Circuit decision in Hannaford, courts have generally rejected such fear of identity theft claims, and require a showing of some actual harm by the individuals affected by the breach. In this instance, unlike Hannaford, which exposed complete credit card numbers, there seems little likelihood of directly connecting any fraud to this incident, in light of the limited customer data that was exposed.
So did Zappos even have to notify its customers that it was hacked? Arguably the risk of harm to the customers is low and most state data breach notification laws are not even triggered without the exposure of SSNs or complete credit card numbers. Obviously Zappos erred on the side of notification for customer and/or public relations reasons, and it would be hard to argue against notifying under the circumstances.
Nonetheless, the Zappos breach demonstrates the conundrum and headaches these sorts of incidents can cause for businesses. Choose to bury the incident, and you may have to justify your decision to regulators and attorneys general, should the word get out. Or err on the side of notifying and expose yourself to class action lawsuits. Either way, businesses can expect to incur significant costs in the wake of a breach.
ZAPPOS HIT BY MASSIVE DATA BREACH
Zappos, an Amazon-owned online shoe and apparel outlet retailer, announced today that hackers accessed the personal information of potentially 24 million of its customers. The personal information included names, addresses, phone numbers and email addresses. Scrambled passwords and the last four digits of customers’ credit cards were also exposed. Zappos stated that the hackers gained access through servers in Kentucky but that critical credit card information was not located in these servers.
However, Zappos is attempting to contact millions of customers by email to advise them of the breach. The number of customers affected is so high that Zappos shut down its customer service phone lines for fear that they would be overwhelmed. http://www.eweek.com/c/a/Security/Zappos-Latest-Company-Hit-by-Data-Breach-581979/.
Since passwords were allegedly stolen, Zappos is advising all customers to change not only their Zappos password but any similar passwords used for different websites.
This incident once again highlights the serious threat to all businesses by hackers and how data breaches can overwhelm a business in the early stages of a response. The notification process to all affected customers will be significant, likely including all 50 states and additional countries. Zappos will also have to deal with investigations by potentially numerous state Attorneys General. Hopefully, Zappos has a good data breach response policy in place that will help them overcome this serious data breach in the coming days and months. All businesses should once again reevaluate their privacy and data protection policies at the beginning of each year to ensure they are ready to respond to an incident such as occurred at Zappos.
Health Care Data Breaches Significantly Increased in 2011
The Ponemon Institute just released its second annual benchmark study on patient privacy and data security. Not surprisingly, the study demonstrates that data breaches significantly increased in 2011. A number of key points can be found in the study’s findings.
One of the more interesting findings was the increased use of unsecured mobile devices in the health care industry. Since these devices generally contain Protected Health Information (PHI), the potential for even more data breaches occurring in 2012 is high, as the devices can easily be lost, stolen or otherwise accessed.
Other key findings in the research paper are as follows:
- Data breaches have increased 32% within healthcare organizations since 2010.
- 49% of the participants in the survey admit that their organization does nothing to protect their mobile devices from a data breach.
- More than half of the respondent organizations did not have sufficient policies that prevent and/or deter data breaches.
- The economic impact of a data breach has increased more than 10% from 2010. On average, a data breach has an economic impact of $2.2 million.
- More than 35% of the respondents indicated that data breaches were discovered through patient complaints rather than by the healthcare provider.
Finally, the study found that a large number of healthcare providers cite economic constraints as playing a major role in a provider’s failure to properly implement data breach prevention policies and procedures. With the economic struggles in the United States and Europe continuing, healthcare providers will likely continue to face significant obstacles when attempting to implement a proper data security program.
Clearly, these economic constraints will play a part in more health care related data breaches. A key question that the healthcare industry will have to address in the coming year is how to prevent data breaches when faced with these budgetary issues as well as PHI contained on more mobile devices.