Are Data Breach Investigations Privileged?
Originally Published on the InfoLaw Group Blog:
Over the past year, the number of data breaches has skyrocketed and, as a result, companies face an increased risk of litigation for any perceived failure to protect their customer data. In the context of data breach litigation, organizations have routinely withheld from production documents related to internal compliance investigations on the grounds of the attorney-client or work product privilege. A recent decision from a U.S. District Court in the District of Columbia calls into question the privileged status of those documents.
In U.S. ex rel Barko v Halliburton Co., a former contract administrator for Kellogg, Brown and Root (“KBR”) alleged that Halliburton and other KBR contractors inflated the costs of construction services on military bases in Iraq. In connection with a qui tam suit, the administrator Harry Barko sought documents relating to possible violations of the corporate code of conduct. KBR withheld documents related to internal compliance investigations on the grounds that they were privileged and Barko moved to compel production. After an in camera review, a District Court Judge for the District of Columbia held that the documents were not protected by the attorney-client or work product privilege, but the reasoning behind that decision may surprise you.
In concluding that the documents were not privileged, the court highlighted the involvement of non-attorneys in the investigation process, the timing of the investigation in relation to the litigation, and the representations made to those involved, specifically that those being interviewed were not told about the legal nature of the inquiry. However, the linchpin of the court’s logic was that the investigations were undertaken pursuant to regulatory law rather than for the purpose of obtaining legal advice. Here, the court cited Department of Defense regulations that require contractors to have internal controls for compliance, including a mechanism, such as a hotline, by which employees may report suspected instances of improper conduct. The court reasoned that an investigation would have been conducted regardless of whether legal advice was sought because compliance investigations were required by regulatory law and corporate policy.
In this regard, the court’s holding appears to be flawed because regulations are of course enforced by criminal investigations and civil actions, such as the one brought by the plaintiff. While the regulations may require an investigation, the goal is not to force companies to conduct investigations for the sake of investigations, but instead to detect and respond to violations of those regulations. Even without a mandate, a corporation must undertake an investigation before it can assess its potential liability and determine next steps. Granted, some aspects of regulatory compliance will not involve rendering legal advice, such as employee training. Nevertheless, Barko involved allegations of false claims and overbilling the federal government. It seems counter-intuitive that an investigation into such allegations would not be in anticipation of litigation or, at a minimum, for the purpose of rendering legal advice to the corporation on how to proceed.
The court also appears to have overreached when concluding that the investigation would have been conducted regardless of whether legal advice was sought. The idea, the court reasoned, was that the Department of Defense regulations require contractors to have internal control systems, such as KBR’s Code of Business Conduct, to facilitate the timely discovery and disclosure of improper conduct in connection with government contracts. However, simply being required to investigate potential violations does not supplant nor override the ultimate purpose of the investigation, which is to determine whether there has been a violation of the law.
The facts in Barko are similar to those often encountered in the data breach context. Consider a typical data breach under the Health Insurance Portability and Accountability Act (“HIPAA”). As with Barko, the initial investigation may be handled by non-attorney personnel such as a member of the IT department, and may be guided by corporate policy and Department of Health and Human Services (“DHHS”) regulations. Additional similarities can be seen in the Department of Defense regulations cited in Barko which required contractors to 1) have a written code of business ethics, 2) implement internal controls for compliance, 3) conduct internal and/or external audits, 4) enact disciplinary action for improper conduct, 5) timely report to appropriate government offices, and 6) fully cooperate with any government agencies. Similarly, HIPAA requires covered entities to have 1) written policies and procedures regarding the protection of personal health information, 2) appropriate safeguards for protecting that information, 3) regular risk assessments, 4) sanctions against members who fail to comply with HIPAA rules, and 5) notification to the DHHS within 60 days for breaches, and imposes a duty on covered entities to provide records and cooperate with the DHHS in compliance reviews and investigations.
FTC Seeks Public Comment on iKeepSafe’s Proposed Safe Harbor Program Under the Children’s Online Privacy Protection Rule
Internet Keep Safe Coalition (iKeep Safe) has submitted a proposed safe harbor program to the Federal Trade Commission under the agency’s Children’s Online Privacy Protection Rule. Under 16 C.F.R. 312.11, COPPA safe harbor applications must contain:
- A detailed explanation of the applicant’s business model and the technological capabilities and mechanisms it will use to assess member operators’ information collection practices;
- A copy of the full text of the safe harbor program’s guidelines and any accompanying commentary;
- A comparison of each program guideline with each corresponding Rule provision and a statement of how each guideline meets the Rule’s requirements; and
- A statement of how the assessment mechanisms and disciplinary consequences provide effective COPPA enforcement.
The amended Rule sets forth the key criteria the FTC will consider in reviewing a safe harbor application:
- Whether the applicant’s program includes guidelines that provide substantially the same or greater protection than the standards set forth in the COPPA Rule;
- Whether the program includes an effective, mandatory mechanism to independently assess member operators’ compliance with the program’s guidelines, which at a minimum must include a comprehensive annual review by the safe harbor program of each member operator;
- Whether the program includes effective disciplinary actions for member operators who do not comply with the safe harbor program guidelines.
Last month, the FTC approved the kidSAFE Seal Program’s kidSAFE+ seal as a safe harbor program.
I recently authored an article for the Daily Journal on the new cybersecurity framework. You can read about it by visiting the Daily Journal.
Retail giant Target recently suffered a massive security breach during the busiest shopping season of the year. The breach involved the credit and debit card information of an estimated 40 million customers who shopped at one of Target’s retail stores between November 27th and December 15, 2013. So far, Target has not disclosed the precise details of how the breach occurred. While Target continues to work to repair the damage, it is interesting to see how other companies are reacting to one of the largest data breaches in history.
Target publicly disclosed the security breach on December 19th. Two days later, JPMorgan alerted 2 million of its debit card holders that it was lowering the daily limit on ATM withdrawals to $100 and that purchases would be capped at $300 per day. This decision could not have been an easy one for JPMorgan, especially when you consider that the limits were imposed the weekend before Christmas. Moreover, a $300 per day spending limit is woefully insufficient if anyone on your Christmas list was hoping for the new Xbox gaming console or the latest iPhone, both of which can easily exceed $500. Although undoubtedly an inconvenience for its customers, this move makes sense. In the case of credit card fraud, the payment processor usually reverses the charges, refunding the customer and leaving the merchant to bear the cost. However, with ATM or debit card purchases, the bank is normally responsible for covering the loss. JPMorgan’s decision to impose spending limits is an interesting and unique strategy for limiting the fraud and reducing its own potential liability.
So far, JPMorgan is the only major bank to impose spending limits on debit cards potentially affected by the breach. Citibank took a different approach, announcing that it would impose limits or block transactions if it noticed any suspicious activity. Other banks are struggling with the decision of whether or not to simply cancel and reissue cards to customers. However, at a cost of around $3 to $5 per card, reissuing cards can be an expensive and time-consuming process, especially when the banks do not know for certain which cards have actually been compromised.
Frustrated by the lack of communication from Target surrounding the breach, at least one bank decided to take matters into its own hands. As reported by security expert Brian Krebs, a New England bank was able to “buy back” stolen credit cards from a black market card shop. Hackers use black market card shops to sell stolen credit card information. By purchasing the cards online, the bank was able to confirm that the recent Target security breach did not include the three-digit security code printed on the backs of cards, known as the CVV, CSC, or CVD number. This is an important fact because most online merchants require that number. In addition, the bank confirmed that nearly all of the stolen credit card numbers had been used by customers to make purchases at Target stores around the country between November 27 and December 15. This may not seem like an important fact, especially when Target’s press release indicated as much, but hacking victims are often unable to confirm exactly which cards were compromised because published estimates usually encompass all of the cards that were potentially exposed. Moreover, if the stolen data was password protected or encrypted, there is a chance that the information may not be compromised, at least until the thieves break through those protections. By confirming that the credit card numbers were available on the black market, the bank was able to make a more informed decision about whether to reissue the cards.
Another interesting facet of the Target breach is the number of third-party companies that are proactively notifying customers. State and federal breach notification statutes require Target to notify those affected by the breach. But that has not stopped PayPal from sending an email to its users, nor prevented personal finance website Mint.com from notifying its users, albeit in an unusual way. If you are not familiar with Mint.com, it is a website that allows individuals to upload banking and credit card information, generally used for managing finances. Using that information, Mint.com identified individuals who used a credit or debit card at Target in the last 30 days and proactively notified them of Target’s security breach, encouraging them to be on the lookout for potential fraud. To my knowledge, this is the first time a third party has used customer data to notify individuals of a potential breach. It would be interesting to see if Mint.com continues this practice with future breaches.
Target is not the first nor the last company to suffer a security breach. As recent history has shown, breaches will continue to occur as hackers become more sophisticated. In the perpetual cat-and-mouse fight against security breaches, it is refreshing to see new and different approaches to responding to potential credit card fraud. Only time will tell whether these efforts will have any meaningful impact.
New Study Finds that Two Thirds of U.S. Adults Would Not Return to a Business Where Their Personal Information was Stolen.
From hackers to stolen laptops, security breaches have been on the rise. While most businesses are aware of the dangers associated with potential security breaches, few truly understand the full ramifications. Calculating the time and money spent on investigations and notifications is fairly straightforward, but measuring the damage to a company’s reputation or customer confidence is more complicated. A recent survey sponsored by Cintas is helping to shed some light on this issue. An online survey of 2,061 U.S. adults ages 18 and older was conducted by Harris Interactive in August of this year, and the results are surprising. Nearly two thirds of the participants indicated that they would not return to a business where their personal information was stolen. For specific types of businesses:
– 55 percent would change banks
– 46 percent would switch insurance companies
– 42 percent would go to a different drug store/pharmacy
– 40 percent would get a new doctor or dentist
– 39 percent would get a new lawyer
– 38 percent would donate to a different charity/non-profit organization
– 35 percent would not return to their hospital
– 24 percent would no longer donate to their alma mater or another educational institution they attended.
It should be noted that the discrepancy between the two-thirds rate and the industry-specific rates suggests that, while consumers are concerned about security breaches as a whole, a certain amount of customer loyalty maintains the relationship. As expected, that loyalty is strongest with educational institutions and charities and weakest with banks and insurance companies. Nevertheless, the survey results indicate that loyalty will only get you so far and that businesses should be proactive in safeguarding confidential information.
For additional details, including a break-down of the survey variables, please contact Christina Alvarez at email@example.com.
Law360, New York (September 26, 2013, 5:53 PM ET) --
The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) is stepping up its enforcement efforts and cracking down on entities that violate the Health Insurance Portability and Accountability Act of 1996. Earlier this year, Idaho State University was fined $400,000 for the breach of unsecured protected health information (PHI) regarding 17,500 individuals who were patients at a university clinic.
In July, managed care company WellPoint Inc. agreed to pay the HHS $1.7 million to settle potential violations of the HIPAA privacy and security rules. The most recent settlement involves Affinity Health Plan Inc., a not-for-profit managed care plan serving the New York metropolitan area. Affinity agreed to pay over $1.2 million as part of the settlement with the OCR for a security breach involving leased copiers, even though it was not clear that any PHI was actually misused or retained as a result of the breach.
Affinity notified the OCR of a potential breach on April 15, 2010, after discovering that copiers it had leased and then returned still contained electronic PHI (ePHI). Often overlooked, advanced copiers, such as those used by Affinity, can contain hard drives where digital images of the documents being copied are stored before they are printed. Depending on the size of the hard drives and the volume of documents being scanned, these hard drives can store thousands of images. Unless the hard drive is wiped, the images remain on the copier until the drive is full, and new data overwrites the old.
At the end of Affinity’s lease, the copiers were returned and then leased again to a different company. At least one recipient of the leased equipment — CBS Evening News — discovered ePHI on the copiers. CBS Evening News reported this to Affinity, who in turn reported the incident to the OCR.
Presumably, CBS Evening News recognized the sensitive nature of the information and did not retain or further disclose the information. However, the risk of compromise was relatively high — Affinity had returned multiple photocopiers to its leasing agents that together contained information on as many as 344,579 individuals.
After an investigation, the OCR concluded that Affinity impermissibly disclosed the ePHI of these individuals when it returned the photocopiers to the leasing agents without erasing data contained on the copier hard drives. However, this finding alone does not explain the high settlement amount.
What does explain the substantial penalty is a circumstance that regularly appears in reports of high-dollar settlements under HIPAA: Affinity did not base its policies and procedures on a thorough risk assessment, as required by the security rule, and therefore, Affinity failed to implement policies and procedures for safeguarding ePHI when returning the photocopiers to its leasing agents.
Affinity should have accounted and planned for the storage of ePHI on photocopier hard drives in its analysis of risks and vulnerabilities. OCR Director Leon Rodriguez noted, “HIPAA covered entities are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have appropriate safeguards in place to protect this information.”
In addition to the settlement payment, the OCR instituted a corrective action plan (CAP) requiring Affinity to use its “best efforts” to retrieve all of the hard drives that were contained on the copiers in the possession of the leasing agent and safeguard all ePHI contained therein from impermissible disclosure.
If Affinity is unable to obtain the hard drives, Affinity must document its best efforts to do so and provide the OCR with the reason(s) Affinity was unsuccessful. Affinity must also now meet its obligation under the security rule to conduct a comprehensive risk analysis of the risks and vulnerabilities associated with its possession of ePHI and develop a plan to mitigate such risks and vulnerabilities. However, under the CAP, Affinity’s plan will be subject to the OCR’s review and approval.
It is hard to deny the similarities between the Affinity settlement and other major settlements with the OCR in the recent past. It is not, as some might believe, because each involve an unauthorized disclosure of PHI. That is certainly true, but breaches happen all the time.
Instead, the common thread is that the OCR has imposed penalties because policies did not exist, risk assessments were not performed, or policies were not followed. Accordingly, this settlement provides several important instructions for companies that handle ePHI.
First and foremost, include in your risk assessments all equipment and locations where PHI may be stored. All electronic devices with memory have the potential to store PHI, including most printers, copiers, scanners and fax machines. A major goal of conducting risk assessments is to identify new and potential threats to PHI.
When copiers and fax machines were first introduced into the business environment, memory was expensive, and most devices used just enough to print one document at a time. However, as technology advanced, and the price of memory dropped, hard drives in copiers became more and more common.
If your last risk assessment was performed in the '90s, you might have missed this particular vulnerability. That is why it is important to conduct regular risk assessments, preferably with security professionals who are knowledgeable on a wide range of security topics and technology.
Second, address processes in your written policies and procedures for appropriately deleting or safeguarding such ePHI based on your risk assessment. If the device stores data, then pursuant to HHS guidance, it should be wiped before being sold or discarded. The process may be as simple as running a wiping utility on the device itself, or it may require a computer technician to pull the hard drive out of the machine manually.
Third, make sure you implement policies and procedures that govern the receipt and removal of hardware and electronic media on all electronic devices that contain ePHI. Most covered entities have already realized the importance of wiping desktop computers and laptops, but as this settlement should help demonstrate, printers and copiers are just as important.
Finally, organizations may also be best served by encrypting any ePHI that can be impermissibly accessed on electronic devices. While the HIPAA breach notification rule requires the notification of a breach of PHI, it is important to note that this requirement applies only to the breach of “unsecured” PHI.
Pursuant to HHS guidance, encryption is one way to ensure that any breach of ePHI would remain secure and, therefore, not be subject to notification requirements.
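The wiping step above is only complete once the erased drive is read back and checked. The following is an added example, not code from the article or from HHS or NIST: a Python scan of a drive image (or block device) that passes only if every block is a zero or single-byte overwrite pattern and no document or image header remains. The signature list and the script name `verify_wipe.py` are constructed for this example.

```python
"""Check a wiped copier/printer drive image for residual data (added example).

After erasing a drive, read it back: each chunk must be a zero or single-byte
overwrite pattern, and no document/image header may survive anywhere on it.
"""
import io
import sys
from typing import BinaryIO, Dict, List, Tuple

CHUNK = 1 << 20  # read 1 MiB at a time so large drive images stream

# File headers a copier or scanner typically leaves on its drive. Constructed
# for this example; a hit means a scanned document or image survived the wipe.
SIGNATURES: Dict[str, bytes] = {
    "JPEG": b"\xff\xd8\xff",
    "PDF": b"%PDF-",
    "TIFF-LE": b"II*\x00",
    "TIFF-BE": b"MM\x00*",
    "PNG": b"\x89PNG\r\n\x1a\n",
}
OVERLAP = max(len(m) for m in SIGNATURES.values()) - 1


def classify_chunk(chunk: bytes) -> str:
    """Return 'zero', 'pattern' (one repeated byte, e.g. 0xFF) or 'data'."""
    if not chunk.strip(b"\x00"):
        return "zero"
    if chunk == chunk[:1] * len(chunk):
        return "pattern"
    return "data"


def find_signatures(window: bytes, base: int, min_end: int = 0) -> List[Tuple[str, int]]:
    """Locate known headers in window, reporting absolute offsets. Hits ending at
    or before min_end sit entirely in the previous chunk's tail and were reported."""
    hits = []
    for name, magic in SIGNATURES.items():
        pos = window.find(magic)
        while pos != -1:
            if pos + len(magic) > min_end:
                hits.append((name, base + pos))
            pos = window.find(magic, pos + 1)
    return hits


def verify_sanitized(stream: BinaryIO, chunk_size: int = CHUNK) -> Dict:
    """Scan a stream; the drive passes only if no chunk holds free-form data
    and no file signature appears, including ones straddling two reads."""
    report = {"bytes": 0, "zero": 0, "pattern": 0, "data": 0, "signatures": []}
    offset, tail = 0, b""
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        report[classify_chunk(chunk)] += 1
        window = tail + chunk  # carry a few bytes so split headers are still seen
        report["signatures"].extend(find_signatures(window, offset - len(tail), len(tail)))
        report["bytes"] += len(chunk)
        offset += len(chunk)
        tail = chunk[-OVERLAP:]
    report["sanitized"] = report["data"] == 0 and not report["signatures"]
    return report


def verify_bytes(data: bytes, chunk_size: int = CHUNK) -> Dict:
    """Convenience wrapper for in-memory images (used by tests)."""
    return verify_sanitized(io.BytesIO(data), chunk_size)


if __name__ == "__main__":
    # Usage: python verify_wipe.py /path/to/drive.img  (or a block device, as root)
    with open(sys.argv[1], "rb") as fh:
        result = verify_sanitized(fh)
    print("SANITIZED" if result["sanitized"] else "RESIDUAL DATA FOUND", result)
```

A random-data overwrite will be reported as "data" by this check, so verify such wipes by comparing against the pattern you wrote rather than with this script.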
Don’t wait until the last minute to tackle these issues. In addition to reviewing your written policies and conducting a risk assessment, your business associate agreements may need to be modified, along with your notice of privacy practices if you are a covered entity.
If you are a business associate under HIPAA, for example, a lawyer who receives or creates PHI in representing covered entities, you should become informed about your newly enhanced obligations and risks under the final rule.
If you are interested in learning more about the Affinity breach, the HHS resolution agreement and corrective action plan can be found on the OCR website here. For more information on safeguarding sensitive data stored in the hard drives of digital copiers, see this page. The National Institute of Standards and Technology has also issued guidance on media sanitization, available here.
--By Marcia L. Augsburger, M. Scott Koller and Tiffani V. Williams, DLA Piper
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
HEALTH PLAN PAYS FOR FAILING TO ERASE DATA ON LEASED EQUIPMENT: TWO TAKEAWAYS FOR COMPANIES HANDLING ELECTRONIC PHI
The Office for Civil Rights (OCR) has announced a settlement between the US Department of Health and Human Services and Affinity Health Plan, Inc. to address potential violations of the Health Insurance Portability and Accountability Act of 1996.
Affinity, a not-for-profit managed care plan serving the New York metropolitan area, paid more than US$1.2 million as part of the settlement, even though it was not clear that any protected health information (PHI) was actually misused or retained as a result of the breach.
In addition to the settlement payment, Affinity will be required to comply with a corrective action plan instituted by OCR.
Check out this website which visualizes the world's biggest data breaches.
The Department of Health and Human Services Office for Civil Rights has announced that WellPoint, Inc. has agreed to pay $1.7 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
If you are a covered entity or business associate under HIPAA, this settlement underscores the importance of examining all aspects of your privacy and security compliance programs before a breach occurs. If you don’t, OCR will.