Are Data Breach Investigations Privileged?
Originally Published on the InfoLaw Group Blog:
Over the past year, the number of data breaches has skyrocketed and, as a result, companies are facing increased risk of litigation for any perceived failure to protect their customer data. In the context of data breach litigation, organizations routinely withhold documents related to internal compliance investigations from production on the grounds of the attorney-client or work product privilege. A recent decision from a U.S. District Court in the District of Columbia calls into question the privileged status of those documents.
In U.S. ex rel Barko v Halliburton Co., a former contract administrator for Kellogg, Brown and Root (“KBR”) alleged that Halliburton and other KBR contractors inflated the costs of construction services on military bases in Iraq. In connection with a qui tam suit, the administrator Harry Barko sought documents relating to possible violations of the corporate code of conduct. KBR withheld documents related to internal compliance investigations on the grounds that they were privileged and Barko moved to compel production. After an in camera review, a District Court Judge for the District of Columbia held that the documents were not protected by the attorney-client or work product privilege, but the reasoning behind that decision may surprise you.
In concluding that the documents were not privileged, the court highlighted the involvement of non-attorneys in the investigation process, the timing of the investigation in relation to the litigation, and the representations made to those involved, specifically that those being interviewed were not told about the legal nature of the inquiry. However, the linchpin of the court’s logic was that the investigations were undertaken pursuant to regulatory law rather than for the purpose of obtaining legal advice. Here, the court cited Department of Defense regulations that require contractors to have internal controls for compliance, including a mechanism, such as a hotline, by which employees may report suspected instances of improper conduct. The court reasoned that an investigation would have been conducted regardless of whether legal advice was sought because compliance investigations were required by regulatory law and corporate policy.
In this regard, the court’s holding appears to be flawed because regulations are of course enforced by criminal investigations and civil actions, such as the one brought by the plaintiff. While the regulations may require an investigation, the goal is not to force companies to conduct investigations for the sake of investigations, but instead to detect and respond to violations of those regulations. Even without a mandate, a corporation must undertake an investigation before it can assess its potential liability and determine next steps. Granted, some aspects of regulatory compliance will not involve rendering legal advice, such as employee training. Nevertheless, Barko involved allegations of false claims and overbilling the federal government. It seems counter-intuitive that an investigation into such allegations would not be in anticipation of litigation or, at a minimum, for the purpose of rendering legal advice to the corporation on how to proceed.
The court also appears to have overreached when concluding that the investigation would have been conducted regardless of whether legal advice was sought. The idea, the court reasoned, was that the Department of Defense regulations require contractors to have internal control systems, such as KBR’s Code of Business Conduct, to facilitate the timely discovery and disclosure of improper conduct in connection with government contracts. However, simply being required to investigate potential violations does not supplant or override the ultimate purpose of the investigation, which is to determine whether there has been a violation of the law.
The facts in Barko are similar to those often encountered in the data breach context. Consider a typical data breach under the Health Insurance Portability and Accountability Act (“HIPAA”). As with Barko, the initial investigation may be handled by non-attorney personnel such as a member of the IT department, and may be guided by corporate policy and Department of Health and Human Services (“DHHS”) regulations. Additional similarities can be seen in the Department of Defense regulations cited in Barko which required contractors to 1) have a written code of business ethics, 2) implement internal controls for compliance, 3) conduct internal and/or external audits, 4) enact disciplinary action for improper conduct, 5) timely report to appropriate government offices, and 6) fully cooperate with any government agencies. Similarly, HIPAA requires covered entities to have 1) written policies and procedures regarding the protection of personal health information, 2) appropriate safeguards for protecting that information, 3) regular risk assessments, 4) sanctions against members who fail to comply with HIPAA rules, and 5) notification to the DHHS within 60 days for breaches, and imposes a duty on covered entities to provide records and cooperate with the DHHS in compliance reviews and investigations.
Read the rest here.
I recently authored an article for the Daily Journal on the new cybersecurity framework. You can read about it by visiting the Daily Journal.
We take for granted the effect technology has on our daily lives. This comic offers an interesting (and humorous) perspective on how society has changed.
source: Doghouse Diaries
The Massachusetts Supreme Judicial Court Holds that ZIP Codes Constitute “Personal Identification Information”
On March 11, 2013, in Melissa Tyler v. Michaels Stores, Inc., the Massachusetts Supreme Judicial Court ("SJC"), in responding to three certified questions from the United States District Court for the District of Massachusetts, held: (1) ZIP Codes constitute personal identification information ("PII"); (2) a person may bring an action under General Laws, chapter 93, section 105(a) absent identity fraud; and (3) the term "credit card transaction form" "refers equally to electronic and paper transaction forms." The questions arose out of a class action lawsuit against Michaels for allegedly requesting and recording its credit card customers' ZIP Codes in violation of Section 105(a). This decision has parallels to the California Supreme Court decision in Pineda v. Williams-Sonoma Stores, Inc. In Pineda, the California Supreme Court held that ZIP Codes were PII under California's Song-Beverly Credit Card Act, Civil Code section 1747.08.
Source: Cooley Alert
On Wednesday, CMS announced that it has delayed the enforcement date for the first two operating rules for HIPAA transaction standards, AHA News reports (AHA News, 1/3).
CMS said that its Jan. 1 compliance deadline for the operating rules remains intact, but it will not begin enforcing the rules until March 31 (Conn, Modern Healthcare, 1/4).
Read more: http://www.ihealthbeat.org/articles/2013/1/4/officials-delay-enforcement-of-two-hipaa-operating-rules.aspx#ixzz2HFYbhIRe
Covered Entities and HIPAA practitioners should be aware that the Office of Civil Rights (OCR) has issued guidance about methods and approaches to achieve de-identification in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The full text is available here:
Source: IAPP Full Story
The operator of fan Web sites for pop stars Justin Bieber, Selena Gomez, Rihanna and Demi Lovato agreed to pay a $1 million civil penalty to settle federal charges that the sites had illegally collected personal information about thousands of children, the Federal Trade Commission said Wednesday.
Artist Arena, a company that operates fan web sites for pop stars like Justin Bieber and Selena Gomez, agreed to settle federal charges that the sites had violated a children's privacy protection law.
In a complaint, the Federal Trade Commission alleged that Artist Arena, the operator of the sites, had violated a children’s online privacy rule by collecting personal details — like the names, e-mail addresses, street addresses and cellphone numbers — of about 101,000 children aged 12 or younger without their parents’ permission.
The law, called the Children’s Online Privacy Protection Act, or COPPA for short, requires operators of Web sites to notify parents and obtain verifiable parental consent before collecting, using or disclosing personal information about children younger than 13.
Source: New York Times
Watch out, Silicon Valley, there’s a new startup in town and it’s gunning for you. California Attorney General Kamala Harris announced Thursday she’s created a unit intended to actually enforce federal and state privacy laws.
“The Privacy Unit will police the privacy practices of individuals and organizations to hold accountable those who misuse technology to invade the privacy of others,” California’s top attorney said in a statement.
The announcement of the unit, comprised of six attorneys, comes just months after Harris inked a February agreement with Amazon, Apple, Google, Hewlett-Packard, Microsoft and Research in Motion to demand that mobile apps on their platforms contain privacy policies. Facebook signed on last month.
Source: Wired Threat Level
On June 7, 2012, at the annual Safeguarding Health Information: Building Assurance through HIPAA Security Conference hosted in Washington, D.C. by the Department of Health and Human Services Office for Civil Rights (“OCR”) and the National Institute of Standards and Technology (“NIST”), OCR Director Leon Rodriguez said that, given HIPAA’s 15-year history and the substantial technical assistance OCR and NIST have provided covered entities, tolerance for HIPAA non-compliance is “much, much lower” than it has been in the past.
In his remarks, Director Rodriguez indicated that the final omnibus rule modifying the HIPAA Privacy, Security and Enforcement Rules is “very close.” Director Rodriguez reiterated that the modifications will include extending HIPAA liability to business associates, but emphasized that business associates should not wait for the final rule to be enacted to focus on compliance. This is particularly true, according to Director Rodriguez, in light of the ability of state Attorneys General to enforce the Health Information Technology for Economic and Clinical Health Act (the “HITECH” Act), as evidenced by Minnesota Attorney General Lori Swanson’s recent lawsuit against Accretive Health, a business associate that suffered a security breach compromising patient data. Director Rodriguez stated that he would not be surprised if other state Attorneys General began enforcing the HITECH Act in the business associate context.