Thursday, February 12, 2009

Medical Identity Theft Part Two

In my last column I talked about medical facilities doing very well with regard to the HIPAA requirements to protect patients' sensitive personal information. The thrust of the article, however, was to emphasize the value and importance of staff awareness training on identity loss and theft. Below is a short piece that reinforces that point. Although Kaiser is a pioneer in using electronic medical records, and has sophisticated systems to govern how patients' information is used and protected, this relatively unsophisticated crime occurred right under their noses.
Unknown to Kaiser, someone stole the personal information of Kaiser employees! HIPAA doesn't address personnel files, only those of patients. Owing to a compliance mentality, the hospital group sought compliance with the law as a risk management tool but did not train the HR or payroll staff on how to protect the employees' files. The protection of personally identifiable information must be a holistic effort that includes both clients and employees, or it is only half a program. It must include awareness training or it will not be effective.

"Kaiser Permanente is notifying nearly 30,000 Northern California employees that a security breach may have led to the release of their personal information. Some employees have reported identity thefts resulting from the breach, Kaiser reported. A law enforcement agency seized a computer file with Kaiser data from a person who was subsequently arrested. The suspect was not a Kaiser employee. The file contained the type of information typically held by a human resources department, according to a written statement issued by Gay Westfall, senior vice president of human resources for Kaiser."

Tuesday, February 10, 2009

Medical Identity Theft

I just want to weigh in on this for a moment. There are reams of new data on medical identity theft, as the nation is just beginning to come to terms with it. Just a short couple of years ago it was hard to convince anyone that this kind of identity theft was a problem. National magazines published articles essentially denying the existence of medical identity theft as a plausible threat. Now we can see from new FTC research that there were approximately 480,000 medical identity theft victims in 2008. That is roughly 6% of the approximately 8 million identity theft victims for the year. The victims fall into two basic categories: those who report that new medical insurance accounts were opened in their name, and those who report that medical care was administered to unknown persons in their name.
That is a problem.

We do have legislation aimed at protecting your personal medical information. HIPAA (the Health Insurance Portability and Accountability Act, http://www.cms.hhs.gov/hipaaGenInfo/), passed in 1996, mandates significant changes in the legal and regulatory environments governing the provision of health benefits, the delivery and payment of health care services, and the security and confidentiality of individually identifiable, protected health information. HIPAA is sweeping in scope and also very complex.
I am happy to say that for the most part health organizations such as hospitals, medical groups, clinics, and others have done remarkably well in addressing the requirements. Corporations and businesses that have health plans, and so-called "cafeteria" style benefits plans, have also done the heavy lifting regarding compliance procedures to protect this type of data, as have medical insurance groups.

Why then is medical identity theft on the rise? There are two things that come to mind. As our economy slips further and more people find themselves in financial trouble, stealing and selling sensitive information with little or no chance of being caught looks pretty lucrative. We can expect that to keep increasing. Estimates are that all forms of identity theft combined are expected to increase by as much as 20 times within the next 12 to 18 months. That is part of what makes the second reason even more compelling.

Just as much information is lost through simple carelessness and a lack of understanding of the risks as through outright theft. What is also missing is the component that ties all of the privacy requirements addressed in HIPAA together with a general awareness of medical identity theft: identity theft training for the employees of these institutions who are charged with protecting health information. No compliance program can call itself complete and effective without training. A good understanding of the various forms of identity theft and how they affect all of us is a key aspect of reducing this criminal epidemic. It is imperative to empower the medical, payroll, records keeping, and human resources staff with a solid background in how to respond to identity theft threats and how to mitigate their own risk along with that of the patients and clients they serve. There is simply no substitute for training, and most importantly training in person, where there is discussion rather than simply a check-off list for compliance purposes. Discussion prompts interaction, which raises participation and deepens retention of the information. Catchy, huh? After all, we want to stop identity theft if we can, not simply comply with an abstract law.

"When we protect the information we hold on others we are protecting them, when others do it they are protecting us."

Monday, February 9, 2009

The States Step up to Fill the Gap

Lacking a federal statute requiring businesses to report data breaches to individuals at increased risk, different states have stepped in to enact their own laws. Pennsylvania State Senator Dominic Pileggi has introduced a bill that would require state agencies to provide public notice of data breaches involving personal information within one week of discovering the incident, the Daily Times reports. Similar legislation was filed in 2008 and passed the Senate, but was not considered by the state's House of Representatives. Pileggi introduced the original bill last year in response to three data breach incidents in 2007 in which nearly 400,000 files were compromised, including about 17,800 Social Security numbers. In a press release announcing the bill, Pileggi said, "The public was not notified of these thefts until two or three weeks after the fact, and that is not acceptable. Potentially affected residents deserve to be notified promptly so that they can take steps to protect themselves from identity theft."

Alongside the legislation recently enacted by Massachusetts lawmakers, this clearly indicates the need for strict reporting laws to inform the public in a timely way that they are at increased risk of data fraud and identity theft. Including Puerto Rico and the District of Columbia, there are currently 46 state data breach notification laws in effect.

Data Breaches Can Cost your Company Plenty

Until now, lawsuits seeking to recover significant damages based on the loss of sensitive personal information have not been especially successful for the plaintiffs. Two recent cases, however, show plaintiffs that there is a way to expose companies to claims for damages. The headlines are all too familiar. A well known consumer services company announces that millions of individual records containing names, Social Security numbers, account numbers and other sensitive information were left in a dumpster, saved to a stolen, unencrypted laptop, or stored on a misplaced flash drive. The press is terrible, the company's stock takes a temporary plunge, and sometimes the Federal Trade Commission enters into a consent decree in which the company promises it will never happen again. But when affected individuals or groups of consumers try to sue for damages, they seldom recover significant amounts. These cases have not often succeeded because the plaintiffs have been unable to prove actual pecuniary losses resulting from the security breach. Sure, if identity theft occurs the affected individuals can suffer significant emotional trauma, loss of time, etc. But courts have been reluctant to award damages for anxiety, fear, and other emotional harm that can result from a data breach, for the risk of future identity theft, or for actual identity theft when the plaintiff could not prove that the theft occurred as a direct result of a data breach at a particular source. Most companies facing claims based on data breaches have been able to settle cheaply by offering to provide credit monitoring services, which most consumers do not use, resulting in only minimal expenses for the company whose data were lost or stolen.
Two recent cases may make such circumstances much more dangerous. In Pinero v. Jackson Hewitt Tax Service, Inc., No. 08-3535 (E.D. La. Jan. 7, 2009), a U.S. federal court refused to dismiss a claim for damages by a consumer whose tax returns were found by a third party in an unsecured dumpster outside a tax preparer's office. No actual identity theft had occurred and the plaintiff had suffered no provable pecuniary loss, so the court dismissed the usual panoply of breach of contract, emotional distress, negligence, and invasion of privacy claims that often flow from such facts. But the court left standing Pinero's allegations that using false promises of data protection to lure customers into a consumer services contract was an unfair trade practice under the Louisiana "Little Federal Trade Commission" law. The court also recognized that a claim based on a common law "fraudulent inducement" theory could stand, if properly pled. This case is significant not just because it establishes a basis for an individual consumer to assert a real damages claim, but because it also opens the door to class action lawsuits based on such theories. Since some state unfair and deceptive practices laws provide for statutory treble damages, the doors are now open to substantial recoveries.

The second case, In re Department of Veterans Affairs Data Theft Litigation, No. 06-0506 (D.D.C. Jan. 27, 2009), involves the settlement of multiple consolidated class action lawsuits against the U.S. Department of Veterans Affairs. In 2006, an analyst for the agency took home a laptop with Social Security numbers and other sensitive data concerning 26 million veterans and 2.2 million active duty military personnel. The laptop was stolen from the analyst's home during a burglary. The laptop was recovered a short time later, and forensic analysts from the FBI determined that it probably had not been accessed. There have been no press reports with information tying any identity theft incidents to the breach. Nevertheless, lawyers brought a class action suit seeking damages for those who incurred out-of-pocket expenses. The suit settled in late January with an agreement that the VA would create a $20 million fund to pay the expenses of anyone directly affected by the breach, including credit-monitoring expenses and mental health costs for those who found themselves in extreme emotional distress as a result of the breach. The fund will also be used to pay $5.5 million in attorneys' fees and expenses. Any funds not used for these purposes will be paid to veterans' charities.

This case is noteworthy because of the size of the settlement and the VA's willingness to pay a large amount even though there would likely never be any actual damages resulting from the breach or any evidence to support a causal connection between any actual damages and the breach. The case is also noteworthy because the total amount of the settlement is not just available for payments, but is actually committed. That is, many sources of data breaches in the past have escaped significant expenses by offering credit monitoring services that were never accepted or paid for. Here, in contrast, the VA will pay the full $20 million to someone. What's the damage?
What both cases show is that class action plaintiffs are devising new ways to successfully assert larger damage claims against companies that suffer data privacy and security breaches. Companies should renew their efforts to deploy and implement effective data privacy and security protections.

Wednesday, February 4, 2009

What's Ahead for 2009?

I received a copy of a report this morning written by Kirk Nahra, a partner in the law firm Wiley Rein LLP. Mr. Nahra is internationally recognized as an expert in privacy issues, particularly in health care compliance. He is the co-chair of the Confidentiality, Privacy and Security Workgroup, a panel of government and private sector privacy and security experts advising the American Health Information Community (AHIC), and Chair of the International Association of Privacy Professionals (IAPP).

In his report he outlines the trends he sees as our new administration digs in on privacy, data protection and identity theft policy. Rather than paraphrase, below are excerpts from the report.

"In the Obama Administration, enforcement of privacy laws is likely to be a significant priority. Additional enforcement resources for the FTC were a component of the Obama platform. There is a virtual guarantee that the new Administration will take a more aggressive approach on enforcement of the HIPAA rules."

"The 'Red Flags' rule is far and away the most broadly applicable and challenging additional regulation on the horizon. ...the FTC has taken a surprisingly broad view of its own rule such that any company - in any industry - that provides services in advance of payment may face obligations under this rule."

"Companies in virtually all industries face the possibility of being identified as creditors subject to the Red Flags rule."

"In addition, we are seeing increased focus on a newer form of identity theft - medical identity theft. Companies need to continue an aggressive fight against identity theft and should broaden their scope of review to include not only credit related risks but other forms of identity theft as well."

"One of the primary conclusions from recent identity theft cases is that many identity theft schemes result from improper activities by insiders."

"What can we expect on the litigation front? First, we will likely see an increased use of negligence theories to bring cases, relying on existing regulatory or industry standards. Watch for the breakout case, which could open the litigation floodgates."

I'll conclude with the following two statements, which together paint a very clear picture for every business.

"For many years, a reasonable and appropriate information security program has been a requirement for any company that maintains personal information - essentially, every company."
"Make sure your employees are trained well."

Businesses have until May 1st of this year to put into practice an identity theft prevention program and response plan that is appropriate for the company. This is really a wake-up call for any company. From a strictly company point of view, and disregarding the agony suffered by identity theft victims for a moment, no business can afford the very real costs of data breaches, which run into the tens of billions of dollars each year.

Tuesday, January 27, 2009

Mortgage Broker charged by the FTC

If there is any doubt as to whether the government prosecutes businesses that lose data due to a failure to provide information security, please take notice of this article from consumeraffairs.com:

January 22, 2009

The Federal Trade Commission has charged a mortgage broker with discarding consumers' tax returns, credit reports, and other sensitive personal and financial information in an unsecured dumpster, in violation of federal law.

According to the FTC, in December 2006, approximately 40 boxes containing consumer records were found in a publicly-accessible dumpster. The records included tax returns, mortgage applications, bank statements, photocopies of credit cards and drivers' licenses, and at least 230 credit reports.

The agency says that Gregory Navone of Las Vegas, who has owned numerous companies that handle sensitive consumer information, kept the documents in an insecure manner in his garage before improperly disposing of them.

As charged in the FTC's complaint, the defendant has failed to implement and monitor policies and procedures requiring secure disposal of credit reports; ensure that employees or third parties assigned to transport such documents for disposal are qualified to do so and have received appropriate guidance or training; alert employees or third parties to such documents' sensitive nature or instruct them to take precautions; and oversee the transport of such documents for disposal, or otherwise confirm that the documents are disposed of in a way that ensures that they cannot practicably be read or reconstructed.

The complaint also alleges that the defendant provided customers of two mortgage brokerage companies that he owned — First Interstate Mortgage Corporation and Nevada One Corporation — with a written statement claiming that the companies maintained "physical, electronic, and procedural safeguards that comply with federal standards to store and secure information about you from unauthorized access, alteration and destruction."

Navone is charged with violating the Fair Credit Reporting Act and the rule regarding Disposal of Consumer Report Information and Records by failing to take reasonable measures to protect consumer information derived from consumer reports against unauthorized access in connection with its disposal. He is also charged with violating the FTC Act by falsely representing that FIM and Nevada One implemented reasonable and appropriate measures to protect sensitive consumer information from unauthorized access, and that the companies contractually required service providers to safeguard customers' information and use it only to provide services for FIM and Nevada One.

Monday, January 26, 2009

Privacy Pro Picked for Obama Post

Christine Varney will be appointed head of the Justice Department's antitrust division, reports Bloomberg News. A leading privacy attorney and founder of the Online Privacy Alliance, Varney has headed the Internet practice group at international law firm Hogan & Hartson for the last decade. Before that, she served as a federal trade commissioner, where she led efforts to examine privacy issues in the Information Age. Her work at the FTC resulted in congressional and agency hearings, proposed industry standards and increased government enforcement of laws protecting privacy. Varney has served as personnel counsel on President Obama's transition team since November.