Historic Decision by the European Union’s Highest Court
The European Court of Justice ruled in favor of an individual’s right to have Google delete certain links about that individual. The decision was based in part on a finding by the court that Google is a data controller, which apparently is at odds with earlier EU rulings – ECJ’s Advocate General decided in 2013 that Google did not need to delete the links because it was not the “controller” of data and that information should only be deleted when the personal information is either incomplete or inaccurate.
Some commentators question the basis for the decision: “Given that the EU has spent two years debating this right as part of the reform of EU privacy legislation, it is ironic that the ECJ has found it already exists in such a striking manner,” Richard Cumbley of Linklaters told The New York Times.
And practitioners sound the alarm: Operationally, this will “put search engines in the extremely onerous position of having to take a view on how to comply with potentially millions of individual requests.” (See more details at IAPP Newsletter, The Privacy Advisor, https://www.privacyassociation.org/publications)
Google and others will argue that this amounts to censorship; from Levi Sumagaysay’s blog:
* * * *
Does the right to be forgotten — or the right to privacy — outweigh censorship concerns? “[The decision] is one of the most wide-sweeping Internet censorship rulings that I’ve ever seen,” Wikipedia founder Jimmy Wales told the BBC. Wales said he expects Google to fight back hard. “If they have to start coping with everybody who whines about a picture they posted last week, it’s going to be very difficult for Google.”
HHS issued a press release on May 7, 2014 announcing settlements with two healthcare organizations. Following submission of a joint breach report by New York and Presbyterian Hospital (NYP) and Columbia University (CU), the HHS Office of Civil Rights (“OCR”) investigated the disclosure of ePHI of 6,800 individuals, which included patient status, vital signs, medications, and laboratory results. NYP and CU are separate covered entities that participate in a joint arrangement in which CU faculty members serve as attending physicians at NYP. The investigation revealed that the breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines.
In addition to the disclosure of ePHI, OCR’s investigation found that neither NYP nor CU made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections; and neither entity had conducted a thorough risk analysis or had an adequate risk management plan.
NYP has paid $3.3 million and CU has paid $1.5 million, with both entities agreeing to a substantive corrective action plan.
Kentucky is now the 47th state to enact a data breach notification law.
Identity Theft/Fraud Trigger
The bill was signed into law by Governor Steve Beshear earlier this month and requires notification following an event “that actually causes, or leads the information holder to reasonably believe has caused or will cause, identity theft or fraud.” Kentucky’s law defines “personally identifiable information” as an individual’s first name or first initial and last name in combination with any one or more of the following data elements (when not redacted):
Account number, credit or debit number, in combination with any required security code, access code or password permit[ting] access to an individual’s financial account.
The statute specifies that any “information holder” shall disclose any breach of the security system, following discovery or notification of the breach in the security of the data, to any resident of Kentucky whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The statute states disclosure “shall be made in the most expedient time possible…consistent with the legitimate needs of law enforcement.” The notification provisions shall not apply to any person subject to the provisions of Gramm-Leach-Bliley, HIPAA or any state or local governmental agency.
In addition, the statute requires express parental permission for a cloud computing service provider to process student data for any purpose other than providing, improving, developing, or maintaining the integrity of the cloud computing services (or if done in connection with educational research, per federal statute).
The state auditor had promoted enacting such legislation and released a report stating:
“Although auditors didn’t identify any cyber security breaches, they did find instances of state agencies failing to take the necessary steps to protect confidential or sensitive information,” Auditor Edelen said. “This further illustrates the need for legislation to incentivize state and local government to better secure the data it holds on us, as well as require them to notify us when it’s lost or stolen.”
“The Kentucky Derby is a Grade I stakes race for three year-old Thoroughbred horses, held annually in Louisville, Kentucky, on the first Saturday in May. The race is one and a quarter miles at Churchill Downs. The race is known in the United States as “The Greatest Two Minutes in Sports™” for its approximate duration, and is also called “The Run for the Roses” for the blanket of roses draped over the winner. It is the first leg of the United States Triple Crown of Thoroughbred Racing and is followed by the Preakness Stakes and Belmont Stakes.”
Michaels Stores, Inc. is now reporting that two separate 8-month-long security breaches at its stores last year may have exposed as many as 3 million customer credit and debit cards. The company says there is no evidence that other customer personal information, such as name, address or debit card PIN, was at risk in connection with this issue. Reportedly, the security firms Michaels hired to investigate the “break-ins” initially found nothing, but the ultimate analysis confirmed the attacks, “using highly sophisticated malware that had not been encountered previously by either of the security firms.” In a press release dated April 17, 2014, the company states: “The Company has now identified and fully contained the incident, and the malware no longer presents a threat while shopping at Michaels or Aaron Brothers.” In January of this year, following the disclosures regarding Target and Neiman Marcus, Michaels Stores had reported that it was investigating a potential security breach involving customers’ credit card information.
The Target breach involved thieves planting malware on cash registers; the malware was designed to siphon card data when customers swiped their cards at the register. According to the information released by Michaels, it appears that the affected systems contained certain payment card information (card number and expiration date), but that there was no evidence that other customer personal information (name, address, debit card PIN) was at risk.
The Washington Post reports on the developments of PCORI – the Patient-Centered Outcomes Research Institute. This was part of the move to get better information, meaning usable data, out of the electronic health records initiative funded and spelled out in the Affordable Care Act. The anonymized or de-identified data is supposed to help clinicians draw meaningful conclusions from the vast wealth of information gathered by physicians, researchers, hospitals, insurers and the pharmaceutical industry. The PCORI network is also supposed to identify patients who could be invited to join clinical trials. The new national patient network will comprise eleven sub-networks, drawing on records from participating organizations. Of importance to the privacy watchdogs is that each participating organization retains all of the personally identifiable information and only the aggregated data is submitted for use in a research project.
In other news, the FTC overcame some question of its authority to police data breach incidents, in this case data specifically involving consumer payment card account numbers. In the FTC v. Wyndham Worldwide Corporation matter, Wyndham hotels challenged the FTC’s authority to bring suit for injunctive relief following three breach incidents. The FTC had alleged in its suit that Wyndham had failed to implement reasonable and appropriate security measures which exposed consumers’ personal information to unauthorized access, collection and use that “has caused and is likely to cause substantial consumer injury, including financial injury, to consumers and businesses.” The FTC had alleged that after discovering the first two breaches, Wyndham “failed to take appropriate steps in a reasonable time frame to prevent the further compromise of [its] network.” Accordingly, the FTC sought a permanent injunction against Wyndham, presumably then to enter into some kind of agreement to correct such practices. Wyndham argued that the FTC overstepped its authority and moved to dismiss the complaint, arguing that the FTC’s “unfairness authority” did not cover data security and arguing that the FTC needs to publish regulations before filing an unfairness claim in federal court. The US District Court for the District of New Jersey declined to “carve out a data-security exception to the FTC’s authority.” Wyndham had tried to get the Court to analogize this situation to the tobacco industry cases (where the FDA had denied authority over tobacco). Instead, the District Court noted the FTC had never disavowed its authority over unfair practices related to data security.
There are other issues to be resolved in the sphere of enforcement and oversight of similar data breaches. The injunction route can be fraught with technical issues and questions regarding how best to tailor oversight of an entity’s practices and promises. However, for now, the FTC has asserted its authority in an important way, and some commentators believe this will embolden the FTC to bring additional enforcement actions. More than likely, the FTC will scrutinize those incidents that involve significant security lapses and/or some significant financial impact on consumers.
See FTC v. Wyndham Worldwide, Case 2:13-cv-01887-ES-JAD, Filed 04/07/14
A whitepaper released by SANS Analyst Program (sponsored by Norse) predicts an increase in risks to healthcare systems and data given “more open exchanges of health care information between patients, insurers, doctors and pharmacists.” The report subtitled “Widespread Compromises Detected, Compliance Nightmare on Horizon,” describes results from another SANS report, “Biggest Culprits: Internet of Things and Security Devices,” which concluded that since the healthcare and pharmaceutical sectors will employ more devices, the threats are greater.
Specifically, the SANS analysis showed that the healthcare system’s critical information systems are poorly protected and often compromised. These issues affected radiology imaging software, video conferencing systems, digital video systems, call contact software, security systems and devices, including VPNs, firewalls and routers. The report’s author warns: “As compared to traditional IT systems, incidents involving Things, such as a hacked MRI machine, can carry physical consequences, as well as policy and financial impacts.”
Connected medical endpoints (examples: online health monitoring to radiology devices to video-oriented services);
Internet facing personal health data (example: web-based call center for medical supply entity);
Security systems and edge devices (example: enterprise network controllers).
The report details the findings of a study that reviewed the largest sources of malicious traffic.
Target’s CEO is being replaced, after a 35-year career with the company. News like that should get the attention of corporate boards looking at their overall risk profile and how meaningful a data breach is to the bottom line. Last week, Target announced a new Chief Information Officer and additional security enhancements, including the move with MasterCard to incorporate chip-and-PIN technology in its own branded credit card.
“For some reason, Minneapolis didn’t react to the sirens. Bloomberg Businessweek spoke to more than 10 former Target employees familiar with the company’s data security operation, as well as eight people with specific knowledge of the hack and its aftermath, including former employees, security researchers, and law enforcement officials. The story they tell is of an alert system, installed to protect the bond between retailer and customer, that worked beautifully. But then, Target stood by as 40 million credit card numbers—and 70 million addresses, phone numbers, and other pieces of personal information—gushed out of its mainframes.”
See post below with description of the Target breach and the aftermath.
Now, it is being reported in the press that employees were aware that an analyst at the retailer wanted to do a more thorough security review of its payment systems’ vulnerability to malware, but the request was brushed off. This was in response to governmental/industry warnings in 2013 about the emergence of new types of malicious computer code targeting payment terminals.
On February 13, 2014, a new trade group headed by former governor Tim Pawlenty was announced. The group is bringing together retail and financial services sectors. The group’s goals include “improving card security technology and promoting the exchange of information in order to help companies ward off cyber attacks.” The partnership was initiated by the Retail Industry Leaders Association and the Financial Services Roundtable. The American Bankers Association, the Consumer Bankers Association, Independent Community Bankers of America, The Clearing House and a number of merchant groups including the National Retail Federation are also participating.
In a blog post, Yahoo reports that attackers now own an undisclosed number of usernames and passwords to Yahoo Mail accounts. User names and passwords would be attractive based upon the premise that consumers use the same name-password combination across multiple platforms, including for financial accounts.
In the Sony Gaming Networks litigation, currently pending in the U.S. District Court for the Southern District of California, the trial court entered a decision on January 21, 2014 ruling on Sony’s Motion to Dismiss class action litigation, which arose out of the April 2011 breach of Sony’s PlayStation Network. Sony sought dismissal of plaintiffs’ First Amended Complaint on several grounds, including standing. Sony argued that plaintiffs did not have standing to pursue non-Ohio state law claims on behalf of non-Ohio residents (the consolidated action includes Named Plaintiffs from Massachusetts, New Hampshire, Florida, California, Missouri, Michigan, Texas, Ohio and New York – fifty-one claims in the consolidated action, including negligence, negligent misrepresentation, breach of express/implied warranty, violation of state consumer protection statutes, violation of the CA Database Breach Act, violation of FCRA and bad faith). The court dismissed without leave to amend the Ohio and FCRA claims. In addition, Sony sought to dismiss on the basis of Article III standing – that plaintiffs’ allegations failed to allege an “injury-in-fact” as a result of the intrusion. Essentially, Sony sought another ruling on the issue in light of the Supreme Court’s decision in Clapper v. Amnesty International. In Clapper, journalists and human rights activists alleged they were potential targets of the government under the Foreign Intelligence Surveillance Act (“FISA”) because their work requires them to communicate with international subjects. The Clapper plaintiffs argued that they would be targeted under the Act and that they already had undertaken costly and burdensome measures to protect the confidentiality of international sources. The Supreme Court found that the claimants failed to show that the “threatened injury” was “certainly impending.” The Supreme Court stated that a “speculative chain of possibilities … based on potential future surveillance” was not enough.
The Supreme Court also noted that if parties could base Article III standing on reasonably incurred costs to avoid the risk of future harm, this would water down the fundamental requirements of Article III.
Sony argued that the Clapper ruling resulted in a more “tightened ‘injury-in-fact’ analysis” than the standard relied upon by the trial court (under Krottner v. Starbucks). Judge Battaglia in the Sony Gaming decision refused to acknowledge a distinction between the analyses he previously made based on Krottner and the Supreme Court’s standards outlined in Clapper. Judge Battaglia stated that courts in the Ninth Circuit “have routinely denied motions to dismiss based on Article III standing where a plaintiff alleges that his personal information was collected and then wrongfully disclosed…” Judge Battaglia said that although Sony argued that plaintiffs’ allegations were insufficient because none of the named plaintiffs alleged that their personal information was actually accessed by a third party, nonetheless, plaintiffs “plausibly alleged a ‘credible threat’ of impending harm…”
So, this is another test of the injury-in-fact issue relating to the so-called fear of identity theft. The cases cited by Judge Battaglia addressed whether personal information was disclosed (Facebook), whether personal information was even exposed (LinkedIn) or whether personal information had been disseminated (Google). The distinctions in the cases regarding whether a plaintiff can allege some kind of injury, for now, appear to turn on whether a court finds that the plaintiff(s) have alleged sufficient facts to show some kind of collection and disclosure of personal information. As more and more data breach scenarios are tested in class litigation, we likely will see courts continue to refine this analysis.
Kaiser
In other breach news, the Attorney General for the State of California filed suit on January 24, 2014 against Kaiser Foundation Health Plan alleging violations of unfair business codes because of Kaiser’s alleged delay in disclosing a breach of its security systems. The AG alleges that on September 24, 2011, Kaiser learned that an external hard drive containing unencrypted personal information of former and current Kaiser employees had been purchased by a member of the public at a thrift store in Santa Cruz. Included in the data were employee names, SSNs, DOBs, addresses and personal information of some employee spouses and children (data going back to 2009). Kaiser secured the data and conducted an examination revealing over 30,000 SSNs and other sensitive information, which examination was completed by December 28, 2011. Kaiser continued the inventory, and the AG alleges that Kaiser had sufficient information to identify and notify at least some individuals between December 2011 and February 2012. Instead, the AG notes, Kaiser began mailing letters on or about March 19, 2012. The AG also alleges that Kaiser violated CA code by publicly posting or displaying SSNs of 20,000-plus residents. The AG seeks $2,500 for each violation.
Horizon
Yet another example of how the healthcare and health insurer industries will continue to remain a target given the wealth of member information they manage. As with the recent Target data breaches, predictably, legislators took the opportunity to investigate and interrogate company officials. See article at: http://www.nj.com/politics/index.ssf/2014/01/nj_senate_health_panel_grills_horizon_about_two_stolen_laptops.html