The Anthem Breach – A Retrospective (Part II)

We published Part I of our “Anthem Breach Retrospective” in January 2017.  Coincidentally, at around the same time several plaintiffs in one of the earliest filed cases arising out of the Anthem data breach voluntarily asked a judge in the Northern District of California to dismiss their lawsuits. The requests for dismissal came after Judge Cousins ordered select plaintiffs to comply with a discovery request by Anthem, requiring them to submit their computers to an independent forensic examiner to determine whether malware caused data or credentials to be stolen from the plaintiffs’ computers even before the breach of Anthem’s systems. In other words, Anthem wanted to know whether someone else caused the plaintiffs’ alleged injuries.

Legally, it isn’t surprising that Anthem should be entitled to this kind of information through discovery because it pertains to the issue of causation. Anthem wanted to know if the plaintiffs’ personal information was compromised under circumstances having nothing to do with Anthem, months before the Anthem breach. In discovery, it was fair game for Anthem to seek to compel these plaintiffs to comply with its request – even if it requires the disclosure of confidential information. But, it appears that at least one of these plaintiffs dropped out of the suit because he did not wish to disclose possibly confidential information in a lawsuit where he is suing because of alleged negligence with respect to confidential information.


ISO’s Privacy Standard for Cloud Service Providers

In July 2014, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) issued a new security standard – ISO 27018 – which attempts to outline best practices for public cloud service providers on how to better protect personally identifiable information.  Although the standard expressly only applies to public cloud providers, it’s instructive to any cloud provider –public or private.

Like all ISO standards, compliance with ISO 27018 is voluntary, and certification under the standard is not required by any law. However, over time, more and more cloud service contracts are requiring compliance with or certification to this standard. Adhering to the ISO 27018 standard can help build a foundation of trust between a cloud provider and its customers. During the contract negotiation stage, the standard can serve as a very beneficial framework for providing assurances that most customers can understand and rely on. Customers moving to the cloud are giving up control of their sensitive data and relying on the cloud provider to maintain adequate safeguards to protect it. New cloud adopters may be nervous, and the cloud provider will likely need to provide assurances and manage their customer’s qualms in order to get the customer under contract.


Key HIPAA Settlement Agreements by HHS’s Office for Civil Rights in 2015 & 2016

The last time this blog presented an overview of key HIPAA settlement agreements at the Office for Civil Rights in the U.S. Department of Health and Human Services was a review of 2014.  The number of complaints that year had spiked up compared to 2013: around a 25% increase.  This post will examine key cases from 2015 and 2016.  While the number of complaints in 2015 was relatively steady with 2014, it appears, based on preliminary numbers, that 2016 was the busiest year ever for the Office.

HHS has data through November 2016 currently posted on its website, but no data for December 2016.  There it notes that, from April 14, 2003 through November 2016, it has received 144,662 complaints.  Elsewhere, the agency has the number of complaints received by year, from 2003 through 2015: 125,641.  Thus, even without the data for December 2016, it appears that in 2016 the Office received 19,021 complaints.  The previous highest year, 2014, saw 18,015 complaints.

Here’s a brief summary of some key agreements from 2015 and 2016:

Cancer Care Group, P.C. is 13-doctor radiation oncology practice in Indiana.  In September 2015, Cancer Care agreed to a $750,000 settlement with OCR.  This grew out of, initially, the discovery that a laptop was stolen from a Cancer Care employee’s car.  The laptop contained unencrypted names, dates of birth, SSNs, insurance information, and clinical information on around 55,000 current and former Cancer Care patients.  A subsequent investigation revealed that Cancer Care “was in widespread non-compliance with the HIPAA Security Rule.”  Proper encryption must be a part of an organization’s approach to data management.


The Anthem Breach – A Retrospective

Anthem #2

Many people and news outlets have opined, weighed in, and informed the public about the 2015 Anthem breach. It remains a hot topic in January 2017, because it currently lines up with other hot stories about hacking ordered by foreign governments.  But even before the Anthem breach was linked to one of the biggest issues of the 2016 election cycle, it was an important data incident, for several reasons.

  1. Why was the Anthem breach important at that time?

The Anthem breach was notable because it was the first major data breach that potentially involved protected health information. Media coverage about the breach in 2015 reported that personal information of affected individuals was apparently sitting on Anthem’s servers unencrypted.  Encryption of PHI at rest (i.e., data that is not moving) is a much more common data security practice in 2017, in part because of the lessons learned from the Anthem breach. Some laws now even require personal information to be encrypted when at rest.

Another novelty at the time was a tactic the hackers employed in the Anthem breach.  When Anthem learned of the breach, it quickly notified affected individuals by e-mail and through public announcements, saying it would send follow-up information about next steps. This speedy notification was lauded by many as a best practice.  But in the wake of Anthem’s public announcements, scammers sent fake e-mails to untold thousands of Anthem members and former members, which appeared to be from the company, as a ruse to scam impacted data subjects into providing additional sensitive personal information.  Again, this provided a valuable lesson for the future, to Anthem and other companies impacted by hacker-caused data breaches.


Legal Considerations for Website Privacy Policies

privacy-policyYou finally created your website.

  • Did you include eye-catching graphics? Check.
  • Did you include an attention-grabbing banner slogan?
  • Did you post all of your social media handles?
  • Did you include a privacy policy for the website? Maybe…

We get questions from clients about whether they are required to include a privacy policy and, if so, what should it say.  The answers may surprise you, but a privacy policy should definitely not be an afterthought for website owners.  It certainly isn’t a best practice to simply copy and paste the privacy policy of another’s company’s website.  The representations made in website privacy policies may subject website owners to legal risk, so thought and consideration is critical.

We generally convey one broad message when it comes to a published privacy policy – “Say what you do, and do what you say.”


Cloud-Computing Lessons using Software as a Service (SaaS)

Businessman drawing a CloudLong before anyone referred to “the cloud” as something related to the Internet, software companies began shifting away from expensive, customized, on-site software implementations to something we used to call Software as a Service (SaaS).  Now, “the cloud” is widely recognized as a place where Internet-based computing resources are shared, but SaaS is still out there.  In fact, it’s probably the most widespread type of “cloud” computing; you just don’t hear it called “SaaS” that much anymore.  But SaaS is, fundamentally, the same as it ever was – a type of Internet-based computing that provides shared computer device processing resources and data on demand. The SaaS software distribution model otherwise known as “on demand software” gives users access to application software and databases without having to manage and host those resources on their own.

In helping some clients who operate their business completely in the cloud, we’ve learned some things over time. The list below is not exhaustive, but four of the most important lessons are as follows:


Ninth Circuit Reaffirms Section 230 Protections

yelpInformation Counts.  That’s the title of this blog.  And it’s an indisputable fact.  Information is – and has been for at least 20 years – the currency of our economy, providing consumers, regulators and the general public information about business, practices and events.

A critical, and even indispensable, factor in the development of the information economy is Section 230 of the Communications Decency Act, which was part of the massive Telecommunications Reform Act of 1996.  That subsection provides that “[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”

It means, essentially, that an interactive website (think Angie’s List) is not liable for content that was created by others.  So, if there is a false and defamatory post on Angie’s List about a particular business, the business can sue the “speaker” (e.g., the person who authored the post), but generally cannot sue Angie’s List.  The impact of this law cannot be overstated.  If it did not exist, websites like Yelp, Angie’s List, Amazon and eBay, and hundreds others, might not exist because, rather than facing liability for the posts of their users, they would simply shut down.


Policing Internet Privacy: FCC’s New Frontier

fccUnwilling to be left behind by the likes of Google and Facebook, Internet Service Providers are increasingly exploring how they may capitalize on the high-value targeted advertising market.  In November 2016, AT&T explained that targeted advertising is a major contributor behind its bid to buy Time Warner Inc. for $85 billion.  AT&T is not alone.  In 2015, Comcast acquired an ad-targeting firm, Visible World, in what has been widely viewed as an effort to gain stronger footing in the industry.  Another major mobile carrier recently came under fire following its acquisition of a name-brand ISP for sharing information about users of its mobile phone network with the ISPs advertising network.

These and other ISP efforts to collect and capitalize on user data have not gone unnoticed.  On October 27, 2016, the Federal Communications Commission passed new rules that govern how ISPs may share customers’ information with third parties. According to the FCC “[t]he [R]ules do not prohibit ISPs from using or sharing their customers’ information – they simply require ISPs to put their customers into the driver’s seat when it comes to those decisions.”


You Just Used My Picture Without Permission?

Young couple on holidays taking selfieArtist Richard Prince’s exhibit entitled “New Portraits’’ was displayed at New York City’s Gagosian Gallery and Frieze New York during the summer of 2015.  This exhibit featured screenshots of other people’s Instagram photos.  These screenshots were not altered.  They were simply the pictures that Instagram users posted, with an addition of Prince’s comments in the comment section of the post. What is remarkable is that the individuals whose likenesses and photographs were used were unaware of the use.  Prince did not ask for permission or provide notice.  He just used the pictures.  Apparently, the art world was pleased with his work, and he has reportedly sold many of the individual works for anywhere from $90,000 to $1 million.  How much of that went to the Instagram poster?  Likely nothing.

How can this be?  Well, ultimately we will see if it can be.  There would seem to be compelling copyright infringement arguments as well as rights of publicity arguments (for misappropriation of the person’s likeness). A make-up artist whose likeness was used filed a lawsuit claiming Prince wrongfully created copies of her photo without her consent and “engaged in acts of widespread self-promotion of the copies directed at the public at large.” Lawsuits have also been brought by photographers who claim that Prince stole and unfairly profited from their work.


Autonomous Vehicles and the Internet of Things

Autonomous cars on a road with visible connectionThis is our second post in a row regarding autonomous vehicles, otherwise referred to as driverless cars.  As we noted last week, driverless cars are no longer an idea of the future or science-fiction. Very soon they will become every commuter’s reality. Several major car companies such as Ford, Volvo, and Toyota have announced that their autonomous vehicles will be available to the mass market within five years. The belief among manufacturers is that autonomous vehicles will reduce traffic congestion, create efficiency, increase safety and save consumers money (i.e. time and fuel).

Simultaneously with the development of autonomous cars – and, in fact, fueling that development –the Internet of Things (IoT) continues to evolve rapidly.  Everyday objects increasingly have network connectivity enabling them to send and receive data. The goal of the IoT is to make these everyday objects “smart.”  Devices gather data and the “cloud” – which is just a descriptor for Internet-based applications – provides secure (hopefully) and intelligent infrastructure to hold all the gathered data and enable access and sharing across various types of devices, including cars.  Currently, driver-enabled cars increasingly include Internet connectivity.  But as the development of driverless cars progresses, the network connectivity will spread beyond the vehicle to the environment around it. This will bring the IoT and autonomous cars to life on a large scale.