Tag Archives: breach

Consumer Response Options To The Equifax Security Breach

Equifax, one of the three major consumer credit reporting agencies, was the victim of a criminal cyber-attack this summer that potentially impacted 145.5 million people in the United States. Hackers gained access to company data that contains highly sensitive information, including social security numbers, driver’s license numbers, addresses, birth dates, credit card information, and more. Although there have been other cyber-security breaches in recent years, this attack is particularly concerning for many consumers due to the ultra-sensitive nature of the information. Additionally, the information that Equifax maintains in its databases is much more extensive than the information that was exposed in previous publicized security breaches.

For those who assume they are not impacted by the breach because they have never personally used Equifax, think again. Any individual who has requested a credit report or uses credit could potentially be affected. Equifax handles the data of 820 million consumers and works with more than 91 million companies around the world. Although Equifax has promised to notify those potentially affected by e-mail, Equifax suggests visiting the Equifax website to check for a potential impact. Equifax is also offering consumers the opportunity to enroll in one year of free credit monitoring and identity theft protection through TrustedID (an Equifax product). For those consumers who receive an affirmative potential impact result, enrolling in one year of free credit monitoring is one way to monitor whether a thief is attempting to use their social security number for credit purposes. Enrolling in TrustedID does not take away consumers’ rights to take legal action against Equifax. Consumers must make an independent decision as to whether they should follow Equifax’s advice.

Some consumers may have considered freezing their credit. While this is a viable option for preventing thieves from opening new lines of credit under their stolen social security numbers, consumers considering this option should also weigh the difficulties associated with later unfreezing and re-freezing their credit. Other options consumers have for protecting themselves after the Equifax breach include resetting passwords, setting fraud alerts with the credit reporting agencies, and vigilantly monitoring bank and credit card statements.


Insurers And Health Plans—Do You Have Your HIPAA House In Order?

In the wake of the Anthem breach, hackers continue to target the healthcare industry. At the close of May, CareFirst BlueCross BlueShield reported a data breach that was initially discovered last year; however, when the incident was first noticed, the company believed it had adequately taken care of the problem. CareFirst said at the time it believed it “had contained the attack and prevented any actual access to member information.” Unfortunately, ten months later, CareFirst discovered that the breach had, in fact, continued.

Information on about 1.1 million individuals was affected by the breach, which CareFirst discovered during an information technology security review conducted in the wake of the attacks on Anthem and Premera. In June 2014, according to CareFirst, hackers gained access to a single database where CareFirst stores data that is entered by members and other individuals in order to access the company’s websites and online services.

This incident offers a clear lesson to other organizations: it is time to review their security procedures and address gaps in protections before it is too late. Healthcare data is obtained and stored by a variety of entities that are expected to be aware of, and acting to prevent, these types of risks. Healthcare data is extremely valuable to criminals, as it can be re-packaged and sold for a number of different criminal campaigns. In light of these most recent attacks, we are encouraging all our clients to conduct an internal audit of their security protocols and to implement HIPAA policies and procedures to prevent exposure to new threats in the technological world.

If you have questions or would like to discuss your HIPAA compliance questions, please contact a member of the McGrath North Privacy and Data Security team.


The Anthem Breach – Assessing Employer Notification Requirements

On February 13, 2015, Anthem, Inc. (Anthem) announced that on January 29, 2015, it discovered that cyber attackers had executed a sophisticated attack to gain unauthorized access to Anthem’s IT system and had obtained personal information relating to consumers who were or are currently covered by Anthem or by other independent Blue Cross and Blue Shield plans that work with Anthem. Anthem stated that it believed the suspicious activity may have occurred over the course of several weeks beginning in early December 2014. Anthem has reported that the information accessed may have included individual names, dates of birth, Social Security numbers, health care ID numbers, home addresses, email addresses and employment information, including income data. For more information concerning the breach, see the website created by Anthem to update employers about the breach.

Anthem is one of the largest health benefits companies in the United States. Through its affiliated health plans, Anthem companies deliver health benefit solutions through a portfolio of integrated health care plans and related services, along with a range of specialty products such as life and disability insurance benefits, dental, vision, behavioral health benefit services, as well as long term care insurance and flexible spending accounts.  Headquartered in Indianapolis, Indiana, Anthem, Inc. is an independent licensee of the Blue Cross and Blue Shield Association serving members in California, Colorado, Connecticut, Georgia, Indiana, Kentucky, Maine, Missouri, Nevada, New Hampshire, New York, Ohio, Virginia and Wisconsin; and specialty plan members in other states.

Employers who have Anthem plans or use Anthem as a third party administrator (TPA) for their health plans should review their plan documents to understand what rights and obligations the parties have in the event of a data security breach.

Federal And State Breach Notification Requirements.  With respect to federal and state breach notification requirements, if protected health information was involved in the attack, the attack was most likely a breach under HIPAA and subject to the HIPAA breach notification reporting rules. Given the nature of the information involved in the attack, most clients of Anthem will likely treat the attack as a breach under HIPAA and follow HIPAA’s breach notification reporting rules. In addition, forty-seven states have separate breach notification reporting statutes that may be triggered when certain sensitive information (such as Social Security numbers) is breached. Since the rules vary from state to state, an affected employer will need to determine which State breach notification reporting statutes apply.

What Affected Employers Should Do Now.  While Anthem’s investigation continues, affected employers should consider taking steps now to ensure that required breach reporting requirements are met.

  • Obligation To Provide HIPAA Breach Notification.  Breach notification obligations under HIPAA may depend on whether an employer’s health plan is fully insured or self-funded; and, if self-funded, whether Anthem has contractual obligations under its business associate agreement (Agreement) with an affected employer to provide the required notification.  If a plan is fully insured, Anthem will likely be obligated to provide the notification.  If a plan is self-funded, Anthem may also be obligated to provide the notification pursuant to its Agreement with the employer. Affected employers should review their Agreement with Anthem to make this determination.
  • Obligation To Provide State Breach Notification.  Under many State breach notification reporting statutes, the party that lost the data is the one responsible for issuing notification of the breach.  A review by an affected employer of the applicable State breach notification reporting statutes will be required to determine its obligation to report the Anthem breach to its employees.  An affected employer should also consider confirming with the respective State Attorney General that following the HIPAA breach notification reporting requirements will satisfy that State’s breach notification reporting requirements.
  • Communication With Employees.  Affected employers should urge employees affected by the Anthem breach to be extra vigilant for “phishing” schemes – targeted emails with embedded links that might seek to gain access to additional information – and any other suspicious written or verbal communications.  Employees should also be encouraged to immediately change their passwords to all sensitive accounts and should monitor credit card and other financial accounts to guard against unusual activity.  In addition, in its communications with its employees regarding the Anthem breach, an affected employer should note that any information regarding the Anthem breach has been provided by Anthem (where applicable), and that the employer is not making any representations about the breach or surrounding facts.
  • Review Anthem Mitigation Efforts.  An affected employer should confirm with Anthem the steps currently being taken to protect the employer’s employees and other affected individuals.  The affected employer will want to review any agreements with Anthem to determine whether the victim protection, client indemnification, and paid notification being proposed by Anthem are consistent with Anthem’s obligations under such agreements.

Cyber Insurance: A Valuable Tool In The Cyber Security Readiness Toolbox

Cyber security breaches impose significant costs on affected businesses that can materially affect their finances and reputation. Such costs include expenses related to various federal and state law breach notification requirements, as well as significant civil liability and regulatory fines. Now more than ever, stakeholders in businesses that handle a significant amount of personal identifying information, or hold key trade secrets, must educate themselves about the threat of a potential cyber security breach, as well as the tools available to help mitigate that threat.

Any response to this potential threat should include a review of the degree to which the risks of a cyber security breach are covered by the various insurance policies held in a business’ insurance portfolio. Such a review should address whether all operational, legal and regulatory risks have been identified; whether everyone who needs to be covered, whether inside or outside the business, is covered (for example, cloud providers and various other vendors and third-party service providers); whether policy language creates unintended exclusions or gaps in coverage; and whether all first-party and third-party costs associated with such a breach are addressed. First-party coverage addresses theft and fraud, forensic investigation costs, business interruption, extortion, and computer data loss and restoration, while third-party coverage addresses litigation and regulatory expenses, notification costs, crisis management and public relations costs, credit monitoring, privacy liability and media liability.

We encourage businesses to carefully review with their respective insurance and legal advisors the terms of their existing insurance coverage to help gauge their readiness to respond to a cyber security breach. If you have questions about your organization’s cyber security insurance coverage, or that of your vendors and third-party service providers, contact a member of the McGrath North Privacy and Data Security Group.


A Roadmap To Cybersecurity Readiness

Deputy Treasury Secretary Sarah Bloom Raskin recently outlined ten questions that bank CEOs should ask to assess their institutions’ cybersecurity readiness. Speaking at a Texas Bankers Association conference in Austin, Secretary Raskin stressed the importance of using the following questions as a roadmap to deal with cyber threats:

Question 1:  Is cyber risk part of our current risk management framework?

Question 2:  Do we follow the NIST Cybersecurity Framework?

Question 3:  Do we know the cyber risks that our vendors and third-party service providers expose us to, and do we know the rigor of their cybersecurity controls?

Question 4:  Do we have cyber risk insurance?

Question 5:  Do we engage in basic cyber hygiene?

Question 6:  Do we share incident information with industry groups?

Question 7:  Do we have a cyber-incident playbook and who is the point person for managing response and recovery?

Question 8:  What roles do senior leaders and the board play in managing and overseeing the cyber incident response?

Question 9:  When and how do we engage with law enforcement after a breach?

Question 10:  After a cyber incident, when and how do we inform our customers, investors, and the general public?

While primarily addressed to bank CEOs, Secretary Raskin’s roadmap also provides a useful guide for any business executive focused on cyber risk management. If you have questions about your organization’s cybersecurity readiness or how to assess the cybersecurity readiness of your vendors and third-party service providers, contact a member of the McGrath North Privacy and Data Security Group.


Point-of-Sale Systems – Protect Your Business Against Data Breaches

Signature Systems Inc., a vendor that provides point-of-sale (POS) systems for restaurants, recently announced that 324 restaurants, including 216 Jimmy John’s locations, may have been compromised when malware that captures payment card data from cards swiped through terminals in affected restaurants was inserted into its system. According to a September post on Krebs on Security, the blog of security journalist Brian Krebs, “there are questions about whether Signature’s core product — PDQ POS — met even the most basic security requirements set forth by the PCI Security Standards Council for point-of-sale payment systems. According to the council’s records, PDQ POS was not approved for new installations after Oct. 28, 2013. As a result, any Jimmy John’s stores and other affected restaurants that installed PDQ’s product after the Oct. 28, 2013, sunset date could be facing fines and other penalties.”

If you use a vendor for a POS system, you should consider examining your data security and data breach processes and policies to help protect you from a possible breach, and to prepare you in case one does occur. Data breaches are going to occur – the difference is that some businesses prepare, and minimize their costs and exposure afterwards, while others fail to take these prudent steps. McGrath North’s lawyers stand ready to assist your business in examining its data security and data breach processes and policies.


New Sheriff In Town: FTC Enters The Fray As A Federal Enforcer Of Healthcare Data Breaches

Over the last several years, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) has significantly increased its HIPAA healthcare data breach enforcement posture, resulting in aggregate fines exceeding $10 million since June 2013. Despite these increased enforcement efforts, however, the Federal Trade Commission (“FTC”) has now entered the fray as an additional federal enforcer of healthcare data breaches.

In August 2013, the FTC filed an administrative complaint against LabMD, a Georgia cancer detection services laboratory, for failing to provide reasonable and appropriate security for protected health information (“PHI”) on its computer networks, resulting in a breach affecting over 9,000 consumers’ billing information. The FTC claimed that this alleged security failure and consumer harm represented an unfair act or practice under Section 5 of the FTC Act. In the course of rejecting LabMD’s motion to dismiss, the FTC asserted its jurisdiction by stating that nothing in HIPAA indicated an intent of Congress to restrict the FTC’s authority over alleged unfair data security practices such as those at issue in the LabMD case, and that nothing in HIPAA or HHS’ rules negated the FTC’s authority to enforce the FTC Act. On May 12, 2014, a federal district court dismissed LabMD’s motion for a preliminary injunction to stop the FTC’s administrative proceeding. Regardless of the outcome of the FTC administrative proceeding, businesses should take note that on January 28, 2014, LabMD announced it would be winding down its operations, citing the debilitating effects of the FTC’s investigative practices and litigation.

Businesses subject to the HIPAA Privacy, Security and Data Breach Notification rules now need to be concerned with more than the OCR and state Attorneys General, who are given direct enforcement power under HIPAA, because the FTC has now clearly asserted itself as an additional regulator of healthcare data breaches. Businesses should remain diligent in their HIPAA compliance efforts, as a breach of PHI may result in multiple enforcement actions. For questions about HIPAA compliance issues, contact a member of the McGrath North Privacy and Data Security Group.


Do Data Breach Guidelines Signal Coming Enforcement Efforts Against Businesses With Customers Or Operations In California?

Any business that has customers or operations in California should pay attention to California law regarding privacy and data security. The State of California has been active in the areas of breach notification, privacy policies for online services that collect personal information from California residents, privacy practices for the mobile app industry, online privacy rights for California minors, and disclosure by operators of websites regarding whether third parties may be collecting personally identifiable information relating to a consumer’s online activities. Last year alone, fourteen pieces of legislation involving privacy and data security were introduced in California’s legislature, three of which were signed into law by Governor Brown.

On February 27, 2014, the California Attorney General’s Office released guidelines outlining steps that smaller firms can take to prepare themselves against data breaches. While the California AG’s Office has indicated that the recommendations offered in the guidelines are not “regulations, mandates or legal opinions,” firms that have customers or operations in California should be alert to the possibility that the California AG’s office may in the future view the guidelines as an informal mandate for all businesses with customers or operations in California. A copy of the guidelines can be found here. McGrath North’s lawyers stand ready to assist your business in addressing the compliance challenges created by the constantly evolving federal and state privacy and data security laws.
