
Privacy & Security Matters

Mintz Levin : Data Compliance & Security, Employee Privacy Lawyer & Attorney

FCC Ruling Addresses Robocalls by Health Care Providers

Posted in Privacy Regulation, Uncategorized

Written by Jordan Cohen

As we discussed in last week’s Privacy Monday, the Federal Communications Commission (FCC) recently released its Declaratory Ruling and Order clarifying and expanding the reach of the Telephone Consumer Protection Act (TCPA).  While the ruling is broad in its subject matter, part of the ruling specifically addresses so-called “robocalls” made by health care providers.

The portions of the ruling related to health care were the result of a petition filed by the American Association of Healthcare Administrative Management (AAHAM). AAHAM’s petition primarily related to the TCPA’s consent requirements. FCC rules generally require that callers obtain the prior express consent of the called party before calls or text messages are made to wireless phones using autodialing equipment or an artificial or prerecorded voice.

Data Breach = Class Action Suit. Again.

Posted in Class Action Litigation, Data Breach, Data Breach Notification, HIPAA/HITECH

Originally posted in Mintz Levin’s Health Law & Policy Matters Blog

Written by Jordan Cohen

In yet another data breach affecting millions of individuals, UCLA Health System (“UCLA”) reported on Friday – July 17, 2015 – that hackers had accessed portions of its health network that contained personal information, including names, addresses, dates of birth, social security numbers, medical record numbers, Medicare or health plan ID numbers, and some medical information (including medical conditions, medications, procedures, and test results).  Affected individuals include UCLA’s patients as well as providers that sought privileges at the health system.

As night follows day, by the following Tuesday – July 21, 2015 – UCLA became a defendant in a class action lawsuit after plaintiff Michael Allen filed the action in California federal court. The complaint alleges a number of violations related to the breach, including violation of California’s Confidential Medical Information Act.

Change in the Prevailing Winds in Consumer Data Breach Cases?

Posted in Class Action Litigation, Data Breach, Privacy Litigation

Seventh Circuit Rules Consumers Have Standing to Sue in Neiman Marcus Payment Card Data Breach Case

In Remijas v. Neiman Marcus Group, LLC, the Seventh Circuit reversed a district court decision dismissing consumer payment card data breach claims for lack of standing.  The appellate panel held that injuries consisting of 1) lost time and money resolving the fraudulent charges, and 2) lost time and money protecting against future identity theft, were sufficient to confer Article III standing for consumers to bring suit.  The district court, following Clapper v. Amnesty Int'l USA, 133 S. Ct. 1138 (2013), had construed plaintiffs’ allegations of potential future harms to be too remote to confer standing.  The Seventh Circuit distinguished Clapper, finding that Clapper does not foreclose suit based on all future harm, just suit based on speculative future harm.  Unlike Clapper, which concerned potential NSA interceptions of the plaintiffs’ communications, Remijas alleged actual theft of payment card data, making the potential for misuse of that information, in the Seventh Circuit’s view, not unduly speculative.  Accordingly, costs to avoid potential injury to consumers’ credit were deemed cognizable harm for purposes of Article III standing.

Federal Court Dismisses (Without Prejudice) CNA’s Cyber Insurance Lawsuit

Posted in Cybersecurity, Insurance

We previously reported here that CNA filed a lawsuit against its insured Cottage Health System seeking reimbursement of amounts that it previously paid under Cottage’s cyber liability insurance policy.   On Friday, a federal district court dismissed, without prejudice, CNA’s lawsuit because CNA failed to exhaust the policy’s required non-judicial remedies before filing suit.   The applicable cyber liability insurance policy provided that “[a]ll disputes and differences between the Insured and the Insurer which may arise under or in connection with this policy … shall be submitted to the alternative dispute resolution (“ADR”) process” and, if mediation is chosen, a lawsuit cannot be filed “until the mediation shall have been terminated and at least 60 days shall have elapsed from the date of termination ….”     The federal district court found that  CNA did not allege in the complaint, nor did CNA allege otherwise, that it satisfied the ADR provision.   “That [CNA] has not exhausted the non-judicial remedies required by the contract is therefore apparent on the face of the Complaint.”   Although CNA requested that the court stay the lawsuit pending the parties’ mediation, the federal court dismissed the complaint without prejudice to permit the parties to pursue ADR under the terms of the policy.


Privacy Monday – July 20, 2015: Hack Attack on Adultery Site Ashley Madison

Posted in Cybersecurity, Data Breach, Data Breach Notification, HIPAA/HITECH, Privacy Monday

It’s Monday!   Once again, data breaches and hacks are front and center, so here are three stories you should know about to start your week.

1.    The Site that Promises “Discreet Encounters” Hacked — Karma?

If you have not heard the provocative ad campaign launched by a site called AshleyMadison, it may surprise you to know that a self-described site dedicated to “infidelity and married dating” has over 37 million members.  Then again, maybe not.  In any event, the site that bluntly declares “Life is short.  Have an affair.” has apparently been hacked, according to Krebs on Security.   A group calling itself “The Impact Team” claims to have gained access to the databases of Avid Life Media (ALM), the company running AshleyMadison.   The booty The Impact Team allegedly possesses includes payment and personal information of the nearly 37 million members of AshleyMadison — most of whom presumably would desperately want to remain anonymous — as well as internal business information and network and technology mapping of ALM.

The Impact Team’s demand is aimed straight at ALM’s business and demands that either ALM take AshleyMadison and its other site Established Men  (“Connecting young beautiful women with interesting men”) offline, or the data dump will be made public.  “Too bad for those men, they’re cheating dirtbags and deserve no such discretion,” the hackers continued. “Too bad for ALM, you promised secrecy but didn’t deliver … And with over 37 million members, mostly from the US and Canada, a significant percentage of the population is about to have a very bad day, including many rich and powerful people.”    According to ALM, they are working with law enforcement to track and shut down the hackers.

Until then, there are a lot of nervous cheaters out there today …..

Read more:

Mashable

Wired

2.  Another High Profile Healthcare Data Breach 

UCLA Health System reports that a criminal hack attack could have accessed the health information of as many as 4.5 million patients.  According to the public statement and notices made by the provider, an intruder apparently gained access to its computer system and activity was tracked to a part of the network where unencrypted patient information was stored.  Although UCLA Health does not have any information that leads it to believe that such information was stolen, because the records were not encrypted, patients were notified out of the ubiquitous “abundance of caution.”   Suspicious activity was apparently discovered by the health system back in October 2014 but the access was not discovered until May 2015 as part of the ongoing investigation.   The Los Angeles Times has published an FAQ regarding the hack.

The takeaway:  If encryption of information “in transit” is a prophylactic against theft, then encryption of sensitive records “at rest” is an insurance policy — it is less expensive than providing notice and credit monitoring and certainly more protective of your company’s reputation.  

3.   The FCC Issues Long-Awaited Autodialer Order

The Federal Communications Commission has released its long-awaited “omnibus” Declaratory Ruling and Order clarifying certain provisions of the Telephone Consumer Protection Act of 1981 (“TCPA”).  In the Order, the FCC responded to 21 petitions by a number of companies and trade associations seeking relief or clarification regarding requirements of the TCPA, particularly with respect to so-called “autodialers.”  Mintz Levin’s Communications group has published a client alert analyzing the provisions of the Order.  Read it here.


Privacy Monday – July 13, 2015

Posted in Cybersecurity, Data Breach, Events and Webinars, Privacy Monday

Welcome to the dog days of summer 2015.   Three privacy & security bits and bytes to start your week (if you are reading this on vacation … good for you!)

1.   ICYMI: Massive Data Breach at OPM Claims Victim — The Director

One day after Office of Personnel Management Director Katherine Archuleta broke the news to a congressional hearing that the second data breach at the agency exposed the records of 21.5 million people — the largest data breach in U.S. government history — she submitted her resignation to President Obama.  The databases involved in the second breach included highly sensitive background check information.   Back in early June, the OPM had announced that personnel files for 4.2 million current and former federal employees had been breached.  About 3.6 million individuals were reportedly affected by both breaches, therefore the total number affected is about 22.1 million.

The information in the second breach includes everything from Social Security numbers, mental health records, financial histories, names of old roommates and other information on basically everyone who has undergone a background check through the agency since 2000, as well as the fingerprints of about 1.1 million people.   This information also includes personal information of family, friends and other contacts of individuals who have undergone detailed background checks for top-level security clearances.

2.  Mark Your Calendars

The next Mintz Privacy Wednesday Webinar is coming up on Wednesday, August 26th at 1 PM ET.   We’ll be looking at privacy and security risk in the context of third-party vendors – the weak link in the security chain.  If you don’t believe us, just ask Target Corporation.   It will be compelling beach viewing, we promise!

3. James Lewis Speaks at ABA Event on International Cybernorms

Ari Moskowitz

Mintz Levin was in attendance at a talk by James Lewis of the Center for Strategic and International Studies and rapporteur for the UN Group of Governmental Experts for Information Security, hosted by the American Bar Association Standing Committee on Law & National Security. Lewis talked about the recently concluded meeting of the UN Group of Governmental Experts to establish a set of international guidelines for nation-states operating in cyberspace. That meeting culminated in a report that was delivered to UN Secretary General Ban Ki-moon and will be released publicly in several weeks.

Mr. Lewis said that there were four goals of the 2015 talks: to (1) elaborate international cyber-norms that countries should abide by, whether in peacetime or wartime; (2) build capacity among the UN and world governments; (3) establish confidence building measures countries can take in cyberspace; and (4) address the application of international law to cyberspace. He compared this approach to achieving international agreement on cybersecurity with the international approach to nonproliferation. And like nonproliferation, he believes it will take a long time, but will ultimately succeed. At this stage, he suggested, it is not feasible to get a treaty, and so the talks were designed to get international agreement on a set of norms.

Home Depot Moves to Dismiss Bank Data Breach Claims on Standing and Ripeness Grounds

Posted in Class Action Litigation, Data Breach, Privacy Litigation

In its recently filed motion to dismiss claims of card-issuing banks arising from the September 2014 theft of payment card data from Home Depot point of sale terminals, Home Depot employs an approach typically used to respond to consumer claims.  In payment card data breach cases, defendants typically argue that consumers lack standing to sue because card issuers hold consumers harmless for any fraudulent charges on their credit or debit cards.  Such standing arguments are not ordinarily advanced against the claims of the card-issuing banks that end up paying those bogus charges.  Home Depot, however, argues that the card issuer plaintiffs do not allege sufficient injury to have standing to bring suit in federal court.  In particular, Home Depot maintains that the card issuers’ consolidated complaint, despite listing 68 separate named plaintiffs, does not contain any specific allegations that identify with particularity what losses, if any, those plaintiffs suffered.  Only two of the complaint’s 285 paragraphs allege the harms suffered by card issuers, and both do so without identifying which particular alleged harms had been sustained by any named plaintiff.  Home Depot argues that the failure to plead the existence of concrete injuries suffered by named plaintiffs is fatal to the card issuers’ complaint.

In addition, Home Depot asserts that alleged losses incurred to avoid potential future harms – such as the cost of issuing new cards – are not cognizable injuries under the Supreme Court’s ruling in Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013).  Clapper held that, to be sufficient to confer Article III standing, losses must be “fairly traceable” to a defendant’s purported wrongdoing.  Losses willingly incurred to protect against a possibility of future harm do not suffice.  See id. at 1152-53.  Quoting Clapper, 133 S. Ct. 151, Home Depot contends that the card issuers “cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.”   Thus, without conceding that other types of losses might confer standing, Home Depot argues that losses directed toward future harms, even if alleged with particularity, would be insufficient as a matter of law to confer Article III standing on the card issuer banks.

A second significant ground on which Home Depot seeks dismissal of the card issuers’ claims is lack of ripeness.  This argument is premised on the complex and detailed rules governing the interrelationship between card-issuing banks, banks that accept charges made on cards, and the card brands that issue the cards.  Each of the card brands establishes a process for resolving claims relating to fraudulent charges made on its cards.  In its brief, Home Depot collectively refers to the ongoing adjudication of data breach claims under those rules as the “Card Brand Recovery Process.”  According to Home Depot, the Card Brand Recovery Process is ongoing and could substantially resolve card issuers’ claims.  At a minimum, Home Depot contends that card issuers would not be entitled to seek recovery in the consolidated federal court lawsuit that is duplicative of amounts awarded through the Card Brand Recovery Process.  Accordingly, Home Depot argues that the card issuers’ claims will not be ripe until the Card Brand Recovery Process has been completed and the extent of their injuries, if any, is then known.

The card brand claim adjudication process has already played a significant role in connection with card issuers’ claims in the consolidated data breach class action against Target.  In that case, Target attempted to obtain a global resolution of the claims of MasterCard-issuing banks through a settlement negotiated with MasterCard under its dispute resolution rubric.  The proposed settlement was conditioned on approval by issuers of at least 90% of the eligible accounts and failed due to lack of support by issuing banks.  Target’s lack of success in using the card brand dispute resolution process to dispose of card issuer claims casts some doubt on whether Home Depot’s ripeness argument, even if accepted, would facilitate a final resolution of claims outside of federal court.  Allowing the Card Brand Recovery Process to continue, however, could reduce the number of outstanding claims and yield more manageable proceedings in federal court.

Recognizable Faces Disappear from Facial Recognition Meetings

Posted in Data Compliance & Security, Privacy Regulation


Facing “industry stakeholders [that] were unable to agree on any concrete scenario” in which affirmative consent should be obtained from individuals before employing facial recognition technologies, nine consumer advocacy organizations made an about-face and withdrew from the multistakeholder process coordinated by the National Telecommunications and Information Administration (“NTIA”). These organizations, which include the Center for Democracy and Technology and the Electronic Frontier Foundation, stated that based on the latest multistakeholder meeting earlier this month they believe the process is not likely to lead to a set of rules with adequate protections for consumers.