Data Breaches in Employee Benefits

Data Breaches in Employee Benefits
Cynthia Boyle Lande, BrownWinick
666 Grand Avenue, Suite 2000, Des Moines, IA 50309-2510
Telephone: 515-242-2476  Facsimile: 515-323-8576
E-mail: lande@brownwinick.com

Common Problems
- Lost or stolen laptops or flash drives
- Lost or stolen cell phones with work email
- Hackers
- Disgruntled employees
- Mistyped fax number or email autocorrect (message sent to the wrong recipient)
- Spreadsheets with hidden columns containing personal information
- Documents left in the copier
- Records discarded without shredding
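The hidden-column problem is one that a pre-send check can catch: a spreadsheet that looks clean on screen still carries every hidden column and hidden sheet when it is attached to an email. The following is an added example, not code from the presentation or from BrownWinick. It builds a small constructed workbook (made-up names and numbers) with SSNs in a hidden column and a card number on a hidden sheet, then scans every sheet, including hidden ones, for cells matching two of the Iowa Code 715C data-element formats (the regex formats are assumptions). An .xlsx is a zip of XML parts, so only the Python standard library is needed.

```python
"""Scan an .xlsx for identifiers sitting in hidden columns or hidden sheets.
Constructed example, not from the presentation; an .xlsx is a zip of XML parts,
so only the standard library is needed (no openpyxl)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
RELS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
M = "{" + MAIN + "}"                      # ElementTree tag prefix for the main namespace

# Two Iowa Code 715C data elements as cell-level patterns (formats are assumptions).
PATTERNS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "card": re.compile(r"^(?:\d{4}[ -]?){3}\d{4}$"),
}

def column_index(cell_ref: str) -> int:
    """'C2' -> 3, 'AA10' -> 27; 1-based like the <col min max> attributes."""
    n = 0
    for ch in re.match(r"[A-Z]+", cell_ref).group(0):
        n = n * 26 + ord(ch) - 64
    return n

def cell_text(c, shared) -> str:
    """Resolve a <c> element: shared string (t="s"), inline string, or raw value."""
    v = c.find(M + "v")
    if c.get("t") == "s" and v is not None:
        return shared[int(v.text)]
    if c.get("t") == "inlineStr":
        return "".join(t.text or "" for t in c.iter(M + "t"))
    return (v.text or "") if v is not None else ""

def scan_workbook(data: bytes) -> list:
    """One finding per matching cell, recording whether a hidden sheet or column hides it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        shared = []
        if "xl/sharedStrings.xml" in zf.namelist():
            sst = ET.fromstring(zf.read("xl/sharedStrings.xml"))
            shared = ["".join(t.text or "" for t in si.iter(M + "t")) for si in sst]
        rels = ET.fromstring(zf.read("xl/_rels/workbook.xml.rels"))
        target = {rel.get("Id"): rel.get("Target") for rel in rels}
        for sheet in ET.fromstring(zf.read("xl/workbook.xml")).iter(M + "sheet"):
            sheet_hidden = sheet.get("state") in ("hidden", "veryHidden")
            t = target[sheet.get("{" + RELS + "}id")]       # "worksheets/sheet1.xml" or "/xl/..."
            ws = ET.fromstring(zf.read(t.lstrip("/") if t.startswith("/") else "xl/" + t))
            hidden_cols = set()
            for col in ws.iter(M + "col"):                   # hidden="1" applies to min..max
                if col.get("hidden") in ("1", "true"):
                    hidden_cols.update(range(int(col.get("min")), int(col.get("max")) + 1))
            for c in ws.iter(M + "c"):
                text = cell_text(c, shared).strip()
                for kind, pat in PATTERNS.items():
                    if pat.match(text):
                        col_hidden = column_index(c.get("r")) in hidden_cols
                        findings.append({"sheet": sheet.get("name"), "cell": c.get("r"), "kind": kind,
                                         "hidden": sheet_hidden or col_hidden,
                                         "where": "hidden sheet" if sheet_hidden else
                                                  "hidden column" if col_hidden else "visible"})
    return findings

def _row(r: int, values) -> str:
    cells = "".join(f'<c r="{chr(65 + i)}{r}" t="inlineStr"><is><t>{v}</t></is></c>'
                    for i, v in enumerate(values))
    return f'<row r="{r}">{cells}</row>'

def build_sample_xlsx() -> bytes:
    """Constructed workbook: SSNs in hidden column C of a visible sheet, a card number on a hidden sheet."""
    rows = [("Name", "Plan", "SSN"), ("Pat Example", "PPO", "123-45-6789"),
            ("Sam Sample", "HMO", "987-65-4321")]
    sheet1 = (f'<worksheet xmlns="{MAIN}"><cols><col min="3" max="3" hidden="1"/></cols><sheetData>'
              + "".join(_row(i + 1, v) for i, v in enumerate(rows)) + "</sheetData></worksheet>")
    sheet2 = (f'<worksheet xmlns="{MAIN}"><sheetData>'
              f'{_row(1, ("4111 1111 1111 1111",))}</sheetData></worksheet>')
    workbook = (f'<workbook xmlns="{MAIN}" xmlns:r="{RELS}"><sheets>'
                '<sheet name="Enrollment" sheetId="1" r:id="rId1"/>'
                '<sheet name="Raw" sheetId="2" state="hidden" r:id="rId2"/></sheets></workbook>')
    wtype = RELS + "/worksheet"
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            f'<Relationship Id="rId1" Type="{wtype}" Target="worksheets/sheet1.xml"/>'
            f'<Relationship Id="rId2" Type="{wtype}" Target="worksheets/sheet2.xml"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in [("xl/workbook.xml", workbook), ("xl/_rels/workbook.xml.rels", rels),
                          ("xl/worksheets/sheet1.xml", sheet1), ("xl/worksheets/sheet2.xml", sheet2)]:
            zf.writestr(name, xml)
    return buf.getvalue()

if __name__ == "__main__":
    for f in scan_workbook(build_sample_xlsx()):
        print(f"{f['sheet']}!{f['cell']}: {f['kind']} ({f['where']})")
```

Run against the constructed workbook, the scan reports three cells, all of them in hidden locations; a visible-only review of the file would have shown none of them. The check reads the raw XML rather than the rendered sheet precisely so that hidden columns, hidden and "very hidden" sheets, and shared-string cells are all covered.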

Types of Confidential Information Commonly Affected
- Social security numbers
- State ID / driver's license numbers
- Health insurance and claims information
- Medical records
- Financial information

Legal Regulation
- State security breach laws
- HIPAA
- Common law

State Security Breach Laws
- Currently found in most states, but there is no comprehensive federal law
- Require businesses to inform individuals of security breaches involving their personal data

Iowa Security Breach Law
Iowa Code Chapter 715C:
"Any person who owns or licenses computerized data that includes a consumer's personal information that is used in the course of the person's business . . . and that was subject to a breach of security shall give notice of the breach of security following discovery."

Iowa Security Breach Law (Continued)
Consumer: any person who resides in the state of Iowa.
Breach of security: unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information.

Iowa Security Breach Law (Continued)
"Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual, if any of the data elements are not altered (for example by encryption or redaction) in such a manner that they are unreadable:
- Social security number.
- Driver's license number or other unique identification number created or collected by a government body.
- Financial account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.
- Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

Iowa Security Breach Law (Continued)
Penalties: calculated based on the harm to the consumer(s) and the benefit to the violator.

HIPAA
General duty to protect the privacy and security of individually identifiable health information.

Who is subject to HIPAA?
Covered Entities:
- Health plans
- Health care clearinghouses
- Health care providers
Business Associates: persons or organizations that create, receive, maintain, or transmit PHI on behalf of a covered entity (in the benefits context, for example, third-party administrators and brokers).

Protected Health Information
Individually identifiable health information that is:
- Transmitted by electronic media;
- Maintained in electronic media; or
- Transmitted or maintained in any other form or medium.

HIPAA Data Breach The acquisition, access, use, or disclosure of protected health information in a non-permitted manner which compromises the security or privacy of the protected health information.

Exceptions (not treated as a breach)
- Unintentional, good-faith acquisition, access, or use by a workforce member or other authorized person, within the scope of authority.
- Inadvertent disclosure by an authorized person to another authorized person at the same covered entity or business associate.
- Disclosure to an unauthorized person where there is a good-faith belief that the person would not reasonably have been able to retain the PHI.

HIPAA Data Breaches
Any non-permitted use or disclosure of PHI is presumed to be a "breach" unless the Covered Entity or Business Associate demonstrates "a low probability that the protected health information has been compromised" based on a risk assessment of four factors.

HIPAA Data Breaches (Continued)
1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
2. The unauthorized person who used the PHI or to whom the disclosure was made.
3. Whether the PHI was actually acquired or viewed.
4. The extent to which the risk to the PHI has been mitigated.

Responding to a HIPAA Breach
Breach of "unsecured" PHI affecting fewer than 500 individuals:
- Notify the affected individuals in writing without unreasonable delay and no later than 60 days after discovery
- Maintain a log of breaches
- Notify the Secretary of HHS within 60 days after the end of the calendar year in which the breach was discovered
"Unsecured" PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons (for example by encryption meeting HHS guidance); a breach of properly encrypted PHI does not trigger these notices.

Responding to a HIPAA Breach (Continued)
Breach of "unsecured" PHI affecting 500 or more individuals:
- Notify the affected individuals in writing, as above
- Notify the Secretary of HHS without unreasonable delay and no later than 60 days from discovery of the breach
- Notify prominent media outlets serving the state or jurisdiction within the same 60 days, where more than 500 residents of that state or jurisdiction are affected

HIPAA Civil Penalties
Covered entity or business associate did not know and, by exercising reasonable diligence, would not have known of the violation:
- $100 to $50,000 per violation
- Not to exceed $1,500,000 for identical violations during a calendar year
Violation due to reasonable cause and not willful neglect:
- $1,000 to $50,000 per violation
- Not to exceed $1,500,000 for identical violations during a calendar year

HIPAA Civil Penalties (Continued)
Violation due to willful neglect but corrected within the required time period:
- $10,000 to $50,000 per violation
- Not to exceed $1,500,000 for identical violations during a calendar year
Violation due to willful neglect and not corrected:
- $50,000 per violation
- Not to exceed $1,500,000 for identical violations during a calendar year

HIPAA Criminal Penalties
- Knowingly obtaining or disclosing PHI: up to 1 year in prison
- Offenses committed under false pretenses: up to 5 years in prison
- Offenses committed for personal gain or malicious harm: up to 10 years in prison

Common Law Causes of Action
Negligence, requiring proof of:
- Duty of care
- Breach of that duty
- Causation
- Damages
Contract (breach of confidentiality or data-protection obligations)

Target Example
Facts: In November 2013, hackers installed malware on Target's systems. The objective was to obtain credit card and personal information from Target customers as they shopped for the holiday season. Target held this information on its systems after purchasers completed their transactions. Target had malware detection and other data security measures in place, but they did not trigger steps to stop the malware from collecting customer data until approximately the middle of December. The Target data breach was made public by the news media rather than by Target.

Blue Cross and Blue Shield of Tennessee Example
Facts: In 2009, 57 unencrypted computer hard drives containing the PHI of over 1 million individuals were stolen from a leased BCBST facility. The information on the hard drives included names, social security numbers, diagnosis codes, dates of birth, and health plan ID numbers. BCBST self-reported the breach to HHS and, in March 2012, entered into a $1.5 million settlement with HHS over it.

Affinity Health Plan Example
Facts: Affinity returned a leased copy machine without first erasing its hard drive, which held PHI of 344,579 individuals. CBS Evening News subsequently purchased the photocopier and discovered the data. After learning of the breach, Affinity filed a breach report with OCR.

Kaiser Foundation Health Plan Example
Facts: In 2011, an external hard drive belonging to the Kaiser Foundation Health Plan was sold to a member of the public at a thrift store. The hard drive contained addresses, dates of birth, and social security numbers for over 20,000 employees. The Kaiser Foundation Health Plan recovered the hard drive in December 2011, completed an investigation, and notified affected individuals in March 2012.

Best Practices
- Develop, implement, and regularly update data protection policies and procedures
- Obtain and store only limited amounts of personal information
- Segregate the most highly confidential information and limit the number of users who have access to it

Best Practices (Continued)
- Provide appropriate training to employees who will have access to confidential information
- Police implementation of these policies and procedures

Responding to Data Breaches
- Identify the breadth and cause of the data breach
- Promptly provide the notices required by law
- Assist affected individuals in remedying the breach to the extent possible
- Review the processes and procedures that allowed the breach to occur, and determine whether it is practicable to improve them going forward

Questions?

Website: www.brownwinick.com
Toll Free Phone Number: 1-888-282-3515

OFFICE LOCATIONS:
666 Grand Avenue, Suite 2000, Des Moines, Iowa 50309-2510
Telephone: (515) 242-2400  Facsimile: (515) 283-0231

616 Franklin Place, Pella, Iowa 50219
Telephone: (641) 628-4513  Facsimile: (641) 628-8494

DISCLAIMER: No oral or written statement made by BrownWinick attorneys should be interpreted by the recipient as suggesting a need to obtain legal counsel from BrownWinick or any other firm, nor as suggesting a need to take legal action. Do not attempt to solve individual problems on the basis of general information provided by any BrownWinick attorney, as slight changes in fact situations may cause a material change in legal result.