1 Responding to Privacy Breaches: Required Actions and Their Costs September 8, 2010 Randy Gainer
2 Topics covered Legally mandated actions you must take when protected health information (“PHI”) or personal information is lost or stolen; Steps you should take to respond to data breaches; and Examples of what it cost to respond to data breaches.
3 HIPAA regs. HIPAA requires covered health care entities (e.g., hospitals, clinics, doctors) to notify patients and the HHS if unsecured PHI is disclosed to an unauthorized person and the breach poses a significant risk of harm. See 42 U.S.C. § and 45 CFR (interim final rule).
4 HIPAA regs. (cont.) PHI is individually identifiable info. related to physical or mental health or condition, care provided, or payment for care. Includes info. maintained or transmitted electronically and in any other form.
5 HIPAA regs. “Unsecured” PHI means protected health info. not rendered unusable to unauthorized individuals through use of a technology approved by HHS. “Unusable” means unreadable or indecipherable by unauthorized persons. E.g., encrypted PHI.
6 HIPAA regs. (cont.) The “significant risk of harm” that will require notice to potentially affected patients and HHS includes financial, reputational, or other harm to the patient. The covered entity must determine if the breach poses such a risk.
7 HIPAA regs. (cont.) Requiring notice only if there is significant risk of harm is termed a “soft trigger.” Other statutes have “hard triggers.” HHS pulled the final data breach notice rules from OMB on July 27, Some speculate that the soft trigger may be replaced by a hard trigger. The interim rules remain in effect for now.
8 HIPAA regs. (cont.) Notice to patients must be in writing, though urgent oral notice is o.k. Written notice to patients must occur without unreasonable delay and not later than 60 days after discovery of the breach.
9 HIPAA regs. (cont.) If 500 or more patients are affected, notify HHS at the same time patients are notified. Notice should be given via the HHS website: trative/breachnotificationrule/brinstruction.ht ml. trative/breachnotificationrule/brinstruction.ht ml Smaller breaches must be reported to HHS annually.
10 HIPAA regs. (cont.) Press releases regarding the breach must be sent to prominent media outlets serving the state without unreasonable delay, within 60 days of discovery.
11 State notice requirements State data breach laws require entities that own or license unencrypted computerized personal information to promptly notify individuals if a breach of the security of the computerized system compromises the security of the information.
12 State notice req’ts (cont’d) State data breach laws typically define “personal information” as a person’s first name or initial, plus last name, plus SSN, Driver’s license or state ID card number, or Financial account number. Some state statutes include “medical information.”
13 State notice req’ts (cont’d) As of Sept. 2, 2010, 46 states, Washington, D.C., and Puerto Rico have data breach notification laws. Alabama, Kentucky, New Mexico, and South Dakota have not yet enacted data breach notice laws.
14 State notice req’ts (cont’d) Massachusetts, North Carolina, New Hampshire, New York, and Puerto Rico also require that government officials in those jurisdictions be notified of a breach that affects large numbers of their residents.
15 State notice req’ts (cont’d) California Health and Safety Code Section Applies to hospitals, skilled-nursing facilities, psychiatric health facilities, clinics, home health agencies, and hospices licensed under Ca. laws. Covers individually-identifiable information, in electronic or physical form. Pertains to any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information.
16 State notice req’ts (cont’d) Ca. H & S Code, § (cont’d) “Unauthorized” means the inappropriate access, review, or viewing of medical information without a direct need for medical diagnosis, treatment, or other lawful purpose under any state or federal law. Requires notice to patient and Ca. Dept. of Public Health within five business days after detection. H & S Code § is a “hard trigger” statute.
17 PCI DSS Businesses that accept credit and debit cards are required by their contracts with their banks to comply with the Payment Card Industry Data Security Standard (“PCI DSS”). The PCI DSS requires that merchants notify card associations immediately if payment card data are stolen from the merchant.
18 Purposes of notice requirements To protect individuals from fraud 11.1 million Americans were victims of identity theft in 2009, a crime wave that cost consumers and businesses more than $54 billion in 2009 (Javelin) Identity theft is the fastest growing white collar crime in America It takes a person an average 150 hours and $900 to resolve fraudulent charges
19 Purposes for notices (cont’d) To encourage businesses to improve their information security practices by mandating disclosure of data thefts.
20 Types of fraud Common types of fraud: Current account fraud – credit card, debit card, phone card Identity theft using an individual’s name and SSN: To establish new credit To commit other crimes
21 Types of fraud (cont’d) Other types of fraud: Driver’s licenses Health benefits Insurance fraud Rental housing Utilities Government benefits Fraudulent W-2s These may not show up on credit reports for years
22 Types of fraud (cont’d) Targets include anyone with a SSN or payment card The thieves’ modus operandi: Gain access to large numbers of potential victims Keep a low profile Victimize average consumers over long periods Sell victims’ personal information
23 Actions required after a breach 1. Senior management, board members, and counsel must be notified and must plan a response 2. The breach must be investigated to determine what information was obtained, lost, or disclosed, and how the breach occurred. 3. Management must determine who else should notified – patients, law enforcement, HHS, employees, others? 4. Management must determine how the notices will be sent and must manage the notice process. 5. Inquiries and lawsuits must be responded to. 6. Security flaws must be corrected, damages paid, and all mitigation efforts documented.
24 Actions required (cont’d): Step 1 1. Notify internal senior management, counsel, and develop: a communication plan to contact other internal officials a plan to identify, prioritize, assign, and manage tasks, e.g., who will direct and manage the investigation, who, if necessary, will contact law enforcement (if there was a theft), who, if necessary, will coordinate media strategy, and who will supervise the notification and inquiry process.
25 Actions required (cont’d): Step 2 2. Investigate: Coordinate investigative steps consistent with the initial plan: What information was accessed or stolen? Were PHI or “computerized data” obtained by an unauthorized person – internal/external? If computer forensics, network security, or private investigators are needed, they should be hired by counsel to permit him or her to advise you. The consultants’ reports should be privileged.
26 Actions required, Step 2 (cont’d): Determine what information was stolen or lost, and how: Lost or stolen laptop, CD, thumb drive, iPod, PDA, smartphone Lost back-up data Paper files Hacking or extortion Rogue employee, internal fraud sent to wrong address FTP file transfer Theft from or loss by third party
27 Actions required (cont’d): Step 3 3. Determine whom to notify outside of the organization: Notify law enforcement of any theft. Discuss with law enforcement whether to delay notifying others. Create a list of any potentially affected individuals, with notice addresses. Notify employees, media?
28 Actions required, Step 3. (cont’d) Determine if you’re required to notify customers, government officials, or both If so, decide how you will provide notice Most statutes require postal mail notice in most circumstances. Will you send postal notices yourself? Will you send notices as well? Notify accurately rather than notifying quickly.
29 Actions required (cont’d): Step 4 4. Determine how to send notifications: If individuals are to be notified: decide whether to outsource notice decide whether to offer credit monitoring and other services (one year of credit monitoring is standard) draft notice letters with potential litigation in mind train operators for a call-in center, draft scripts, and post important info. and FAQs on your website Any notices to regulators should concisely explain what occurred and what remediation steps have been and are being taken.
30 Actions required: Step 4 (cont’d) For notices to patients or customers, what is your deliverable? “Y our data has been lost or stolen and here is a list of things you can do to protect yourself” or Here’s some assistance to resolve potential problems.
31 Actions required: Step 4 (cont’d) Consider hiring one of the companies that provide notices and other services. It will help minimize the disruption of your business. Specialists can better assist your customers.
32 Actions required (cont’d): Step 5 5. Respond to inquiries and to litigation: Respond to individuals, employees, and the media honestly but with an understanding that everything you say may be used in court. Be prepared to defend against a class action lawsuit if lost or stolen information is misused.
33 Actions required (cont’d): Step 6 6. Correct security flaws and remediate damages: Correct all vulnerabilities, e.g., institute secure transport and storage of backup tapes; encrypt personal information on all portable devices; install “lojack” (“call home”) software on laptops; deploy software to prevent data leakage through outgoing s; ensure that audit logs are retained; implement automated auditing of logs;
34 Actions required: Step 6 (cont’d) Correct all vulnerabilities, e.g. (cont’d): ensure that video surveillance of areas where info. is stored is functioning; hire staff to implement and monitor firewalls or outsource that work; install and monitor intrusion detection and prevention systems; ensure that anti-virus software is consistently maintained and patches are always installed; and harden servers and operating system software by turning off unneeded features.
35 Actions required: Step 6 (cont’d) If your computer network was penetrated, Prepare for additional attacks when the breach is disclosed. If individuals can show they suffered fraud related to the breach, compensate them. Your claims specialists should review fraud claims. Experts estimate that 1-4% of the population have experienced “identity theft.” You should compensate only fraud that was probably caused by the breach at your company, not by another event.
36 Prices for contracted-out notices and other services E.g., Kroll, Inc. provides: Address verification, if address data are more than one year old: 50 ¢ per record; Mailing notices, plus 12 months of call center coverage and access to investigators: $4.50 per person impacted;
37 Prices for contracted-out notices and other services (cont’d) Kroll prices (cont’d) Credit reports and credit monitoring: $22 to $75 per person, depending on deliverables (price depends on usage; for 275 cases in 2009, Kroll’s average usage or “take-rate” was 17%); and Identity “restoration” (resolving fraudulent charges or identity theft): $500 per approved case (approval requires an investigation and a determination that the person is a victim of fraud and the fraudulent activity began after the breach).
38 Examples of costs incurred In December 2005, a thief stole backup discs and tapes from the vehicle of an employee of Providence Health & Services. The tapes and discs contained unencrypted information about 365,000 patients.
39 Examples of costs incurred (cont’d) A few patients filed a putative class action case against Providence in Oregon state court. The trial court dismissed the case because the patients could not show they incurred any damages. An appeal is pending.
40 Examples of costs incurred (cont’d) HHS investigated the backup disc and tape theft, as well as several incidents in which Providence laptops were stolen. HHS investigators sent document requests and interviewed witnesses. HHS officials negotiated a Resolution Agreement in 2008.
41 Examples of costs incurred (cont’d) The Resolution Agreement included a three-year Corrective Action Plan (“CAP”) that requires Providence to improve its information security practices, train its workforce, monitor compliance with the CAP, and report any additional breaches.
42 Examples of costs incurred (cont’d) Providence backup theft costs : approximately $7 million.
43 Examples of costs incurred (cont’d) Providence is meeting its responsibilities under the CAP. The key to Providence’s success was management’s decision to plan, build, and operate first-class information security practices across the five-state, 50,000-employee organization.
44 Examples of costs incurred (cont’d) That led to Hiring a CISO, Creating a new information security management structure, Increasing the number of its info. security employees from five to 18, Rewriting info sec. policies and procedures, and Deploying and managing state-of-the-art info. sec. software.
45 Examples of costs incurred (cont’d) Providence’s annual information security costs increased by more than 800% from 2005 to 2009.
46 Examples of costs incurred (cont’d) Online theft of 35,000 payment card datasets (2010): Additional employee wages$94,893 Temp. staffing $82,773 Forensic investigation $93,020 PCI DSS compliance review$22,200 New hosting service $185,880 Network redesign$17,000 New hardware$65,460 New software$27,241 Legal$30,000 Customer notices, call center, credit restoration services ($6.25/customer) $218,750 Lost business during temporary shutdown $159,784 Total $997,001
47 Examples of costs incurred (cont’d) These cost examples amounted to $18.94 and $28.49 per patient or customer. That’s less than reported average costs -- E.g., Ponemon Institute, for records stolen in 2008: direct costs per record: $50; indirect costs per record (lost productivity, stock price decrease, etc.): $152.
48 Questions?
49 Contact information Randy Gainer Davis Wright Tremaine LLP (206)