06B – DATA INCIDENTS AND LITIGATION
Jeffrey L. Poston, Partner, Crowell & Moring, LLP
TYPES OF INCIDENTS
• Cyber-Hacking
• Employee/Vendor Negligence
– Lost laptop
– Inadvertent transmission
• Employee/Vendor Theft
BREACH RESPONSE ISSUES
Loss/Theft of Data
• Individual Student Notification
• Insurance Coverage
• OCR/HIPAA
• State AG Enforcement
• Class Actions
• Law Enforcement
• Trade Secret Theft
• Business Reputation
• Vendor Involvement/Indemnity
• Internal Investigation/Forensics
RECENT UNIVERSITY BREACHES
• Coordinated Attack
– 10/13: hackers infiltrated over 50 universities and published sensitive information online, including names, addresses, and user names and passwords.
• Phishing Scam
– 10/13: phishing scam resulted in the breach of over 3000 individuals’ personal information. University employees inadvertently gave hackers access to protected health information.
RECENT UNIVERSITY BREACHES (cont’d)
• Unauthorized Access
– 8/13: incident at a Midwestern school resulted in unauthorized access to records (including SSNs) of over 60,000 individuals. School is providing credit monitoring services for 1 year.
• Cyber Attack
– 7/13: hackers accessed data of 80,000 university employees through a defect in vendor software. University is providing credit monitoring services for 1 year.
REGULATORY ACTION
• Health and Human Services
– College and University Hospitals hit with HIPAA fines in 2013:
  • A state university in the Northwest settled with HHS for $400,000.00
  • A private university in California experienced a breach with 13,000 compromised records
  • A public university in the Midwest experienced a breach of over 3000 medical records
REGULATORY ACTION (cont’d)
• State Breach Notification
– Expanded definition of Protected Information in California
  • Includes login information, email addresses, and security questions
• 46 states have breach notification laws
– Different timeframes
– Subject to enforcement actions and fines
– Disparate state reporting requirements
LITIGATION THREAT
• Springer v. Stanford University
– Medical data for 20,000 emergency room patients accidentally sent to a job applicant
– Applicant then posted the information online
– Information exposed for over a year
– $20 million class action suit, pending in Superior Court of the State of California, County of Los Angeles
LITIGATION THREAT (cont’d)
• Gross v. University of Hawaii
– 5 alleged data breaches at 4 different University institutions from 2009 – 2011
– 96,000 individuals affected
– Settled in 2012; credit protection services to affected individuals for two years
LITIGATION THREAT (cont’d)
• UCLA v. Superior Ct of LA County
– Over 16,000 patient records allegedly compromised by theft of hard drive
– Damages sought totaled $1,000 per patient, or over $16 million
– California State Court of Appeals, 2nd District, dismissed the case on October 15, 2013
– Healthcare providers not necessarily liable for stolen or misappropriated medical data absent a showing that the data was accessed by an unauthorized person
LITIGATION THREAT (cont’d)
• Bombardieri v. Emory Healthcare
– Emory University allegedly lost 10 discs containing patient information and some Social Security Numbers
– Allegation of 300,000 compromised records
– Damages sought totaled $200 million, or $1,000 per patient
– Case disposed (dismissed) by Superior Court of Fulton County, Georgia in 2012
CYBER ESPIONAGE
• Research universities as targets
– Defense / Homeland Security development grants
– Patents and intellectual property
• Unique problems facing universities:
– Open and collaborative work environment
– Foreign professors / students
– Foreign travel
CYBER ESPIONAGE (cont’d)
• By the numbers:
– One public university in the Midwest reports 90,000 – 100,000 illegal attempts to gain access to the network per day, originating largely from China
– A California university reports millions of attempts per week
– All universities are reporting an exponential growth in the number of attacks and in their sophistication
HOW TO MANAGE CRISIS WHEN PII COMPROMISED
1. DO NOT SWEEP UNDER THE RUG
2. BE PREPARED
– Breach Response Plan
  • GC’s Office
  • Privacy Office
  • IT
  • Media Relations
  • Training/Policies to ensure incident reported up the chain
3. INVOLVE IN-HOUSE/OUTSIDE COUNSEL IMMEDIATELY
– Can assert privilege to maximum extent possible
– Assert privilege over outside consultants
– Use counsel to conduct employee interviews
– Assess claims vs. vendors
– Assess need for law enforcement
– Strategize for long run
HOW TO MANAGE CRISIS WHEN PII COMPROMISED (cont’d)
4. INVESTIGATE
– Physical
– Forensics
– What data?
– Whose data?
– Access to vendors
– JDA
5. MITIGATE/REMEDIATE
– Can you recover data?
– Can you forensically prove data not accessed?
– If technical cause, can it be fixed?
– First 24-48 hours critical
HOW TO MANAGE CRISIS WHEN PII COMPROMISED (cont’d)
6. NOTIFICATION ISSUES
– HIPAA/OCR?
– State breach notification laws
– FERPA
7. HERE COME THE REGULATORS
– Be proactive with regulators
– Establish relationship/bring them in the loop
8. INVOLVE CORPORATE COMMUNICATIONS
– States require certain content in notification letters
– Speak with one consistent voice
HOW TO MANAGE CRISIS WHEN PII COMPROMISED (cont’d)
9. VENDOR ISSUES
– JDA
– Who is notifying students etc.?
– Indemnity
– Tolling Agreement
10. INSURANCE ISSUES
– Report incident
– What kind of policy?
  • CGL
  • Standard cyber policy
EMERGING LITIGATION ISSUES
• Typical Claims
– Negligence
– Breach of Contract
– Unfair Trade Practices
– Breach of Privacy
– State Statutes
• Threshold issues
– Standing to sue (Federal Court)
– Actual injury or harm (common law claims)
EMERGING LITIGATION ISSUES (cont’d)
• Class Certification Issues
– Rare (dismissal or settlement)
– Claims often turn on individualized issues of causation and damages
– Thus common questions of law and facts do not predominate over questions affecting individual members
• Damages
– Aggregate exposure to nominal damages
– Due process violation?
TYPICAL SETTLEMENTS
• Non-monetary relief (e.g., credit monitoring)
• Monetary payments to privacy non-profits (e.g., Privacy Rights Clearinghouse)
• Consent decree requiring security improvements
• Attorneys’ fees to plaintiffs’ counsel
• Capped individual payments to plaintiffs who can prove causation