06B – DATA INCIDENTS AND LITIGATION Jeffrey L. Poston Partner Crowell & Moring, LLP



TYPES OF INCIDENTS

• Cyber-Hacking
• Employee/Vendor Negligence
– Lost laptop
– Inadvertent transmission
• Employee/Vendor Theft


BREACH RESPONSE ISSUES


Loss/Theft of Data, and the issues it raises:

• Individual Student Notification
• Insurance Coverage
• OCR/HIPAA
• State AG Enforcement
• Class Actions
• Law Enforcement
• Trade Secret Theft
• Business Reputation
• Vendor Involvement/Indemnity
• Internal Investigation/Forensics


RECENT UNIVERSITY BREACHES

• Coordinated Attack
– 10/13: hackers infiltrated over 50 universities and published sensitive information online, including names, addresses, and user names and passwords.
• Phishing Scam
– 10/13: phishing scam resulted in the breach of over 3,000 individuals’ personal information. University employees inadvertently gave hackers access to protected health information.


RECENT UNIVERSITY BREACHES (cont’d)

• Unauthorized Access
– 8/13: incident at a Midwestern school resulted in unauthorized access to records (including SSNs) of over 60,000 individuals. School is providing credit monitoring services for 1 year.
• Cyber Attack
– 7/13: hackers accessed data of 80,000 university employees through a defect in vendor software. University is providing credit monitoring services for 1 year.


REGULATORY ACTION

• Health and Human Services
– College and university hospitals hit with HIPAA fines in 2013:
• A state university in the Northwest settled with HHS for $400,000.00
• A private university in California experienced a breach with 13,000 compromised records
• A public university in the Midwest experienced a breach of over 3,000 medical records


REGULATORY ACTION (cont’d)

• State Breach Notification
– Expanded definition of Protected Information in California
• Includes login information, email addresses, and security questions
• 46 states have breach notification laws
– Different timeframes
– Subject to enforcement actions and fines
– Disparate state reporting requirements


LITIGATION THREAT

• Springer v. Stanford University
– Medical data for 20,000 emergency room patients accidentally sent to a job applicant
– Applicant then posted the information online
– Information exposed for over a year
– $20 million class action suit, pending in Superior Court of the State of California, County of Los Angeles


LITIGATION THREAT (cont’d)

• Gross v. University of Hawaii
– 5 alleged data breaches at 4 different University institutions from 2009 – 2011
– 96,000 individuals affected
– Settled in 2012; credit protection services to affected individuals for two years


LITIGATION THREAT (cont’d)

• UCLA v. Superior Ct of LA County
– Over 16,000 patient records allegedly compromised by theft of a hard drive
– Damages sought totaled $1,000 per patient, or over $16 million
– California Court of Appeal, 2nd District, dismissed the case on October 15, 2013
– Healthcare providers not necessarily liable for stolen or misappropriated medical data absent a showing that the data was actually accessed by an unauthorized person


LITIGATION THREAT (cont’d)

• Bombardieri v. Emory Healthcare
– Emory University allegedly lost 10 discs containing patient information and some Social Security Numbers
– Allegation of 300,000 compromised records
– Damages sought totaled $200 million, or $1,000 per patient
– Case disposed (dismissed) by Superior Court of Fulton County, Georgia in 2012


CYBER ESPIONAGE

• Research universities as targets
– Defense / Homeland Security development grants
– Patents and intellectual property
• Unique problems facing universities:
– Open and collaborative work environment
– Foreign professors / students
– Foreign travel


CYBER ESPIONAGE (cont’d)

• By the numbers:
– One public university in the Midwest reports 90,000 – 100,000 illegal attempts to gain access to the network per day, originating largely from China
– A California university reports millions of attempts per week
– All universities are reporting exponential growth in the number of attacks and in their sophistication


HOW TO MANAGE CRISIS WHEN PII COMPROMISED

1. DO NOT SWEEP UNDER THE RUG

2. BE PREPARED
– Breach Response Plan
• GC’s Office
• Privacy Office
• IT
• Media Relations
• Training/Policies to ensure incident reported up the chain

3. INVOLVE IN-HOUSE/OUTSIDE COUNSEL IMMEDIATELY
– Can assert privilege to maximum extent possible
– Assert privilege over outside consultants
– Use counsel to conduct employee interviews
– Assess claims vs. vendors
– Assess need for law enforcement
– Strategize for long run


HOW TO MANAGE CRISIS WHEN PII COMPROMISED (CONT’D)

4. INVESTIGATE
– Physical
– Forensics
– What data?
– Whose data?
– Access to vendors
– JDA

5. MITIGATE/REMEDIATE
– Can you recover data?
– Can you forensically prove data not accessed?
– If the cause is technical, can it be fixed?
– First 24-48 hours critical


HOW TO MANAGE CRISIS WHEN PII COMPROMISED (cont’d)

6. NOTIFICATION ISSUES
– HIPAA/OCR?
– State breach notification laws
– FERPA

7. HERE COME THE REGULATORS
– Be proactive with regulators
– Establish relationship/bring them in the loop

8. INVOLVE CORPORATE COMMUNICATIONS
– States require certain content in notification letters
– Speak with one consistent voice


HOW TO MANAGE CRISIS WHEN PII COMPROMISED (cont’d)

9. VENDOR ISSUES
– JDA
– Who is notifying students etc.?
– Indemnity
– Tolling Agreement

10. INSURANCE ISSUES
– Report incident
– What kind of policy?
• CGL
• Standard cyber policy


EMERGING LITIGATION ISSUES

• Typical Claims
– Negligence
– Breach of Contract
– Unfair Trade Practices
– Breach of Privacy
– State Statutes
• Threshold issues
– Standing to sue (Federal Court)
– Actual injury or harm (common law claims)


EMERGING LITIGATION ISSUES (cont’d)

• Class Certification Issues
– Rare (dismissal or settlement)
– Claims often turn on individualized issues of causation and damages
– Thus common questions of law and fact do not predominate over questions affecting individual members
• Damages
– Aggregate exposure to nominal damages
– Due process violation?


TYPICAL SETTLEMENTS

• Non-monetary relief (e.g., credit monitoring)

• Monetary payments to privacy non profits (e.g., Privacy Rights Clearinghouse)

• Consent decree requiring security improvements

• Attorneys fees to plaintiffs’ counsel

• Capped individual payments to plaintiffs who can prove causation
