On May 20, 2019, an amendment to the Oregon Consumer Identity Theft Protection Act passed unanimously in the Oregon House and Senate, and Governor Kate Brown signed the bill into law on May 24, 2019. This amendment changed the title of the state’s data protection law to the “Oregon Consumer Information Protection Act.” It also expanded the scope of the law, updating the types of information considered “personal information” and mandating vendor notification of breaches.
The amendment expands the definition of “personal information” to include user names or other information used to access a consumer’s online account. Breaches of this information would require notification pursuant to the requirements of the act.
In addition, vendors are now directly regulated under the act. The amendment adds a definition of “covered entity”—a person owning, licensing, maintaining, storing, managing, collecting, processing, acquiring or otherwise possessing personal information in the course of its activities. Persons contracting with such covered entities to maintain, store, manage, process or otherwise access personal information in the course of services provided to or on behalf of a covered entity are deemed “vendors” under the act.
The amendment specifies that vendors who discover a data breach, or who have reason to believe that a breach occurred, must notify the applicable covered entity no later than ten (10) days following discovery. Subcontractor vendors must notify the vendor with which they contract. If a breach involved personal information of more than 250 consumers, or if the vendor cannot determine how many consumers are impacted by a breach, the vendor is required to notify the Oregon Attorney General (unless the applicable covered entity has already done so).
Health care organizations and vendors regulated under HIPAA are exempt from the requirements of the act if the breached information is subject to HIPAA and they comply with their obligations under HIPAA. However, they must notify the Oregon Attorney General if the breach impacts more than 250 consumers.
The amendment to the act takes effect on January 1, 2020.
On May 6, 2019, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced a settlement with Touchstone Medical Imaging (Touchstone), a diagnostic medical imaging services provider, requiring a three million dollar financial settlement and a two-year Corrective Action Plan.
There are a number of lessons that HIPAA covered entities and business associates can glean from the Touchstone enforcement action, a notable one being that an entity should promptly and thoroughly investigate any security incident or potential data breach. Both OCR and the Federal Bureau of Investigation (FBI) notified Touchstone that one of its FTP servers was allowing uncontrolled access to patients’ protected health information (PHI). After initially denying the exposure, Touchstone eventually reported a breach of more than 300,000 social security numbers and other PHI. OCR found that neither Touchstone’s investigation of the incident nor its breach notification was handled in a timely manner.
In investigating Touchstone, OCR also found that the entity did not conduct an accurate and thorough risk analysis—a key enforcement priority of OCR in recent years. As part of its Corrective Action Plan, Touchstone is required to conduct an enterprise-wide risk analysis, including creating an inventory of all of its equipment, systems, applications and off-site storage facilities that contain PHI. This is a key element for any organization in order to decide what systems and processes best secure PHI and other sensitive data.
In addition, OCR detailed that Touchstone failed to execute business associate agreements with its vendors, including its information technology vendors, prior to the disclosure of PHI. Similar to prior settlements, the Touchstone settlement emphasizes the importance of understanding which vendors will receive or have access to an organization’s PHI and having the parties involved execute a business associate agreement at the outset of the arrangement.
If approved by the U.S. District Court for the Northern District of California, the $117.5 million settlement agreement proposed by Yahoo on Wednesday will establish the largest common fund ever obtained in a data breach case.
In December 2016, Yahoo announced that login information for over 1 billion of its customer accounts had been stolen in August 2013. However, in October 2017, the company disclosed that an investigation by outside forensic experts revealed that all 3 billion accounts existing at the time had been impacted—making it one of the largest data breaches ever. The stolen information included users’ names, e-mail addresses, telephone numbers, dates of birth, security questions and answers and hashed passwords created using the MD5 algorithm, a hash function known to be vulnerable to brute force and hash collision attacks.
Victims filed a class action lawsuit alleging that Yahoo did not use appropriate safeguards to protect users’ personal information and deliberately failed to notify users that their personal information had been stolen. The suit also captures two smaller data breaches that occurred in 2014 and 2016. The proposed settlement would fund two years of credit monitoring for all class members and reimbursement for out-of-pocket expenses related to identity theft, lost time, paid user costs and small business costs, as well as attorney’s fees and costs and expenses, service awards for class representatives and notice and administration costs.
Yahoo and plaintiffs initially agreed to a settlement of $50 million, plus attorney’s fees and other expenses, but the proposal was rejected by U.S. District Judge Lucy Koh. In January 2019, Judge Koh ruled that this offer inadequately disclosed the total size of the settlement fund, the scope of non-monetary relief and the size of the settlement class, making it impossible for class members to assess the reasonableness of the offer. The court will hold a hearing on the revised settlement agreement on June 27, 2019.
On January 17, 2019, North Carolina Attorney General Josh Stein and North Carolina Representative Jason Saine announced proposed legislation intended to strengthen the state’s data protection laws.
The existing North Carolina Identity Theft Protection Act (ITPA) is similar to data breach laws in other states, and requires businesses to protect the sensitive information (e.g., social security numbers) of state residents. Businesses must implement policies governing the secure destruction of personal information and train employees accordingly. In the event of a data breach, the ITPA requires notification to impacted individuals without unreasonable delay.
In 2018, Attorney General Stein and Representative Saine introduced legislation to strengthen the ITPA, expanding the definition of a data breach to include a ransomware attack and requiring incident notification within fifteen (15) days. This legislation was not enacted. The 2019 version reflects certain modifications to last year’s proposal. In particular, the new proposed legislation gives entities up to thirty (30) days to report a data breach to those impacted North Carolina residents and the North Carolina Attorney General.
According to a fact sheet, the proposed legislation goes beyond most breach reporting laws by requiring entities that determine an incident did not result in harm to document that determination for review by the North Carolina Attorney General. If enacted, this will bring greater scrutiny to data hacks, ransomware events and other incidents that may not necessarily result in reportable breaches under the federal HIPAA regulations or other state or federal laws.
Attorney General Stein also released a report summarizing the 1,057 data breaches reported to his office last year. According to the report, these breaches impacted more than 1.9 million North Carolina residents, which is a 63% decrease from 2017 when breaches impacted approximately 5.3 million residents. As to the causes of these breaches, the report indicates that phishing schemes comprised 26% of the breaches, with hacking breaches decreasing slightly as compared to 2017.
On Friday, January 4, 2019, Marriott International, Inc. (“Marriott”) revealed that 5.25 million unencrypted passport numbers and 20.3 million encrypted passport numbers were included in the data stolen as part of the massive data breach of November 30, 2018. Although Marriott originally disclosed that the breach of its Starwood guest database, which includes Westin, W and Sheraton, included information such as e-mail addresses, credit card data and passport information, this new revelation increases lingering espionage concerns associated with the breach. Passport numbers serve as unique identifiers to those holding the passport. As such, these numbers may be used by hackers to track the travel itineraries of cyberattack victims, many of whom may be government officials or business executives.
A United States intelligence official and other sources familiar with the attack investigation have speculated that China may be behind the attack. The techniques used by the hackers are consistent with past cyberattacks sponsored by the Chinese government. This speculation adds a troubling aspect to the attack. If the Chinese government gained access to the passport information compromised in the attack, it would be able to increase the efficacy of future attacks by focusing its espionage assets on individuals of particular importance.
Marriott’s newest disclosure may affect its legal exposure
Multiple lawsuits seeking class-action certification were filed when news of the data breach originally broke. One such class action is seeking $12.5 billion in damages, which is equivalent to $25 for each of the 500 million cyberattack victims. This figure allegedly reimburses the victims for the costs associated with cancelling credit cards compromised in the attack. Marriott may expect to see its legal exposure rise along with the newest disclosures due to the particularly sensitive nature of passport numbers and the additional burden placed on victims in determining their individual exposure and obtaining new passport information.
Response from Capitol Hill
Lawmakers in the United States cited the Marriott data breach as another example of the increasing need for federal privacy laws. Among other things, lawmakers have called for “data minimization,” which generally relates to safeguarding potential cyberattack victims by requiring companies to discard sensitive consumer data that the companies no longer need. As the scale of the breach and the nature of the data compromised continue to come to light, we can expect to see renewed calls from lawmakers in favor of federal privacy laws.
Marriott’s January 4, 2019, press release may be found here.
Last Friday, November 30, 2018, Marriott International, Inc. (“Marriott”) disclosed a data breach impacting up to 500 million guests who stayed at its Starwood properties across the globe. The breach centered on the Starwood guest reservation database, which holds information such as mailing addresses, e-mail addresses, payment card data, passport numbers and arrival and departure dates.
This breach is different from others because of the variety of data accessed
While it remains unclear what information the hackers were targeting, it is likely that this breach is about more than just stealing payment card information. In this case, the hackers were able to get a bounty of nonfinancial information, which can easily be combined with other information available on the black market to make it even easier for a bad actor to assume someone’s identity. Having this extra information can aid hackers in answering security questions that can enable access to password-protected accounts. The information can also be used to create more personalized and detailed phishing attacks, where a hacker sends an e-mail to a particular person that appears to be legitimate but is actually from a criminal attempting to gain access to information. By including highly personal and detailed information regarding travel dates and locations, phishing e-mails can be harder to detect.
Many experts reported that the data has not appeared to be for sale on the “dark web.” In general, when stolen data does not pop up on the dark web, it is a state actor obtaining the data for intelligence reasons.
The breach may have been ongoing for four years
Marriott said that an internal security tool found an attempt to access the guest reservation database on September 8, 2018. A further investigation then revealed that the hackers had had access to the Starwood database since 2014.
Adding another headache for Marriott is a smaller breach approximately three years ago. In 2015, Starwood reported a breach where attackers installed malware on point-of-sale systems in some hotels to gain payment card information. This breach was disclosed four days after Marriott announced the deal to acquire Starwood. Marriott has responded that the 2015 incident was not related to the current breach. But many experts in the field say that a more thorough investigation into the 2015 incident might have uncovered the hackers who continued to have access for three more years.
A class-action lawsuit was filed
A national class action lawsuit was filed alleging that Marriott failed to “properly safeguard consumers’ highly sensitive and confidential information.” The complaint does not disclose the amount sought in damages.
Additionally, the United Kingdom’s data protection commissioner and attorneys general from several states, including Maryland, Massachusetts, New York, Pennsylvania and Texas, have stated that they intend to look into the incident.
There could be an impact on due diligence in deals
Because it appears as though the hackers had access to the Starwood guest reservation database before the 2016 merger with Marriott, many are questioning the cybersecurity due diligence performed in that deal. We have seen data breaches affecting large deals in the past, but typically a breach has been discovered prior to closing the deal. Here, however, Marriott contends it only learned of the breach this September, about two years after the $13.6 billion deal.
While Marriott does have cyber insurance, it will have to absorb the full financial (and reputational) impact from the breach, which could get expensive. In Europe, for example, under the General Data Protection Regulation (GDPR) companies can be fined up to 4% of global revenue.
Regulatory authorities and courts will also likely investigate whether Marriott was “reasonable” in its due diligence of Starwood’s cybersecurity systems and procedures. This could have far-reaching effects on cybersecurity diligence and make a complete review of a target’s cybersecurity regime the norm.
Because of the variety of information accessed, individuals who believe their data may be compromised should immediately freeze their credit by contacting the three major credit bureaus. Marriott is also offering guests one free year of enrollment in WebWatcher, which monitors websites where personal information is shared and notifies a consumer if any of his or her personal information is found.
We can expect to keep hearing about this breach for a while.
On September 26, 2018, ride-share company Uber Technologies Inc. agreed to a settlement with the attorneys general of all 50 states and the District of Columbia in response to allegations that it concealed a data breach. This follows an April 2018 settlement between Uber and the Federal Trade Commission following allegations that Uber deceived its customers regarding this incident.
Last November, Uber disclosed that it paid hackers a ransom of $100,000 to destroy data related to a breach of a cloud-based service used by the company. This breach, which occurred in late 2016, involved the names, e-mail addresses and cell phone numbers of 57 million Uber riders and drivers, as well as drivers’ license numbers of approximately 600,000 drivers. Failure to timely notify impacted individuals of a data breach is a violation of the breach notification and reasonable data security laws in many states.
The financial settlement will be divided among the states and the District of Columbia based on the number of drivers in each, with New York receiving approximately $5.1 million, Illinois receiving $8.5 million and California receiving $26 million. Illinois Attorney General Lisa Madigan announced that she intends to provide $100 to each impacted Uber driver in Illinois.
In addition to the financial terms, the settlement also requires Uber to implement a corporate integrity program that allows its employees to report unethical behavior. Uber also must hire an independent third party to review its data security practices on a regular basis, and it must adopt model breach notification and security practices.
In a blog post on the Uber website, Uber’s Chief Legal Officer Tony West referenced the hires of Uber’s Chief Privacy Officer and Chief Trust & Security Officer. In noting how Uber is continuing to invest in protecting customer data, West acknowledged that “trust is hard to gain and easy to lose.”
You can read more about the breach here.
Following a report of a breach of protected health information, on August 29, 2018, the New York Attorney General announced a settlement with Arc of Erie County, a social services agency that serves persons with developmental disabilities and their families. Arc of Erie County received a $200,000 financial penalty plus a Corrective Action Plan, which requires Arc of Erie County to conduct a HIPAA-required security risk assessment and submit a report of that assessment to the attorney general’s office.
Under HIPAA, Arc of Erie County and other covered entity health care providers are required to implement appropriate physical, technical and administrative safeguards to protect clients’ protected health information. In March 2018, Arc of Erie County notified impacted clients and the attorney general of a breach of client health information involving a website designed for internal staff access that was instead publicly visible online, with its contents also indexed by search engines. The data that was available to the public included full names, social security numbers, addresses and dates of birth. A forensic investigation demonstrated that individuals outside the United States accessed the links to the sensitive data many times. The data breach impacted 3,751 New York residents.
In addition to the Department of Health and Human Services, Office for Civil Rights, the HIPAA regulations provide state attorneys general with HIPAA enforcement authority. The New York Attorney General’s office concluded that Arc of Erie County failed to implement appropriate physical, technical and administrative safeguards to protect its clients’ health information, as required by HIPAA. The attorney general’s office determined that this resulted in an impermissible disclosure of electronic protected health information.
This enforcement action emphasizes the need for all organizations, even not-for-profit, community-based providers, to conduct enterprise-wide security risk assessments. Data gleaned from such assessments should be the basis for the organization’s risk management plan, which is also a HIPAA requirement. These items are fundamental parts of a covered entity or business associate’s HIPAA compliance program and elements that will be requested in any governmental audit or investigation of HIPAA compliance.
I’ve used the phrase “it’s not a matter of if, but when” referring to data breaches more times than I can count, but still, I never thought it would happen to me. When it comes to identity security, I like to think I do most things right. My passwords are sentences, combining capital letters, numbers and punctuation, and I rarely use the same password on more than a few sites. I’m cautious with opening e-mails from people I do not know, and I am even more cautious at opening links out of e-mails. I read about data breaches over a cup of coffee. But, on the first Sunday evening in July, I got an e-mail from my credit card company informing me that a new account was opened in my name.
By 8:30 a.m. the next morning, an alert was placed on my credit, supposedly warning creditors to add an extra layer of verification before opening any lines of credit with that social security number, and a fraud resolution case was opened. Because of the July 4 holiday, I did not actually speak to a fraud resolution agent until July 5. During this three-day span, I received at least four calls trying to verify my identity before a new credit card was opened in my name. I was able to stop these cards from being opened, but the inquiry was already on my credit report. Additionally, at least four other credit cards were opened in my name, despite the alert.
Or a version of my name. Interestingly enough, this thief was able to open cards using a misspelling of my name (“Jeny”) and using my maiden name, which is no longer my legal last name.
My fraud resolution agent, Shelly from one of the major credit monitoring bureaus, was extremely helpful and kind, pretending not to notice as my voice cracked when I heard that over $5,000 had been charged at a chain jewelry store and almost $1,000 at a nationwide department store. Together, Shelly and I called the banks issuing these credit cards to inform them of the fraud. Shelly also noticed two more attempts on my credit report, which we were able to call and confirm should not be opened. But, after almost two hours on the phone with me, Shelly had done all she could do.
Over the next week, I received three more credit cards in the mail and more letters denying an attempt to open a credit card than I’d like to remember. In total, “Jeny” spent almost $10,000 using my social security number in less than one week.
Having drafted letters to individuals affected by data breaches, I knew that I needed to file a report with the FTC and freeze my credit. I will not be able to open any new lines of credit in my name until I lift the freeze, but at least I know that “Jeny” will not be able to either. I also had to file a police report so that I am not responsible for the $10,000 worth of jewelry, children’s clothes, makeup, etc. that “Jeny” purchased. I will need to watch any documents from the IRS and Social Security Administration to make sure that “Jeny” is not working using my social security number.
Over the past two weeks, I’ve spent countless hours on the phone canceling accounts. I’ve filled out massive amounts of paperwork from banks declaring that the purchases were actually fraudulent. I feel violated and angry. My credit score has dropped over 40 points (I am told that all of the various inquiries will be removed from my account within 90 days). Surprisingly, I think I only cried once or twice, although we’d need to confirm that detail with my husband.
When I was filing the police report, the police officer nicely told me that he did not think they’d catch this person. Of course I never thought they would. But that led me to ask, what would I even do if they did catch “Jeny”? Correct his or her spelling? Ask why? Ask how? Cyber criminals never have to face their victims. They are able to cowardly hide behind a computer screen. To “Jeny,” I was just a 9-digit social security number.
I know that I was lucky. My credit card company alerted me at the first sign of fraud. I was able to stop this from spiraling even further out of control quickly. It could have been worse.
Not to suggest that we need to be doing more to protect ourselves against data breaches, because we already know that, but perhaps the fact that victims remain faceless is a problem. We hear of the “Company Name Breach”; we do not hear of the Jenny Holmes identity theft. We do not think of the innocent victim. Breaches are happening daily and most of us sit thinking that it will never affect us. But it will, trust me.
In its March 2018 Cybersecurity Newsletter, the Department of Health and Human Services Office for Civil Rights (OCR) advises health care organizations on the establishment and implementation of contingency plans in the event of an emergency or other disruption to normal operations.
Pursuant to the HIPAA Security Rule, HIPAA covered entities and business associates are required to promulgate contingency plans. Contingency plans focus on a health care organization’s response and recovery operations in the wake of an adverse event that jeopardizes its data, such as a natural disaster or a cyberattack. According to OCR, a well-constructed contingency plan carries two primary objectives: containing any damage or injury to, or loss of, property, personnel and data; and ensuring the continuity of key organization operations. HIPAA-compliant contingency plans, the newsletter explains, must specifically include a disaster recovery plan, a continuity of operations plan and a data backup plan.
The newsletter outlines vital considerations for an organization instituting a contingency plan. Some recommended steps include codifying the contingency plan within the organization’s formal policies, identifying and prioritizing the systems and applications critical to operations and performing risk analyses to determine potential threats, risks and preventative controls. Furthermore, OCR advises health care organizations to establish specific contingency plan guidelines, parameters and procedures. In plain language, such procedures should establish the circumstances under which the contingency plan activates and define the time periods for various responses. Finally, the newsletter encourages the integration of contingency plans into normal business operations, disseminating the plan within the organization, testing the plan for weaknesses and regularly reviewing the plan for accuracy.
The OCR Cybersecurity Newsletter can be found here.
Adrienne Testa assisted in drafting this post.