Best Practices for Avoiding Costly Data Breaches
By Tom Zeno and Lindsay Holmes
Headlines about data breaches focus on companies such as Target, but the importance of the AvMed settlement should not be overlooked. AvMed recently paid approximately $3.5 million to end a class action lawsuit, even though some plaintiffs could not prove actual damage from the breach. Can your organization avoid such a fate?
In 2009, health insurer AvMed reported two missing laptops containing unencrypted personal information including as many as 1.2 million names and Social Security numbers. In October 2013, after years of litigation, AvMed agreed to settle by implementing data security measures that should have been in place. These include measures described in the Health Insurance Portability and Accountability Act (HIPAA) regulations at 45 CFR Parts 160 and 164.
The trendsetting aspect of the settlement requires AvMed to forfeit the “unjust enrichment” it has received over the years by not providing sufficient data security for its customers. Described as returning “premium overpayments,” AvMed will pay $10 for each year an affected customer paid insurance premiums. In addition, it will pay actual losses related to identity theft.
Following the AvMed settlement, companies that are tempted to improve the bottom line by delaying data security upgrades may face a hefty price tag in the event of a breach, regardless of whether an actual injury results. Plaintiffs’ litigation seeking the return of unjust enrichment will not be limited to health care, so investments in security measures will protect your company, as well as your patients and customers. In AvMed’s case, for instance, no breach would have occurred if the laptops had been encrypted, because the information on them would have been unreadable.
Federal and state data privacy laws likely will establish a standard of due care against which unjust enrichment claims will be filed and damages calculated. By following those standards now, your organization can avoid a host of problems.
Federal Health Privacy and Security Laws
Under HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act, covered entities, such as a health care provider, and their business associates are responsible for implementing security measures to protect the integrity and privacy of patient information (45 CFR Parts 160 and 103). Although these requirements are scalable, an organization’s size, complexity and capability cannot be used as a reason to avoid security.
At a minimum, covered entities and business associates are required to maintain HIPAA privacy and security policies and procedures, implement specified security measures, and train employees to safeguard protected health information (PHI). Unsecured PHI includes information “not rendered unusable, unreadable or indecipherable to unauthorized persons” through methods specified by the secretary of Health and Human Services (HHS).
Currently, the two acceptable methods of securing PHI are either encryption or proper destruction of the data. The penalty HHS imposed on the Hospice of North Idaho in December 2012 demonstrates the need for encryption. The hospice was charged the maximum penalty of $50,000 for a single violation when a laptop computer with the data of 441 patients was stolen, because the organization used an unencrypted laptop and failed to have policies or procedures addressing mobile device security, as required by HIPAA.
Subsequently, HHS also announced its initiative, “Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information.”
Additionally, the Federal Trade Commission has brought more than 30 cases against a variety of companies for violating consumers’ privacy rights or for data breaches. The FTC also polices financial institutions subject to the Gramm-Leach-Bliley Act, which distinctly resembles the HIPAA privacy and security rules by requiring protections such as a written security policy, risk assessment and access controls.
Although voluntary, the Framework for Improving Critical Infrastructure Cybersecurity, released in February 2014 by the National Institute of Standards and Technology, should not be overlooked. NIST describes the framework as “created through collaboration between industry and government” and “consist[ing] of standards, guidelines, and practices to promote the protection of critical infrastructure.”
NIST considers the framework “prioritized, flexible, repeatable and cost-effective.” It is likely that plaintiffs will try to hold companies to this standard.
Currently, 46 states, along with the District of Columbia, Guam, Puerto Rico and the Virgin Islands, have data security breach laws, and some of them are broad enough to span multiple industries. For example, personal information, as defined by Massachusetts law, can be the first initial and last name of an individual coupled with a Social Security number, driver’s license number or credit card number. Based on the broad definition of personal information, this and other state laws should prompt all companies to protect customer information correctly.
Practical Tips for Protecting Data
Here are some practical tips for protecting data held by your organization.
Organize Your Data: Determine where personal information is stored and who has access to it. Ensure that wherever personal data is kept, it is secure and segregated from other information. All personal data that is not essential to business operations should be properly destroyed.
Establish Updated Policies and Procedures: Policies and procedures covering privacy and security should be tailored to your organization. Policies should anticipate a variety of issues that include texting, use of social media, BYOD (bring your own device), cloud storage and use of external storage devices, such as external hard drives and thumb drives. It's important to update these policies and procedures to meet changing technology and business environments.
Encryption: Use encryption as specified by NIST, especially on portable devices that store protected information. Additionally, keep your encryption key separate from the device. (Do not, for example, put the key on the desktop.)
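As an added illustration of the encryption tip above (this is example code, not code from the article or its authors), the following Go program encrypts a constructed member record with AES-256-GCM, a NIST-approved authenticated mode, and writes the ciphertext and the key to two separate directories that stand in for the laptop and for an off-device key store. The directory and file names, the function names and the sample values are assumptions for the example. It then checks that the file left on the device does not reveal the record by itself, which is the property that would have made the contents of the AvMed laptops unreadable.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// Constructed sample record standing in for member data on a laptop; the values are placeholders.
const sampleRecord = "member=J. Doe; ssn=000-00-0000; plan=sample"

// newKey returns a fresh random 256-bit key for AES-256-GCM.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// encrypt seals plaintext with AES-256-GCM. Output layout: nonce || ciphertext || tag.
func encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce for every sealed file
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decrypt reverses encrypt; a wrong key or a tampered file fails authentication.
func decrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// protectRecord encrypts record, writes the sealed bytes under deviceDir (the laptop) and the
// key under keyDir (a separate location such as a key server or smart card, modelled here as a
// second directory). Both files are created owner-readable only.
func protectRecord(deviceDir, keyDir string, record []byte) (dataPath, keyPath string, err error) {
	key, err := newKey()
	if err != nil {
		return "", "", err
	}
	sealed, err := encrypt(key, record)
	if err != nil {
		return "", "", err
	}
	dataPath = filepath.Join(deviceDir, "members.enc") // assumed file name
	keyPath = filepath.Join(keyDir, "members.key")     // assumed file name
	if err = os.WriteFile(dataPath, sealed, 0o600); err != nil {
		return "", "", err
	}
	if err = os.WriteFile(keyPath, key, 0o600); err != nil {
		return "", "", err
	}
	return dataPath, keyPath, nil
}

// recoverRecord reassembles the record from the two separately stored parts.
func recoverRecord(dataPath, keyPath string) ([]byte, error) {
	sealed, err := os.ReadFile(dataPath)
	if err != nil {
		return nil, err
	}
	key, err := os.ReadFile(keyPath)
	if err != nil {
		return nil, err
	}
	return decrypt(key, sealed)
}

// deviceFileExposes reports whether the file left on the device reveals the given
// sensitive fragment on its own, i.e. without the separately held key.
func deviceFileExposes(dataPath string, fragment []byte) (bool, error) {
	sealed, err := os.ReadFile(dataPath)
	if err != nil {
		return false, err
	}
	return bytes.Contains(sealed, fragment), nil
}

func main() {
	deviceDir, _ := os.MkdirTemp("", "laptop")
	keyDir, _ := os.MkdirTemp("", "keystore")
	defer os.RemoveAll(deviceDir)
	defer os.RemoveAll(keyDir)
	dataPath, keyPath, err := protectRecord(deviceDir, keyDir, []byte(sampleRecord))
	if err != nil {
		panic(err)
	}
	exposed, _ := deviceFileExposes(dataPath, []byte("ssn="))
	rec, err := recoverRecord(dataPath, keyPath)
	fmt.Printf("device file alone exposes SSN field: %v; with key: %q (err=%v)\n", exposed, rec, err)
}
```

The separate key directory is the point of the example: a lost laptop carries only `members.enc`, which is unreadable without `members.key`. In production the same separation is achieved by full-disk encryption whose key is protected by a TPM or by a passphrase the user supplies at boot, or by a key held in an enterprise key-management service, rather than by a second directory.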
Computer Security Protections: Common computer security protections can go a long way toward protecting personal data. Examples include installing software patches, requiring robust passwords, requiring multiple-factor authentication for remote access and terminating dormant accounts.
Employee Training and Security: Once an organization has established policies and procedures, it is important to disseminate that information throughout the organization. That can be accomplished through employee training on proper privacy and security procedures and training specific to breach identification and notification.
The organization also should safeguard security by limiting employee access to information that could lead to a breach. Such restraints can include selective employee access to websites (to avoid hacker sites), limited employee access to data storage (on an as-needed basis), and establishment of an employee exit procedure (including an exit interview and separation agreement).
Unfortunately, although these useful ideas may prevent a claim against an organization for unjust enrichment, even these steps cannot immunize an organization against a data breach. For this reason, Part II of this article will discuss elements that an organization should have in its response plan in the event of a data breach.
By becoming familiar with the requirements of the applicable laws and regulations and by following the steps listed above, an organization's management can help avoid a costly data breach. Unless your organization is willing to take such steps, a lawsuit may determine that the money you appear to be saving is nothing more than unjust enrichment.
Thomas E. Zeno, a former assistant US Attorney for the District of Columbia, is now Of Counsel to Squire Patton Boggs. An AUSA for more than 25 years, Tom investigated and prosecuted economic crimes involving health care, financial institutions, credit cards, computers, identity theft and copyrighted materials. Tom practices in the firm’s white-collar, investigations and enforcement group, as well as in its health care group. Lindsay Holmes, an associate in Squire Patton Boggs’ Washington, D.C., office, focuses her practice on health care matters.