On Feb. 6, 2024, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced a $4.75 million settlement with New York non-profit health system Montefiore Medical Center over alleged malicious insider conduct that caused potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. This settlement follows two other recent investigations that led to OCR’s first-ever settlements stemming from ransomware and phishing attacks. Read on for more information about the settlements and what they mean for healthcare entities.

The last two Privilege Points have described yet another losing effort to protect a data breach investigation and related communications. In Leonard v. McMenamins Inc., Case No. C22-0094-KKE, 2023 U.S. Dist. LEXIS 217502 (W.D. Wash. Dec. 6, 2023), the court denied the company’s privilege and work product claims — specifically rejecting its efforts to squeeze into two of the only few winning data breach investigation scenarios. In re Target Corp. Customer Data Security Breach Litig., MDL No. 14-2522, 2015 U.S. Dist. LEXIS 151974 (D. Minn. Oct. 23, 2015); In re Experian Data Breach Litig., No. SACV 15-01592AG (DFMx), 2017 U.S. Dist. LEXIS 162891 (C.D. Cal. May 18, 2017).

The court found that McMenamins’ situation “more closely resembles” a decision extensively addressed in previous Privilege Points: Guo Wengui v. Clark Hill, 338 F.R.D. 7 (D.D.C. 2021). McMenamins Inc., 2023 U.S. Dist. LEXIS 217502, at *9. In that case, the Clark Hill law firm suffered a data breach, and lost its privilege and work product claim for its resulting investigation. The skeptical McMenamins court quoted the Clark Hill court’s observation that counsel’s (rather than the client’s) retention of the consultant “appears to [have been] designed to help shield the material from disclosure.” 2023 U.S. Dist. LEXIS 217502, at *9 (alteration in original) (citation omitted).

So what is a data breach victim to do? It seems unrealistic for a company to pay for two entirely separate investigations, or to deprive its internal incident response team of its consultant’s report. Perhaps victims should focus on the investigation report’s content — asking for “just the facts” without any editorial comment or needless criticism — reminding the consultant that its report almost certainly will be read by adversaries. The victim’s employees should likewise be reminded that all of their communications with such consultants are also likely to be discoverable. Facts are never privileged anyway, so a purely factual consultant report and communications between the victim and the consultant presumably would not cause the victim any additional harm by containing injurious “sound bites” an adversary might use.

This summer, the Federal Trade Commission (“FTC”) will once again tighten the belt on entities that offer financial products and services when another round of amendments to the Gramm-Leach-Bliley Safeguards Rule goes into effect—this time, requiring covered entities to report data breaches to the FTC.

What is the Safeguards Rule?

The Safeguards Rule, which originally became effective in May 2003, long had a small bark and an even tinier bite.  The rule required covered entities to develop, implement, and maintain a comprehensive written information security program with “appropriate” safeguards.  With no private right of action and a breathtaking lack of specificity, this requirement was treated as little more than a suggestion by many covered entities.  

Continue Reading Don’t Forget: It’s Time to Notify the FTC of Your Data Breach

Last week’s Privilege Point described a data breach victim’s latest losing effort to claim privilege protection for its consultant’s investigation report. Leonard v. McMenamins Inc., Case No. C22-0094-KKE, 2023 U.S. Dist. LEXIS 217502 (W.D. Wash. Dec. 6, 2023). Before bluntly rejecting McMenamins’ privilege claim, the court spent more time analyzing its work product claim before also denying that.

The court began its analysis by pointing to the determinative issue: “whether the report would have been prepared in a substantially similar form absent the anticipation of litigation.” Id. at *6. Like most losers, McMenamins cited one of the only few cases that seem to have succeeded on the work product side. The court first nixed the analogy to In re Target Corp. Customer Data Security Breach Litigation, MDL No. 14-2522 (PAM/JJK), 2015 U.S. Dist. LEXIS 151974 (D. Minn. Oct. 23, 2015), noting that “unlike here, Target had engaged in a two-track investigation” — one purely factual that was later disclosed, and one that supplied Target’s lawyers with the necessary facts (which had even used a “‘separate team from Verizon’” to provide technical input). 2023 U.S. Dist. LEXIS 217502, at *6-7 (citation omitted). The court pointedly noted that “the Stroz Friedberg report is the only internal investigation arising from the data breach.” Id. at *8-9. McMenamins also relied on one of the only other winning data breach work product claims: In re Experian Data Breach Litig., No. SACV 15-01592 AG (DFMx), 2017 U.S. Dist. LEXIS 162891 (C.D. Cal. May 18, 2017). In that case, Jones Day hired a consultant to investigate a data breach — but its “report was not provided to [client] Experian’s internal incident response team.” 2023 U.S. Dist. LEXIS 217502, at *8. In the McMenamins case, “Stroz Friedberg participated in many internal business discussions.” Id. at *9.

Few data breach victims’ investigations are ever very likely to parallel the successful Target scenario (involving two entirely separate investigations) or the Experian scenario (in which Jones Day did not share its consultant’s report with the client). The McMenamins court did identify an appropriate analogy — another loser. Next week’s Privilege Point will describe the court’s analysis, and some practical tips.

Companies and even law firms suffer data breaches, and usually claim privilege and work product protection for the inevitable resulting investigation. Unfortunately, courts seem to have rejected such protection claims in all but a few cases. Most of the other data breach victims have tried to emulate two of the winners, but have failed.

In Leonard v. McMenamins Inc., Case No. C22-0094-KKE, 2023 U.S. Dist. LEXIS 217502 (W.D. Wash. Dec. 6, 2023), defendant suffered a ransomware attack, triggering a lawsuit by current and former employees claiming that their personal data had been breached. McMenamins retained the Stoel Rives law firm to represent it. That firm in turn hired Stroz Friedberg to “provide consulting and technical services” that the law firm claimed it needed to provide legal advice to its client McMenamins. Id. at *2. McMenamins asserted privilege and work product protection for the Stroz Friedberg report. The court flatly rejected McMenamins’ privilege claim, bluntly stating that “the report does not provide legal advice.” Id. at *12. The court also rejected the privilege claim for communications between McMenamins and Stroz Friedberg personnel — noting that “neither [Stroz Friedberg’s] engagement letter nor the scope of work identifies any work by Stroz Friedberg related to the provision of legal advice.” Id. at *13. The court explained that “[t]he evidence demonstrates Stroz Friedberg was providing a business service, by seeking and providing factual information to McMenamins and their counsel,” which did not become protected “merely because an attorney was copied.” Id. at *13-14.

The court also rejected McMenamins’ work product claim. Next week’s Privilege Point will address that other losing argument.

On January 16, 2024, New Jersey became the thirteenth state to enact a comprehensive data privacy law, named the New Jersey Data Privacy Act (the “NJDPA”).

The NJDPA, which will take effect on January 15, 2025, includes some provisions that are different from other data privacy laws, thereby requiring entities that fall within its scope to examine their compliance obligations with respect to those provisions.

Continue Reading New Jersey Becomes the Latest State to Enact a Comprehensive Data Privacy Law

Last week, Merck & Co. filed documents with the Supreme Court of New Jersey indicating that it reached a settlement with its “all risk” property insurers in a long-running coverage dispute involving over $1.4 billion in losses stemming from a 2017 NotPetya cyberattack that impacted tens of thousands of Merck computers. Read on for analysis of this development and key takeaways regarding coverage for cyberattacks that in-house counsel and risk managers should consider in 2024.

On Dec. 20, 2023, the Federal Trade Commission announced its intent to file a notice of proposed rulemaking related to the Children’s Online Privacy Protection Rule — the first proposed changes to the rule in 10 years.

What are some of the key proposed changes?

  • Separate Opt-In for Targeted Advertising.  Covered service operators are required to obtain separate verifiable parental consent before disclosing children’s personal information to third parties unless the disclosure is integral to the nature of the online service.  Access to services cannot be conditioned on disclosure of personal information to third parties.
  • Writing Current Ed Tech Guidance into the Rule.  As in the current policy statement on education technology and COPPA, schools and school districts may authorize ed tech providers to collect, use, and disclose students’ personal information only for school-authorized educational purposes and not for any commercial purpose.
  • Children’s Personal Information Security Program.  Services operators must implement a written children’s personal information security program with safeguards appropriate for the sensitivity of the personal information collected from children.
  • Data Retention Limits. Data may only be retained for as long as necessary to fulfill the purpose for which it was collected (and may not be retained for any secondary purpose) and may not be retained indefinitely.  Operators must create and publish a written data retention policy for children’s personal information.

Why It Matters

These proposed changes come at a time when the effects of children’s use of the internet and social media are receiving significant media scrutiny and legislation on children’s privacy continues to proliferate.  States across the country are considering and enacting children’s online privacy bills and the U.S. Senate recently passed out of committee two such bills that await a floor vote.  Organizations that handle children’s data are subject to a regulatory environment with overlapping requirements and that is changing rapidly.

What’s Next

Once the NPRM is published in the Federal Register, comments to the proposed regulations will be due 60 days later.  The FTC will then take those comments into consideration and presumably publish a final rule, should Congress not enact any legislation.  Impacted organizations will need to watch this area closely to update compliance programs and internal practices implicated by any regulatory changes.

On Nov. 30, the Illinois Supreme Court, in Mosby v. The Ingalls Memorial Hospital et al., held that certain healthcare providers’ biometric data, used for healthcare operational purposes under the Health Insurance Portability and Accountability Act, is not protected under the Illinois Biometric Information Privacy Act. Read on for details about this development and why the exemption applies.

In light of a significant rise in cyberattacks against hospitals and health systems, the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency and the U.S. Department of Health and Human Services recently released a cybersecurity toolkit. Read on for details about the toolkit and how the federal government is prioritizing cybersecurity in healthcare.