Header graphic for print

Password Protected

Data Privacy & Security News and Trends

Retailers, Consent and the GDPR: Is Your Business in Breach?

By Alice O'Donovan on Posted in GDPR, Other, Retail

After 25 May 2018, data protection will be a high-risk issue for all retailers who fall within the scope of the GDPR. Organizations can be fined up to 4% of annual worldwide turnover or 20 million euros (whichever is greater) for violations of the GDPR. Moreover, the GDPR applies to any business that targets goods or services at individuals located in the EU – so retailers can be caught by the GDPR even if they have no physical presence in the Union.

Retailers should pay particular attention to how they obtain customers’ consent to marketing. The GDPR requires a high standard for consent to use personal data, and violation of the consent is a serious infringement.

Under the GDPR:

  1. Businesses must ensure that an individual consents to the processing of their personal data by clear, affirmative action, establishing a: (a) freely given; (b) specific; (c) informed; and (d) unambiguous indication of agreement.
  2. Acquiescence (e.g., failing to un-tick a pre-ticked box) will not constitute consent.
  3. Businesses must be able to demonstrate that the individual consented and consent was freely given.
  4. A transaction cannot be conditional on consent that is not necessary to the transaction.
  5. Individuals must be able to withdraw their consent to the processing of their data at any time. It must be as easy to withdraw consent as it was to provide it.

Common retail practices that should be reviewed:

These common practices could place retailers at risk of a fine.

  1. At the cash register
    • Are staff in shops instructed to ask customers for personal data at the cash register?
    • How do they ask for it and how is it used?
    • Is it shared with a third party?
    • Staff must (a) make clear to customers that they can choose not to provide their information and (b) explain exactly what the data will be used for. The request must not be presented to the customer as if it is a condition of sale.
  2. Online
    • Is customers’ personal data retained and used after they place an order? Is it sold or shared with third parties?
      • How is customers’ consent to this obtained?
      • Are consent provisions hidden in ‘small print’?
    • Information required for consent must be clear, distinguishable from other matters, and provided in an intelligible and accessible form.
    • Are pre-ticked boxes or confusingly phrased boxes used to obtain customers’ consent?
      • Pre-ticked boxes will not be sufficient – failure to object is not consent.
  3. Withdrawal of consent
    • Customers have the right to withdraw consent at any time. Withdrawing consent must be (a) free and (b) as easy as it was to provide it.
    • All communications should contain a free ‘unsubscribe’ link, telephone number or email address. Many retailers breach this requirement when marketing by post.
  4. Targeted data lists
    • Are data lists used to contact potential customers?
    • Data lists will still be permissible after 25 May 2018, if consent has been validly obtained. The purchaser of the data is equally responsible for ensuring that valid consent is in place.
    • Were data lists purchased before 25 May 2018?
      • Do not continue to use lists unless you are satisfied that valid consent is in place.

Case Study:

A random review of ten unsolicited marketing catalogs received during September 2017 indicated the following:

  1. None advise the recipient where the sender obtained their data.
  2. Five make no mention whatsoever of how the customer can unsubscribe or opt out of future mailings.
  3. Of the five that do mention unsubscribing:
    • One invites the customer call a UK landline.
    • One invites the customer to subscribe to the Mail Preference Service (MPS); and
    • Three say in small letters “If undelivered or to unsubscribe, please return to…”.

Arguably, none of these comply with the GDPR’s requirements.

How should you approach marketing?

The GDPR does not have to hinder marketing campaigns. However, retailers should:

  1. Ensure that campaigns are permission-based;
  2. Ensure that it is clear to individuals how data will be used;
  3. Provide a simple, free way for customers to unsubscribe;
  4.  Ask for consent to pass details to third parties, and name those third parties;
  5. Record when and where consent was obtained and what it covers; and
  6. Buy data lists from reputable sources and seek an audit trail showing that consent has been validly obtained.

 

Between a Rock and a Hard Place: SEC Disclosure Analysis in Light of Yahoo

By Alexander Madrid, David S. Wolpa, Andrew Konia and Jane Whitt Sellers on Posted in Securities and Exchange Commission

On April 25, the Securities and Exchange Commission announced a settlement with Yahoo that constituted its first enforcement action against a public company for failing to disclose a data breach.

This settlement demonstrates that companies in post-data breach environments must engage in a thorough, fulsome analysis of whether to disclose the cybersecurity incident in their public filings. In conducting this analysis, companies face a difficult choice: disclose and face public and investor backlash, or decline to disclose and potentially face later regulatory scrutiny and/or class action stockholders’ litigation.

To read McGuireWoods’ analysis of what the Yahoo settlement can teach about proper disclosure analysis and the factors that a company must consider when conducting this critical task, download a copy of our white paper, titled “Between a Rock and A Hard Place: SEC Disclosure Analysis in Light of the Yahoo Settlement.”

2018 Virginia General Assembly Wrap-Up: Modest Privacy-Related Bills Adopted

By Chris Nolen on Posted in Legislation, Privacy, Tax

The 2018 Regular Session of the Virginia General Assembly recently concluded after considering approximately 3700 bills and resolutions during the 60-day session. Several privacy-related bills were on the legislative agenda, but few were enacted into law.

Tax Return Data

As highlighted in January, the General Assembly this year continued its efforts to address the growing problem of criminals filing fraudulent tax returns using stolen identities of unsuspecting taxpayers. Last year, Virginia adopted legislation that requires employers and payroll service providers to provide breach notification to the Attorney General of Virginia when those entities experience an unauthorized access or acquisition of unredacted and unencrypted data containing a taxpayer’s identification number and certain payroll information. Virginia Code Ann. § 18.2-186.6(M).

This year, Virginia enacted legislation aimed at imposing certain obligations on state tax return preparers. Tax return preparers are not required to comply with Virginia’s data breach notification statute. However, effective July 1, 2018, Virginia tax return preparers are required to notify the Virginia Department of Taxation:

“without unreasonable delay after the discovery or notification of unauthorized access and acquisition of unencrypted and unredacted return information that compromises the confidentiality of such information maintained by such signing income tax return preparer and that creates a reasonable belief that an [unprotected] version of such information was accessed and acquired by an unauthorized person and that causes, or such preparer reasonably believes has caused or will cause, identity theft or other fraud.” Acts of Assembly, Chapter 283

Additionally, if a breach occurs, the state tax return preparer is required to provide the Department information concerning the taxpayers whose information was accessed or obtained by unauthorized persons and certain information about the preparer.  It is estimated that the enactment of this legislation will save Virginia approximately $300,000 by avoiding the issuance of unrecoverable fraudulent refunds.

Other Privacy-Related Legislation

Additional bills related to privacy include (partial listing):

  • PASSED: Clarifying that certain student directory information held by institutions of higher education may only be released in limited circumstances in response to Freedom of Information Act requests. HB1
  • PASSED: Reduction in the amount a credit reporting agency may charge a consumer to place a security freeze on his credit report from $10 to $5. 1027 SB16
  • DEFEATED: Eliminating the ability of a credit reporting agency to charge a consumer a fee to place a security freeze on the consumer’s credit report. HB6; HB86; HB1232; SB18; SB22; (partial listing)
  • DEFEATED: Prohibiting companies providing broadband internet access services in the Commonwealth from blocking, throttling, engaging in paid prioritization and interfering or unreasonably disadvantaging a users’ ability to access broadband internet access. The bill also would have limited a broadband service providers’ disclosure of personally identifiable information about consumers to circumstances involving certain court orders, subpoenas or for authorized law-enforcement activities. SB948
  • DEFEATED: Limiting state contracts for internet access services only to those services providers that agree to protect certain personally identifiable information and adhere to certain internet neutrality provisions. Proposed to prohibit internet access service providers that provide such service to a public body from blocking, throttling or providing preference to entities that pay for the optimization of data transfer rates. Additionally, the bill proposed to prohibit such service providers from knowingly disclosing personally identifiable information about users unless such disclosure is pursuant to certain court orders, subpoenas or for authorized law-enforcement activities. SB949
  • DEFEATED: Requiring consumer reporting agencies to disclose within 15 days a breach of the security of a computerized data system, when such disclosure is required by Virginia’s data breach notification statute, § 18.2-186.6. The bill provides that failure to report is a violation of the Virginia Consumer Protection Act. HB1588
  • DEFEATED: Prohibiting state agency employment applications, under certain circumstances, from inquiring whether a prospective employee has been arrested or charged with, or convicted, of any crime (a.k.a. “ban-the-box”). SB252; HB1357
  • DEFEATED: Prohibiting a prospective employer (i) from requiring a prospective employee to disclose his wage or salary history or (ii) attempting to obtain such information from the person’s current or previous employers. HB240
  • DEFEATED: Allowing the use of drones by law-enforcement without obtaining a warrant under certain circumstances. HB1290
  • DEFEATED: Prohibiting a provider of electronic communication or remote computing service from disclosing location data to an investigative or law-enforcement officer except pursuant to a search warrant. HB604
  • DEFEATED: Directing a legislative commission to study how local governments report data breaches, identify ways to promote efficient and timely reporting of such breaches by local governments and to develop best practices to assist localities with cyber security. HJ39

Virginia’s approach on privacy issues this past session reflects its approach on most issues – a measured response in response to actual problems. This approach is in contrast to some states enacting policies in anticipation of future issues or without a solid indication of potential harm to consumers. In the case of the security freeze legislation, the enacted bill was in response to a significant data breach last year involving one of the big three credit reporting agencies. With regard to protecting certain student directory information, the General Assembly acted in response to the perceived misuse of such information by political campaigns. Finally, the legislature continued its efforts to address the continuing problem of tax fraud by attempting to cut off avenues for would be identity thieves to file false state income tax returns.

State and Federal Power Struggle Over Data Privacy and Security

By Clare M. Lewis on Posted in Data breach, FTC enforcement

U.S. Senate leaders may be close to reaching an agreement on a legislative proposal that would establish a national data breach notification and security standard (the Data Acquisition and Technology Accountability and Security Act) which would streamline nationwide reporting requirements for businesses.  However, there are a plethora of reasons it may not make much progress through Congress this year. The current 49-state, soon to be 50-state, patchwork of breach notification laws that are all different in various meaningful ways makes compliance with a nationwide breach (which is what typically occurs in companies) quite tedious.  This proposed federal legislation would set a national standard for securing customer data and reporting data breaches.

Similar legislation has stalled in Congress for nearly a decade, but recent events, including numerous high profile data breaches and other events where data was misused, the EU Parliament’s approval of the General Data Protection Regulation (GDPR) with an enforcement date of May 25, 2018, and California’s proposed ballot initiative on privacy (improving consumers’ rights regarding collection and usage of their data), have catalyzed Congress once more.  Last week, senators introduced legislation called Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT Act).  The bill requires explicit opt-in consent from users to share, use, or sell any personal information, notification any time data is collected, shared, or used, and new security and breach reporting requirements. The CONSENT Act relies on the Federal Trade Commission to enforce any violations of those new rules.

There are many obstacles to enacting federal data privacy and security legislation, including disputes over preemption of state law, reasonable security standards, penalties, and exemptions.  After Republicans took control of the White House and both chambers of Congress last year, federal regulatory activity diminished, and cities and states have stepped in to fill the void.  The attorneys general of 31 states are pressing lawmakers to scrap the Data Acquisition and Technology Accountability and Security Act, arguing that it waters down more stringent state laws requiring prompt notification of breaches to consumers.  Since South Dakota passed a new law in March, every state but Alabama has data breach laws in effect which require companies to notify consumers when their personal information hacked.  And last week Alabama’s governor signed the final state data breach law which goes into effect on May 1, 2018.  The attorneys general argue that these state laws have catalyzed greater transparency about data breaches and improved steps companies can take to prevent breaches from occurring again.

In addition to state laws, some cities have taken affirmative steps regarding data security.  NYC Mayor de Blasio announced the launch of a cybersecurity initiative, NYC Secure, which is supposed to defend New Yorkers from malicious cyber activity on mobile devices, public Wi-Fi networks, and beyond.  The first program is a smartphone protection app which issues warnings to users when suspicious activity is detected on their mobile devices.

Stay tuned to see who wins the state versus federal power struggle over data privacy and security—exciting times are ahead!

Federal Enforcement Isn’t the Only HIPAA Concern—States Flex Their Muscles

By Timothy R. Loveland and Nathan A. Kottkamp on Posted in HIPAA

Despite the lack of significant settlements for HIPAA enforcement by the federal Office of Civil Rights (OCR) so far in 2018, states have not hesitated to patrol privacy and security breach activity and take action against perceived violations.  Indeed, under the HITECH Act, state attorneys general have their own HIPAA enforcement authority.  Two recent settlements suggest that states are ramping up their enforcement activities.

The New Jersey Attorney General recently announced a settlement of nearly $418,000 involving physician network Virtua Medical Group, P.A. (Virtua) for an alleged breach of privacy involving 1,654 patients, most of whom reside in New Jersey.  The settlement followed an investigation by the New Jersey Division of Consumer Affairs, which concluded that an online server misconfiguration during a software update by a third party vendor and business associate of Virtua rendered patient medical records and related electronic personal health information (ePHI) to be viewed online and indexed by search engines.  The New Jersey Division’s investigation determined that the third party vendor and business associate of Virtua discovered the breach in January 2016 and reinstated the security protections put in place prior to the update, but did not notify Virtua upon its discovery of the breach.  The resulting settlement stemmed allegations that Virtua failed to conduct a comprehensive analysis of risks relative to PHI sent to the third party vendor, failed to safeguard against the risk of disclosure, failed to set forth sufficient procedures requiring security measures necessary to mitigate the risk, and failed to implement awareness and training programs for workforce members related to impermissible disclosures.

Furthermore, in March 2018, the New York Attorney General announced a $575,000 settlement with EmblemHealth and wholly-owned subsidiary Group Health Incorporated (EmblemHealth), following an incident in which 81,122 social security numbers were disclosed on a mailing.  In EmblemHealth’s case, a Medicare Prescription Drug Plan Evidence of Coverage notice included a mailing label with the policyholder’s social security number on it.  In addition to the settlement, EmblemHealth is required to implement a corrective action plan.

These settlements serve as reminders to covered entities and business associates that states may aggressively enforce data privacy and security violations, separate from what the OCR does.  Some state laws (such as those in New Jersey and New York) may not expressly target PHI breaches in the same manner as HIPAA and other federal data privacy and security regulations, but they may have similarly sharp teeth.  Furthermore, state enforcers may share information with and involve federal enforcers in activities constituting a violation of such federal regulations.  In addition, covered entities should thoroughly examine business associate agreements to ensure that third party vendors bear the financial risk for failures to provide notice regarding breaches and to maintain adequate security measures to mitigate against the risk of disclosures.

HIPAA in Due Diligence (Part III): Risk Mitigation Strategies

By Kate Waters Hardey, Sara Helene Shanti and Timothy R. Loveland on Posted in HIPAA

Health Information Highlight

Welcome back to our three-part series examining ways to efficiently identify, address and mitigate gaps in HIPAA compliance in transaction diligence. In Part I, we discussed four key diligence questions upon which buyers should focus their efforts in a transaction. In Part II, we reviewed considerations related to storage of and access to diligence materials, particularly in the context of using a data room or other cloud-based server. Here, we address potential risk mitigation strategies when HIPAA issues are identified in the course of diligence.

It is not unusual to identify gaps or deficiencies in HIPAA compliance during the diligence process. These deficiencies can range from a lack of robust policies, procedures and employee training to inappropriate use of texting and cloud storage or failure to conduct a required security risk assessment. Several years ago when HIPAA enforcement risk was more of a secondary concern, many buyers did not take a proactive approach to remediation and assumed these areas could be addressed in the ordinary course. Given the uptick in enforcement against both covered entities and business associates and ever-increasing fines, it is important to take a proactive approach to quickly address compliance gaps. When a buyer encounters compliance gaps, there are various ways to mitigate this risk, several of which are discussed below:

  1. Require Compliance Actions as a Pre- or Post-Close Condition. Depending on the level of risk and exposure, buyers should consider whether addressing compliance gaps should begin prior to closing. In other instances, it may be reasonable to address compliance post-close; however, it is important to ensure that any post-close compliance is completed within a specified time, such as 30, 60, 90 or 120 days post-close.
  2. Indemnification, Escrows & Representation and Warrantee Insurance. Buyers should consider whether it is appropriate to obtain specific indemnification or escrow of funds to cover potential HIPAA non-compliance. When negotiating indemnification provisions, a buyer should consider applicable dollar caps, floors and the survival period to ensure appropriate coverage for potential future liability.
  3. Ongoing Settlements. If the seller is involved in any government or third party investigation or settlement negotiation related to HIPAA compliance, buyers should consider obtaining a waiver of liabilities and rights from the government or third party prior to close. Buyers should also ensure that the indemnification provisions from the seller are modified so as to adequately protect the buyer from undue risk or exposure.

With the continued risk of HIPAA enforcement, privacy and security diligence should not be a “check the box” activity. Buyers should fully understand the scope of potential risk in the early stages of transaction diligence, take steps to adequately mitigate that risk and understand the cost of protecting the target’s greatest assets.

HIPAA in Due Diligence (Part II): Cloud Server Data and HIPAA Compliance

By Kate Waters Hardey, Sara Helene Shanti and Timothy R. Loveland on Posted in HIPAA

Health Information Highlight

Welcome back to our three-part series examining ways to efficiently identify, address and mitigate gaps in HIPAA compliance in transaction diligence. In Part I of this series, we discussed four key diligence questions upon which buyers should focus their efforts in a transaction. Here, we review considerations related to storage of and access to diligence materials, particularly in the context of using a data room or other cloud-based server.

For an online or virtual data room administrator, opening access to an inquiring stakeholder, valuator, or reviewer party to an acquisition target company’s documentation may be as simple as a few clicks and perhaps an email or two. However, if any document contains personal or identifiable health information, a number of privacy and data protection regulations may deem access to such information by an unauthorized party to be a violation. In the case of disclosure of protected health information (PHI) in a healthcare transaction, HIPAA may impose significant penalties on target providers posting the PHI and the unauthorized parties accessing the PHI alike.

There are a number of ways to minimize the risk of inadvertent unauthorized disclosure:

1. Consider Restricted Access. The uploading party can restrict the access of unauthorized parties to uploaded PHI by either (a) preparing separate data rooms with PHI for authorized parties and with no PHI for unauthorized parties, or (b) if the data room’s user features permit, restricting access to unauthorized parties to certain documents or folders which may contain PHI. Prior to permitting or restricting access, a covered entity uploading its data should review and categorize its relationship with each accessing party for HIPAA purposes. All parties accessing data should enter into and be bound by certain confidentiality provisions relative to the data, which may include putting into place a Business Associate Agreement (BAA).

2. Remove Patient Identifiers. Alternatively, prior to uploading any data into the room, ensure that the uploading party scrubs all data and financials of any patient identifiers and only uploads “clean” versions of documents. The uploading party could also elect to provide “model” contracts rather than contracts which might disclose PHI. With respect to provider financial data, which may have patient detail containing PHI identifying a patient, this process may be a particularly time-consuming investment in resources.  Regardless, the up-front investment in cleaning data prior to uploading would reduce the risk of disclosing any actual PHI.

3. Secure Data Rooms. Choose a secure data room provider which complies with data protection laws. Services such as popular file-sharing applications may be exceedingly simple to set up, share, and have no costs, however, many such cloud providers may not have appropriate security or data protection measures in place and may increase the risk of unauthorized access.

Stay tuned for Part Three where we will examine HIPAA risk mitigation strategies.

 

HIPAA in Due Diligence (Part I): Four Key Diligence Questions

By Kate Waters Hardey, Sara Helene Shanti and Timothy R. Loveland on Posted in HIPAA

Health Information Highlight

Welcome to a three-part series that will examine several ways to efficiently identify, address, and mitigate gaps in HIPAA compliance in transaction diligence.

A target’s value is often held in its information and people. An increased risk of HIPAA enforcement means that privacy and security diligence should not be a “check the box” activity. Buyers should fully understand the scope of potential risk in the early stages of transaction diligence, take steps to adequately mitigate any potential go-forward risk, and, most importantly, understand the cost of protecting the target’s greatest assets.

Beginning last year, we saw a substantial increase in the economic impact of HIPAA enforcement by the Department of Health and Human Services, Office for Civil Rights (OCR). Since then, several new cases have illuminated the need for increased scrutiny of HIPAA compliance during the transaction diligence process.

To better understand a seller’s overall HIPAA compliance, there are four key diligence questions upon which buyers should focus their efforts in a transaction:

1. Does the seller have the core HIPAA documentation in place? At minimum, the buyer should look for:

  • Privacy and Security Rule Policies and Procedures
  • Breach Notification Policies and Procedures and Risk Assessments
  • Security Audits and Incident Logs
  • HIPAA Risk Analyses (for the last 2-3 years) and corresponding Management Plans
  • Business Associate Agreements (BAAs) with Contractors/Customers
  • As applicable, Notice of Privacy Practices

2. Is the seller complying with its policies? The principal measure of the effectiveness of a HIPAA compliance program is whether the seller’s internal controls and compliance practices live up to the promise set out in the policies. To determine whether a seller is complying with its policies, a buyer should look to whether the seller is:

  • sufficiently training employees and documenting this training;
  • assessing and tracking security incidents;
  • identifying and empowering compliance personnel;
  • auditing and monitoring compliance on a periodic basis; and
  • performing frequent security assessments regarding risk areas.

In some cases, a simple public news search may identify target’s incidents or reputational risks that may be meaningful to the buyer, even where a formal investigation or enforcement has not yet been triggered.

3. How does the seller address potential HIPAA security and breach risk areas? A seller’s representation that “no HIPAA breaches have occurred” may tell the buyer much about what the seller is not doing to identify and take action on various security and privacy compliance risks. The buyer should review seller security risk analyses, breach assessments, and investigation logs to understand the seller’s historical liabilities and what the seller has treated as actionable risks. Buyer may also wish to understand how seller is assessing third party risks, including determining BAA compliance and determining whether and how third parties are accessing and using protected health information (PHI).

4. What is the nature of risk related to any identified gaps? A buyer should carefully consider the spectrum of liability to the parties related to risks identified in transaction diligence. Buyer should review the liabilities in the context of:

  • the risk of governmental enforcement, including more restrictive state and international laws that may attach to the data;
  • civil liability, including contractual breaches;
  • ethical and organizational fines;
  • criminal executive liability for profiting off or knowingly not reporting breaches; and
  • related reputational harm to the parties related to an enforcement action or third party suit.

Stay tuned for Part Two where we will examine cloud server data and HIPAA compliance strategies. 

Is HIPAA A Sleeping Giant?

By Nathan A. Kottkamp on Posted in Health Information, HIPAA

So far, 2018 has been a light year in terms of HIPAA enforcement.  There have been only two publicly-disclosed settlements.  But that doesn’t mean covered entities and business associates should let their guard down and assume that they don’t need to be mindful of HIPAA.  Indeed, it is hard to know what is going on in the Office for Civil Rights (OCR) with respect to enforcement.  Theories include that the priorities of the current administration are driving less enforcement, that the OCR is focusing its efforts on the current round of audits, and that the OCR is simply holding back on some settlements so that it can ensure a consistent approach to multiple settlements that it will announce in the near future.  No matter the answer, it is not safe to assume that things will remain quiet on the HIPAA front.

Looking at the 2018 settlements, they reflect two very different scenarios, and they both demonstrate that HIPAA settlements can take a long time to work their way through the OCR (which makes enforcement predicting even more difficult).  The first settlement of the year was with Fresenius Medical Care North America (Fresenius) for $3.5 million and the adoption of a comprehensive corrective action plan.  The Fresenius settlement dates back to 2012 when Fresenius experienced breaches at five different facilities around the country.  The OCR’s investigation revealed systematic failures by Fresenius to adopt appropriate policies and procedures to address the Privacy and Security Rules.  In the press release for the Fresenius settlement, the OCR Director stressed the importance of enterprise-wide risk analysis.

The second settlement was for $100,000 with the receiver that was appointed to liquidate the assets of Filefax, as it was closing its operations in 2015.  The OCR’s investigation followed an anonymous complaint regarding improper disposal of medical records, and the OCR found a variety of issues in which records were left unsecured.  Even though Filefax had closed, the receiver was held responsible for on-going compliance with HIPAA.  Thus, the OCR has confirmed that closing operations does not relieve covered entities of HIPAA obligations, and that any entity that assumes custody of health records needs to be mindful of HIPAA.

Given that the Omnibus Final Rule is now more than five years old, the OCR is unlikely to tolerate non-compliance and it is probably only a matter of time before the sleeping giant awakens—or, more likely, that we learn that the giant hasn’t been sleeping at all.  Indeed, because settlements take so long to process, no one outside the OCR really knows how active the OCR is with respect to enforcement activities for situations occurring right now.  Therefore, all covered entities and business associates need to stay vigilant with respect to the three pillars of HIPAA compliance: Privacy Rule Policies and Procedures, reasonably current Security Rule Risk Assessments, and workforce training regarding HIPAA.  And, any entity that experiences a breach—particularly a breach involving 500 or more individuals that requires prompt notice to the OCR—should revisit all three of these compliance pillars.

To better mitigate HIPAA enforcement actions, stay tuned for a three-part series that will examine several ways to efficiently identify and address gaps in HIPAA compliance during transaction diligence.

“White Hat” Ethical Hackers and Corporate Investigations

By Michael J. Adams and J. Curtis Griner on Posted in Cybersecurity, Data Security, Information Management, Legislation

A “white hat” is an ethical computer hacker who specializes in penetration testing and other testing methodologies to ensure the security of an organization’s information systems. According to the Ethical Hacking Council, “The goal of the ethical hacker is to help the organization take pre-emptive measures against malicious attacks by attacking the system himself or herself; all the while staying within legal limits.”  White hat hackers usually present their skills as benefiting their clients and broader society. They may be reformed black hat hackers or may simply be knowledgeable of the techniques and methods used by hackers.  However, white hats have been known to offer broader hacking services, such as information gathering about persons or entities at odds with those hiring the white hat.  Ethical hackers have been compared to digital versions of private investigators or investigative reporters.

In considering whether to engage a white hat hacker, there are a number of precautions that a company should take to increase the likelihood that the white hat will be credible, professional and ethical and only engage in lawful activities during the course of the engagement.

Credibility.  Consider existing relationships, references and certifications.  For example, the EC-Council offers a Certified Ethical Hacker accreditation.  Many large consulting firms provide ethical hacking services. References from trusted peers are also extremely important.

Background Check.  Conduct a thorough background check.  Although the white hat may be affiliated with a reputable consulting firm, verify his or her experience and credentials and investigate possible criminal history.  Do not assume that what the hacker tells you is true.

Engagement Letter.  Have the hacker sign an engagement letter or similar contract that clearly defines the engagement, prohibits any illegal or unethical conduct, and addresses liabilities, indemnification and remedies where appropriate.  Specify the hacking methods that are and are not acceptable and which information systems, networks and data may be accessed.  Require the hacker to provide proof of adequate professional liability insurance.

Confidentiality Agreement.  Require the hacker to sign a confidentiality or non-disclosure agreement that strictly prohibits the use or sharing with others of any information gathered as part of the engagement and that specifies the penalties for violation or references penalties set forth in the primary agreement.

Oversight.  Monitor the hacker’s activity and be on the lookout for any suspicious activity—both during and after the white hat’s work.  Ensure that the hacker remains within the scope of work defined within the engagement letter.  If the scope of work changes, revise the engagement letter accordingly.  Keep in mind that access to information systems presents opportunities to set conditions for future remote access or other unauthorized, nefarious activities.

Work Product.  Consider the desired work product that will be developed over the course of the white hat’s engagement and whether the white hat should report to the General Counsel or outside counsel to protect privilege.  In order to be admissible in evidence in civil litigation, the white hat must be willing to submit a signed affidavit, which describes under oath the results of the investigation, and to possibly testify.  Not every white hat makes a good witness.