I recently authored an article for the Daily Journal on the new cybersecurity framework. You can read about it by visiting the Daily Journal.
Retail giant Target recently suffered a massive security breach during the busiest shopping season of the year. The breach involved the credit and debit card information of an estimated 40 million customers who
shopped at one of Target’s retail stores between November 27th and December 15, 2013. So far, Target has not disclosed the precise details of how the breach occurred. While Target continues to work to repair the damage, it is interesting to see how other companies are reacting to one of the largest data breaches in history.
Target publicly disclosed the security breach on December 19th. Two days later, JPMorgan alerted 2 million of its debit card holders that it was lowering the daily limit on ATM withdrawals to $100 and purchases would be capped at $300 per day. This decision could not have been an easy one for JPMorgan, especially when you consider the limits were imposed the weekend before Christmas. Moreover, a $300 per day spending limit is woefully insufficient if anyone on your Christmas list was hoping for the new Xbox gaming console or the latest iPhone, both of which can easily exceed $500 dollars. Although undoubtedly an inconvenience for their customers, this move makes sense. In the case of credit card fraud, the payment processor usually reverses the charges, refunding the customer and leaving the merchant to bear costs. However, with ATM or debit card purchases, the bank is normally responsible for covering the loss. JPMorgan’s decision to impose spending limits is an interesting and unique strategy for limiting the fraud and reducing their own potential liability.
So far, JPMorgan is the only major bank to impose spending limits on debit cards potentially affected by the breach. Citibank took a different approach, announcing that they would impose limits or block transactions if they noticed any suspicious activity. Other banks are struggling with the decision whether or not to simply cancel and reissue cards to customers. However, at a cost of around $3 to $5 dollars per card, reissuing cards can be an expensive and time-consuming process, especially when the banks do not know for certain which cards have actually been compromised.
Frustrated by the lack of communication from Target surrounding the breach, at least one bank decided to take matters into their own hands. As reported by security expert Brian Krebs, a New England bank was able to “buy back” stolen credit cards from a black market card shop. Hackers use black market card shops to sell stolen credit card information. By purchasing the cards online, the bank was able to confirm that the recent Target security breach did not include the three digit security code printed on the backs of cards, known as the CVV, CSC, or CVD numbers. This is an important fact because those numbers are usually required by most online merchants. In addition, the bank confirmed that nearly all of the stolen credit card numbers had been used by customers to make purchases at Target stores around the country between November 27 and December 15. This may not seem like an important fact, especially when Target’s press release indicated as much, but hacking victims are often unable to confirm exactly which cards were compromised because published estimates usually encompass all of the cards that were potentially exposed. Moreover, if the stolen data was password protected or encrypted, there is a chance that the information may not be compromised, at least until the thieves break through those protections. By confirming that the credit card numbers were available on the black market, the bank was able make a more informed decision about whether to reissue the cards.
Another interesting facet of the Target breach is the number of third-party companies that are proactively notifying customers. State and federal breach notification statutes require Target to notify those affected by the breach. But that has not stopped PayPal from sending an email to its users nor prevented personal finance website Mint.com from notifying its users, albeit in an unusual way. If you are not familiar with Mint.com, it is a website that allows individuals to upload banking and credit card information, generally used for managing finances. Using that information, Mint.com identified individuals who used a credit or debit card at Target in the last 30 days and proactively notified them of the Target’s security breach, encouraging them to be on the lookout for potential fraud. To my knowledge, this is the first time a third-party has used customer data to notify individuals of a potential breach. It would be interesting to see if Mint.com continues this practice with future breaches.
Target is not the first nor the last company to suffer a security breach. As recent history has shown, breaches will continue to occur as hackers become more sophisticated. In the perpetual cat-and-mouse fight against security breaches, it is refreshing to see new and different approaches to responding to potential credit card fraud. Only time will tell whether these efforts will have any meaning full impact.
New Study Finds that Two Thirds of U.S. Adults Would Not Return to a Business Where Their Personal Information was Stolen.
From hackers to stolen laptops, security breaches have been on the rise. While most businesses are aware of the dangers associated with potential security breaches, few truly understand the full ramifications. Calculating the time and money spent on investigations and notifications is fairly straight forward but measuring the damage to a company’s reputation or customer confidence is more complicated. A recent survey sponsored by Cintas is helping to shed some light on this issue. An online survey of 2,061 U.S. adults ages 18 and older was conducted by Harris Interactive in August of this year and the results are surprising. Nearly two thirds of the participants indicated that they would not return to a business where their personal information was stolen. For specific types of businesses:
– 55 percent would change banks
– 46 percent would switch insurance companies
– 42 percent would go to a different drug store/pharmacy
– 40 percent would get a new doctor or dentist
– 39 percent would get a new lawyer
– 38 percent would donate to a different charity/non-profit organization
– 35 percent would not return to their hospital
– 24 percent would no longer donate to their alma mater or another educational institution they attended.
It should be noted that the discrepancy between the two-thirds rate and the industry-specific rates suggest that while consumers are concerned about security breaches on a whole, there is a certain amount of customer loyalty maintaining the relationship. As expected, that loyalty is strongest with educational institutions and charities but weakest with banks and insurance companies. Nevertheless, the survey results indicate that loyalty will only get you so far and that businesses should be proactive in safeguarding confidential information.
For additional details, including a break-down of the survey variables, please contact Christina Alvarez at firstname.lastname@example.org.
Law360, New York (September 26, 2013, 5:53 PM ET) –
The U.S.Department of Health and Human Services‘ Office for Civil Rights (OCR) is stepping up their enforcement efforts and cracking down on entities who violate the Health Insurance Portability and Accountability Act of 1996. Earlier this year, Idaho State University was fined $400,000 for the breach of unsecured protected health information (PHI) regarding 17,500 individuals who were patients at a university clinic.
In July, managed care company WellPoint Inc. agreed to pay the HHS $1.7 million to settle potential violations of the HIPAA privacy and security rules. The most recent settlement involves Affinity Health Plan Inc., a not-for-profit managed care plan serving the New York metropolitan area. Affinity agreed to pay over $1.2 million as part of the settlement with the OCR for a security breach involving leased copiers, even though it was not clear that any PHI was actually misused or retained as a result of the breach.
Affinity notified the OCR of a potential breach on April 15, 2010, after discovering that copiers it had leased and then returned still contained electronic PHI (ePHI). Often overlooked, advanced copiers, such as those used by Affinity, can contain hard drives where digital images of the documents being copied are stored before they are printed. Depending on the size of the hard drives and the volume of documents being scanned, these hard drives can store thousands of images. Unless the hard drive is wiped, the images remain on the copier until the drive is full, and new data overwrites the old.
At the end of Affinity’s lease, the copiers were returned and then leased again to a different company. At least one recipient of the leased equipment — CBS Evening News —discovered ePHI on the copiers. CBS Evening News reported this to Affinity, who in turn reported the incident to the OCR.
Presumably, CBS Evening News recognized the sensitive nature of the information and did not retain or further disclose the information. However, the risk of compromise was relatively high — Affinity had returned multiple photocopiers to its leasing agents that together contained information on as many as 344,579 individuals.
After an investigation, the OCR concluded that Affinity impermissibly disclosed the ePHI of these individuals when it returned the photocopiers to the leasing agents without erasing data contained on the copier hard drives. However, this finding alone does not explain the high settlement amount.
What does explain the substantial penalty is a circumstance that regularly appears in reports of high-dollar settlements under HIPAA: Affinity did not base its policies and procedures on a thorough risk assessment, as required by the security rule, and therefore, Affinity failed to implement policies and procedures for safeguarding ePHI when returning the photocopiers to its leasing agents.
Affinity should have accounted and planned for the storage of ePHI on photocopier hard drives in its analysis of risks and vulnerabilities. OCR Director Leon Rodriguez noted, “HIPAA covered entities are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have appropriate safeguards in place to protect this information.”
In addition to the settlement payment, the OCR instituted a corrective action plan (CAP) requiring Affinity to use its “best efforts” to retrieve all of the hard drives that were contained on the copiers in the possession of the leasing agent and safeguard all ePHI contained therein from impermissible disclosure.
If Affinity is unable to obtain the hard drives, Affinity must document its best efforts to do so and provide the OCR with the reason(s) Affinity was unsuccessful. Affinity must also now meet its obligation under the security rule to conduct a comprehensive risk analysis of the risks and vulnerabilities associated with its possession of ePHI and develop a plan to mitigate such risks and vulnerabilities. However, under the CAP, Affinity’s plan will be subject to the OCR’s review and approval.
It is hard to deny the similarities between the Affinity settlement and other major settlements with the OCR in the recent past. It is not, as some might believe, because each involve an unauthorized disclosure of PHI. That is certainly true, but breaches happen all the time.
Instead, the common thread is that the OCR has imposed penalties because policies did not exist, risk assessments were not performed, or policies were not followed. Accordingly, this settlement provides several important instructions for companies that handle ePHI.
First and foremost, include in your risk assessments all equipment and locations where PHI may be stored. All electronic devices with memory have the potential to store PHI, including most printers, copies, scanners and fax machines. A major goal of conducting risk assessments is to identify new and potential threats to PHI.
When copiers and fax machines were first introduced into the business environment, memory was expensive, and most devices used just enough to print one document at a time. However, as technology advanced, and the price of memory dropped, hard drives in copiers became more and more common.
If your last risk assessment was performed in the ’90s, you might have missed this particular vulnerability. That is why it is important to conduct regular risk assessments, preferably with security professionals who are knowledgeable on a wide range security topics and technology.
Second, address processes in your written policies and procedures for appropriately deleting or safeguarding such ePHI based on your risk assessment. If the device stores data, then pursuant to HHS guidance, it should be wiped before being sold or discarded. The process may be as simple as running a wiping utility on the device itself, or it may require a computer technician to pull the hard drive out of the machine manually.
Third, make sure you implement policies and procedures that govern the receipt and removal of hardware and electronic media on all electronic devices that contain ePHI. Most covered entities have already realized the importance of wiping desktop computers and laptops, but as this settlement should help demonstrate, printers and copiers are just as important.
Finally, organizations may also be best served by encrypting any ePHI that can be impermissibly accessed on electronic devices. While the HIPAA breach notification rule requires the notification of a breach of PHI, it is important to note that this requirement applies only to the breach of “unsecured” PHI.
Pursuant to HHS guidance, encryption is one way to ensure that any breach of ePHI would remain secure and, therefore, not be subject to notification requirements.
Don’t wait until the last minute to tackle these issues. In addition to reviewing your written policies and conducting a risk assessment, your business associate agreements may need to be modified, along with your notice of privacy practices if you are a covered entity.
If you are a business associate under HIPAA, for example, a lawyer who receives or creates PHI in representing covered entities, you should become informed about your newly enhanced obligations and risks under the final rule.
If you are interested in learning more about the Affinity breach, the HHS resolution agreement and corrective action plan can be found on the OCR website here. For more information on safeguarding sensitive data stored in the hard drives of digital copiers, see this page. TheNational Institute of Standards and Technology has also issued guidance on media sanitation, available here.
–By Marcia L. Augsburger, M. Scott Koller and Tiffani V. Williams, DLA Piper
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice
The Office for Civil Rights (OCR) has announced a settlement between the US Department of Health and Human Services and Affinity Health Plan, Inc. to address potential violations of the Health Insurance Portability and Accountability Act of 1996.
Affinity, a not-for-profit managed care plan serving the New York metropolitan area, paid more than US$1.2 million as part of the settlement, even though it was not clear that any protected health information (PHI) was actually misused or retained as a result of the breach.
In addition to the settlement payment, Affinity will be required to comply with a corrective action plan instituted by OCR.
What can companies that handle PHI learn from this outcome? Find out more.
Check out this website which visualizes the world’s biggest data breaches.
The Department of Health and Human Services Office for Civil Rights has announced that WellPoint, Inc. has agreed to pay $1.7 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
If you are a covered entity or business associate under HIPAA, this settlement underscores the importance for HIPAA covered entities and business associates of examining all aspects of privacy and security compliance programs before a breach occurs. If you don’t, OCR will.
The revision (.pdf), the fourth version of the security controls catalog, also includes for the first time an appendix of privacy controls.
Changes to the security controls include a new emphasis on secure software development in an effort to shift security away from the focus of the past few years, during which it’s targeted matters such as configuration management or continuous monitoring.