PRIVACY + SECURITY BLOG

News, Developments, and Insights

high-tech technology background with eyes on computer display

Ransomware The Horror Grows

As the FBI warned, ransomware has proven to be a formidable threat costing businesses over $1 billion in 2016, averaging 4,000 attacks per day. Ransomware forces victims to choose between losing access to their files or paying a fee that can range between hundreds and thousands of dollars. Ransomware has already made headlines in the first quarter of 2017.

Continue Reading

The U.S. Congress Is Not the Leader in Privacy or Data Security Law

Capitol Sinking 01

A common myth is that the U.S. Congress is a leader in creating privacy and data security law.  But this has not been true for quite some time.  Congress isn’t leading, and even the policies and practices of US companies are increasingly built around the law of the European Union (EU) or the states.

In the 1970s through the end of the 1990s, the US Congress passed a large number of important privacy laws.  Here are some of the most prominent of these statutes:

Continue Reading

Congress’s Attempt to Repeal the FCC Internet Privacy Rules: The Void Will Be Filled

FCC Privacy Rules Repealed

Recently, Congress voted to overturn new FCC rules that regulated the privacy of broadband Internet Service Providers (ISPs).  The rules implemented the Communications Act, 47 U.S.C. § 222 to ISPs, requiring opt in for sharing sensitive customer data, opt out for sharing non-sensitive customer data, as well as transparency requirements.  Sensitive data includes precise geo-location, children’s information, health information, financial information, Social Security Numbers, Web browsing history, app usage history, and the contents of communications.  The rules required reasonable data security protections as well as data breach notification.

FCC LogoThis development is a setback in Internet privacy protection, but it doesn’t mean that Internet privacy is doomed.  There are many other regulators and sources of privacy law to fill the void.

Pro-industry advocates often decry much privacy regulation and cheer the death of rules such as the FCC rules.  They advocate for rolling back the jurisdiction and power of regulatory agencies like the FCC and FTC.

Ironically, efforts to weaken the FTC and FCC probably won’t lead to more freedom for industry.  In the short term after regulation is weakened or killed, there is a void, so this seems like a nice freer zone for companies..  But nature abhors a vacuum.  Other regulators will fill the void, and typically it is regulators who are most passionate about protecting privacy such as California and the EU.  They are far more likely to regulate privacy even more stringently than the FCC or FTC.

In the absence of federal regulation, many states pass laws that create a complicated patchwork of inconsistent regulation.  This is what happened with data security regulation and data breach notification.  Way back in 2005, after the ChoicePoint breach captured national headlines, Congress was considering enacting a law.  But it failed to act.  Instead, the vast majority of states passed data breach notification statutes, and many states passed data security laws.  Instead of having to comply with one law, companies must navigate laws in many states.  The most common strategy for companies operating in all states  is to try to follow the strictest state law,  Thus, the de facto rule is the law of the state with the most strict protections.

Continue Reading

2017 HIPAA Enforcement

 

Art E.V.Pavlov_by_Repin

The first quarter of 2017 is not yet over and the OCR has already released details of four HIPAA enforcement penalties totaling over $11 million.  2016 set a record with $20 million in fines for the year, with $5.2 million of that coming in the first quarter.  In just the first 2 months of 2017, the fines have been more than half what the entire amount for 2016 was.  Here are details about enforcement actions in 2017 thus far:

  1. Illinois health care network, Presence Health, was fined $475,000 for failing to notify patients of a breach within the 60-day period. The incident took place over 3 years ago.  In October 2013,  operating room schedules that were written on paper and contained PHI of 836 individuals went missing.   Patients were not notified of the breach until February of 2014.  This represents the first enforcement related to the timeliness of breach notification.
  1. An insurance company, MAPFRE, was fined $2.2 million for failure to safeguard portable devices and poor risk assessment and risk management.  OCR found that MAPFRE did not have an adequate security awareness training program in place for their workforce.   In 2011, an unsecured USB device containing the ePHI of 2,209 individuals was stolen from the company’s IT department.  Despite the corrective measures MAPFRE indicated it would take, it did not actually start securing portable devices until 3 years after the incident.
  1. Children’s Medical Center of Dallas received a $3.2 million fine for multiple incidents where devices with unsecured ePHI were stolen. In 2010 an unencrypted Blackberry was stolen with the ePHI of 3,800 individuals.  In 2013, an unencrypted laptop was stolen with ePHI of 2,463 individuals.  The OCR investigation discovered that the hospital did not begin to secure and safeguard workstations and portable devices until 2013 despite being aware of the risks for many years.
  1. Florida corporation, Memorial Healthcare System, agreed to pay a fine of $5.5 million. This ties Advocate Health Care Network’s fine in August of 2016 for the record of highest penalty.  In this incident, the PHI of 115,143 patients was improperly accessed and disclosed.   Memorial Healthcare failed to terminate a former employee’s log-in credentials which was then used to access 80,000 records with PHI over the course of an entire year.  The company also neglected to review the activity within the system that would have identified that the records were being improperly accessed.   Memorial discovered the breach while investigating two employees who were stealing patient information to file fake tax returns.

Not too long ago, I posted an overview of OCR’s enforcement in 2016.  OCR continues to be active in its enforcement, at its highest level to date.  This is a great opportunity for privacy and security officials to point out to upper management the need for greater resources and attention to HIPAA compliance.

Continue Reading

Cartoon About Connected Devices

Cartoon Connected Devices - Internet of Things

This cartoon depicts the potential future of the Internet of Things.  As more and more devices are connected to the Internet, including ones implanted in people’s bodies, increasing thought must be given to the privacy and security implications.  The speed of technological development is moving at a far greater pace than the speed of policy thinking regarding privacy and security.

How will the security of new devices be regulated?  The market doesn’t seem to be adequately addressing the security of the Internet of Things.  Bad security in devices has externalities beyond the users, as devices can be used as part of botnets to attack other targets.

How will privacy be designed into devices?  How will notice and choice work?  When privacy is “baked in” to a device, do the engineers have a comprehensive understanding of privacy?  How will consumers be able to understand and respond to these design choices?

Should there be special considerations for medical devices or any device that is implantable in a person?

We still await satisfactory answers to these questions . . . but the expansion of the Internet of Things isn’t waiting.

Here’s an earlier cartoon I created regarding the Internet of Things:

Continue Reading

Phishing Cartoon: Signs of a Phishing Scam

Misspelled words and bad grammar are tell-tale signs of phishing.   Why don’t phishers learn spelling and grammar?  Can’t they afford a copy of Strunk and White?

Phishers don’t need to spell better because their poorly-written schemes still fool enough people.  It’s just math for the phishers — a numbers game.   If you handle IT security at your organization, don’t assume that people won’t fall for obvious phishing scams — they do.   That’s why it is essential to train people — again and again.

Continue Reading

Privacy Cartoon: Privacy Budget vs. Security Budget

 

Cartoon Privacy vs. Security Budget

My cartoon depicts the discrepancy in the security and privacy budgets at many organizations.  Of course, the cartoon is an exaggeration.  In an IAPP survey of Chief Privacy Officers at Fortune 1000 companies in 2014, privacy budgets were nearly half of what security budgets were.  That’s actually better for privacy than many might expect. Outside the Fortune 1000, I think that privacy budgets are much smaller relative to security.

Fortunately, it does appear that privacy budgets have increased according to the 2016  IAPP-EY Annual Privacy Governance Report which surveyed 600 privacy professionals from around the world.  Though the data captured in 2016 has far more details, comparing the charts published by the IAPP in 2015 vs 2016, you can see a significant increase in total privacy spend.

Continue Reading

Lessons from 2016, the Biggest HIPAA Enforcement Year on Record

HIPAA Enforcement

Time to call the Guinness Book of World Records because HHS has set a new world record in HIPAA enforcement.  2016 saw a considerable increase in HIPAA enforcement resolution agreements and monetary penalties.  At the end of 2016, the OCR logged over $20 million in fines for HIPAA violations from 15 enforcement actions with monetary penalties — a stark contrast to 2015 penalties which were just over $6 million from just 6 resolution agreements.

The per entity fines have increased as well increasing from about $850K in recent years to $2 million in 2016.

Also, in late 2015, the Office of the Inspector General released findings of a study that recommended a stronger enforcement and follow-up from the OCR for HIPAA violations:

Continue Reading

The Nothing-to-Hide Argument – My Essay’s 10th Anniversary

Privacy Surveillance Nothing to Hide Argument

In response to government surveillance or massive data gathering, many people say that there’s nothing to worry about.  “I’ve got nothing to hide,” they declare.  “The only people who should worry are those who are doing something immoral or illegal.”

Nothing to Hide - SoloveThe nothing-to-hide argument is ubiquitous.  This is why I wrote an essay about it 10 years ago called “I’ve Got Nothing to Hide,” and Other Misunderstandings of Privacy, 44 San Diego Law Review 745 (2007).  It was a short law review piece, one that I thought would be read by only a few people.  But to my surprise, this essay really resonated with many people, and it received an unusually high number of downloads for a law review essay.  I later expanded the ideas in the essay into a book: Nothing to Hide: The False Tradeoff Between Privacy and Security  (Yale University Press 2011).

This year is the 10th anniversary of the piece.  A lot has happened between then and now.  Not too long before I wrote my essay, there were revelations of illegal NSA surveillance.  A significant percentage of the public supported the NSA surveillance, and the nothing-to-hide argument was trotted out again and again.  This was the climate in which I wrote the essay.

Later on, in 2013, Edward Snowden revealed that the NSA was engaging in extensive surveillance far beyond its legal authority.  Snowden declared: “Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.”  This time, there was a significantly large percentage of the public that didn’t side with the NSA but instead demanded scrutiny and accountability.

Nevertheless, the nothing-to-hide argument is far from vanquished.  There will always be a need for citizens to demand accountability and oversight of government surveillance, or else we will gradually slide into a more dystopian world.

Here are a few short excerpts from my nothing-to-hide essay:

Continue Reading

HIPAA Cartoon on Snooping

This cartoon is about snooping, one of the most common HIPAA violations.  HIPAA prohibits accessing information that people don’t need to do their jobs.   It can be easy to look at electronic medical records, and people who snoop in this way might not perceive it as wrong.  But the cartoon invites people to imagine how creepy the snooping would appear if it were occurring right in front of patients.  Computers remove the interpersonal dynamic, making it harder for people to fully appreciate the wrongfulness of their conduct.

Though the high-profile, celebrity snooping incidents garner all the media attention, smaller cases affecting everyday individuals make up the bulk of the cases and legal activity.  A large number of inappropriate access claims involve people checking on protected health information (PHI) about family and friends.  Snooping is not intended maliciously.  Often a concerned staff member will access the patient records of a family member or acquaintance out of worry or concern.  In one case, a nurse in New York was fired for disclosing a patient’s medical history to warn a family member who was romantically involved with the patient of the patient’s STD.

Continue Reading