News & Insights

Newsletter

December 11, 2018

Data, Privacy & Security Practice Report – December 11, 2018


Attorneys General File First HIPAA Related Data Breach Suit—A dozen state attorneys general have joined together to file the first multistate HIPAA-related data breach case in federal court.  Amidst a growing trend of stronger enforcement of data privacy laws, this is the first such state attorney general case under federal health care privacy law.  

Attorneys general (“AGs”) from 12 states announced Wednesday, December 5th, that they have filed a complaint against Medical Informatics Engineering, Inc. and NoMoreClipboard, LLC (collectively “MIE”), a web-based electronic health record company based in Fort Wayne, Indiana.  The action is the first state AG suit under HIPAA.  

The complaint alleges that, due to MIE’s violation of HIPAA, millions of patient records were put at risk.  According to the AGs, in May 2015, hackers infiltrated a web application run by MIE, which stores patient information for dozens of institutions; as a result, the hackers allegedly stole the electronic Protected Health Information (“ePHI”) of more than 3.9 million individuals, including names, telephone numbers, mailing addresses, usernames, hashed passwords, security questions and answers, spousal information (name and potentially date of birth), email addresses, dates of birth, Social Security numbers, and other information.  According to the complaint, the hackers had access to this information for more than two weeks before the breach was detected and reported to the FBI. 

The AGs have alleged that MIE failed to institute proper data security safeguards to protect ePHI from unauthorized access.  Moreover, the AGs argue that the company did not have appropriate controls in place to prevent the exploitation of its system’s vulnerabilities, and when the breach occurred, the company failed to disclose it in a timely fashion. 

Other than federal HIPAA violations, the AGs’ suit alleges numerous violations of state laws, including data breach notification and deceptive trade practices.  The complaint requests injunctive relief as well as an undetermined amount of money for restitution and civil penalties. 

Indiana Attorney General Curtis Hill filed the suit on behalf of the 12 states, which also include Arizona, Arkansas, Florida, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin. 

Reporter, Bethany L Rupert, Atlanta, + 1 404 572 3525, brupert@kslaw.com

Federal Trade Commission Seeks Public Comment On Identity Theft Rules—On December 4, 2018, the Federal Trade Commission (“FTC”) announced that it is seeking comment on whether to change the “Red Flags Rule” and the “Card Issuers Rule” (the identity theft rules codified at 16 CFR Part 681) as part of the FTC’s systematic review of all of its current regulations and guides.

The Red Flags Rule requires financial institutions and some creditors to establish written identity theft prevention programs to detect, prevent and mitigate identity theft.  The Card Issuers Rule requires debit or credit card issuers to establish policies and procedures to assess the validity of change of address requests if, shortly after receiving such a request, the issuer also receives a request for an additional or replacement card for the same account.  The Card Issuers Rule also bars card issuers from issuing additional or replacement cards until it notifies the cardholder of the request or otherwise assesses the validity of the address change.

The Red Flags Rule and the Card Issuers Rule were first published by the FTC in November 2007, pursuant to the Fair and Accurate Credit Transactions Act (“FACTA”) enacted in December 2003.  FACTA required the FTC and other federal agencies to establish and maintain guidelines for financial institutions and creditors to identify patterns, practices and activities that might indicate identity theft; prescribe regulations requiring financial institutions and creditors to establish reasonable policies and procedures for implementing the established guidelines; and prescribe regulations requiring debit and credit card issuers to validate notifications of changes of address under certain situations.

The FTC seeks comment on a number of issues relating to the Red Flags Rule and Card Issuers Rule, including, among others: the need for the rules; benefits that the rules provide to consumers and businesses; costs that the rules impose on consumers; modifications that would increase benefits or reduce costs; the level of industry compliance with the rules; and whether there are types of creditors that should be but are not currently subject to the Red Flags Rule.

The deadline for submitting comments is February 11, 2019. The text of the FTC Federal Register Notice, which includes instructions for submitting comments, is available here.

Reporter, Stephen R. Shin, Atlanta, +1 404 572 3502, sshin@kslaw.com

INTERNATIONAL NEWS 

EU Data Protection Authority Rewards “Exemplary Cooperation” With Moderate Fine—On November 21, 2018, the data protection authority of the German state of Baden-Württemberg (“LfDI”) imposed a fine of EUR 20,000 on a German social media company for failing to encrypt user passwords, the first fine issued under the General Data Protection Regulation (“GDPR”) in Germany.  In considering the amount of the fine to be imposed on the company, the LfDI explicitly rewarded the company’s exemplary cooperation by disclosing and addressing its shortcomings under GDPR. 

In September 2018, the social media company contacted the LfDI to report a data breach following a hacker attack, which had resulted in the theft and disclosure of personal data of around 330,000 users, including passwords and email addresses.  It then provided an updated notification in which the company fully disclosed its data processing and business structures to the LfDI.  In the update, it became evident that the company had deliberately violated its obligation to ensure the security of personal data under Art. 32 of GDPR as the social media company was saving and using user passwords unencrypted and not hashed. 

Although under GDPR a fine for a contravention of this nature can be as high as EUR 10 million or 2 percent of the company’s worldwide revenue in the previous year, whichever is higher, the LfDI imposed a fine of EUR 20,000. According to the authority’s press release, the company’s “exemplary” cooperation with the authorities by disclosing its shortcomings was taken into account when assessing the fine.  Not only did the company fully disclose its data processing and business structures, but it also willingly implemented the authority’s instructions and recommendations.  Within a couple of weeks, the company had implemented far-reaching measures around its IT security infrastructure and had upgraded the protection of user data to a standard considered to be state of the art.  The LfDI noted that with these measures the company had improved the safety of user data significantly and in a very short period of time.  As fines issued under GDPR are not only intended to provide a deterrent, but are also required to be appropriate, the authority also took into consideration the overall financial burden for the company which amounted in total to a six-digit figure. 

Dr. Stefan Brink, the head of LfDI concluded, “As data protection authority, it is not the aim of the LfDI to compete for the highest possible fines. What really matters is the improvement of the level of data protection and data security for the users concerned.” 

This first fine to be issued in Germany under GDPR teaches a valuable lesson for companies active on the EU market: It seems that European data protection authorities are willing to reward companies’ cooperation and transparency as well as the willingness to implement measures recommended by the data protection authorities with relatively moderate fines, even in case of deliberate data protection violations.  Thus, when becoming aware of potential irregularities under GDPR, it is crucial for companies to develop a good strategy for the cooperation with data protection authorities.  Taking the LfDI’s recent statement on the calculation of fines into account, European data protection authorities’ Guidelines on the application an setting of administrative fines (wp253) are worth a closer look as they provide helpful guidance on the behavior authorities expect from companies when faced with violations under GDPR. 

Reporter, Elisabeth Kohoutek, Frankfurt, +49 (69) 257 811 401, ekohoutek@kslaw.com. 

Also in the News  

K&S Elects 30 New Partners And Promotes 11 Counsel Across 10 Offices—On December 6, 2018 K&S announced 30 new partner and 11 new counsel promotions.  The list of partner promotions includes Elizabeth D. Adler, Counsel in K&S’s Business Litigation Practice Group and a member of the Data, Privacy & Security practice in Atlanta.  The full list of promotions can be found here

Who Is Who Legal 2018/2019 Recognizes Sebastian D. Müller—Sebastian D. Müller has been named one of the future leaders in the international arbitration space by Who Is Who Legal, which has described Müller as an attorney who “stands out as ‘a very smart strategist’ who wins praise from peers for his strong expertise in data protection-related arbitrations.”  Click here for the full article.