Data Privacy Monitor

HHS Office of Civil Rights Hosts Webinar on Final Rule

Michael Young — Fri, 14 Jun 2013 20:12:12 -0500

Today, the Department of Health and Human Services, Office of Civil Rights (OCR), joined with the Workgroup for Electronic Data Interchange and hosted an online seminar discussing HITECH requirements in the new Final Rule. The presentations covered many points about the Final Rule previously outlined on this blog (see here, here, and here).

Rachel Seeger, presenting for the Office of Civil Rights, confirmed the regulator's intent to strengthen privacy protections for protected health information (PHI) wherever that information may be stored – whether by the health care providers, business associates, or subcontractors.

With respect to enforcement, Ms. Seeger indicated OCR’s policy preference to make audits “a permanent part of enforcement efforts.” OCR especially expressed interest in identifying “systemic or significant” compliance problems within regulated entities.

Presenting for the Workgroup for Electronic Data Interchange, Mark Cone highlighted recurring compliance issues based on an analysis of Corrective Action Plans and audits. Corrective Action Plans are frequent components of resolution agreements between OCR and non-compliant entities and can provide insight into enforcement direction. Mr. Cone offered the following takeaways for avoiding common compliance failures:

Document risk analysis, as required by the Rule. Simply “putting policies and procedures in place does not constitute a risk analysis,” said Mr. Cone.
Tailor employee training to the actual practices of the organization, and ensure that training occurs prior to any interaction with PHI.
Adequately safeguard mobile and portable devices, including stored data and communications via email and text messaging. “Encryption, encryption, encryption,” repeated Mr. Cone, emphasizing the importance of securing mobile devices.
Enforce workplace sanctions for mishandled PHI. The Final Rule requires implementing a sanctions policy for employee mishandling of PHI, and the OCR demands that the policy be more than words on a page.
Enforce appropriate workstation use. Mr. Cone suggested that the physical positioning of laptop and computer screens can sometimes be a compliance issue. PHI appearing on a screen should not be visible to casual passers-by or other unauthorized personnel.
Respond promptly to letters from the OCR. Have a policy in place for appropriately handling requests from the OCR.
Smaller covered entities should resist the temptation to uncritically accept outside vendors’ own business associate agreements. All business associate agreements should be reviewed to ensure that they are appropriate and up-to-date.
Periodically revise policies and procedures to ensure that they reflect the organization’s current real-world practices and technology use. Policies and procedures are often the first thing the OCR asks to see in an investigation. Out-of-date policies are treated as a red flag and may trigger heightened regulatory scrutiny.

Hospital Disclosure of PHI to Media and Workforce Results in $275,000 Fine

Kimberly M. Wong — Fri, 14 Jun 2013 18:04:05 -0500

Posted by Kimberly M. Wong

This post is co-authored by Kimberly M. Wong and Cory J. Fox.

HHS OCR announced today its second resolution agreement of 2013. Shasta Regional Medical Center (SRMC) has agreed to pay $275,000 and enter into a comprehensive corrective action plan (CAP) to settle an investigation opened by HHS following a Los Angeles Times column identifying two SRMC leaders who met with media to discuss medical services provided to a patient. The CEO and CMO revealed the patient’s full chart to the patient’s hometown newspaper, Redding Record Searchlight, and revealed the patient’s medical exam results to the Los Angeles Times. The two SRMC leaders disclosed the patient’s information in response to a California Watch article regarding the federal and state investigations of Prime Healthcare, SRMC’s owner, for fraudulent billing under Medicare and Medi-Cal. Senior management at SRMC also disclosed the patient’s information to the entire SRMC workforce.

Specifically, OCR’s investigation indicated that:

SRMC failed to safeguard the patient’s PHI from impermissible disclosure by intentionally disclosing PHI to multiple media outlets on at least three separate occasions without a valid written authorization from the patient;
Senior management at SRMC impermissibly shared details about the patient’s medical condition, diagnosis, and treatment in an e-mail to the entire workforce; and
SRMC failed to sanction its workforce members for impermissibly disclosing the patient’s records pursuant to its internal sanctions policy.

In addition to the settlement amount, SRMC agreed to a corrective action plan (CAP) that includes a one year period of compliance obligations. Specifically, the CAP requires SRMC to revise its policies and procedures to attain the following:

Provide guidance and procedures on appropriate administrative, technical, and physical safeguards to protect PHI from intentional or unintentional use or disclosure for (i) media inquiries and (ii) that define PHI as it relates to individually identifiable health information;
Train SRMC workforce members who use and disclose PHI to ensure that they know how to comply with SRMC’s revised policies and procedures;
Provide guidance and procedures that address permissible and impermissible uses and disclosures of PHI (i) for media inquiries, (ii) workforce members who are not involved in an individual’s care, and (iii) that define PHI as it relates to individually identifiable health information;
Apply sanctions against SRMC workforce members who fail to comply with SRMC’s revised policies and procedures; and
Provide guidance and procedures regarding (i) what is individually identifiable health information and PHI, including what is required for PHI to be unidentified; (ii) communicating with, and respond to, media, including in regarding to patient-related inquiries, and (iii) sharing of patient PHI within SRMC, including sharing of patient PHI with SRMC workforce members not involved in the provision of or payment of care.

In addition, 15 hospitals and medical centers in California, Nevada, Pennsylvania, and Texas under the same ownership and operational control as SRMC must submit affidavits attesting to their understanding of restrictions on uses and disclosures related to media inquiries.

SRMC’s resolution agreement, OCR’s fourteenth resolution agreement to date since 2008, brings OCR’s civil monetary penalty total to $15.2M. The SRMC resolution agreement falls within the two types of action/inaction categorized by Director Rodriguez in May 2013 as ending up in an OCR monetary enforcement scenario: (1) an ongoing failure to comply with the HIPAA Privacy and Security Rules, and (2) an unforgivable disclosure.

Seventh Circuit Denies 26(f) Relief Allowing A Potentially Massive Privacy Class to Proceed to Trial in Harris v. comScore

Judy Selby — Wed, 12 Jun 2013 11:38:50 -0500

Posted by Judy Selby

This post is a joint submission with BakerHostetler's Class Action Lawsuit Defense blog.

As reported here in April, an Illinois federal district court certified a privacy class that could number tens of millions of plaintiffs in the case of Harris v. comScore. The plaintiffs claimed that comScore, an online data research company, violated the Stored Communications Act, the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act. The plaintiffs also asserted a claim for unjust enrichment. The district court certified the class based on the plaintiffs’ statutory claims only, and not surprisingly, comScore petitioned the Seventh Circuit under Rule 23(f) for an interlocutory appeal of that ruling.

On appeal, comScore noted that the court “certified a worldwide class—tens of millions of people—consisting of everyone who has downloaded …. comScore’s software through a third party since 2005,” and stated, “No privacy case of anything approaching this size has ever been certified, for the simple reason that the individualized issues inherent in case of this type make them particularly unsuited to class treatment.” comScore argued that the district court failed to engage in a “rigorous analysis” before ruling on the class certification issue, and that the decision could “change the course of class action practice in data privacy cases.”

comScore’s appeal was supported by an amicus brief filed by industry groups, including the Direct Marketing Association, the American Association of Advertising Agencies and the US Chamber of Commerce. The amici argued that the district court “created what appears to be the largest class ever certified in a contested internet privacy case, and there is good cause to conclude that it does so erroneously by avoiding Supreme Court precedent and deferring mandatory Rule 23 determinations until trial.” The amici further contended that they “face a groundswell of privacy class actions, such as this one, brought under ill-fitting statutes by uninjured named plaintiffs presenting uncorroborated (and often untestable) allegations that their privacy rights, and those of a massive class of allegedly ‘similarly situated’ individuals, have been violated.”

Yesterday, in summary fashion, the Seventh Circuit issued an Order denying comScore’s petition. The court did not articulate the basis for its decision. The ruling allows the case to proceed to trial, which reportedly will begin before the end of the year. Going forward, class action defendants can expect plaintiffs’ attorneys to rely heavily on the comScore decision to argue for class certification of statutory-based claims in privacy and other cases.

Federal Government Expands AML Cybercrime Enforcement

Gerald Ferguson — Tue, 04 Jun 2013 10:53:54 -0500

Posted by Gerald Ferguson

This Executive Alert was authored by: Lauren J. Resnick and Kaitlyn A. Ferguson

On Tuesday, May 28, 2013, the Department of Justice (DOJ) announced the unsealing of an indictment against Liberty Reserve, S.A. (Liberty Reserve) in the Southern District of New York for operating a $6 billion money laundering scheme. Liberty Reserve and seven of its employees are alleged to have laundered the funds in nearly 55 million transactions since 2006. Based out of Costa Rica, the company, which has been shut down, was a large internet-based payment processor and money transfer system. Despite never registering with the Department of Treasury as a money transmitting business, the company had more than one million customers, 200,000 of which were in the United States. Any customers who were engaged in legitimate business activities have also been unable to access the funds in their Liberty Reserve accounts as a result of the indictment.

Liberty Reserve operated with a digital currency known as LR. Customers were permitted to open accounts under fictitious names with the company, and then, using a third party intermediary known as an "exchanger," deposit funds into their accounts. For small transaction fees, customers would be permitted to move funds between their own accounts and accounts of other Liberty Reserve customers, and withdraw funds. Like deposits, cash withdrawals were not permitted directly through Liberty Reserve, but were, instead, undertaken through a third-party exchanger. Unlike traditional banking institutions that comply with U.S. law, Liberty Reserve did not require accountholders to verify their identities. The lack of identifying information, the use of exchangers and the deliberate concealment of financial transfers by the removal of account numbers from inter-account transfers resulted in a system perfectly designed for money laundering. There was no screening of clients, and fictitious monikers such as "Russian Hacker" and "Hacker Account" were permitted to open accounts and conduct business through the site.

Federal authorities allege that $6 billion was laundered through the site in connection with credit card fraud, identity theft, investment fraud, computer hacking, child pornography and narcotics trafficking, among other illicit activities. Much of the money was moved through shell accounts in at least 17 countries, including Costa Rica, the Netherlands, Spain, Morocco, Sweden, Switzerland, Cyprus, Australia, China, Norway, Latvia, Luxembourg, the United Kingdom, Russia, Canada and the United States.

In addition to the Justice Department's criminal indictment, the Treasury Department also took action on Tuesday by declaring Liberty Reserve a "money laundering organization." This designation under § 311 of the PATRIOT Act bans Liberty Reserve, and those continuing to do business with the company, from the U.S. financial system. This designation by Treasury is the first time the Department has made such a designation against a virtual currency provider. U.S. Attorney Preet Bharara recognized this prosecution as an important step to reign in the "Wild West" of criminal internet banking, noting that "[a]s crime goes increasingly global, the long arm of the law has to get even longer, and in this case, it encircled the earth."

The proliferation of money laundering through cyberspace is an increasing threat. Criminal organizations no longer have to rely on the physical transfer of suitcases of cash across borders to "clean" the proceeds of their unlawful activities. As these organizations become more sophisticated in finding ways to bank their criminally derived proceeds outside of the regulated financial system, many crimes will become increasingly difficult to detect.

Companies utilizing technology to conduct their business activities, whether they are financial institutions, funds transfer processors or users of these services, must develop compliance controls to ensure they do not become vehicles for money laundering and are not doing business with such organizations. Facilitating money laundering has harsh consequences, and even the unwitting use of a money launderer such as Liberty Reserve can result in the freezing of a legitimate company's assets or blockage from the U.S. financial system. Today, more than 74 countries have anti-money laundering statutes, and companies engaged in cross-border activity must ensure that their policies comply not only with the policies of the United States but also with the laws and regulations of other countries where they do business. Companies are advised to vet vendors and other service providers to identify suspicious activity in order to avoid criminal exposure for transaction activity that violates federal law and protect against the commercial consequences of doing business with an entity that becomes the target of government prosecution and forfeiture.

More broadly, as companies increasingly entrust their account and financial information to internet banking services that are vulnerable to data breach, they should have cybersecurity response plans in the event those services are criminally compromised. With legal and consulting specialists advising a company's internal technology team, these threats can be reduced and addressed with cybersecurity contingency plans put in place before the a company's financial information is jeopardized by digital hacking and virtual espionage.

If you have any questions about this alert, please contact Lauren J. Resnick at lresnick@bakerlaw.com or 212.589.4241 or any member of BakerHostetler's White Collar Defense and Corporate Investigations Team.

Illinois Supreme Court Finds Insurance Coverage for TCPA Claims under Traditional Liability Policies

Judy Selby — Mon, 03 Jun 2013 14:48:07 -0500

Posted by Judy Selby

This post is a joint submission with BakerHostetler's Class Action Lawsuit Defense blog.

The Illinois Supreme Court held on May 23, 2013, that claims based on alleged violation of the Telephone Consumer Protection Action (TCPA) are covered under traditional general liability policies. Standard Mut. Ins. Co. v. Lay, 2013 IL 114617 (Ill. 2013). In so ruling, the Court overruled the decision of a lower appellate court, which had affirmed the trial court’s holding that the claims were not covered. The Court also broke with the determinations of courts from several other jurisdictions, which previously found that TCPA claims are not covered.

In Lay, Locklear Electric, Inc. (Locklear) filed a class action complaint against Ted Lay Real Estate Agency (Lay), after Lay’s agent sent a “blast fax” advertisement to approximately 5,000 people and entities. The plaintiffs sought the TCPA-prescribed damages of $500 per violation, as well as injunctive relief. Lay consented to a court-approved settlement of over $1.7 million, and Locklear agreed to seek satisfaction of the judgment exclusively from Lay’s insurance proceeds.

Lay’s insurer, Standard Mutual Insurance Company (Standard), then commenced a declaratory judgment action to determine its liabilities under its commercial general liability and businessowners liability policies. Among the issues to be decided was whether the TCPA constitutes a “penal statute.” Standard’s policies preclude coverage for willful violations of penal statutes. The trial court granted Standard’s motion for summary judgment on that point, which was affirmed on appeal. The appellate court held that TCPA damages are punitive and “are not insurable under as a matter of law under Illinois law and public policy and are not recoverable from Standard.” The court reasoned that the “actual damages incurred by a violation of the TCPA are more in the nature of an irksome nuisance.... Actual damages to any one individual are likely to be small. Five hundred dollars then becomes a predetermined amount of damages and is clearly not meant to compensate for any actual harm.” Id. at 10.

The Illinois Supreme Court disagreed. The court reviewed the legislative history of the TCPA, and concluded that the $500 liquidated damages under the statute were meant, in part, to be an incentive for private parties to enforce the TCPA. “Whether we view the $500 statutory award as a liquidated sum for actual harm, or as an incentive for aggrieved parties to enforce the statute, or both, the $500 fixed amount clearly serves more than punitive or deterrent goals.” Id. at 10-11. The court also held that the availability of treble damages “is but one part of the regulatory scheme, intended as a supplemental aid to enforcement rather than as a punitive measure.” Id. at 11. Consequently, the court concluded, “We hold that the TCPA is a remedial and not a punitive statute, and that the $500 liquidated damages per violation are not punitive damages.” Id. Acknowledging that its decision was at odds with holdings of the 10th Circuit, the Colorado Supreme Court, and a New York appellate court, the court stated that its ruling was based on the “true intent of Congress in enacting the TCPA. Id.

The court declined to address the issue of whether punitive damages are insurable under Illinois law, noting that resolution of that issue was not necessary to the disposition of the case. The case was remanded to the appellate court to address other remaining issues.

As TCPA class actions and other similar statutory-based claims continue to proliferate across the country, we can expect defendants to pursue coverage under traditional liability insurance policies based on the Illinois Supreme Court’s reasoning here.

Mobile Apps and Websites Face New COPPA Requirements Starting July 1

Craig Hoffman — Mon, 03 Jun 2013 10:03:17 -0500

Posted by Craig Hoffman

Authored by Benjamin D. Pergament

In one month, on July 1, 2013, the Federal Trade Commission’s most recent amendments to its Children’s Online Privacy Protection Act Rule (“COPPA Rule”) will go into effect. These changes include a variety of requirements intended to keep up with advances in technology and how children interact with mobile apps and websites. The amendments to the COPPA Rule are primarily focused on the collection of personal information from children under the age of 13, and include changes to the types of information covered by the rule, the methods for obtaining parental consent for collection of personal information, and additional restrictions on how that personal information can be shared among companies who use such information in their business. The amendments to the COPPA Rule:

modify the list of personal information that cannot be collected without parental notice and consent, which includes geolocation information, photos, videos and audio files that contain a child’s image or voice;
establish a “streamlined” approval process for proposed new methods for obtaining parental consent;
require parental consent where the app or website allows third parties to collect personal information from children through plug-ins, and in some cases require those third parties to comply with COPPA as well;
extend COPPA to cover persistent identifiers (such as IP addresses and mobile device IDs) which recognize users over time and across different services or websites;
increase data security protection by requiring operators of apps and websites to take steps to release children’s personal information only to other companies that can keep that information secure and confidential;
require that app and website operators adopt reasonable procedures for data retention and deletion; and
provide increased FTC oversight concerning self-regulatory safe harbor programs.

The new requirements imposed by the amendments will no doubt require some app and website operators to modify their business practices to comply with the COPPA Rule. These amendments close several loopholes and clarify previously gray areas regarding the types of operators, services and personal information that fall within the Rule’s ambit. For apps and websites clearly directed to children under 13, the amendments provide an enhanced set of protections that appear to further COPPA’s overarching goal of creating a safer and more secure online experience for children.

A bit murkier is the effect of the amendments regarding apps and websites that cater to a more general audience. The amended COPPA Rule employs an “actual knowledge” standard, and requires compliance with its requirements when an operator or service provider has actual knowledge that they are collecting personal information through a child-directed app or website. Apps and websites that target a more general audience, where children are not the primary users, are only required to provide notice and obtain parental consent for those users who identify themselves as being younger than 13. Further, third parties (like plug-ins and ad networks) will be deemed to have the requisite “actual knowledge” if the child-directed nature of the content is directly communicated to that third party by the content provider, or if a representative of the third party service “recognizes” the child-directed nature of the content.

Time will tell how these and other issues potentially created by the new amendments to the COPPA Rule will play out. But for now, given the continuing exponential growth in the number of children using computers and mobile devices for education and entertainment, every app and website operator must take notice of the Rule’s new requirements. App and website operators must ensure that their practices, and the practices of the third parties they have integrated or with whom they share user’s personal information, are updated to comply with the new COPPA Rule once it takes effect on July 1.

Highest Bidder Loses Spoliation Fight in Auction House Data Breach

Craig Hoffman — Fri, 31 May 2013 14:01:45 -0500

Posted by Craig Hoffman

This blog post is a joint submission with BakerHostetler's Discovery Advocate blog.

Authored by: Karin Scholz Jenson and Ganesh Krishna

A recent case out of the Northern District of Ohio is an unsung victory for proportionality in that the Court twice declined to sanction a plaintiff’s “failure” to forensically image computers where computer logs showing the relevant evidence were sufficient.

The case, Yoder & Frey Auctioneers, Inc. v. EquipmentFacts LLC, was brought by an online auctioneer of construction equipment against an ex-partner, EquipmentFacts, which was under contract to run Yoder’s bidding services. After Yoder ended the partnership, EquipmentFacts accessed Yoder’s website and posted negative comments about Yoder on a bulletin board and placed bids for more than $1 million for equipment, according to the lawsuit. EquipmentFacts won the bid but never paid for the equipment. Yoder sought damages for lost commissions from the auction.

How exactly EquipmentFacts gained access to the website seemed to be an open question – there was some evidence that EquipmentFacts used an old account, and some evidence that it used another bidder’s account. Yoder had produced software and server log files to show that the transactions were tied to EquipmentFacts’ unique IP address, but the server and software that Yoder was using at the time that EquipmentFacts accessed the system had been destroyed.

EquipmentFacts asked the Court to either dismiss the case or bar Yoder from introducing any evidence relating to the computer system on the grounds that the destruction of the system denied EquipmentFacts the chance to establish “whether the software and hardware worked correctly, produced reliable data, was inappropriately accessed by a third party, or simply analyzed incorrectly by Plaintiffs.”

On April 8, the Court denied the motion. In an opinion underscoring the importance of line drawing in discovery, the Court stated: “The plaintiffs having produced some documented evidence of a break in, the Court will not now sanction Yoder [. . . ] for not preserving the system so that EquipmentFacts might test whether the locks work.”

EquipmentFacts moved for reconsideration, which the Court promptly denied on May 16, 2013. In the opinion, that Court noted that conflicting, contradictory and rebuttable evidence does not equal spoliation.

“Simply saying that the other party’s evidence is weak does not lead to a finding that he spoliated the stronger evidence,” according to the Court. “The Court must find some specific piece of evidence that the plaintiffs should have preserved but actually destroyed.”

EquipmentFacts’ demand to have access to the system hardware and software is not entirely without merit, the Court said – if EquipmentFacts used that analysis to determine that the logs that Yoder produced were somehow defective. But the mere fact that the system may have contained relevant evidence was not enough.

“Preservation of an entire running system is a rare remedy and is often associated with suits premised on a defect in the system to be preserved,” the Court said.

Building on the analogy from the earlier decision, the Court found no basis for holding that “one accused of improper entry is entitled to dust the entire premises for fingerprints.”

The Court does not use the word “proportionality” in either opinion, but the message is there, loud and clear.

Cyber Criminals' Menu Features the Food & Beverage Industry; Steps to Protect Your Business

Judy Selby — Fri, 24 May 2013 14:00:00 -0500

Posted by Judy Selby

2012 was a challenging year for the Food and Beverage (F&B) industry. In addition to increased government regulation, rising food prices and relatively slow growth trends, the industry once again was a favorite target of cybercriminals. According to the 2013 Trustwave Global Security Report, cyberattacks on F&B enterprises comprised 24% of attacks in 2012, second only to retail merchants (45%). A franchisor's lack of corporate control over franchisees coupled with interconnectivity among franchisees adds to the risk.

The cost of a data breach can be devastating. ANX Corporation reports that the average direct cost of a credit card breach to a restaurant is $80,000. Perhaps more importantly, a shocking 70% of restaurants that suffer a breach go out of business within one year of the attack, according to ANX. Immediately after a breach is identified, the business must stop taking credit cards and remediate the breach. The business then would be required to be inspection by a Qualified Security Assessor (QSA) for the Payment Card Industry (PCI) on a yearly basis for three years or until the credit cards brands at issue agree to drop the reporting requirement.

ANX identified eight key security gaps that affect food service organizations: outdated firewalls, insecure remote access, weak security configurations, operating system flaws, lack of staff training, flaw security policies, negligence and poor change control procedures.

Zaxby's 567-location franchise restaurant chain is a recent victim of a computer system and point-of-sale (POS) breach. Zaxby's initiated a forensic investigation after a number of its locations had been identified as common points of potentially fraudulent charges. The investigation revealed that computer systems in 108 locations stored suspicious files and were infected with malware designed to collect and transmit payment card information. Although there is no evidence that third parties obtained that information, Zaxby's required all of its licensees "to engage an industry leading provider of PCI compliance services to provide enhanced firewalls, system monitoring and PCI compliance services."

Despite the inherent risks facing every company that processes confidential data as well as the additional and unique risks encountered by franchised enterprises, some relatively simple steps can be taken to reduce the risk of a data breach and to mitigate the effects if a data breach takes place.

Risk Management

An internal risk management program, including the establishment of strong policies and procedures, training and insurance can reduce the chances of a data breach and mitigate the damages if a breach occurs. Businesses should:

Review their internal policies and procedures and make sure they're up to date. The statutory and regulatory framework governing confidential information is constantly evolving and must be incorporated by your organization. The 46 state laws seem to always change with respect to notification and security requirements. If your organization conducts business outside of the US, requirements of foreign laws must be incorporated into your policies and procedures. Remember, having a policy your company does not follow is worse than not having a policy at all; therefore, ensure that your policies are distributed to, and followed by, employees.
Review your incident response plan regularly and ensure that the team members are prepared to jump in when an incident occurs.
Hire a consultant to conduct a yearly security risk assessment to identify any vulnerability in your processes and procedures for handling confidential data. Some laws, such as HIPAA, require periodic risk assessments. And, it is good practice as organizational risks change with changing practices.
Education of employees is critical to the success of any compliance program. Make sure all employees are educated and trained concerning those policies and procedures and any laws and regulations that apply to your business. There are laws, such as the Massachusetts Data Protection Law 201 CMR 17.00, that mandate these types of training programs.
Work closely with your business partners to ensure that they are properly handling your confidential data. Vendors are the cause of at least 1/3 of all data security incidents.
Do not forget to compare your data collection and sharing practices to what your privacy policy says. Regulators, such as the Federal Trade Commission, are watching closely.

Cyber insurance can help organizations respond to and mitigate the harmful consequences of a data breach. Most cyber insurance policies provide invaluable assistance to help the insured respond to a breach, including first party coverage for an attorney breach coach, forensic technicians, notification providers, credit monitoring services and crisis management professionals, as well as third party liability coverage for legal defense costs and fines. Further reading: Why Risk Data Breaches? Subscription required.

The Franchise Agreement

Franchise agreements should address several important data security concerns, PCI compliance, breach notification and cyber insurance.

PCI Compliance

Every business that accepts credit or debit cards must comply with the PCI's Data Security Standard (PCI DSS). Broadly stated, the PCI DSS requires the business to:

build and maintain a secure network, including installation and maintenance of a firewall and use of appropriate passwords
protect cardholder data, avoiding storage of such data if possible
maintain a vulnerability management program, including use of current antivirus programs
implement strong access control measures limited to those with a need-to know
monitor and test networks regularly
maintain and disseminate an updated information security policy

Although the PCI mandates compliance with its DSS, the Franchise Agreement nevertheless should specifically address data security and require franchisees to comply with the PCI DSS. Any third party vendors should be contractually obligated to comply with those requirements, and contractual indemnity should be considered. The franchisee may ultimately end up being financially responsible for PCI DSS compliance. Potentially devastating financial repercussions include fines of up to $50,000 per incident, liability for losses relating to the compromised account information and re-issuance of cards and possible suspension of merchant accounts.

Breach Notification

The franchisee should be required to promptly notify the franchisor of all breaches in security and immediate notify the franchisor of all breaches of sensitive information. The franchisor must control the response to the security breach including the decision as to whether public disclosure is required. The franchisor must also be afforded the opportunity to investigate the breach with its own resources either on-site or remotely through the franchisee's computing resources.

The franchisor may also want to consider being notified of any impermissible uses or disclosures, not just those that rise to the level of a breach. First, this allows the franchisor to monitor the practices of the franchisee to determine if it wants to continue the relationship. And, it also provides the franchisor with control over what it considers to be a breach, which is important since it is the franchisor's reputation that is typically on the line despite who caused the breach.

Cyber Insurance

Franchise agreements also should require franchisees to purchase a specified amount of cyber insurance coverage in the event of a data breach. The protections provided by cyber insurance literally can provide a lifeline to F&B businesses that are victimized by cyber criminals.

BakerHostetler's Privacy and Data Protection Team and Ted Kobus: Ranked in Chambers USA 2013

Admin — Fri, 24 May 2013 11:15:13 -0500

Posted by Admin

Congratulations to the BakerHostetler Privacy and Data Protection Team for their ranking and “considerable praise” in the 2013 edition of Chambers USA: America’s Leading Lawyers for Business. The team was ranked among the nation’s best in the area of “Privacy & Data Security: Nationwide.” Privacy and Data Protection Team Co-Leader, Ted Kobus, was individually ranked for his “excellence,” leadership, and expertise. Equally impressive, the BakerHostetler team was also given the distinction of being “Recommended for Client Service” and “Recommended for Commercial Awareness.” Our results and client confidence speak for themselves with our clients endorsing us as “a very strong team” and the “go-to firm on these issues” given our “deep capability,” “dedicated service to clients,” and “commercial awareness." The BakerHostetler Privacy and Data Protection Team is recognized for looking “to get the job done in a manner that is in the best interests of the client, in a professional and cost-effective manner."

Twitter v. Manhattan DA Fight Unfortunately Ends with a Whimper

Fernando A. Bohorquez, Jr. — Fri, 24 May 2013 10:00:00 -0500

Posted by Fernando A. Bohorquez, Jr.

This blog post is a joint submission with BakerHostetler’s Discovery Advocate blog.

Last Friday, Twitter’s battle with the Manhattan District Attorney over a subpoena for an Occupy Wall Street protester’s tweets came to an anti-climactic end as the New York appeals court dismissed Twitter’s appeal of a Manhattan Criminal Court’s order to produce the tweets as “academic.” Twitter’s appeal raised important issues of first impression to the social media community and the non-decision decision appears to have been a lost opportunity to bring some clarity to questions concerning the government’s subpoena power.

A little bit of background first. In early 2012, the Manhattan District Attorney served a subpoena on Twitter for Malcolm Harris’ Twitter account information and tweets. Harris - one of the hundreds of Occupy Wall Street protesters – was charged with disorderly conduct by the Manhattan DA for “occupying” the Brooklyn Bridge. The DA served Twitter with a subpoena under the Stored Communications Act for Harris’ Twitter records in connection with the investigation. Consistent with Twitter’s internal policies, Twitter notified Harris of the subpoena and Harris tried to quash it. In an April 20, 2012 order, the Manhattan Criminal Court judge held that Harris had no standing to challenge the subpoena.

Twitter then entered the fray and moved to quash the DA’s subpoena and its motion was similarly denied by the Manhattan Criminal Court in a June 30, 2012 decision. The court reiterated its prior holding that only Twitter - not Harris - had standing to challenge the subpoena and that neither the Fourth Amendment of the U. S. Constitution nor the New York Constitution’s analogue provision required a search warrant. Twitter appealed the decision but in the interim had to produce the records to avoid paying stiff contempt sanctions as its stay of the order was denied.

As we quickly - and arguably irreversibly – move towards a world where we share more and more of our lives on social media, it is growing increasingly important to understand how social media companies respond to government requests for our information and what recourse these companies and their customers may have when faced with such requests. Indeed, in U.S v. Jones – the recent Supreme Court case holding that a GPS tracking device required a warrant under the Fourth Amendment – Justice Sotomayor acknowledged the shifting societal norms and rapidly changing technologies noting in her concurrence that “it may be necessary … to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties.”

Twitter is no stranger to government subpoenas and in its brief history has developed a robust reputation for protecting customer information from government requests for information. According to the Electronic Frontier Foundation, Twitter scored a six out of six in a ranking of how strongly companies protect customer data. A handful of other social media giants and big tech companies got five out of six, including Dropbox, Google and Linkedin, but only Twitter garnered a perfect score.

Twitter’s refusal to provide Harris’ information to the DA was perhaps the most high profile example of the company’s pro-customer stance. But more importantly, the case was primed to raise at least two important legal questions on appeal:

(1) Whether Twitter users like Harris have standing under the Stored Communications Act (SCA) and the U.S. Constitution to move to quash government subpoenas for their Twitter records; and

(2) Whether the DA’s subpoena for Harris’ non-publicly available tweets violated the Fourth Amendment, i.e., whether Harris had a reasonable expectation of privacy requiring a search warrant from the government as opposed to a civil subpoena under the SCA (for a quick related refresher, SCA discovery basics were previously discussed here).

On May 17, 2013, the NY appellate court decided to pass on answering these questions as moot because Twitter had already produced Harris’ records. Facing contempt sanctions for failure to comply with the Manhattan Criminal Court Order, Twitter not only appealed the Criminal Court’s decision, but also sought to stay the proceedings while the appeal was pending. The Appellate court, however, denied the stay application on September 27, 2012. Twitter produced the materials last fall to avoid paying substantial monetary fines.

To be sure, the Appellate court’s decision was somewhat preordained and even predicted by Twitter itself. In its opposition to show cause before the Criminal Court as to why it should not be fined for contempt for not producing the records, Twitter argued that being forced to produce Harris’ tweets before resolution on appeal would render the issues moot and prevent a full and fair adjudication of the Criminal Court’s order. Unfortunately for social media companies and their customers looking for clarity and guidance on the scope of the government’s subpoena power, that is exactly what happened.

To get both sides of the argument, we recommend that you read the Criminal Court’s June 30, 2012 Order available here and Twitter’s appellate brief of that decision here.