Cybersecurity and the Law

February 29, 2016 – 9:30-10:30am

Adam H. Greene, JD, MPH Partner, Davis Wright Tremaine LLP

Conflict of Interest

Adam H. Greene Has no real or apparent conflicts of interest to report.

2

Agenda

• Learning Objectives

• The Potential Legal Costs of Poor Cybersecurity

• What the Law Requires

• The Value of Best Practices

• The Role of NIST

3

Learning Objectives

• Explain the possible legal ramifications of a cyber-attack

• Review recent developments in Cyber Security Law

• Provide ideas on how to prepare executive management and the board for the inevitable

• Discuss the pros and cons of applying the NIST Cyber Security Framework within healthcare

4

The Potential Legal Costs of Poor Cybersecurity

A Really Bad Day …

An outside security consultant’s review identified sophisticated malware residing on your information systems.

6

More Bad News…

Forensic investigation identified that:

• Outside entity obtained initial access through spear phishing.

• Once inside the network, obtained administrative credentials.

• Has been in the system for four months.

7

What Did They Get?

We don’t know what was exfiltrated. Possibly:

• Information on 500,000 patients.

• Including medical information and Social Security numbers.

• Affecting residents in 22 states where we operate.

8

So, How Bad Is This?

Potential HIPAA Violations:

• Impermissible disclosure of 500,000 patients’ protected health information (2015-16)

• Failure to conduct an accurate and thorough risk analysis (2011-16)

• Failure to implement a risk management plan (2011-16)

• Lack of information system activity review (2011-16)

• Failure to protect from malicious software (2011-16)

9

So, How Bad Is This?

Potential HIPAA Penalties (HHS):

• $50,000 per violation per day or per affected individual

• Annual cap of $1.5 million for multiple violations of the same requirement

10

So, How Bad Is This?

Potential HIPAA Penalties (HHS), at the $1.5M annual cap per requirement:

• Impermissible disclosure: 2 years * $1.5M = $3M

• Risk analysis: 6 years * $1.5M = $9M

• Risk management plan: 6 years * $1.5M = $9M

• Information system activity review: 6 years * $1.5M = $9M

• Failure to protect from malicious software: 6 years * $1.5M = $9M

• HHS Total = $39M

11

But Wait, There’s More ….

Potential HIPAA Penalties (State Attorney General):

• $100 per violation per day or per affected individual

• Annual cap of $25,000 for multiple violations of the same requirement

12

Potential State AG HIPAA Penalties

• Impermissible disclosure: 2 years * $25K = $50K

• Risk analysis: 6 years * $25K = $150K

• Risk management plan: 6 years * $25K = $150K

• Information system activity review: 6 years * $25K = $150K

• Failure to protect from malicious software: 6 years * $25K = $150K

• Per State Subtotal = $650K

• Total for 22 states = $14.3M

13

And then there’s the FTC …

• If breached entity is for-profit entity, FTC can claim lack of security was unfair or deceptive trade practice.

• Standard 20-year consent order (potentially requiring independent monitoring).

• In Henry Schein Practice Solutions, Inc., FTC required payment of $250,000 to a redress fund.

14

Welcome to California …

125,000 of the affected patients reside in California.

15

Welcome to California …

125,000 x ($1,000 + $3,000 + $1,000) = $625M

17

And don’t forget about …

• Breach notification costs

• Credit monitoring costs

• Breach notification legal costs

• Legal costs for handling multiple regulatory investigations

• Legal costs for class action defense

18

What the Law Requires

HIPAA Provides a Minimal Baseline:

• Substantial flexibility and technology neutral

• Provides discretion to not implement certain technology based on a risk-based approach

• Does not clearly require due diligence of vendors

• Does not require active monitoring of vendors – only requires action upon learning of a violation

20

But Don’t Let HIPAA’s Flexibility Fool You…

• For “accurate and thorough” risk analysis, OCR expects you to document how you are addressing every reasonably-anticipated risk.

• While not directly liable for most business associates’ actions, HIPAA may lead to substantial reputational harm and breach notification costs based on BAs’ violations

21

FTC Applies More Stringent Standards than HIPAA

• Section 5 authority is inapplicable to non-profits.

• No clear information security standards.

• Expects “defense in depth.”

• In GMR Transcription, complaint alleged a lack of active monitoring of a subcontractor business associate.

• In Henry Schein Practice Solutions, complaint faulted business associate for encryption that did not satisfy NIST standards.

22

Successes and Failures of Class Actions

Limited Plaintiff Successes Absent Clear Damages

• AvMed $3 million settlement (1.2 million affected customers, claim of unjust enrichment based on premiums allegedly not going towards adequate information security) (2014)

• Stanford $4 million settlement (20,000 patients, settlement mostly paid by Stanford’s vendors) (2014)

23

Successes and Failures of Class Actions

Limited Plaintiff Successes Absent Clear Damages (cont’d)

• Boston Medical Center, Superior Court held that plaintiffs had standing to sue based on data exposure (2016)

24

Successes and Failures of Class Actions

Most Cases Dismissed on Lack of Standing

• Clapper v. Amnesty International, U.S. Supreme Court held that individuals potentially subject to surveillance did not have standing based on allegations of possible future injury (2013)

• Numerous cases have dismissed data breach class actions on lack of standing or lack of damages

25

Dodging the CA CMIA Bullet

California Confidentiality of Medical Information Act provides $1,000 per person for negligent disclosure of medical information in the absence of actual damages.

• In Sutter Health, court held that evidence must show that medical information was actually viewed.

• In Eisenhower Med. Ctr., court held that patient demographic information was not “medical information.”

26

To Be Determined

• Successful action under CMIA? Will court award millions in absence of any actual damages?

• Spokeo v. Robins, U.S. Supreme Court addresses whether consumer class can sue for monetary damages w/o identifiable financial or personal injuries.

27

The Value of Best Practices

A Robust Cyber Security Program:

• Legal risks follow real risks – and health care hacking is on the rise.

• Tougher regulators are increasing legal risks from data breaches.

• Doing the bare minimum will lead to:

– High breach notification incidents and costs

– High litigation costs defending claims of negligence

– Fights with regulators over what is required

• Cyber insurance carriers may require more and more

29

Convincing the C-Suite/Board

• Inform:

– Evidence of increasing threats to health care data

– Increasing level of enforcement among more regulators

• Quantify:

– How much a breach will cost vs. risk reduction through InfoSec investment

– Focus on return on investment

• Progress Reports:

– What is the current profile?

– What is the target profile?

– How are we progressing towards the target?

30

The Role of NIST

The Role of NIST

• NIST standards are not required for private entities, unless incorporated through contract, but …

• A good set of tools for improving cyber security;

• A good proxy for industry best practices; and

• Agencies such as the FTC are increasingly expecting NIST-level safeguards.

32

NIST Cyber Security Framework

Framework Core: • Identify • Protect • Detect • Respond • Recover

33

NIST Cyber Security Framework

Framework Implementation Tiers: • Partial (Tier 1) • Risk Informed (Tier 2) • Repeatable (Tier 3) • Adaptive (Tier 4)

34

NIST Cyber Security Framework

Framework Profile: • Current Profile • Target Profile • Comparison of Profiles

35

NIST Cyber Security Framework

Framework steps for establishing or improving a cybersecurity program:

1. Prioritize and Scope
2. Orient
3. Create a Current Profile
4. Conduct a Risk Assessment
5. Create a Target Profile
6. Determine, Analyze, and Prioritize Gaps
7. Implement Action Plan
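The Current/Target Profile comparison on the Framework Profile slide, steps 3 to 7 above, and the three progress-report questions on the C-Suite/Board slide all reduce to the same small computation, shown here as an added worked example that is not part of the presentation or of NIST’s own material. The subcategory identifiers follow the CSF 1.0 naming (ID.AM-1, PR.AC-4, DE.CM-1, ...), but the tier values, the risk scores and the choice of subcategories are assumptions constructed for illustration; they are weighted towards the controls the spear-phishing scenario earlier in the deck walked through.

```python
"""Added example: NIST CSF profile gap analysis (not from the slides).

Subcategory IDs follow the CSF 1.0 naming; the tier values and risk
scores below are constructed sample data, not a real assessment.
"""
from dataclasses import dataclass

# Framework Implementation Tiers, used here as the per-subcategory scale.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

# Constructed Current Profile (step 3): where the organization is today.
CURRENT_PROFILE = {
    "ID.AM-1": 3, "ID.RA-1": 2,                 # Identify
    "PR.AC-4": 1, "PR.AT-1": 2,                 # Protect
    "DE.CM-1": 1, "DE.CM-4": 2, "DE.AE-3": 1,   # Detect
    "RS.RP-1": 2,                               # Respond
    "RC.RP-1": 3,                               # Recover
}

# Constructed Target Profile (step 5): management wants Tier 3 everywhere.
TARGET_PROFILE = {sub: 3 for sub in CURRENT_PROFILE}

# Constructed risk scores (likelihood x impact, 1-25) from step 4. The high
# scores sit on least privilege, network monitoring and malware detection,
# the controls the phishing / admin-credential / four-month-dwell scenario
# would have exercised.
RISK_SCORES = {
    "PR.AC-4": 20, "DE.CM-1": 20, "DE.CM-4": 16,
    "PR.AT-1": 12, "DE.AE-3": 12, "ID.RA-1": 9, "RS.RP-1": 6,
}


@dataclass(frozen=True)
class Gap:
    subcategory: str
    current: int
    target: int
    risk: int

    @property
    def function(self) -> str:
        """Two-letter Function prefix: ID, PR, DE, RS or RC."""
        return self.subcategory.split(".")[0]

    @property
    def delta(self) -> int:
        return self.target - self.current

    @property
    def priority(self) -> int:
        """Tier shortfall weighted by the risk it leaves open."""
        return self.delta * self.risk


def find_gaps(current, target, risk):
    """Step 6: compare the two profiles and rank the shortfalls."""
    gaps = []
    for sub, tgt in target.items():
        cur = current.get(sub, 1)  # absent from Current Profile counts as Tier 1
        if not (1 <= cur <= 4 and 1 <= tgt <= 4):
            raise ValueError(f"{sub}: tiers must be between 1 and 4")
        if cur < tgt:
            gaps.append(Gap(sub, cur, tgt, risk.get(sub, 1)))
    # highest priority first; alphabetical within a tie for a stable report
    return sorted(gaps, key=lambda g: (-g.priority, g.subcategory))


def progress_report(current, target):
    """Board progress figure: percent of subcategories at target, per Function."""
    met, total = {}, {}
    for sub, tgt in target.items():
        fn = sub.split(".")[0]
        total[fn] = total.get(fn, 0) + 1
        if current.get(sub, 1) >= tgt:
            met[fn] = met.get(fn, 0) + 1
    return {fn: round(100 * met.get(fn, 0) / total[fn]) for fn in total}


def action_plan(gaps, top_n=3):
    """Step 7: the first items to fund, as (subcategory, from-tier, to-tier)."""
    return [(g.subcategory, TIERS[g.current], TIERS[g.target]) for g in gaps[:top_n]]


if __name__ == "__main__":
    gaps = find_gaps(CURRENT_PROFILE, TARGET_PROFILE, RISK_SCORES)
    for g in gaps:
        print(f"{g.subcategory}: Tier {g.current} -> {g.target}"
              f"  risk={g.risk:2d}  priority={g.priority}")
    print(progress_report(CURRENT_PROFILE, TARGET_PROFILE))
    print(action_plan(gaps))
```

Ranking the shortfall by delta times risk rather than by delta alone is the point of step 4 feeding step 6: a one-tier gap on a high-risk subcategory outranks a two-tier gap on a low-risk one. The per-Function percentage is the figure to carry into the progress reports the C-Suite slide asks for; a subcategory missing from the Current Profile is deliberately scored as Tier 1 rather than ignored, so undocumented areas show up as gaps instead of disappearing.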

36

NIST, http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

37

Stay Tuned

• Section 405 of Cybersecurity Act of 2015

– HHS to work with NIST to create information for health care industry stakeholders of all sizes for improving preparedness for, and response to, cybersecurity threats affecting the health care industry

– Statute states that any new standards will be consistent with HIPAA but will be optional

38

Resources

• NIST Framework for Improving Critical Infrastructure Cybersecurity, http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

• NIST Guide for Conducting Risk Assessments (SP 800-30 Rev. 1), http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf

• Cybersecurity Information Sharing Act (part of Pub. L. 114-113), https://www.congress.gov/114/bills/hr2029/BILLS-114hr2029enr.pdf

• HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework, http://www.hhs.gov/hipaa/for-professionals/security/nist-security-hipaa-crosswalk

39

Questions

Adam H. Greene, JD, MPH

[email protected] 202.973.4213

40