
06B – DATA INCIDENTS AND LITIGATION Jeffrey L. Poston Partner Crowell & Moring, LLP.


1 06B – DATA INCIDENTS AND LITIGATION
Jeffrey L. Poston, Partner, Crowell & Moring, LLP

2 TYPES OF INCIDENTS
Cyber-Hacking
Employee/Vendor Negligence
– Lost laptop
– Inadvertent transmission
Employee/Vendor Theft

3 BREACH RESPONSE ISSUES
Loss/Theft of Data
– Individual Student Notification
– Insurance Coverage
– OCR/HIPAA
– State AG Enforcement
– Class Actions
– Law Enforcement
– Trade Secret Theft
– Business Reputation
– Vendor Involvement/Indemnity
– Internal Investigation/Forensics

4 RECENT UNIVERSITY BREACHES
Coordinated Attack – 10/13: hackers infiltrated over 50 universities and published sensitive information online, including names, addresses, user names and passwords.
Phishing Scam – 10/13: a phishing scam resulted in the breach of over 3,000 individuals’ personal information; university employees inadvertently gave the attackers access to protected health information.

5 RECENT UNIVERSITY BREACHES (cont’d)
Unauthorized Access – 8/13: an incident at a Midwestern school resulted in unauthorized access to records (including SSNs) of over 60,000 individuals. The school is providing credit monitoring services for one year.
Cyber Attack – 7/13: hackers accessed data of 80,000 university employees through a defect in vendor software. The university is providing credit monitoring services for one year.

6 REGULATORY ACTION
Health and Human Services – college and university hospitals hit with HIPAA fines in 2013:
– A state university in the Northwest settled with HHS for $400,000
– A private university in California experienced a breach with 13,000 compromised records
– A public university in the Midwest experienced a breach of over 3,000 medical records

7 REGULATORY ACTION (cont’d)
State Breach Notification
– Expanded definition of protected information in California: now includes login credentials (a user name or email address together with a password or security question and answer)
– 46 states have breach notification laws
  – Different notification timeframes
  – Disparate state reporting requirements
  – Subject to enforcement actions and fines

8 LITIGATION THREAT
Springer v. Stanford University
– Medical data for 20,000 emergency room patients accidentally sent to a job applicant
– Applicant then posted the information online
– Information exposed for over a year
– $20 million class action suit, pending in the Superior Court of the State of California, County of Los Angeles

9 LITIGATION THREAT (cont’d)
Gross v. University of Hawaii
– 5 alleged data breaches at 4 different University institutions from 2009–2011
– 96,000 individuals affected
– Settled in 2012; credit protection services to affected individuals for two years

10 LITIGATION THREAT (cont’d)
UCLA v. Superior Court of Los Angeles County
– Over 16,000 patient records allegedly compromised by theft of a hard drive
– Damages sought totaled $1,000 per patient, or over $16 million
– California Court of Appeal, 2nd District, dismissed the case on October 15, 2013
– Holding: healthcare providers are not necessarily liable for stolen or misappropriated medical data absent a showing that the data was actually accessed or viewed by an unauthorized person

11 LITIGATION THREAT (cont’d)
Bombardieri v. Emory Healthcare
– Emory University allegedly lost 10 discs containing patient information, including some Social Security Numbers
– Allegation of 300,000 compromised records
– Damages sought totaled $200 million, or $1,000 per patient
– Case dismissed by the Superior Court of Fulton County, Georgia, in 2012

12 CYBER ESPIONAGE
Research universities as targets
– Defense / Homeland Security development grants
– Patents and intellectual property
Unique problems facing universities:
– Open and collaborative work environment
– Foreign professors / students
– Foreign travel

13 CYBER ESPIONAGE (cont’d)
By the numbers:
– One public university in the Midwest reports 90,000–100,000 illegal attempts per day to gain access to its network, originating largely from China
– A California university reports millions of attempts per week
– All universities report exponential growth in the number of attacks and in their sophistication

14 HOW TO MANAGE CRISIS WHEN PII COMPROMISED
1. DO NOT SWEEP UNDER THE RUG
2. BE PREPARED
– Breach Response Plan covering the GC’s Office, Privacy Office, IT and Media Relations
– Training/policies to ensure an incident is reported up the chain
3. INVOLVE IN-HOUSE/OUTSIDE COUNSEL IMMEDIATELY
– Can assert privilege to the maximum extent possible
– Assert privilege over outside consultants (e.g. by retaining forensic consultants through counsel)
– Use counsel to conduct employee interviews
– Assess claims vs. vendors
– Assess need for law enforcement
– Strategize for the long run

15 HOW TO MANAGE CRISIS WHEN PII COMPROMISED (cont’d)
4. INVESTIGATE
– Physical
– Forensics
– What data?
– Whose data?
– Access to vendors
– JDA (joint defense agreement)
5. MITIGATE/REMEDIATE
– Can you recover the data?
– Can you forensically prove the data was not accessed?
– If the cause is technical, can it be fixed?
– First 24–48 hours are critical

16 HOW TO MANAGE CRISIS WHEN PII COMPROMISED (cont’d)
6. NOTIFICATION ISSUES
– HIPAA/OCR?
– State breach notification laws
– FERPA
7. HERE COME THE REGULATORS
– Be proactive with regulators
– Establish a relationship / bring them into the loop
8. INVOLVE CORPORATE COMMUNICATIONS
– States require certain content in notification letters
– Speak with one consistent voice

17 HOW TO MANAGE CRISIS WHEN PII COMPROMISED (cont’d)
9. VENDOR ISSUES
– JDA
– Who is notifying students etc.?
– Indemnity
– Tolling Agreement
10. INSURANCE ISSUES
– Report the incident
– What kind of policy?
  – CGL (commercial general liability)
  – Standard cyber policy

18 EMERGING LITIGATION ISSUES
Typical Claims
– Negligence
– Breach of Contract
– Unfair Trade Practices
– Breach of Privacy
– State Statutes
Threshold issues
– Standing to sue (Federal Court)
– Actual injury or harm (common law claims)

19 EMERGING LITIGATION ISSUES (cont’d)
Class Certification Issues
– Rarely reached (most cases end in dismissal or settlement first)
– Claims often turn on individualized issues of causation and damages
– Thus common questions of law and fact do not predominate over questions affecting individual members
Damages
– Aggregate exposure to nominal damages
– Due process violation?

20 TYPICAL SETTLEMENTS
Non-monetary relief (e.g., credit monitoring)
Monetary payments to privacy non-profits (e.g., Privacy Rights Clearinghouse)
Consent decree requiring security improvements
Attorneys’ fees to plaintiffs’ counsel
Capped individual payments to plaintiffs who can prove causation
