FMG Law Blog Line

Archive for the ‘Cyber, Privacy, & Security’ Category

Deadline Approaching for Small Breach Notification

Posted on: February 14th, 2017

By: Jeremy W. Rogers

HIPAA covered entities, which are health care providers, health plans, and health care clearinghouses, are required to report “small” data breaches of unsecured protected health information by March 1, 2017. Covered entities must report these breaches, defined as a breach that involves fewer than 500 individuals, to the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”). This deadline applies to breaches that were discovered in 2016, and the deadline is fast approaching.

In the past, while it should never have been treated as such, some covered entities may have looked at the small breach reporting deadline as not terribly important. Events over the past several months should have changed this attitude to a great degree and emphasized the importance the OCR places on timely reporting.

First, in August 2016, the OCR announced an important change in emphasis toward breaches affecting fewer than 500 individuals. At the time of the announcement, the OCR, through its regional offices, began an initiative to more widely investigate such breaches. The regional offices retained discretion on prioritizing which small breaches to investigate, but the directive set forth was that each office was to increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance through more widespread investigation of small breaches.

Second, in the first resolution agreement announced in 2017, one covered entity agreed to settle potential violations of the HIPAA breach notification rules. This case was the first HIPAA enforcement action for untimely breach notification and resulted in a settlement approaching $500,000.00 in addition to implementation of a corrective action plan.  While the case did not involve untimely reporting of small breaches (the covered entity failed to timely report breaches affecting more than 500 individuals), it does illustrate quite nicely just how important the OCR believes timely reporting to be.

It should be noted, although not applicable for 2017, that a covered entity is not required to wait until the deadline to report breaches and, in many instances, should consider reporting them closer to the date of discovery. A breach is considered “discovered” on the date when any workforce member or agent of the covered entity gains direct knowledge of the breach.  Also, a covered entity is considered to have “discovered” the breach if it would have gained direct knowledge through the exercise of reasonable diligence.  This means a covered entity cannot simply put its head in the sand and claim it did not have knowledge.

With the foregoing information, it is clear that timely reporting of small breaches is imperative. To that end, covered entities must pay particular attention to the approaching March 1, 2017 deadline.

The FMG Data Security & Privacy team is available to help covered entities investigate potential data breaches and comply with all notification and reporting requirements under HIPAA.

Don’t Be a Phishing Victim: IRS Warns of Email Scam This Tax Season

Posted on: February 13th, 2017

By: David Cole

It’s tax season again and the cyber criminals are back at it. According to the IRS, last year’s W-2 spear-phishing scam has returned and is currently making its way across the nation. The IRS and state tax authorities have issued a new alert advising HR and payroll departments to beware of phony emails intended to steal employees’ personal information in their W-2 forms. The phony emails generally appear to be from a senior executive in the company, like the CEO or CFO, and are sent to a company payroll officer or HR employee. The email requests a PDF or list of employee W-2 forms for the tax year. Those forms contain employee names, SSNs, and income information – all of the information a cybercriminal needs to file a fraudulent tax return and collect the refund.

The Federal Bureau of Investigation (FBI) has been tracking the financial impact of scams like this. In June 2016, the FBI estimated that cybercriminals had stolen nearly $3.1 billion from more than 22,000 victims of these types of schemes. Now, the IRS says it is receiving new notifications that last year’s email scam for W-2 records is underway for a second time. The IRS urges company payroll officials to double check any executive-level or unusual requests for lists of W-2 forms or SSNs.

To help you be aware, the following are some of the details that may be contained in the emails:

  • Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
  • Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
  • I want you to send me the list of W-2 copy of employees wage and tax statement for 2016, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.

These incidents not only create headaches and worry for employees, but they also constitute data breaches reportable under state law because personal information has been exposed to an unauthorized individual and the risk of identity theft is high. Last year’s incidents also resulted in class action lawsuits by employees against some of the victimized companies.

The challenge in guarding against this scam is that the emails look legitimate. The header of the email may look exactly as you would expect, mirroring the company fonts and signature blocks, and containing the actual email address of the spoofed executive in the “From:” line. Often, the return email address won’t be visible until after the reply is sent unless the user specifically expands the address field. If you look carefully, it is likely that the domain name is a few characters different from the company’s actual domain name, such as substituting the number “1” for the letter “l” or replacing a “.org” with a “.com”.

Businesses should train employees—and particularly HR and payroll employees who handle sensitive information—to be wary of email requests like this from company executives. Make them aware of this scam and ones like it, and teach them to be skeptical. A good practice is to require that the employee obtain verbal authorization, preferably in person, from the requesting person to verify that the request is legitimate before sending any response. Your company’s IT department also should be monitoring for phishing trends and remaining on the alert for suspicious outgoing activity, including large files or attachments.
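As an added illustration (not part of the original post or the IRS alert), the check below automates the two tells the post describes: a Reply-To domain that differs from the visible From domain, and a look-alike domain that differs from the corporate domain by a character swap (“1” for “l”) or TLD (“.org” for “.com”). The domain `example.com`, the homoglyph table and the sample message are constructed assumptions for the example; the function could run in a mail-filter or SOC triage script.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Look-alike substitutions commonly used in spoofed domains (assumed table for
# this example; extend it with whatever your own incidents have shown).
HOMOGLYPHS = {"1": "l", "0": "o", "rn": "m", "vv": "w"}

# Constructed sample of a W-2 request whose hidden Reply-To points elsewhere.
SAMPLE_EMAIL = """\
From: "Jane Doe, CEO" <jane.doe@example.com>
Reply-To: jane.doe@examp1e.com
To: payroll@example.com
Subject: Quick request

Kindly send me the 2016 W-2 (PDF) of all staff for a quick review.
"""

def normalize(label):
    """Fold look-alike characters so 'examp1e' compares equal to 'example'."""
    folded = label.lower()
    for fake, real in HOMOGLYPHS.items():
        folded = folded.replace(fake, real)
    return folded

def check_w2_request(raw_message, corporate_domain):
    """Return a list of findings for an inbound message; empty means no tell found."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", "") or from_addr)
    from_dom = from_addr.rpartition("@")[2].lower()
    reply_dom = reply_addr.rpartition("@")[2].lower()
    findings = []
    # Tell 1: replies go to a different domain than the one shown in From.
    if reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from From domain {from_dom}")
    # Tell 2: a domain that is the corporate name after homoglyph folding but is
    # not the corporate domain (different characters or a different TLD).
    corp_label = corporate_domain.lower().split(".")[0]
    for dom in {from_dom, reply_dom}:
        if dom != corporate_domain.lower() and normalize(dom.split(".")[0]) == normalize(corp_label):
            findings.append(f"look-alike domain {dom} resembles {corporate_domain}")
    # Tell 3: the body asks for W-2 or Social Security data.
    body = msg.get_payload() if not msg.is_multipart() else ""
    if re.search(r"\bW-?2\b|social security", body, re.IGNORECASE):
        findings.append("body requests W-2 / SSN data; verify verbally before replying")
    return findings

if __name__ == "__main__":
    for finding in check_w2_request(SAMPLE_EMAIL, "example.com"):
        print("FLAG:", finding)
```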

The FMG Data Security & Privacy team is here to help with employee training or preparing a plan to respond to an incident.

Widespread Data Hacks Need to Serve as a Reminder to Strengthen Employee Email and Password Policies

Posted on: December 29th, 2016

By: Melissa A. Santalone

With its second large-scale hack announced on December 14, which this time reportedly compromised more than 1 billion user accounts, Yahoo’s latest cybersecurity conundrum should serve as a reminder to organizations large and small that strong employee email policies are needed to protect confidential and sensitive data. The most recently announced hack into Yahoo’s user accounts, the second announced in the last four months, reportedly exposed the account information of 150,000 government and military employees, including information such as the employees’ names, passwords, phone numbers, birthdates, security questions, and back-up email addresses. These government and military employees provided Yahoo with their official work email addresses as back-ups in case they were ever locked out of their Yahoo accounts. With this hack, a “hit list” of these official email addresses can be compiled to launch targeted hacking attempts on known government and military accounts in an attempt to obtain sensitive information. While the stolen passwords may be subject to at least some encryption, a real risk of compromise exists to government and military email accounts if the users of those accounts happen to use the same passwords for both their Yahoo and work email accounts.

While the latest Yahoo hack again highlights the potential pitfall of employees using work email addresses in their personal lives, this issue has been raised before in the hacks of user accounts with Ashley Madison and LinkedIn, among others.  In both those hacks, user email addresses were exposed and many of those addresses were corporate email accounts. When the passwords associated with the Ashley Madison or LinkedIn profiles were also exposed and the users reused those same passwords for their corporate accounts, hackers may have gained easy access into corporate emails and possibly even corporate computer systems.

Remember, to some degree, your organization’s cybersecurity is only as strong as your employees’ weakest password. Thus, in order to better protect your organization, you can:

  • Set a policy prohibiting employees from associating their work email accounts with any external services, whether as the primary login or even just as a back-up email account for recovery purposes;
  • Establish and enforce password policies for all of your corporate user accounts (emails, network logins, etc.) that impose minimum password strength requirements and the resetting of passwords after a short, fixed time period, such as 90 days; and
  • Educate your employees about the risks posed by password reuse across various accounts and require them to use unique passwords for their work accounts that are not used with any other personal account.

For help in drafting or reviewing cybersecurity policies to protect your organization, please contact one of the attorneys in our Cyber Liability, Data Security & Privacy team.

FCC Chairman Wheeler Announces Plan to Step Down

Posted on: December 15th, 2016

By: Matthew N. Foree

Today, the Federal Communications Commission (“FCC”) issued a statement that Chairman Tom Wheeler, a Democrat who has held the position for more than three years, has announced that he intends to leave the FCC on January 20, 2017.

As part of the announcement, Chairman Wheeler issued the following statement: “Serving as F.C.C. Chairman during this period of historic technological change has been the greatest honor of my professional life. I am deeply grateful to the President for giving me this opportunity. I am especially thankful to the talented Commission staff for their service and sacrifice during my tenure.  Their achievements have contributed to a thriving communications sector, where robust investment and world-leading innovation continue to drive our economy and meaningful improvements in the lives of the American people.  It has been a privilege to work with my fellow Commissioners to help protect consumers, strengthen public safety and cybersecurity, and ensure fast, fair and open networks for all Americans.”

Chairman Wheeler was involved in the FCC’s controversial July 2015 Declaratory Ruling and Order (“Declaratory Ruling”), which clarified its position on several issues related to the Telephone Consumer Protection Act (“TCPA”) as reported previously. An appeal of the Declaratory Ruling is currently pending before the U.S. Court of Appeals for the D.C. Circuit.

Chairman Wheeler’s intent to leave the FCC creates an interesting issue as to his successor and the political majority of the Commission. Currently, the Commission includes three Democrats and two Republicans.  Significantly, the Senate took no action to reconfirm Democrat Commissioner Jessica Rosenworcel, meaning that she will be leaving the FCC.  Wheeler and Rosenworcel’s vacancies will leave the Commission with a 2-1 Republican majority until President-Elect Trump fills out the Commission. The vacancies would enable President-Elect Trump, whose campaign is currently involved in TCPA litigation, to appoint two more Republican Commissioners who may be more willing to constrain the interpretation of the TCPA and ultimately end the statute’s boon to plaintiffs’ counsel.  We will continue to monitor this issue and report on any significant developments.

California Strengthens Data Breach Notification Law, Again

Posted on: December 14th, 2016

By: Kacie L. Manisco

On January 1, 2017, California’s data breach notification law will become even more stringent than it already is, requiring notification to individuals in some instances when encrypted personal information has been breached.

California’s current data breach notification law requires agencies, persons, and companies that conduct business in California, and that own or license computerized data that includes personal information (“Covered Entities”) to notify individuals whose personal information has been compromised, only where unencrypted information has been accessed.  This mirrors the majority of other data breach notification laws that provide a safe harbor for encrypted data that is lost or stolen.

The amendments to California’s law, however, will now require Covered Entities to provide notification of a breach to affected individuals whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person if “the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the person, business, or agency that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or useable.”  In other words, beginning on January 1, there will no longer be a safe harbor in California for a breach of encrypted data if the Covered Entity knows or has a reasonable basis for believing that the unauthorized person also gained access to the encryption key.

In light of these changes, Covered Entities should review their data security measures and response plans to ensure that they are prepared for and can respond efficiently to a data breach, and detect when one occurs. All organizations also must be attentive to the ever-changing notice requirements under state and federal data breach notification laws. Indeed, this amendment marks the sixth time that California has amended its data breach notification statute since its inception in 2002. Working with experienced and knowledgeable cyber attorneys is important in that regard, and the attorneys in our Cyber Liability, Data Security & Privacy team keep up to date on all of these changes and other developments in the law. Please contact us to discuss how we can help your organization.

For any questions you may have please contact Kacie Manisco at kmanisco@fmglaw.com.