FMG Law Blog Line

Archive for the ‘Cyber, Privacy, & Security’ Category

$1 Million Settlement for HIPAA Violations is Cautionary Tale

Posted on: November 2nd, 2020

By: Amy Bender

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that insurance giant Aetna will pay $1,000,000 to settle HIPAA violations stemming from the following three disclosures of nearly 19,000 plan members’ protected health information (PHI):

  • Two web services used to display plan-related documents to health plan members allowed documents to be accessible without login credentials and indexed by various internet search engines
  • Benefit notices were mailed to members using window envelopes that displayed the words “HIV medication”
  • The envelope of a research study mailing that was sent to members contained the name and logo of the atrial fibrillation (irregular heartbeat) study in which they were participating

OCR determined that Aetna had committed the following HIPAA breaches:  

  • Impermissible disclosures of PHI
  • Failure to perform a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of PHI
  • Failure to implement procedures to verify that a person or entity seeking access to PHI is the one claimed
  • Failure to limit the PHI disclosed to the amount reasonably necessary to accomplish the purpose of the use or disclosure
  • Failure to have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI

In addition to paying the hefty fine, Aetna must implement a corrective action plan that includes implementation of, distribution of, and workforce training on written policies and procedures relating to privacy of PHI.

A copy of the settlement agreement and corrective action plan is posted on OCR’s website, available here.

This settlement is yet another reminder to HIPAA-covered entities to be vigilant in maintaining the privacy of PHI. Violations can be costly and result in negative publicity. Freeman Mathis & Gary’s Data Security, Privacy & Technology practice group can assist your organization with implementing data security policies and procedures, other preventative measures, and remedial efforts following a data breach. Please contact Amy Bender at [email protected] for more information.

Central Bank Digital Currency: Oxymoron or Near Reality?

Posted on: October 22nd, 2020

By: Peter Dooley

In a sharp change of course and softening of rhetoric, Federal Reserve Chair Jerome Powell gave a speech on Monday, October 19th at the International Monetary Fund’s Annual Meeting in which he left the door open to the creation of a digital currency backed by the central bank in the near future. The idea of a central bank digital currency, which has been given the catchy abbreviation CBDC, is not a novel idea, but the consistent reluctance of the U.S. Federal Reserve to wade more than ankle-deep into the world of digital currencies makes Powell’s comment particularly noteworthy. The Federal Reserve’s prior hesitancy has quickly given way to comments about “carefully and thoughtfully evaluating the potential costs and benefits of a central bank digital currency for the U.S. economy and payments system.”

This movement towards further exploration of digital currencies is not just a policy stance change for the Federal Reserve; it also feels odd given the origin of digital currency and the underlying blockchain technology. A digital currency backed by the U.S. government is a far cry from the origins of blockchain, Bitcoin, and the decentralized, unregulated wild-west conditions that birthed most cryptocurrencies around today. Regardless of the loss of outlaw appeal, the potential benefits that a centralized digital currency could bring in terms of speed of international payments, increased efficiency of record storage and verification, and the general improvement in cyber-security and privacy for which blockchain and digital currencies are known may be too advantageous for governments to pass up.

The U.S. is not alone in its efforts either, as nations such as Canada, Sweden, China, and Japan are already in the experimentation phase with their own government-backed digital currencies. Despite the newfound love for digital currencies, the Federal Reserve continues to make it clear that a potential digital currency would not be “a replacement for cash, and current private-sector digital forms of the dollar, such as commercial bank money.” Experimentation will be important, but a larger source of delay is likely to be in drafting the extensive regulations surrounding the digital currency while simultaneously assuring that these regulations and payment processes are consistent with International Monetary Fund agreements and other international frameworks and treaties.

A U.S. CBDC is in no way a sure thing, but these statements showing interest and experimentation with the likes of MIT give reason to believe that the Federal Reserve is seriously warming up to digital currencies. In addition, the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) recently decided to further regulate and place sanctions on payments of malware ransoms through digital currencies, and this move further illustrates the federal government’s new desire to stake its claim in this sector. These first-of-their-kind sanctions are explained in detail in the recent blog post of Caitlin Tubbesing. While it is also not likely that the U.S. will have one of the first CBDCs in circulation, the Federal Reserve’s shifting tone lends further credence to the idea and provides reason for optimism about wide-scale implementation of blockchain and digital currencies on a national level in the not-too-distant future.

As governments and businesses continue to increase their involvement in the sector of blockchain and digital currencies, it is important to stay up-to-date and vigilant for any ways this could affect your company’s cyber-security and its policies and procedures in general.

If you have questions or would like more information, please contact Peter Dooley at [email protected].

Eleventh Circuit Rejects Class Action Representative’s Incentive Award

Posted on: October 12th, 2020

By: Matthew Foree

The Court of Appeals for the Eleventh Circuit recently confronted the issue of incentive awards commonly given to class representatives as part of class-wide settlements. The court held in Johnson v. NPAS Sols., LLC, which can be found here, that such an award was inappropriate. 

Plaintiff Charles T. Johnson filed the underlying case as a Telephone Consumer Protection Act (“TCPA”) class action. The case proceeded to the settlement phase during which Johnson moved to certify the class for settlement purposes. The trial court preliminarily approved the settlement and certified the class. The court also appointed Johnson as the class representative and permitted him to petition the Court to receive an amount not to exceed $6,000 as an incentive award to acknowledge his role in prosecuting the case on behalf of the class members. Such awards are common in the class action context. 

After the class members were notified of the settlement, only one class member, Jenna Dickenson, objected to the settlement. This class member, the appellant in the Eleventh Circuit case, objected to the settlement on various grounds, including that the incentive award contravened U.S. Supreme Court precedent and created a conflict of interest between Johnson and the other class members. The trial court overruled the objection and approved the settlement. Dickenson filed the present appeal.

In reviewing the issue, the Eleventh Circuit considered Dickenson’s argument that the trial court’s approval of the incentive award contravened Supreme Court precedent. The court considered the two cases that Dickenson relied on, both of which were decided in the late 1800s. See Trustees v. Greenough, 105 U.S. 527 (1882) and Central Railroad & Banking Co. v. Pettus, 113 U.S. 116 (1885). The Eleventh Circuit determined that Greenough and Pettus established limits on the types of awards that attorneys and litigants can recover. Specifically, the Eleventh Circuit determined that Greenough and Pettus provide a rule that a “plaintiff suing on behalf of a class can be reimbursed for attorneys’ fees and expenses incurred in carrying on the litigation, but he cannot be paid a salary or be reimbursed for his personal expenses.” The court analogized an incentive award for a class representative to a salary for “personal services” prohibited by the Supreme Court. Interestingly, the court stated that modern-day incentive awards present more pronounced risks than salary and expense reimbursements, as they not only “compensate class representatives for their time (i.e., as a salary), but also to promote litigation by providing a prize to be won (i.e., as a bounty).” Accordingly, the court reversed the lower court’s approval of the incentive award.

The Eleventh Circuit’s decision in Johnson comes as somewhat of a surprise, given the proliferation of incentive awards in the TCPA class action context. It remains to be seen how broadly this case will be interpreted and whether other courts will use this reasoning to prevent such awards. It also remains to be seen how this will affect the “incentive” for individuals to serve as class representatives, at least in cases in the Eleventh Circuit.

If you have questions or would like more information, please contact Matthew Foree at [email protected].

Pandemic Brings Increase in Ransomware Payments Prompting New Advisories from OFAC and FinCEN on Sanctions Risks

Posted on: October 12th, 2020

By: Caitlin Tubbesing

On October 1st—the first day of National Cybersecurity Awareness Month—the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) and Financial Crimes Enforcement Network (FinCEN) warned companies working with victims of ransomware attacks of potential sanctions for facilitating ransomware payments. Ransomware attacks have increased during the COVID-19 pandemic and the resulting shift to remote operations, as cyber actors target the online systems companies rely on to conduct business. The guidance provides a timely warning to cyber insurers, digital forensics firms, and financial services institutions that payment of a ransom to a sanctioned jurisdiction or individual may be a violation of OFAC regulations and federal law, which could result in sanctions.

As a part of its sanctions program, OFAC has a database of designated malicious cyber actors, including perpetrators of ransomware attacks and facilitators of ransomware transactions, and imposes sanctions on those “who materially assist, sponsor, or provide financial, material, or technological support for these activities.” Pursuant to the International Emergency Economic Powers Act and the Trading with the Enemy Act, individuals and entities are prohibited from engaging in direct or indirect transactions with those on OFAC’s Specially Designated Nationals and Blocked Persons List, in addition to other blocked persons and those covered by a national or regional embargo. OFAC may impose civil penalties for violating these federal laws irrespective of whether the party knew, or even had reason to know, that it was engaging in a transaction with a prohibited individual, entity, or jurisdiction.

The sanctions are intended to target and temper the proliferation of ransomware attack payments, which implicate significant national security concerns. Payments made to sanctioned persons or jurisdictions could be used to fund activities adverse to American interests and policy objectives. Payments may also encourage cyber actors to continue to engage in these attacks. In addition to the national security nexus, OFAC observed that payments are no guarantee that access to stolen data will be restored to the ransomware attack victim.  

Companies working with ransomware attack victims should account for the sanctions risks associated with ransomware payments and implement a risk-based compliance program incorporating the following five components: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training. Victims and companies involved in responding to ransomware attacks should also report attacks to OFAC and law enforcement, and are encouraged to cooperate with law enforcement before and after the attack. Financial companies responsible for facilitating ransomware payments should determine whether filing a Suspicious Activity Report (SAR) with FinCEN is proper or required.

If you have questions or would like more information, please contact Caitlin Tubbesing at [email protected].

Additional Information:

FMG has formed a Coronavirus Task Force to provide up-to-the-minute information, strategic advice, and practical solutions for our clients.  Our group is an interdisciplinary team of attorneys who can address the multitude of legal issues arising out of the coronavirus pandemic, including issues related to Healthcare, Product Liability, Tort Liability, Data Privacy, and Cyber and Local Governments.  For more information about the Task Force, click here.

You can also contact your FMG relationship partner or email the team with any questions at [email protected].

**DISCLAIMER: The attorneys at Freeman Mathis & Gary, LLP (“FMG”) have been working hard to produce educational content to address issues arising from the concern over COVID-19. The webinars and our written material have produced many questions. Some we have been able to answer, but many we cannot without a specific legal engagement. We can only give legal advice to clients. Please be aware that your attendance at one of our webinars or receipt of our written material does not establish an attorney-client relationship between you and FMG. An attorney-client relationship will not exist unless and until an FMG partner expressly and explicitly states IN WRITING that FMG will undertake an attorney-client relationship with you, after ascertaining that the firm does not have any legal conflicts of interest. As a result, you should not transmit any personal or confidential information to FMG unless we have entered into a formal written agreement with you. We will continue to produce educational content for the public, but we must point out that none of our webinars, articles, blog posts, or other similar material constitutes legal advice or creates an attorney-client relationship, and you cannot rely on it as such. We hope you will continue to take advantage of the conferences and materials that may pertain to your work or interests.**

The Sixth Circuit Takes A Narrow Construction Of The Computer Fraud And Abuse Act And Sides With Employees

Posted on: September 18th, 2020

By: Caitlin Tubbesing and Barry Miller

The Computer Fraud and Abuse Act (CFAA) is a federal law that makes it a violation for an individual to “intentionally access a computer without authorization or exceed authorized access” to obtain protected information. Employers have attempted to rely upon the CFAA for years to pursue former employees who stole (or destroyed) confidential information from the employer’s computer system prior to leaving for a competitor.

The issue that courts have struggled with is as follows: Does an employee who lawfully accesses his employer’s computer system, but engages in actions with a nefarious intent within the confines of that access, violate the Computer Fraud and Abuse Act? That is a lot to chew on, right? Numerous federal courts agree it is a rubbery issue, which is why there are varying decisions by both district and appellate courts across the United States dealing with CFAA claims against former employees.

On September 9, the Sixth Circuit weighed in on this dispute when it held (in Royal Truck & Trailer Sales v. Kraft) that employees who took proprietary information from the network their employer gave them access to, prior to departing for a competitor, did not violate the CFAA. In this case, the Sixth Circuit initially observed that the employees were allowed to access Royal Truck’s system because they were still employees when they did so. So the meatier question for the Sixth Circuit was whether the employees exceeded their authorization when they accessed information for an improper purpose.

The Sixth Circuit answered “no” because the language of the CFAA required Royal Truck to show that the employees used their permitted access to gain information that they were not entitled to have. The information they acquired—quotes for Royal Truck customers—was information they could have when they were employees. The Sixth Circuit joined the Second, Fourth, and Ninth Circuits in narrowly interpreting the statute in this manner.

The Royal Truck court acknowledged, however, that other circuit courts—the First, Fifth, Seventh, Eighth, and Eleventh—read the statute more broadly, and would likely find the Royal Truck employees liable under the CFAA. The Supreme Court has accepted a criminal case, Van Buren v. United States, to be heard in the October 2020 term. While Van Buren is a criminal case, it still allows the Supreme Court to resolve this conflict in how the statute is interpreted. Until then, employers will have to understand the circuit split when assessing whether to pursue this type of claim against former employees.

If you have questions or would like more information, please contact Caitlin Tubbesing at [email protected] or Barry Miller at [email protected].