Stephen Treglia
As the new administration continues to set its agenda for the next four years, those who work in the personal information data security field are playing wait and see with the direction future regulatory oversight will take. On the one hand, President Donald Trump repeatedly announced during his campaign that when elected he would substantially abolish business-restricting regulations. And while President-elect, he initially dismissed intelligence reports alleging cyber attacks committed on behalf of the Russian government, thereby permitting an inference that he did not see cyber crime being as pressing an issue as past administrations.
On the other hand, he has seemed more willing recently to acknowledge that nation states could have participated in hacking critical information pertaining to the November election. And despite his frequent discourse about reversing the trend of greater regulation, he made no reference to abolishing rules that protect information privacy.
In light of all the above, what sense can businesses that possess their customers’ or clients’ personal data make of all this? Many entities have either already invested heavily in developing internal policies and security staff to avoid regulatory penalties or civil lawsuits or are planning to do so in the very near future. Should they continue to do so or should they dismantle or halt the process?
While there are no conclusive predictions that can be made just yet, there are several observations to help guide those making such decisions. First and foremost, many cybersecurity laws and regulations cannot be changed by the federal government. Identity theft laws in this country are state-based. All but three (Alabama, New Mexico and South Dakota) have personal information data breach notification laws.
Yes, the president was very vocal during the campaign about specifically repealing the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, which regulates various financial institutions. Even if accomplished, however, it contains no personal data protection provisions. Rather, the Financial Services Modification Act of 1999, more commonly called the Gramm-Leach-Bliley Act (GLBA), does mandate the protection of consumer nonpublic personal information. It requires, inter alia, appointing a designated employee with the responsibility of safeguarding the information, conducting in-house risk analysis and testing those safeguards.
If GLBA is repealed, there still exists an even more detailed and more restrictive set of data protection requirements immediately on the horizon for financial institutions that the federal government cannot abolish. The New York Department of Financial Services (DFS) will be empowered, starting March 1, 2017,[1] to enforce the “Cybersecurity Requirements for Financial Services Companies,” contained in New York Code, Rules and Regulations §500.[2] And New York is not the only jurisdiction imposing its own set of new cybersecurity requirements.
By May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) goes into effect. Its predecessor, the Data Protection Directive of 1995, currently only applies to entities physically located in the EU. The GDPR will instead affect any organization doing business with EU citizens.
Moreover, there is a set of U.S. federal cybersecurity laws and regulations, besides GLBA, that has gone without mention of repeal by the new administration: the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH). While the president and most of the Republican members of Congress have made it clear they intend to repeal the Affordable Care Act of 2009 (ACA), HITECH was not part of the ACA, but part of the American Recovery and Reinvestment Act of 2009.
It is also noteworthy that there is a non-federal aspect at work in the health care data protection realm. The HITECH Act authorized states’ attorneys general to institute their own HIPAA actions, as Accretive Health learned when it faced one such action brought by Minnesota Attorney General Lori Swanson, resulting in a $2.5 million penalty settlement with an agreement not to operate in Minnesota for between two and six years, solely at the discretion of the attorney general. Hence, should this administration minimize the effectiveness of the Office for Civil Rights, the group within the U.S. Department of Health and Human Services responsible for enforcing HIPAA on the federal level, state-level enforcement is still available until HIPAA/HITECH are amended or abolished. In addition, states such as Texas and California have enacted their own versions of health care data protection laws.
FTC and LabMD
Probably the most telling bellwether of the road ahead may be revealed by how the Federal Trade Commission (FTC) proceeds in the future. For a good 20 years, the FTC has been the self-appointed watchdog for ensuring personal information data remain secure from unauthorized access and use, even without any statutory, regulatory or judicial language specifically granting the agency that ability. The FTC has relied on the very broad language in §5 of the FTC Act, which grants the commission the authority to intercede when any “act or practice causes or is likely to cause substantial injury to consumers.”
A case pending since 2010 is currently heading for review before the U.S. Court of Appeals for the Eleventh Circuit and may be the vehicle that provides an answer. Now defunct, Atlanta-based LabMD was a clinical laboratory conducting medical tests on specimens referred to the company by its customers. The FTC complaint alleged two information breaches.
In the first, a cybersecurity firm had located a list containing personal information on about 9,300 patients. It was determined that a LabMD employee had impermissibly downloaded a file-sharing program off the Internet, which caused the data to leak outside the company’s network to computers using the same file-sharing program.
In the second incident, the Sacramento Police Department, while conducting an identity theft investigation, executed a search of a residence in which they found paperwork and checks containing names and information from LabMD’s patients.
In a 92-page decision[3] issued on Nov. 13, 2015, Administrative Law Judge D. Michael Chappell dismissed the FTC’s complaint against LabMD because the agency failed to meet its burden of proving that injury to the patients of LabMD’s customers was either likely or substantial. According to Chappell, no actual harm was suffered by any patient, and the term “likely to cause harm” requires proof of probable, not just possible, harm, which the FTC also failed to prove.
The commissioners reviewed Judge Chappell’s ruling and in a 37-page decision[4] issued on July 29, 2016, reversed it, holding that LabMD’s inadequate cybersecurity practices likely caused substantial harm. The commissioners ruled that the mere unauthorized release of personal medical information constitutes real harm in that it could cause embarrassment or reputational injury, even though there was no proof the data was ever used by any unauthorized person.
The discovery of paper documents by the Sacramento Police was excluded from the commission’s findings, as it was in Judge Chappell’s decision, since there was no evidence the documents were released as a result of a computer intrusion, which was the allegation in the original complaint.
Although the company is no longer doing business, it has maintained the digital data of the work it performed prior to closing its doors for good. Hence, the FTC has issued an order, following last July’s decision, directing LabMD to perform industry-standard cybersecurity measures to be regularly audited at the company’s expense to ensure the data stays secure. LabMD’s CEO, Michael Daugherty, has vowed to continue seeking legal redress and has filed an appeal to the Eleventh Circuit.
This past Jan. 13, 2017, FTC Chairwoman Edith Ramirez, the author of the July 2016 reversal decision, announced her resignation, effective Feb. 10, 2017.[5] This will permit President Trump to appoint a new FTC head. How Ramirez’s successor handles the remainder of the LabMD case and continues to pursue cybersecurity cases in the future will require close watching.
1. The original starting date was Jan. 1, 2017. Upon the request of several industry groups, it was recently pushed back by the DFS, although not as far back as requested, inviting the possibility of further delays. Compliance will be required within 180 days of the effective date.