Privacy & Data Security Advisory - September 2008

The Department of Health and Human Services (“HHS”) has entered into its first Resolution Agreement and corrective action plan (“CAP”) under the Security Rule of the Health Insurance Portability and Accountability Act (“HIPAA”). The CAP was signed in July 2008 by HHS and Providence Health & Services (the “Covered Entity”) to settle what HHS described as “potential violations” of HIPAA’s requirements for safeguarding electronic patient data. HHS concerns about such potential violations stemmed from the loss or theft of laptops, optical discs and backup tapes containing the unencrypted medical records of more than 386,000 patients of the Covered Entity. The data loss and/or theft at the Covered Entity was the focus of much media scrutiny, particularly in the Seattle area where many of the patients are located. This CAP is notable as the first Resolution Agreement required by HHS of a covered entity under the HIPAA Privacy and Security Rules.

Data Security Requirements Imposed

Under the terms of the settlement, the Covered Entity agreed to pay $100,000 to settle the alleged violations claimed by HHS. It has also agreed to make a number of changes regarding its information security. Specifically, it has agreed to revamp its security policies to include physical protections for portable devices and for the off-site transport and storage of backup media. The Covered Entity also agreed to implement technical safeguards, such as encryption and password protection. The CAP also requires the company’s chief information security officer to personally validate that all required policies have been put in place and that all employees have been properly trained. In addition, the company must conduct random compliance audits and submit compliance reports to HHS for the next three years, including self-reporting of any violations. Under the Resolution Agreement, there is also a tolling of the statute of limitations on civil monetary penalties to allow for HHS to bring such claims if necessary. Significantly, under the terms of the agreement, the Covered Entity will be unable to contest any of the terms of the CAP in the future.

Implications

This CAP is notable not only because it is the first of its kind but also because it is very stringent in terms of the obligations imposed upon the covered entity. In the past, HHS has been accused of being lax in enforcing HIPAA. However, this CAP signals that HHS may be cracking down on HIPAA violators and getting tough on enforcement. Other recent developments also support this possible trend. For instance, in January, the Centers for Medicare & Medicaid Services (“CMS”), the unit responsible for administering the HIPAA security rule, announced that it had hired PricewaterhouseCoopers to conduct audits on its behalf. At the time, the unit said it planned to do 10 to 20 audits this year at organizations that had been the target of complaints about their data security practices. In addition, last year, HHS disclosed that it conducted a compliance audit on Piedmont Hospital in Atlanta.

Over the years HIPAA has been in force, there has been scant enforcement activity; this case is a startling example of the potential consequences of HIPAA violations. The terms of the CAP are both detailed and strict, and the prohibition on contesting the terms of the CAP means that the Covered Entity will be locked into these requirements for the duration. Given this CAP and the audit activity of HHS, all HIPAA covered entities should conduct an internal compliance review to ensure that they are taking all appropriate measures to comply with HIPAA. Likewise, service providers who are business associates of covered entities should also evaluate their own policies and procedures, as well as their compliance with the terms of business associate agreements they have with covered entities. With concern about this CAP circulating in the healthcare community, it would not be surprising if more covered entities increase audits of the activities of their business associates.

The SEC settled an enforcement action against a firm registered as a broker-dealer and investment adviser for the firm’s failure to adopt policies and procedures reasonably designed to safeguard personal customer information under Rule 30(a) of Regulation S-P (the “Safeguards Rule”). Since July 2001, the Safeguards Rule has required registered broker-dealers and advisers, and other entities subject to SEC regulation, to maintain policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information, and are reasonably designed to insure the security and confidentiality of customer records and information, protect against any anticipated threats or hazards to the security or integrity of customer records and information, and protect against unauthorized access to or use of customer records or information.

In 2005, the SEC amended Regulation S-P to require that these policies and procedures be in writing. (Earlier this year, the SEC proposed amendments to Reg. S-P that would create more specific standards under the Safeguards Rule.) The SEC alleged in this proceeding that the firm failed to maintain adequate written policies and procedures addressing the Safeguards Rule, and failed to respond in a timely and appropriate manner to an internal audit that found weaknesses in the security of the Internet-based trading platform (the “Platform”) the firm’s registered representatives (“RRs”) used to enter customer trades.

Security Breaches in Web-Based Trading Platform . According to the SEC, from July 2007 to February 2008, unauthorized persons accessed and traded, or attempted to trade, in customer accounts by gaining access to 13 RR accounts on the Platform. Once logged on to the Platform, the unauthorized persons placed, or attempted to place, 209 unauthorized trades in 68 customer accounts, and may have had access to non-public information of at least 10,000 customers. Altogether, the unauthorized persons attempted to place over $700,000 in trades in securities of 19 different companies. The firm detected the unauthorized and inappropriate trade requests, most of which were blocked by the Platform. In some cases, however, unauthorized trades were executed through customer accounts. The firm promptly reversed or eliminated the resulting customer positions and compensated the customers for the resulting trading losses, which totaled approximately $98,900.

Inadequacy of Written Policies and Procedures . The SEC found that the firm had failed to have a customer information policy for its employees and branch RRs describing its overall program that complied with the Safeguards Rule. Although the firm had some documents addressing policies for safeguarding customer records and information, those documents did not constitute, either individually or in combination, a complete set of policies and procedures addressing administrative, technical and physical safeguards reasonably designed to protect customer records and information at the firm’s branch offices. Among other things, these documents included only limited and insufficient written materials (and, in some instances, only suggestions or recommendations, as opposed to mandates) regarding safeguarding customer information. In addition, when Regulation S-P was amended in 2005 to require that policies and procedures for safeguarding of customer information be written, the firm failed to comply.

Internal Audit Report Identifies Deficiencies in Trading Platform Security . In mid-2006, the firm conducted an internal audit that identified inadequate security controls to safeguard customer information at its branch offices. The internal auditors identified the following weaknesses: (i) RR passwords did not meet industry standards for so-called “strong” passwords, because, among other things, the passwords had no requirements on length or alphanumeric/special character combinations; (ii) passwords were not set to expire after a certain period of time; (iii) users could not change their own passwords; and (iv) there was no automatic lockout feature related to unsuccessful login attempts. In addition, over 300 of the firm’s information technology employees had access to a list of Platform passwords, and a number of former employees likely had access to such a list before leaving the firm. The firm’s internal auditors further observed that the Platform’s automatic session timeout limit of eight hours was believed to be significantly longer than the timeout periods used by other financial services firms for similar applications. The audit concluded that weaknesses in the Platform’s security would increase the likelihood that unauthorized persons could obtain confidential information and make unauthorized trades.

Failure to Take Prompt, Appropriate Corrective Action . According to the SEC, a written report of the internal audit was finalized and provided to the firm’s Chief Information Officer in December 2006. In early 2007, the report was shared with members of the firm’s senior management, and later in May 2007, the report was presented to the firm’s executive risk committee. Among the specific risks identified for both senior management members and the executive risk committee were risks that (i) an intruder could hack into the Platform and cause financial loss to advisers and customers; and (ii) an unauthorized individual could steal client information or execute unauthorized trades. The firm’s executives were further warned that more than 90% of all security breaches involved loss of information in digital form. The firm’s enterprise risk management organization cautioned that further review of access control issues for the Platform identified in the audit report could lead to a finding or opinion by its independent auditors that the firm had ineffective controls. The firm’s internal audit department reported that password complexity controls and session inactivity controls for the Platform could be implemented at an estimated cost exceeding $500,000. In June 2007, the firm created a separate committee to evaluate and implement security for the Platform.

Violations and Sanctions . The SEC found that the firm willfully violated the Safeguards Rule and, in particular, that the firm’s failure to take immediate corrective action in response to the weaknesses identified in the internal audit by the time of the security breach in July 2007 constituted reckless disregard of its duties under the Safeguards Rule. Under the terms of the settlement, which reflected the SEC’s consideration of the firm’s remedial efforts and cooperation, the firm is subject to a cease and desist order and censure, and will be required to pay a penalty of $275,000. The firm also agreed to undertake the following remedial measures: (i) devising and implementing a policy and a set of procedures for training employees and RRs on safeguarding customer records and information; and (ii) engaging an independent consultant to review the firm’s written policies and procedures relating to the Safeguards Rule, and to make recommendations designed to assure the policies and procedures comply with the Safeguards Rule.

Beginning on October 1, 2008, Nevada law will require that certain personal information be encrypted before the information can be transmitted electronically. The encryption requirements were originally enacted in 2005 as part of a broad identity theft prevention law that also included security breach notification requirements but only become effective as of October 1, 2008.

The new encryption requirements apply to a “business in [Nevada].” This term appears narrower than those “doing business” in Nevada, making it possible that businesses without a physical presence in the state may not be covered. For those businesses subject to the law, the encryption requirement appears to apply to all personal information, and not just the personal information of customers residing in Nevada. Enforcement of the encryption requirement is uncertain since the law does not explicitly address which, if any, government entity may enforce the law and the law contains no penalty provisions. While the section falls under the Miscellaneous Trade Regulations and Prohibited Acts chapter, this chapter also does not include any generally applicable penalty provisions.

The law, codified at Nev. Rev. Stat. § 597.970, will prohibit those within its scope from transferring “any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.” “Personal information” is defined  in the same way as it is in the state’s security breach notice requirements, namely, as “a natural person’s first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted:

• Social security number or employer identification number.
• Driver’s license number or identification card number.
• Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person’s financial account,” but excludes “publicly available information that is lawfully made available to the general public.”

The measure, by reference, defines “encryption” as “the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant, to:

• Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound;
• Cause or make any data, information, image, program, signal or sound unintelligible or unusable; or
• Prevent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system or network.”

This new Nevada measure is yet one more reason to consider whether your enterprise is doing all that is required and/or recommended to ensure the protection of data in its possession. Given the protection that encryption affords and the continuing risks to information security, it is plausible that other jurisdictions may follow suit and impose similar requirements. In fact, measures are already being considered in Washington and Michigan.