Dino Tsibouris Mehmet Munur (614) 360-1160 (614) 360-1160 dino@tsibouris.commehmet.munur@tsibouris.com Information Security: Changes in the Law, Cost,

Dino Tsibouris Mehmet Munur (614) 360-1160 (614) 360-1160dino@tsibouris.commehmet.munur@tsibouris.com

Information Security: Changes in the Law, Cost, and Complexity of

Responding to Breaches &

Electronic Discovery: Litigation Holds and More

Information Security

Trends for 2010• Increased federal and state regulation of

information security• Increased enforcement• Increased costs to resolve a breach• Increased compliance complexity

Information Security

Overview• HITECH Act• Enforcement Actions under HITECH• Revisions to State Law on Data Security• Enforcement Actions regarding Financial

Security

HITECH ACT

Amends HIPAA• New breach notification rules• New penalties• Increased levels of minimum security• State Attorney General enforcement• Business Associates must comply

HITECH ACT

Amends HIPAA• Covered Entity must notify individuals

if a breach occurs•Must notify HHS in annual log if less

than 500 individuals•Must notify HHS immediately if over

500 individuals•May need to notify FTC

HITECH ACT

Business Associate Requirements•Must comply with Security Rule

regarding administrative, physical, and technical safeguards• Develop policies• Designate a security official• Enforcement

HITECH ACT

Business Associate Requirements• If your Covered Entity violates your

BAA, you are violating HIPAA•Must cure breach, terminate, or report

to HHS•Must amend Business Associate

Agreements

HITECH ACT

Business Associate Requirements• If the Business Associate has a breach,

then it must notify the HIPAA Covered Entity• Covered Entity must then notify

individuals and HHS

HITECH ACT

Penalties• Tier A – inadvertent - $100 per

violation up to $25,000/yr• Tier B – reasonable cause, not “willful

neglect” - $1,000 per violation up to $100,000/yr

HITECH ACT

Penalties• Tier C – “willful neglect” ultimately

corrected - $10,000 per violation up to $250,000/yr• Tier D - “willful neglect” uncorrected -

$50,000 per violation up to $1.5 M/yr

CT Health Net Enforcement

Connecticut Attorney General - HIPAA• Lost portable computer disk drive• Involves privacy of 446,000 Connecticut

enrollees • Health information, social security

numbers, and bank account numbers • Failed to notify on time

CT Health Net Enforcement

Health Net failed to • Ensure the confidentiality and integrity of

electronic protected health information• Implement technical policies and procedures

for electronic information systems • Implement policies and procedures that

govern the receipt and removal of hardware and electronic media

CT Health Net Enforcement

Health Net failed to • Implement policies and procedures to

prevent, detect, contain, and correct security violations • Identify and respond to suspected or known

security incidents; mitigate, to the extent practicable, harmful effects of security incidents • Effectively train all members of its workforce

CT Griffin Hospital Investigation

• Hospital terminates radiologist and his access to the computer systems

• Patients call hospital with complaints• Audit reveals access to one terminal • Ex-radiologist uses usernames and passwords

of other radiology employees for 1 month• Accesses ~1000 records• Solicits patients for service at another hospital

Employee Snooping• UCLA Cardiothoracic Surgeon• Accesses system 323 times in 3 weeks• Snoops on celebrity medical records• Sentenced to 4 months in prison• Similar incident in 2008 • UCLA reveals that 165 employees improperly

viewed files in 13 years• 15 fired for viewing octuplet mom’s records

MA Data Security Regulations

• Creates duty to protect personal data• Applies to the personal information of MA

residents• Sophistication of safeguards increases with

size and scope of business• Requires encryption for transmission of

personal data over public networks• Effective date March 1, 2010

State Laws and PCI-DSS• Minnesota, Washington, Nevada• Requires encryption when electronically

transmitting personal data• Requires compliance with PCI-DSS • May result in liability to Card Issuing Banks• Some include Safe Harbors

Heartland Payment Systems Breach

• 6th Largest Payment Processor• Involved 330 Financial Institutions• Heartland was PCI-DSS certified• SQL injection attack• CC#s, expiration dates, stored magnetic stripe

data• Lost ~130 million card numbers

Heartland Payment Systems Breach

• Removed from VISA CISP list• Reported $105 million in expenses –$90 million to Visa, MasterCard, Banks–$3.5 million to AmEx

• Settles Cardholder Class Action for $2.4 million

• Stockholder Class Action in NJ Dismissed

Countrywide Breach

• Countrywide Financial Services• Former employees• Downloaded and sold customer data• Every week for 2 years• 19,000 individuals notified of breach• Class action settles for over $10 million

Dave & Buster’s FTC Enforcement

• Dave & Buster’s loses 130,000 credit and debit card numbers

• Failed to take sufficient measures to protect credit card information

• Failed to limit access by third parties• Settles with the FTC

Dave & Buster’s FTC Enforcement

Consent agreement requires D&B to:–Appoint responsible employee –Conduct risk assessment –Develop security program and safeguards–Develop criteria for selecting 3rd party

access to information–Obtain biennial third-party audits for 10

years

Preparing for the Inevitable

• Update Business Associate Agreements• Update Privacy and Security Policies• Update IT Systems for Proper Access &

Security• Update Security Incident Policies and

Procedures• Update or Create Breach Notification

Procedures

Electronic Discovery

• Overview of Electronic Discovery

• Sanctions

• Requirements for Compliance

• Zubulake Revisited

• Case Examples

Electronic DiscoveryBasics of Electronic Discovery• Electronically Stored Information (ESI) is

potentially discoverable • Proportionality test• Obligation to preserve • Pending or threatened litigation• Primary source should be active data• Costs usually borne by producing party

Electronic Discovery

Sanctions usually require:• Clear duty to preserve

• Culpable failure to Produce and Preserve Relevant ESI

• Reasonable Probability of Material Prejudice Due to Loss of ESI

E-Discovery Sanctions

• Monetary Sanctions– Shifting or Awarding Discovery Costs, Fines

• Adverse Inference or Inability to use Affirmative Defense

• Terminating Sanctions or Default Judgment

Electronic Discovery

Compliance requires:– Record Retention Policies and Procedures– Litigation Hold Procedures– IT Policies, Procedures, and Systems for • Preservation and Collection • Search• Production• Destruction

Zubulake Revisited

• When the duty to preserve has attached, the following failures constitute gross negligence– Failure to issue a written litigation hold

– Failure to identify all of the key players and to ensure that their electronic and paper records are preserved

Zubulake Revisited

– Failure to cease the deletion of email or to preserve the records of former employees that are in a party's possession, custody, or control

– Failure to preserve backup tapes when they are the sole source of relevant information or when they relate to key players, if the relevant information maintained by those players is not obtainable from readily accessible sources

Pinstripe Inc. v. Manpower Inc.

• Defendant failed to distribute litigation hold notice

• Possibly relevant emails destroyed• 700 emails recovered from recipients• Significant cost to defendant + $30K to outside

vendor• Court finds lack of intentional conduct• Court awards sanctions of $2,500

Southeastern Mechanical Services v. Brody

• Plaintiff SMS alleges spoliation for deleted laptop and Blackberry data

• Defendant argues that laptop emails were stored on server

• Blackberries wiped• Blackberries contained data other than emails• Blackberries contained data before being

synchronized with the server

Southeastern Mechanical Services v. Brody

• Court finds bad faith in deletion of Blackberry data

• Lack of email, text messages, telephone records was suspicious

• Court finds employees, not the corporations, culpable

• Court issues adverse inference

Starbucks v. ADT

• Starbucks seeks archived emails• ADT argues that emails are not accessible• Archived emails stored in a Plasmon System• Exaggerates production costs at $834K• Starbucks obtains two estimates at $17K and

$26K

Starbucks v. ADT

• Court ordered an immediate plan to make copies of the archived discs to an appropriate searchable storage medium

• Court ordered the production of relevant emails

• Court ordered the parties to confer and agree on fees

Conclusion

• Proper record retention policies• Identify all key people and documents• Preserve all relevant ESI• IT Policies, Procedures, and Systems• Proper and searchable archive technology• Written litigation holds

Questions & Answers

Dino Tsibouris Mehmet Munur (614) 360-1160 (614) 360-1160dino@tsibouris.commehmet.munur@tsibouris.com