2021 proved to be a momentous year for privacy and data security law. The scourge of ransomware continued last year, leading to record-setting ransomware payments, a muscular response from the federal government, a hardening insurance market, and significant corporate anxiety. Two more U.S. states passed comprehensive data privacy laws in 2021. The FTC was very active, issuing new guidance for artificial intelligence (AI), publishing revisions to the GLBA Safeguards Rule, and bringing new enforcement actions. The U.S. Supreme Court issued a number of opinions that had the effect of narrowing the scope of key privacy statutes while biometric litigation in Illinois exploded. The European Commission promulgated new rules for cross-border transfers, and U.S. state regulatory enforcement activities ramped up.
As anticipated, the Department of the Treasury’s Office of the Comptroller of the Currency (“OCC”), the Board of Governors of the Federal Reserve System (“Federal Reserve”), and the Federal Deposit Insurance Corporation (“FDIC”) recently approved and released the Final Rule Requiring Computer-Security Incident Notification (“Final Rule”). This Final Rule is designed to promote early awareness and stop computer security incidents before they become systemic. It places new reporting requirements on both U.S. banking organizations and bank service providers.
On October 27, the Federal Trade Commission (FTC) announced a final rule (Final Rule) and supplemental notice of proposed rulemaking (NPRM) to amend the Safeguards Rule promulgated under the Gramm-Leach-Bliley Act (GLBA), which requires covered financial institutions to implement certain security safeguards to protect their customers’ financial information against data breaches and cyberattacks. The FTC also issued another rule adopting largely technical revisions to the scope of its Privacy Rule, a separate GLBA rule that requires financial institutions to inform customers about their information-sharing practices and allow customers to opt out of having their information shared with certain third parties.
California continues to be at the vanguard of privacy protection. On October 11, 2021, California’s Governor Newsom signed several bills addressing privacy and data security. These new laws go into effect January 1, 2022, and include:
- AB 335, which adds an exemption to the California Consumer Privacy Act (CCPA) consumer personal information sales opt-out right. This exemption applies to vessel information and ownership information shared between vessel owners and dealers, if the sharing is because the entity anticipates or is effectuating a warranty repair or vessel recall.
- AB 430, which amends California’s identity theft and debt collection laws. The amendment permits victims of identity theft to provide an FTC identity report in lieu of a police report in instances (i.e., stopping debt collection, civil judgment for identity theft) that formerly required a police report.
- AB 694, which adds technical and non-substantive changes to the California Privacy Rights Act. This clarifies that the California Privacy Protection Agency’s authority begins six months after it notifies the AG that it is prepared for rulemaking.
- AB 825, which expands California’s existing data breach notification laws to include genetic data in the definition of “personal information.” This indirectly broadens the CCPA’s private right of action for some data breaches that use this definition.
- AB 1391, which addresses the sale of data obtained unlawfully. This law:
  - prohibits selling data and selling access to data that was obtained pursuant to the commission of a crime;
  - makes buying data unlawful if the buyer has actual or constructive knowledge that the data was accessed or obtained through criminal activity; and
  - carves out exceptions including press reporting matters of public concern, whistleblowers, and obtaining data for specific security purposes.
- AB 1184, which amends the Confidentiality of Medical Information Act and the Insurance Code to increase privacy protections for patients receiving sensitive healthcare services including mental health, reproductive health, and gender-affirming care. The law restricts certain disclosures even where the patient is not their health insurance’s policyholder.
California also joins a minority of states in passing a new law protecting the privacy of genetic information. SB 41, which creates the Genetic Information Privacy Act, requires direct-to-consumer genetic testing companies to:
- clearly inform consumers how the company collects, uses, maintains, and discloses genetic data;
- obtain express consent for use, collection, and disclosure of genetic data;
- obtain separate express consent for specific activities including transfers to third parties, storage of biological samples, and marketing facilitated by genetic data;
- implement mechanisms through which consumers may easily access and delete their account and genetic data;
- destroy the consumer’s sample and associated data within 30 days of consent revocation, unless the company is otherwise prohibited from doing so; and
- maintain and implement reasonable security practices and procedures.
Notably, none of the new laws passed by California permit a new private right of action. AB 825, however, adds genetic data to the definition of “personal information” under California Civil Code § 1798.81.5(d)(1)(A) and thus expands the CCPA private right of action for data breaches involving “personal information” under this law.
AB 1184 increases protections for certain medical information that is particularly sensitive (mental health, reproductive health, gender-affirming care). The Confidentiality of Medical Information Act (CMIA) already provides a private right of action for negligent release of medical information. Thus, that private right of action is effectively expanded to cover violations of the heightened protections that result in negligent release of this sensitive information.
The U.S. Department of Health and Human Services (HHS) released guidance to address how the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule applies to various entities’ requests for information related to an individual’s COVID-19 vaccination status.
HHS emphasized that the Privacy Rule applies only to covered entities, including health plans and most health care providers, and their business associates (those who obtain protected health information in performing services for a covered entity). The Privacy Rule does not apply to other individuals and entities. Employers, schools, stores, restaurants, and many others may request that an individual disclose whether he or she has been vaccinated without violating the Privacy Rule. Thus, schools may ask students to disclose their vaccination status. Businesses may request that information from their patrons. Employers may request that information from their employees. None of these requests violate HIPAA’s Privacy Rule. However, these entities must comply with other applicable state and federal laws that impose restrictions on the design and implementation of COVID-19 vaccination requirements, as well as requirements that apply to the maintenance and storage of information related to individuals’ vaccination status.
If an organization is considered a covered entity, such as a health care provider or business associate, the organization will generally be treated like other organizations when acting as an employer. For example, a hospital may request information about the vaccination status of an employee. When the organization acts as a covered entity or business associate, it may still collect vaccination information. For example, doctors may collect that information from their patients (and the patients may provide it). But the organization will be subject to HIPAA in its handling of the information. As a result, a covered entity may disclose an individual’s vaccination status only if it is expressly permitted or required by the Privacy Rule or if the disclosure is authorized by the individual.
The guidance describes certain situations when disclosure is permitted without authorization. For example, a health care provider may disclose an individual’s vaccination status to a health plan for payment or to a public health authority or vaccine manufacturer to report appropriately on the quality, safety or effectiveness of the COVID-19 vaccine. In certain situations, as when an employer engages a health care provider to assist in medical surveillance of its workplace pursuant to OSHA requirements, a health care provider may disclose an individual’s vaccination status to the employer, although even then the individual must be notified of the disclosure.
If the disclosure is not expressly permitted by the Privacy Rule, a health care provider may not disclose an individual’s vaccination status without his or her written authorization. For example, a health care provider could not generally disclose an individual’s vaccination status to entertainment and sporting venues, airlines, cruise ships, resorts or hotels, although they may ask individuals – and individuals may provide – this information.
On September 15, 2021, the Federal Trade Commission (“FTC”) issued a policy statement affirming the applicability of its Health Breach Notification Rule (the “Rule”), 16 CFR Part 318, to health apps and connected devices that are not subject to the Health Insurance Portability and Accountability Act (“HIPAA”) but are capable of drawing information from multiple sources.
OFAC Updates Advisory on Enforcement Risks Relating to Agreeing to Pay Ransomware
First Post in a Two-Part Series on Recent OFAC Designations
On September 21, 2021, OFAC issued its first sanctions designation against a virtual currency exchange by designating the virtual currency exchange SUEX OTC, S.R.O. (SUEX) “for its part in facilitating financial transactions for ransomware variants.” Although this is a unique development, the broader and more important issue for any financial institution or company facing a ransomware attack is the continuing problem encapsulated in OFAC’s six-page Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, which OFAC released in conjunction with the announcement of the SUEX designation. The Updated Advisory illustrates a “Catch 22” scenario, in which a victim that halts a ransomware attack by making the demanded payment may then find itself under scrutiny from OFAC on a strict-liability basis if it turns out that the attackers were sanctioned or otherwise had a sanctions nexus. The Updated Advisory states that OFAC will consider self-reporting, cooperation with the government and strong cybersecurity measures to be mitigating factors in any contemplated enforcement action.
OFAC has been busy. Tomorrow, we will blog on a more traditional action announced by OFAC right before the SUEX designation: OFAC’s designation of members of a network of financial conduits funding Hizballah and Iran’s Islamic Revolutionary Guard Corps-Qods Force. This designation is notable for the targets’ alleged use of gold as a vehicle to launder illicit funds through front companies.
The Blacklisting of SUEX
According to OFAC, over 40% of SUEX’s known transaction history is associated with illicit actors. As a result, SUEX is prohibited from transacting with U.S. persons or transacting within the United States, and financial institutions and other persons that engage in certain transactions or activities with the sanctioned entities and individuals may expose themselves to sanctions or be subject to an enforcement action. OFAC issued the designation pursuant to Executive Order (E.O.) 13694, entitled “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities,” which was initially signed by President Barack Obama in 2015. We previously have blogged about the ability of OFAC in other contexts to block assets and prohibit financial transactions with designated individuals and entities.
SUEX operates in Russian and is registered in the Czech Republic. The designation specifically blacklisted 25 blockchain addresses used by or associated with SUEX. Arguably, the designation reflects a tactic by the U.S. government to turn to sanctions, a tool that the government may employ relatively easily and swiftly, in order to punish illicit foreign actors that may be very difficult to prosecute in U.S. courts, at least without a considerable expenditure of effort, time and resources.
According to the press release issued by the U.S. Treasury Department, OFAC’s designation of SUEX is occurring against the backdrop of an increase in the scale, sophistication, and frequency of ransomware attacks. Ransomware (on which we previously have blogged) is a form of malicious software designed to block access to a computer system or data, often by encrypting data or programs on information technology systems, in order to extort ransom payments from victims in exchange for decrypting the information and restoring victims’ access to their systems or data. The Treasury Department noted that “[t]he U.S. government estimates that these payments represent just a fraction of the economic harm caused by cyberattacks, but they underscore the objectives of those who seek to weaponize technology for personal gain[.] . . . [T]he disruption to critical sectors, including financial services, healthcare, and energy, as well as the exposure of confidential information, can cause severe damage.” According to the FBI, ransomware payments reached over $400 million in 2020, which is more than four times the amount of ransomware payments made in 2019. Ransomware schemes unfortunately appear to have proliferated even more in 2021, including the notorious cyberattack on Colonial Pipeline, which resulted in significant gasoline supply shortages in the U.S.
The press release further observed that virtual currencies, while frequently used for lawful activity, also can be used for sanctions evasion, ransomware schemes, and other cybercrimes through the use of peer-to-peer exchangers, mixers, and exchanges. In some cases, malicious actors exploit virtual currency exchanges; in other cases, the virtual currency exchange itself allegedly facilitates illicit activities for its own illicit gains, which is what OFAC has alleged with regard to SUEX.
The Treasury Department emphasized that many agencies across the globe, including the U.S. Financial Crimes Enforcement Network, the Group of Seven and the Financial Action Task Force, are attempting to address ransomware and ransomware-related money laundering, and their nexus with the illicit finance risks posed by virtual assets. The Treasury Department encouraged readers to visit StopRansomware.gov, touted as a “one-stop resource for individuals and organizations of all sizes to reduce their risk of ransomware attacks and improve their cybersecurity resilience.” OFAC also publishes Frequently Asked Questions on Virtual Currency.
OFAC Advisory on Ransomware
The SUEX designation was accompanied by OFAC’s Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (“Updated Advisory”), which “describes the potential sanctions risks associated with making and facilitating ransomware payments and provides information for contacting relevant U.S. government agencies, including OFAC if there is any reason to suspect the cyber actor demanding ransomware payment may be sanctioned or otherwise have a sanctions nexus.” Of course, many ransomware schemes indeed have a sanctions nexus, which puts the victim in a potentially untenable spot, particularly because a de facto sanctions nexus may not be entirely clear to the victim. Regardless of the fact that trying to obtain an OFAC license to make an otherwise prohibited payment would take much more time than is even remotely practical when dealing with the exigencies imposed by a ransomware attack, OFAC indicates in the Updated Advisory that “license applications involving ransomware payments demanded as a result of malicious cyber-enabled activities will continue to be reviewed by OFAC on a case-by-case basis *with a presumption of denial*.” (emphasis added).
After describing a list of alleged malicious cyber actors designated by OFAC for perpetrating or facilitating ransomware attacks, including the aptly-named Evil Corp, the Updated Advisory stresses that the U.S. government “strongly discourages” the payment of cyber ransom, which:
. . . . may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims. For example, ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States. Such payments not only encourage and enrich malicious actors, but also perpetuate and incentivize additional attacks. Moreover, there is no guarantee that companies will regain access to their data or be free from further attacks themselves.
The Updated Advisory then provides an ominous reminder that OFAC may impose civil penalties for sanctions violations based on strict liability – i.e., a company can be held liable even if it did not know or have reason to know that it was engaging in a transaction that was prohibited by OFAC. “Enforcement responses range from non-public responses, including issuing a No Action Letter or a Cautionary Letter, to public responses, such as civil monetary penalties.”
OFAC offers two basic paths to minimizing the potential penalties posed by this dilemma.
First, financial institutions and other companies should implement a risk-based compliance program to mitigate exposure to sanctions-related violations. The program should account for the risk that a ransomware payment may involve a Specially Designated National (“SDN”) or blocked person, or a comprehensively embargoed jurisdiction (such as North Korea). Effective cybersecurity measures likewise can mitigate any OFAC enforcement response; such measures can include “maintaining offline backups of data, developing incident response plans, instituting cybersecurity training, regularly updating antivirus and anti-malware software, and employing authentication protocols[.]” The Updated Advisory specifically notes that financial institutions covered by the Bank Secrecy Act also will have related anti-money laundering obligations.
Second, “OFAC strongly encourages victims and related companies to report these incidents to and fully cooperate with law enforcement as soon as possible to avail themselves of OFAC’s significant mitigation related to OFAC enforcement matters and receive voluntary self-disclosure credit in the event a sanctions nexus is later determined.” The Updated Advisory states that OFAC will be more likely to resolve apparent violations involving ransomware attacks with a non-public response (i.e., a No Action Letter or a Cautionary Letter) if the victim reports the ransomware attack to OFAC, law enforcement and other relevant agencies as soon as possible and provides cooperation during and after a ransomware attack. This “encouragement” suggests that in practice any ransomware attack should be reported to OFAC and other agencies, because it ultimately may turn out to be the case that the attack had a sanctions nexus.
Even if strong cybersecurity measures, self-reporting and cooperation with the government lead to a non-public response by OFAC, a lurking issue remains: what enforcement risks face a company that finds itself to be the victim of a second attack involving a sanctions nexus?
On Monday, the White House announced the nomination of Alvaro Bedoya to serve as FTC Commissioner. Mr. Bedoya is slated to fill the seat on the Commission currently held by Rohit Chopra, which Mr. Chopra will vacate upon his confirmation as CFPB Director. Mr. Chopra is expected to be confirmed as CFPB Director before the end of the year.
If confirmed, Mr. Bedoya would join the two other Democratic FTC Commissioners, Lina Khan, Chair of the Commission, and Rebecca Slaughter, and allow Democrats to maintain a 3-2 majority.
Mr. Bedoya is currently a law professor at Georgetown University Law School, where his research has focused on how technologies such as facial recognition have led to discrimination against immigrants and people of color. He was the founding director of Georgetown University’s Center on Privacy & Technology. Mr. Bedoya also served as the first Chief Counsel for the Senate Judiciary Committee’s Subcommittee on Privacy, Technology & the Law. As a result, some observers view Mr. Bedoya’s nomination as a precursor to greater FTC focus on potential discrimination arising from the use of artificial intelligence and other technological innovations as well as privacy considerations for both consumer protection and competition among Big Tech companies.
On August 12, 2021, the United States District Court for the District of South Carolina issued an opinion denying in part and granting in part a motion by Blackbaud to dismiss seven statutory claims brought by plaintiffs in a multidistrict consolidated action stemming from a ransomware attack. The most notable aspect of the opinion is the Court’s interpretation of the California Medical Information Act (CMIA), which may have the effect of broadening the scope of liability for California-based cloud service providers that suffer data breaches.
The Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) has continued its enforcement of HIPAA’s privacy and security rules in the new administration, announcing a number of settlements of alleged violations in the first seven months of 2021. This settlement activity followed a few other significant HIPAA developments that occurred in January of 2021, including HHS’s release of proposed regulations to the HIPAA Privacy Rule and a Fifth Circuit Court of Appeals opinion vacating an OCR penalty of approximately $4.44 million for a HIPAA security breach involving the University of Texas MD Anderson Cancer Center (MD Anderson). The Fifth Circuit took issue with the standards that OCR (and an administrative law judge) had applied in assessing the penalty. It found that MD Anderson had implemented a mechanism for the encryption of data, even if certain employees did not follow that mechanism. It held that the government had not demonstrated that MD Anderson made any affirmative disclosure of protected health information to an outside person. The Court explained that even if the government had established that MD Anderson was liable, the Court would have lowered the penalties substantially, finding that the amount assessed exceeded applicable limits. Although it is unclear how the Fifth Circuit’s opinion will affect OCR’s enforcement activity (or the willingness of parties to settle) going forward, this year’s settlements demonstrate that OCR has remained active in enforcing HIPAA’s rules.
OCR’s first settlement of 2021 was also its largest of the year to date. OCR learned of the breach when Excellus Health Plan reported to OCR that cyber-attackers had installed malware and gained unauthorized access to its systems from December 2013 to May 2015. The breach resulted in the impermissible disclosure of more than 9.3 million individuals’ protected health information, including their social security numbers, bank account information, health plan claims, and treatment information. HHS investigated the breach and alleged that Excellus Health Plan did not conduct a thorough analysis of the risks and vulnerabilities of the electronic protected health information (ePHI), implement security measures to mitigate risks and implement procedures to regularly review information system activity records. Excellus Health Plan agreed to pay a resolution amount of $5.1 million and entered into a Corrective Action Plan, requiring it to perform a comprehensive risk analysis to identify any other potential risks or vulnerabilities to its systems maintaining ePHI, prepare written policies to address the monitoring of suspicious activity and submit the policies to HHS for review, provide training to employees on such policies and submit to monitoring by HHS for a period of two years. OCR’s analysis of the severity of the potential violations and determination of the resolution amount appears to have been heavily influenced by the length of time that the breach went undetected, as the director of OCR commented: “In this case, a health plan did not stop hackers from roaming inside its health record system undetected for over a year which endangered the privacy of millions of its beneficiaries.” This settlement serves as a reminder that covered entities should be vigilant in reviewing activity within their systems so they may respond quickly if a breach does occur.
OCR has also demonstrated a continuing commitment to enforce the obligation to provide individuals with timely access to their health information upon request. OCR entered into six separate Resolution Agreements between January and June of 2021, bringing the total to 19 actions under its Right of Access Initiative. All six settlements involved health care providers that failed to provide patients’ medical records in a timely manner, ranging from a 6-month delay to a complete failure to provide the requested documents. Each entity entered into a Resolution Agreement and Corrective Action Plan with OCR, with resolution payments ranging from $5,000 to $200,000. Based on the limited information available in the Resolution Agreements, it is unclear how the monetary resolution amounts were set. They may have been based on a combination of factors such as the time that passed between the initial request and the date the entity provided the medical records, the number of complaints that HHS received with respect to each entity, or the size and sophistication of each entity. Although the settlement amounts for breaches of the access-to-information requirements tend to be less than those involving an actual breach of privacy, the Corrective Action Plans still require the entities to undertake significant compliance measures, including revising internal policies and procedures for HHS review, providing training to all employees with job duties that relate to processing these requests, and submitting to monitoring by HHS for up to two years. These Resolution Agreements and accompanying press releases indicate that HHS will continue pursuing its Right of Access Initiative, underscoring the importance for health care entities of maintaining sufficient policies to ensure timely, comprehensive and accurate responses to patients’ requests for medical records.