OCR Issues Checklist for Responding to Cyber-Attack

The Office for Civil Rights (OCR) recently released guidance entitled “My Entity Just Experienced a Cyber-attack! What Do We Do Now?”

The Checklist is a practical tool for health care entities and outlines several steps to take following a cyber-attack.

According to the Checklist, in the event of a cyber-attack or similar emergency an entity:

  • Must execute its response and mitigation procedures and contingency plans
  • Should report the crime to law enforcement agencies
  • Should report all cyber threat indicators to federal agencies and information-sharing and analysis organizations (ISAOs)
  • Must report breaches to OCR as soon as possible, but no later than 60 days after the discovery of a breach.

Of course, there are more steps before, during and after a cyber-attack, and these are the bare minimum, but nonetheless, any time guidance is issued by OCR, it is worth a read.

Companies Using IoT Being Hit with Security Breaches

A new survey released by Altman Vilandrie & Company, which surveyed 400 IT personnel who have purchased Internet of Things (IoT) security products, shows that 46 percent of companies that buy IoT security admitted they have experienced an IoT-related security intrusion or breach within the last two years, representing hundreds of millions of dollars in losses.

According to the survey, the reasons why companies are investing in IoT security products are to:

  • prevent loss of control over IoT devices
  • prevent breaches of customer information
  • prevent breaches of company data
  • meet compliance requirements
  • meet customer requirements

IoT continues to be a concern of IT professionals, and as more and more companies and consumers adopt IoT products and services, the evaluation of investment into IoT security may move up on the priority list.

Medicaid Documents Thrown in Dumpster

The North Dakota Department of Human Services has admitted that one of its employees threw Medicaid claim resolution worksheets into a dumpster instead of disposing of them in a secure onsite shredding receptacle. The result? The documents were found in the dumpster by a citizen who notified the Department, which then notified almost 2,500 patients of the incident.

The Department is offering one year of credit and identity theft monitoring because the compromised information included the patients’ names, dates of birth, Medicaid provider numbers, Medicaid ID numbers, dates of service, amounts billed and allowed, amounts covered by insurance, procedure and diagnosis codes and dental work performed.

Reader’s Digest Publisher Settles Case Alleging It Sold Subscribers’ Personal Information for $8.2M

In what is being considered the largest-ever settlement of alleged violations of Michigan’s privacy law (the Michigan Preservation of Personal Privacy Act), the publisher of Reader’s Digest has agreed to pay out $8.2 million to settle a proposed class-action lawsuit brought by consumers who allege that the publisher sold subscribers’ personal information to data brokers and other third parties.

The plaintiffs allege that Trusted Media Brands Inc. violated subscribers’ privacy when it sold detailed personal information, including names, home addresses and other demographic data, such as gender, religion and political affiliation, to data brokers and other third parties without their consent.

The settlement proposes to give each class member approximately $50 for their privacy violation claims.

The named plaintiff alleged that she received an inordinate amount of junk mail and telemarketing calls after the publisher sold her contact information to data miners. She alleges that the selling of the contact information violated the Michigan law that prohibits businesses that sell “books or other written materials” from disclosing the consumer’s identity other than to the consumer themselves.

The settlement includes an incentive award for the named plaintiff, as well as expenses for administration of the settlement, and attorneys’ fees for class counsel.

The State of the Drones: Unclear Laws and Anti-Drone Technology

Drone use has grown substantially over the past decade, since the Federal Aviation Administration (FAA) first permitted the use of drones for commercial and hobbyist purposes following the 2012 directive of Congress for the FAA to come up with a “comprehensive plan” for integrating drones into the National Airspace. However, with that growth has come concern among lawmakers and regulators, at both the state and federal level, about privacy, smuggling, collisions with manned aircraft, safety, and national security, as well as among private property owners looking to protect their privacy and property interests. That’s where anti-drone technology and systems come into play. From sophisticated technologies like jamming and control override systems to more amateur methods like net launchers or simply shooting a drone out of the sky, the law has yet to catch up with the state of technology, on either side. That has left the drone industry and property owners in a state of limbo.

A legal ecosystem for drones will take time and a lot of coordination. Beyond the FAA, the U.S. Department of Transportation, the U.S. Department of Homeland Security, the U.S. Department of Defense, and the U.S. Department of Justice will need to weigh in on security and law enforcement issues; the Federal Communications Commission will need to weigh in on the frequency spectrum issues related to jammer technology; agencies in charge of critical infrastructure, like NASA, will need to weigh in on an air traffic control system; and even agencies like the National Park Service will need to be involved. Almost every federal agency will have some input towards creating an ‘anti-drone’ law to protect national airspace and critical infrastructure. Then comes the even more complicated issue: whether states or local authorities should be granted some authority over the airspace. State and local laws typically regulate real property issues, like trespassing, but at the same time, the FAA has control over the low-altitude airspace down to the ground. While the recently proposed Drone Federalism Act (S. 1272) would require drone operators to obtain permission of property owners when flying at 200 feet or lower above ground level (or above a structure), this could lead to a patchwork of state laws that only make legal compliance even more complicated. Even with an anti-preemption clause, the FAA is still likely to view the use of any anti-drone technology by property owners as a problem, because to the FAA a drone is an aircraft, subject to the laws that prevent aircraft from being destroyed or having control taken away; taking control of one would be considered hijacking. The FAA is unlikely to steer away from treating a drone as an aircraft under the law.

So with legislation still in its infancy, the legal status of drones and anti-drone technology is likely to remain uncertain for the foreseeable future. Of course, any clarification would be better than none for both the drone industry and property owners alike.

NJ Law Restricting Drones Will Have to Be Rewritten

The town of Garfield, New Jersey has introduced new regulations related to hobbyist drone operation, or rather the non-operation of drones above residences other than your own, commercial zones, roadways, government or public buildings, and specific property and parks that the city designates. Hobbyist drone operators may only fly their drones over their own residences. Exceptions are permitted for emergency personnel and non-profits, for scientific research and sporting events, and for private company owners within their own borders. Generally, this new ordinance states that drones are “prohibited from flying in any airspace below 400 feet within the city.” The new law would also require drone operators to register with the city clerk annually, with a registration fee of $70. A list of registered operators will be given to the police department, building department and fire prevention bureau, and those departments would also enforce the new regulation. However, only a week after its introduction, this drone ordinance will have to go back to the city attorney for revisions and approval by the council, since the new code goes against Federal Aviation Administration (FAA) regulations. FAA regulations state the opposite, and actually limit flying height to 400 feet. The only time a drone can go above 400 feet, according to the FAA, is when a structure is in the way of the flight path and is more than 400 feet in height. Garfield’s Mayor, Richard Rigoglioso, said he thought he was voting on an ordinance that set guidelines at below 400 feet. He said the “above” wordage and the council’s approval were a mistake. While this ordinance will go back before the council and undoubtedly be revised, all of the other restrictions will likely remain the same, adding yet another local ordinance to the list of laws that drone operators must keep up with and comply with.

Privacy Tip #92 – Finally, HHS Is Removing SSNs from Medicare Cards

For those of you who know me, you know that I have been very frustrated with the federal and state governments for continuing to use Social Security numbers for eligibility, enrollment and participating in Medicare and Medicaid. This includes listing individuals’ Social Security numbers on the Medicare and Medicaid cards.

The good news is that finally, the Department of Health and Human Services (HHS) has figured out a way to take SSNs off of Medicare cards. The bad news is that they won’t start sending new Medicare cards out to beneficiaries until April 2018.

For Medicare recipients, the listing of your SSN on your Medicare card increases your risk for identity theft if your Medicare card or number is lost or stolen. Your Medicare card and any documents that have your Medicare number listed on them should be kept in a secure place and/or shredded when they are no longer needed. Those of you who care for seniors, take heed and assist your loved ones with protecting Medicare data. Scammers prey on seniors through the mail and over the telephone.

In the time between now and when the new Medicare cards are released, the FTC has listed some ways to avoid Medicare scams:

  • Is someone calling, claiming to be from Medicare, and asking for your Social Security number or bank information? Hang up. That’s a scam. First, Medicare won’t call you. Second, Medicare will never ask for your Social Security number or bank information.
  • Is someone asking you to pay for your new card? That’s a scam. Your new Medicare card is free.
  • Is someone threatening to cancel your benefits if you don’t give up information or money? Also a scam. New Medicare cards will be mailed out to you automatically. There won’t be any changes to your benefits.

Updating Medicare cards so they don’t list Social Security numbers is an important step in helping to reduce the risk of identity theft for seniors.

Murder Arrest Warrant Weaves Web of Data Evidence: Fitbit, Facebook, Alarm Systems and More

The warrant that led to the arrest of a husband for the alleged murder of his wife weaves a web of electronic evidence. Based in large part on Fitbit fitness tracker data, Connecticut authorities have charged Richard Dabate with the murder of his wife, Connie. He also faces charges of tampering with evidence and making false statements.

The warrant is a fascinating read. The prosecution claims that Mr. Dabate’s interview with police following his wife’s death on December 23, 2015, must be false based on the timeline the data creates. Over 50 pages, it documents the investigators’ attempts to track Mr. Dabate and his wife on the day of her death. It compares Mr. Dabate’s version of the events to the electronic trail that he and his wife left on that day – using Fitbit information, various IP addresses, cell phone records, emails, Facebook data, and alarm system records.

The full warrant is available at:


New Nevada Law Recognizes Enforceability of Blockchain Transactions; Blocks Local Government Regulation and Taxation

Senate Bill 398, unanimously passed by the Nevada legislature and signed into law by the Governor on June 5th, represents the most far-reaching state legislation to date concerning the use of blockchain technology. Blockchain is a decentralized database system that can be used to track and manage a broad range of digital transactions. Originally conceived as the technology underlying Bitcoin virtual currency, blockchain technology continues to expand into other applications including “smart contracts.”

Nevada’s new law has two principal components. First, the act grants legal recognition to blockchain transactions by bringing these transactions into line with existing laws governing electronic records and signatures, providing that: “If a law requires a record to be in writing, submission of a blockchain which electronically contains the record satisfies the law.” Second, Nevada’s law prohibits local government entities from (a) taxing or charging fees for use of blockchain, (b) requiring a license or permit to use blockchain, and (c) imposing any other requirements relating to the use of blockchain.

While Nevada becomes the third state (after Vermont and Arizona) to recognize the legal enforceability of blockchain transactions, it is the first to explicitly exclude blockchain from local taxation and licensing requirements and is clearly designed to promote Nevada as a safe haven for start-ups and entrepreneurs looking to build on blockchain’s enormous potential.

AICPA Releases Cybersecurity Risk Management Reporting Fact Sheet for CPAs Without a Key Recommendation

The American Institute of CPAs (AICPA) has released a risk management reporting framework that is intended to “establish a common, underlying language for Cybersecurity risk management reporting—almost akin to US GAAP or IFRS for financial reporting.”

According to AICPA, the framework may be used by both management and CPAs to “enhance cybersecurity risk management reporting of an organization’s cybersecurity efforts.”

This sounds like a good idea, but the guidance has its own inherent risks for companies, which are not mentioned in the fact sheet. The biggest risk is the discoverability of the risk management report(s) and their use in litigation against the company.

Any time a CPA firm, auditing firm or other vendor is engaged to conduct any cybersecurity review, the vendor does its best to uncover every single thing that may be lacking. The reports are not written with litigation or enforcement actions in mind, and often paint the company in a very negative way. Producing these reports in litigation or enforcement actions is extremely painful for outside counsel, like me.

CPA firms, auditing firms and other vendors, as well as their clients, may wish to evaluate whether counsel should be involved in the company’s cybersecurity risk management process in order to preserve the work product under the attorney-client privilege or work product doctrine. They may also wish to document the process and write the reports with the potential in mind that they may be reviewed by plaintiffs’ lawyers or regulators. A set of trained litigator’s eyes on the conclusions is very helpful. Having counsel quarterback the risk management process is a risk management tool in and of itself: the management of litigation risk.