

©2014 Foley & Lardner LLP • Attorney Advertising • Prior results do not guarantee a similar outcome • Models used are not clients but may be representative of clients • 321 N. Clark Street, Suite 2800, Chicago, IL 60654 • 312.832.4500

October 7, 2014

Data Breach Prevention and Response

Introductions

Chanley Howell
Partner, Technology Transactions & Outsourcing
Foley & Lardner
[email protected]
(904) 359-8745 | office

Peter Sanborn
Associate, Technology Transactions & Outsourcing
Foley & Lardner
[email protected]
(617) 502-3367 | office

Kate Bolland Eshghi
Vice President, General Counsel
UMassMemorial Health Care
[email protected]
(508) 334-1700 | office

Leeann Habte
Senior Counsel, Health Care Industry Team
Foley & Lardner
[email protected]
(213) 972-4679 | office


Agenda

I. Overview
− Nature of the Risk
− Types and Sources of Risk
− Stakeholders

II. Phase 1: Preparation, Planning and Day-to-Day
− Assessing the Data
− Assessing Risk Tolerance
− Mitigating the Risk
− Health Checkups
− Plan for Milestones

III. Phase 2: Post Breach
− Assess Data
− Activate Team
− Take Action


Overview


Top Settlements for Breaches of PHI

■ Settlements in Past 12 Months
− 6/2014 – health care system paid $800,000 in settlement of medical records dumping case to the Office for Civil Rights (OCR)
− 5/2014 – $4.8 million paid by two providers to OCR for failure to secure ePHI on their network
− 4/2014 – two entities paid $2 million collectively to OCR related to thefts of unencrypted laptops and other mobile devices
− 3/2014 – health care provider paid $4 million in settlement of class action related to security breach by contractor


Top Settlements for Breaches of PHI

■ Settlements in Past 12 Months (cont.)
− 2/2014 – health care provider paid $3 million in settlement of class action related to theft of unencrypted laptops
− 11/2013 – health plan paid just over $1.2 million in settlement with OCR when photocopier containing PHI was compromised


Types of Breaches

■ “My data falls into the wrong hands”
− Inadvertently or maliciously accessed, disclosed or used inappropriately by employee or third party
− Stolen by hacker
− Lost or stolen, and we don’t know who has it (if anyone)
− Looks like it was lost or stolen (even if it wasn’t)


Types & Sources of Risk

■ Types
− Legal/compliance/regulatory: Breaking a law (federal, state, international, HIPAA, etc.)
− Financial: Loss of revenue; Damages; Penalties/fines, litigation
− Reputational: Damage to customer relationships; Lost revenue; “Bad Press”
− Security: Theft of valuable data; Holes in IT systems exposed
− Operational/Clinical: Loss, destruction or compromise to integrity of data


Types & Sources of Risk (cont.)

■ Sources
− Technical vs. Human: Firewalls vs. Phishing vs. Human Error or Wrongdoing
− Roles of vendors/third parties (and their contractors)


Stakeholders

■ Who is or should be concerned about the risk?
− Legal
− Compliance/Audit/Risk Management
− Security Teams
− Regulators
− Executives
− Board of Directors
− Physicians and other Care Providers
− Customers
− Business Teams/Sales Teams
− Vendors
− General Public
− Investors/Partners
− Others?


Lifecycle of Risk Mitigation

■ Two Phases:
− Preparation, Planning and Day-to-Day
− Post-Breach


Phase 1: Preparation, Planning and Day-to-Day


Start With The Data

■ Questions to Ask:
− What is the data?
− How sensitive is the data?
− How much data is there?
− Where is the data?
− Who has access to the data?
− What is the purpose of the data?

■ Types of Data:
− PHI
− PII
− Proprietary Information (“Secret Sauce”)
− Other Party’s data


Assess Your Risk Tolerance

■ Whose opinion matters and why
■ Educated risk assessment
■ Varied views: legal vs. business vs. others
■ Role of “price” in the risk tolerance analysis
− Are you willing to pay more to reduce your risk?
■ Role of business/operational needs
− 100% secure data = useless data


Put the Right Practices in Place

■ Invest in robust privacy/security program
■ Education
■ Policies
■ Encryption
− BYOD
■ Enforcement
− Audit
− Reporting
− Discipline
■ Cyberliability Insurance
■ Breach Response Plan
− Team
− Protocols


Assess Your Vendor’s Risk Tolerance/Preparedness

■ This step is often overlooked
■ Want to match tolerance levels
■ What to watch for
− Companies that need to land the deal
− Companies that are new to the space
− Companies that agree to security/privacy provisions without markups
− Companies that do not have privacy/security professionals


Assess Your Vendor’s Risk Tolerance/Preparedness (cont.)

■ No vendor is too small
− The case of the Chinese menu
− The case of Target’s HVAC vendor
■ With whom is the Vendor subcontracting?


Put the Right Paper in Place: Contracting Tips

■ Key contract provisions to include when sensitive data is involved
■ Important supplemental agreements/exhibits: BAAs, Security exhibits, etc.
■ Getting the right eyes on the contract: Who needs to review and approve language?


Put the Right Practices with Vendors in Place

■ Good paper does not replace good practices
■ Diligence and Security Audits
■ Have a data breach response plan in place beforehand
■ Insurance (yours & theirs)
■ Ongoing “Health Checkups”
− Educate and review security policies and procedures
− Use audit provisions
− Get to know vendor security teams


Plan for Vendor Relationship Milestones

■ Launch of a new service, system, functionality
■ Use contract renewals as a checkpoint
■ Changes to data (type, amount, flow)
■ Regulatory updates
■ Internal business owners


Phase 2: Post Breach


Look at the Data

■ Is the breach ongoing?
■ What kind of data is involved?
■ Whose data is it?
■ How much data is involved?
■ How sensitive is the data?
■ Who has the data?
■ Who was responsible for the data?
■ Is it completely lost? Is it retrievable?


Taking Action

■ Role of Core Values:
− Transparency vs. liability?
■ Making Decisions with Partial Information
− Risks of delayed response vs. risk of acting on bad/incomplete information


Activate Your Team

■ Who needs to be at the table and why?
− Breach response team
  − Remediation
  − Investigation
  − Notification
■ Who are stakeholders that aren’t at the table?


Responding to a Breach

■ Immediate and long term response
− Is risk ongoing?
− Notify cyber liability carrier
− Litigation hold/preserve evidence
− Legal requirements
  − Notice individuals and regulators
− Law enforcement?
− Root cause analysis
− Risk mitigation
− Reputation


Unpacking the Risks Arising from a Breach

■ Security: Is the threat over? Have we fixed the source of the problem?
■ Legal/compliance/regulatory: Did we breach a law?
■ Financial: Are we liable to third parties? Are we subject to fines? Will this impact revenue?
■ Reputational: How will this impact the organization’s reputation among stakeholders?


Data Breach Incident Response Business Process


Multiple Sources of Notification Requirements

■ Considerations
− Statutory/Regulatory Requirements
  − HIPAA
  − State laws re: Personally Identifiable Information
  − State laws re: breaches of medical information
− Contractual Notification Requirements
  − CMS Data Use Agreements
  − Medicaid Managed Care Contracts


Complexities re: Breaches Involving Third Party

■ Establishment of process/liability via contract/Business Associate Agreement?
− Determination of breach
− Attribution of fault for breach
− Responsibility for notification
− Right to review and approve notice
− Right to approve communication to media
− Payment for costs of notification (direct costs, credit monitoring, public relations, attorney fees)/Indemnification (HIPAA and state law)/Insurance
− Requirements regarding notification/assistance with litigation


OCR Investigations

■ Reports of breaches affecting 500+ individuals will result in investigation
■ First step is response to request for data from OCR
■ Based on response, scope of investigation can expand
■ Covered Entity/Business Associate is liable for any non-compliance uncovered


Dealing with OCR

■ Address all requests – responses should be limited to issues identified by OCR.
■ Consider OCR’s audit criteria – to target entity’s response, if feasible.
■ Respond timely or request extension.
■ Cooperate!
■ Highlight prompt corrective actions to address cause of breach.


Questions


Thank You

■ Thank you for joining us today
■ For more information on this topic, register to attend the 2014 FOLEYTech Summit, October 14 in Boston, MA – www.foley.com/events
