IAPP Practical Privacy Series
Data Breach Hypothetical

Presented by:
Jennifer L. Rathburn, Partner, Quarles & Brady LLP
Frances Wiet, CPO and Assistant General Counsel, Takeda Pharmaceuticals U.S.A., Inc.

Session Overview and Description:
This session will provide participants with practical tools to evaluate and respond to data breaches. We will begin with a short data breach response overview. We will then present three data breach scenarios of increasing complexity. Participants will have an opportunity to explore responses to those scenarios in small-group and large-group discussions, using the checklists and other tools provided in the session. A question-and-answer period will conclude the session, offering participants an opportunity to share ideas from the session or innovative solutions to data breach problems they have encountered.
SCENARIO #1
Health Care Provider Company learns that a consultant auditing financial data accessed a server that stores health care data (including names, personal e-mail addresses and Social Security numbers). Company also learns that the consultant downloaded this information to its laptop. The initial investigation finds that the consultant accessed and downloaded the data accidentally while performing services for the Company. The data was accessed several times over the course of 2 days. When the issue was brought to the attention of the consultant, the data was deleted from the laptop. Approximately 1000 individuals may be compromised. States impacted include California and Texas.

SCENARIO #2
Company learns that 2 of its servers containing its employees' (and their dependents') information (i.e., health insurance benefit elections, FMLA information, occupational health records and health plan claims data) and financial data (bank account information) have been inappropriately accessed by an unauthorized third party. The servers are located at a hosting facility that provides a private cloud computing arrangement. The initial investigation finds that the servers are infected with malware. The servers contain data for 5,000 individuals living across the US.

SCENARIO #3
Investigation has continued on Scenario #2, and Company learns that one of the infected servers contains the name, personal address, limited health information (health insurance benefit elections) and financial data (bank account information) of 10 EU residents who are on assignment in the U.S. from Germany.
Worksheet for Data Breach for Scenario #1

Affected Entities and Data Elements at Issue:
State Laws at Issue:
HIPAA Issues (if any):
Simple Description of Root Cause and Mitigation Efforts:
Decision to Notify or Not to Notify:
If decision is to notify, when?
Worksheet for Data Breach for Scenario #2

Affected Entities and Data Elements at Issue:
State Laws at Issue:
HIPAA Issues (if any):
Simple Description of Root Cause and Mitigation Efforts:
Decision to Notify or Not to Notify:
If decision is to notify, when?
Worksheet for Data Breach for Scenario #3

Affected Entities and Data Elements at Issue:
State Laws at Issue:
HIPAA Issues (if any):
Simple Description of Root Cause and Mitigation Efforts:
Decision to Notify or Not to Notify:
If decision is to notify, when?
BREACH RESPONSE & INVESTIGATION CHECKLIST
(For each Action Step, record the Responsible Contact, To be Notified by, and Date/Time.)

Description of Incident
- Incident Received and Documented (Responsible Contact: Security Officer or Risk Management)
- Reported By (and contact information)
- Date and Time Report Received
- Date and Time of Incident
- Date and Time Incident Discovered
- Location/Department/Building
- Source/Media (e.g., EHR, Paper, Fax, etc.)
- Detail Data Elements Potentially at Risk (e.g., name, address, account information, SSN, medical information)
- Does any data at issue potentially include:
  o Protected Health Information? (see Attachment B (HIPAA/HITECH Requirements))
  o Financial Data?
  o EU data or data from other foreign jurisdictions?
- Vendor Involvement
- Description of Incident
- Privacy Breach Investigation Record Initiated
- Request Originals/Media to be Returned or Destroyed, with Written Verification of Such
- If Applicable, Security Incident Initiated

Review Applicable Laws
- Where do potentially affected individuals reside? What State laws apply? What are the State requirements? See Attachment A.
- Based on the data subject to exposure, what other laws may apply (e.g., HIPAA/HITECH Requirements - see Attachment B; EU Data Protection Laws - see Attachment C)?

Internal Notification (as Appropriate)
- IT Leadership
- Risk Management, Compliance Officer, Human Resources, Leadership, etc.
- Internal Legal Counsel
- Line of Business Head
- Public Relations & Communications/Customer Service
- Building Services/Facilities

External Notification (as Appropriate)
- External Legal Counsel
- Law Enforcement Officials (record Date/Time, Agency, Officer)
- Insurance Carrier (e.g., Facility, Cyber, Malpractice, etc.) (record Date/Time, Agency, Agent)
- Office for Civil Rights (see Attachment B (HIPAA/HITECH Requirements))
- Individuals
- Media Outlets
- State and/or Federal Agency, if Required (e.g., Health Plans with Medicare Plans Contact CMS)

Investigation Components
- Complete Risk Assessment to Determine Potential for Significant Risk of Financial, Reputational, or Other Harm (for state breach requirements, see Attachment A; for HIPAA/HITECH Security Requirements, see Attachment B)
- Assess/Engage Need for Forensics
- Assess/Engage Need for Private Investigator (e.g., research Craigslist, eBay, etc. for stolen equipment)

Mitigation/Follow-Up Activities
- Vendor/Business Associate (as Applicable): Request a document from the Vendor outlining the mitigation plan, the Vendor's responsibilities for breach management, and documentation of the steps the Vendor will take to ensure the event does not recur.
- Consideration of External Vendor Specializing in Breach Notification
- Consideration of External Vendor Specializing in Credit Monitoring
- Prepare Communication Plan to Cover Oral, Electronic and Written Communications to Victims, as Well as Information to Assist with Personal Needs; Include Organizational Contact Information.
- Report to Senior Leadership/BOD
- Completion of Investigation Report
- Completion of Workforce Member Sanctions
- Root Cause Analysis (when warranted)
- Implement Additional Controls (if needed)
- Communication to Staff as a Learning Opportunity (e.g., newsletter article, meeting presentation, etc.)
- If HIPAA/HITECH is Applicable, Record Disclosure Information in Accounting of Disclosures Records as Required.
- Completed Checklist Retained with Supporting Documentation for Six Years

Responsible Contacts named in the checklist: Security Officer or Risk Management; Public Relations; Chief Information Officer and/or other; Legal Counsel or Risk Management; Public Relations Leader; Director of Human Resources; Director of HIM/MR Department.
Key Contacts/Information Sources
(For each contact, record Name, Title, Location, Office Phone, Cell Phone #, and E-Mail Address.)

Internal Resources
- Security Officer
- Compliance Leader
- Legal Counsel
- Director, Human Resources
- Director, Health Information Mgmt
- Director, Risk Management
- Chief Information Officer
- Director, Facility Management

List Relevant Internal Policies and Procedures and Web Sites - Provide Web Links

External Resources
- FTC website - http://www.ftc.gov/
- OCR website - http://www.hhs.gov/ocr/privacy/
- HIPAA Collaborative of Wisconsin (HIPAA COW) - http://www.hipaacow.org
Attachment A
State Breach Requirements

STEP 1: Is Company governed by state breach law (e.g., is Company an entity that owns or licenses data, or is it a service provider or other entity that maintains data)?
STEP 2: Is the data at issue governed under state law?
STEP 3: Has a breach occurred? Does an exception to notification apply (e.g., harm threshold, good faith acquisition)?
Attachment B
HIPAA/HITECH Security Breach Requirements

STEP 1: Is Company governed by HIPAA/HITECH?

STEP 2: Is Protected Health Information (PHI) involved? The identifiers to consider are:
- Name
- Geographic Subdivision Smaller than a State (Except for Initial 3 Digits of Zip Codes in Certain Instances)
- All Elements of Dates (Except Year) Related to the Individual (Birth, Death, Admission, Discharge), and all Ages over 89 and all Elements of Dates Indicative of Such Age, Including Year (Except for Aggregation into a Single Category of Age 90 or Older)
- Telephone Numbers
- Fax Numbers
- Electronic Mail Addresses
- Social Security Number
- Medical Record Numbers
- Health Plan Beneficiary Numbers
- Account Numbers
- Certification/License Numbers
- Vehicle Identifiers and Serial Numbers, Including License Plates
- Device Identifiers and Serial Numbers
- Web URLs
- Internet Protocol Addresses
- Biometric Identifiers, Including Finger and Voice Prints
- Full Face Photos and Comparable Images
- Any Unique Identifying Number, Characteristic or Code

STEP 3: Determine whether there has been an impermissible acquisition, access, use or disclosure of PHI in violation of the HIPAA Privacy Rule.

STEP 4: Determine if the PHI is unsecured (meaning not secured in accordance with the DHHS Guidance).

STEP 5: Evaluate whether the incident falls under one of the exceptions to the notification obligations.

STEP 6: Resist the urge to automatically assume notification is required until a risk assessment is conducted.

STEP 7: Conduct a risk assessment to determine whether the impermissible use or disclosure poses a significant risk of financial, reputational or other harm to the individual. Specifically, use the following factors DHHS set forth in the Breach Notification for Unsecured Protected Health Information; Interim Final Rule:
- Who impermissibly used the PHI
- To whom the PHI was impermissibly disclosed
- The type and amount of PHI involved
- Whether the immediate steps taken to mitigate the harm rendered the risk of harm to the individual less than significant
- Whether the impermissibly disclosed PHI was returned prior to being accessed for an improper purpose

STEP 8: As required, notify Individuals, OCR and Media (if greater than 500 Individuals).

STEP 9: Mitigation/Accounting of Disclosures
Attachment C
EU Data Protection Law

Current Analysis
STEP 1: In which country do the EU residents reside?
STEP 2: Does that country currently have a data breach reporting requirement? Germany currently has a reporting obligation for special categories of data, such as health information, as well as obligations for bank account information.
STEP 3: What are the requirements of that law?

Future Analysis Must Include the Data Directive Reform
The current draft states:
- Personal data breach is a breach of security leading to the accidental or unlawful unauthorized access to personal data transmitted, stored or otherwise processed.
- Notification to the supervisory authority is required within 24 hours of becoming aware of an issue.

More to come on the EU issues in the next session today.