Breaches: A Case for Bringing You in front of the Regulatory Eye

It seems like practically every week we are “treated” to the news of a new data breach affecting the personal information of consumers. And this week was no exception. Yes, this week the cannabis industry seems to need a security Toke(n).  (Sorry, I couldn’t help myself!). 

According to reports, the breach (potentially affecting multiple U.S. marijuana dispensaries) originated with point-of-sale software company THSuite. For those of you who regularly follow our blog, this is a classic example of a third party causing a data breach, and it highlights (again) the need to perform appropriate due diligence on every vendor an organization uses. However, while this is yet another example of the importance of vendor due diligence, we would like to use this breach to illustrate another important point, namely regulatory actions. HUH?? I know, probably not where you thought this blog was going, but this breach gives us an opportunity to show how regulatory actions can easily flow from a data breach. 

And why did this breach inspire this blog? Easy. The cannabis industry involves and implicates numerous privacy and data security regimes including, among many others, the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS). Even though regulators are not yet involved, it does not take a soothsayer to guess that they will be in the near future.  

To illustrate the point, let’s examine some data breaches and the regulatory issues that flowed from them. There are numerous examples of companies that suffered a data breach and were then subject to regulatory fines or penalties as a result. So, let’s start with Uber, our favorite cyber-badboy. In 2016, Uber suffered a cyberattack in which hackers accessed the personal data of Uber customers and drivers. After sitting on it for over a year, Uber finally admitted to the hack after it was revealed that the company had paid the hackers $100,000 to delete the personal data that had been taken. There is just too much wrong to dissect Uber’s actions in this instance, and doing so would take this blog down a rabbit hole that is not intended. To stay on topic, suffice it to say Uber’s actions were a classic example of what not to do in response to a breach. 

From a regulatory perspective, the breach shone a light on Uber’s data practices. Once a data breach occurs and authorities are notified (as organizations are often required to do under the law), investigations necessarily follow. And what did the investigations of Uber reveal? Well, the United Kingdom’s ICO found a “serious breach” of the UK’s Data Protection Act of 1998 and fined Uber £385,000, and the Dutch regulator fined Uber €600,000 because it failed to report the breach within the 72 hour window. Here in the US, attorneys general from all 50 states and the District of Columbia pursued Uber over the breach. The terms of the resulting settlement included a $148 million payment and a requirement that Uber provide quarterly reports on its efforts to bolster its data security practices. That $148 million was for the state attorneys general alone, before the European fines are counted. 

Another cyber breach that is causing regulatory headaches for an organization is Arizona’s Banner Health. In 2016, Banner reported that the payment processing system of its food and beverage outlets had been compromised. Using this foothold as an opportunity to delve further into Banner’s network, the attackers were eventually able to access areas of Banner’s systems that contained patient data.

Banner Health faced two onslaughts as a result: one, a private class action lawsuit; and, two, regulatory investigations. First, at the end of 2019, Banner Health reached a proposed settlement with class action plaintiffs related to its 2016 data breach. Second, the Office for Civil Rights (OCR), the regulatory body that enforces HIPAA, is still investigating Banner. An Ernst & Young year-end financial report discussed the OCR investigation of Banner. According to the EY report, “Banner is cooperating with the investigation” and the “OCR has indicated that the initial Banner responses with respect to its past security assessment activities are inadequate.”  The report goes on to state that “Banner anticipates that it may receive negative findings with respect to its information technology security program, and that a fine may be assessed against Banner.” 

Another data breach that caused scrutiny, and in this case ultimately a fine by the OCR, was that of Fresenius Medical Care North America (FMCNA). FMCNA reported five separate data breaches to the OCR that occurred between February 23, 2012 and July 18, 2012. The data breaches compromised protected health information (PHI) at five FMCNA facilities. 

The OCR found that the five FMCNA facilities (which are considered covered entities) did not conduct an accurate and thorough analysis of the risks and vulnerabilities to the PHI they held. The OCR concluded, “[t]he number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity. Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law.” OCR and FMCNA ultimately reached a settlement of $3.5 million. The settlement also came with a corrective action plan that requires FMCNA to complete a risk analysis and risk management plan, revise its policies and procedures on device and media controls as well as facility access controls, develop an encryption report, and educate its workforce on those policies and procedures.

A conversation about regulatory penalties would simply not be complete without discussing the elephant in the room, the EU’s General Data Protection Regulation (GDPR) and its (potentially) behemoth fines. Nearly every organization has heard the tale of the regulatory boogieman, i.e. the GDPR, and its potential fines of up to 4% of worldwide annual turnover or €20 million (whichever is higher). 

However, how exactly are the regulators in the EU wielding this power? Let’s examine the British Airways data breach. British Airways’ problems began in 2018 when traffic to its website was diverted to a fraudulent site, where customers’ personal and payment card data was harvested. After the breach was reported and regulators investigated, the UK’s ICO announced in July 2019 that it intended to fine British Airways £183 million. Ouch! 

Organizations that are not compliant with these regulations proceed at their own risk in a veritable minefield of regulatory liabilities. Just recently, California’s Attorney General Xavier Becerra said, when responding to questions about how California would handle enforcement of the California Consumer Privacy Act (CCPA), 

“If they [companies] are not (operating properly) … I will descend on them and make an example of them, to show that if you don’t do it the right way, this is what is going to happen to you.” 

And while states can suffer from a lack of resources to investigate every company, the easiest way for regulators or authorities to become aware of vulnerabilities in an organization’s systems, and to test a company’s compliance with the applicable regulations, is a data breach. Companies must report a data breach in accordance with data breach notification laws, which exist in every state. It follows that once a company reports, the report will trigger an investigation. That investigation can, and oftentimes does, reveal gaps in regulatory compliance generally. 

What can an organization do to avoid these issues? First, get a regulatory impact assessment. The only way to know what regulations impact your business is to actually find out what regulations impact your business! Once your company knows this, take action. It is doing nothing that is the enemy, and potentially the liability. Gone are the days when organizations can simply stick their head in the proverbial sand. Data privacy and data security laws will simply not allow that position to stand. In the legal sphere we see a risk not just of regulatory actions, but of litigation as well. Class action lawsuits, like the one involving Banner, are becoming commonplace. We are at the dawn of a new era and companies need to be proactive, not reactive. Because, when it comes to avoiding regulatory penalties, luck favors the prepared! 

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.