Tag Archives: investigations

Smaller Healthcare Breaches to Receive More Attention from the OCR

The Office for Civil Rights (OCR) has been aggressive about enforcing HIPAA regulations this year. And we are likely to see the scope of their investigations widen.

Currently, the OCR investigates all reported breaches involving the Protected Health Information (PHI) of 500 or more individuals. Recent settlements have shown that the OCR is taking an interest in smaller breaches, and not only focusing on those making headlines.

The OCR announced they are starting to broaden their investigations to include breaches with fewer than 500 individuals. The initiative is focused on analyzing the root causes of smaller breaches.

When determining whether or not to investigate a breach affecting fewer than 500 individuals, the OCR will take several factors into consideration:

  1. The size of the breach,
  2. Theft or improper disposal of unencrypted PHI,
  3. Breaches involving unwanted intrusion to IT systems – i.e. hacking,
  4. The amount, nature, and sensitivity of the PHI involved, and
  5. Situations where numerous breach reports from a healthcare organization raise concern.

Key Takeaway

Organizations should approach every data breach or security incident as if it will lead to an investigation by the OCR. The OCR is lowering the bar and making each data breach a potential target for a regulatory investigation.

How the SEC Chooses its Cyber Investigations

“Are they going to investigate us?” That’s the biggest fear companies have when it comes to regulators. Deputy Director of the SEC’s Division of Enforcement, Stephanie Avakian, addressed this fear during the SEC Speaks conference when she explained how the SEC decides whether to investigate companies that suffer a cyber breach.

Companies can be hesitant to report cyber breaches thinking that will make them the next target of an investigation and enforcement action. With many regulators stepping up in cybersecurity enforcement, this is an understandable concern. But Ms. Avakian noted during her speech that companies that self-report cyber breaches will be looked upon favorably for cooperating.

The SEC’s expectations in responding to a cyber breach include:

  1. Assessing the situation,
  2. Addressing the problem, and
  3. Minimizing the damage.

To help ease the tension, the SEC says that their goals are in line with victim companies – protecting customer data and maintaining the normal operations of the financial system.

Key Takeaway

So what’s the skinny? Yes, the SEC can bring enforcement actions on companies that suffer cyber breaches and fail to protect customer data. However, the most common scenarios resulting in SEC enforcement actions are:

  1. Registrants suffer a cyber breach and fail to have policies and procedures in place to protect customer data, or
  2. Public companies have “significant” disclosure issues.

So that’s the gist… the main focus is on whether the victim has policies and procedures designed to protect customer data. At this point, it seems like a fundamental benchmark for companies across the board. And with public companies, it looks like the SEC isn’t looking to punish companies that make good-faith decisions about data privacy.

It’s time to dust off the policies about data privacy or review the ePlace sample policies available to you as part of your cyber insurance policy! To access the sample policies reach out to cyberteam@eplaceinc.com.

Five Important Changes to Canada’s PIPEDA

The Canadian government passed the Digital Privacy Act to amend the Personal Information Protection and Electronic Documents Act (PIPEDA) which governs the collection, use, and disclosure of personal information by private organizations in Canada. There are several important changes for Canadian organizations to take note of.

It’s also worth noting that these amendments expand the situations in which organizations are allowed to share personal information without consent. However, organizations should be aware that PIPEDA requires use or disclosure of personal information to be reasonable, and appropriate safeguards must be in place when personal information is transferred from one entity to another.

1. Data breach notification requirements

PIPEDA now includes data breach notification requirements that will come into effect at a later date to be announced. Organizations affected by a data breach will be required to disclose the incident to the Office of the Privacy Commissioner of Canada (OPC) and to affected individuals when a reasonable expectation of harm exists as a result of the breach. Violations may result in fines up to C$100,000. Additionally, the OPC will be able to publicize data breaches as they see fit.

2. Sharing personal information during business transactions

Organizations are now allowed to use and disclose personal information without consent in situations where it is necessary to determine whether or not to proceed with a business transaction. This does not apply when the purpose of the transaction is to buy, sell, or lease personal information. And if the transaction is not completed, all personal information must be returned or destroyed within a reasonable amount of time.

3. Notice required for using employee information

Federal works, undertakings, or businesses (FWUBs) are now allowed to collect, use, and disclose the personal information of an individual without his or her consent in situations where it’s necessary in order to establish, maintain, or terminate an employment relationship with that individual. However, the FWUB is required to inform the individual of the purpose of the collection, use, and disclosure.

4. Sharing personal information during investigations

Organizations are now allowed to disclose personal information to another organization without consent when it is reasonable for the purposes of investigations relating to a breach of agreement or Canadian law and when it is reasonable to expect that obtaining consent from the individual would compromise the investigation.

5. OPC enforcement actions include compliance agreements

The OPC now has the authority to enter into compliance agreements with organizations where they believe an organization is likely to violate PIPEDA. Compliance agreements are voluntary for organizations and can be entered with the intent to demonstrate a commitment to privacy protection.

SEC Cybersecurity Investigations: How-to-Guide

Hunton & Williams LLP partners Lisa Sotto, Scott Kimpel, and Mathew Bosher published an article in Westlaw Journal’s Securities Litigation & Regulation entitled SEC Cybersecurity Investigations: A How-to-Guide. The article outlines the Securities and Exchange Commission’s (SEC) expanding role in cybersecurity regulation and enforcement.

Here are a few of the tips mentioned for surviving the SEC’s investigative process:

  • React swiftly after receiving an informal inquiry or subpoena. The timing and attentiveness of an organization’s response can help present a proactive approach.
  • Take action to preserve documents and information after hearing from SEC staff. A surefire way to hurt yourself in the investigation is failing to preserve documents or information that the staff may deem relevant.
  • Request access to and a copy of any subpoena or a formal order.
  • Consider the pros and cons to disclosing the investigation to investors.
  • Request to view the staff’s investigative file when there is a Wells notice. Sometimes the staff will allow organizations’ counsel to review documents or testimonies.
  • During the Wells process, request to meet with enforcement staff senior leadership. This will give your organization a chance to find out the senior staff’s theories of potential liability and make the best case for why an investigation should be dropped without enforcement action.

Organizations under SEC jurisdiction should be aware of the expanding oversight the SEC is taking in cybersecurity issues. Enforcement of federal security laws is expected to increase and could cover data breaches along with basic failures to establish adequate information security programs.