
The Security Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) does not require that Electronic Protected Health Information (EPHI) be encrypted. Encryption of EPHI is not mandatory; it is an addressable specification, meaning that an entity must assess whether it is reasonably required in its particular circumstances. The HIPAA Security Rule is codified at 45 CFR 164.312, which sets down four guidelines for the security of patient data.

1. Unique user IDs must identify who accesses EPHI. Implementing this measure is required.

2. There must be a procedure for accessing EPHI in an emergency. Implementing this measure is required.

3. Automatic logoff can terminate access to EPHI after a period of inactivity. Entities must address whether or not this measure is necessary.

4. Encryption is an addressable measure.

It is also necessary to address whether security audits are needed to detect the improper alteration or disposal of EPHI.
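The safeguards listed above are easier to reason about when they are seen as concrete mechanisms rather than checklist items. The following is an added illustration, not code from the original post and not a reference implementation of the rule: a small in-memory store that binds every access to a unique user ID, terminates idle sessions, offers a logged break-glass path for emergency access, and uses an HMAC integrity tag so that out-of-band alteration of a record is detected and audited. The class name, the 15-minute idle timeout, the user and patient identifiers and the sample data are all constructed for the example. Encryption, the addressable fourth specification, is left out here because it needs a cryptographic library beyond the standard library.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy value: terminate a session after 15 minutes without activity.
IDLE_TIMEOUT_SECONDS = 15 * 60


class EphiStore:
    """Toy in-memory EPHI store (constructed for illustration, not a real product)."""

    def __init__(self, integrity_key: bytes, clock=time.time):
        self._key = integrity_key     # HMAC key used to tag records
        self._clock = clock           # injectable clock so timeouts can be tested
        self._records = {}            # patient_id -> (data, hmac tag)
        self._sessions = {}           # token -> {"user": user_id, "last": timestamp}
        self.audit_log = []           # (timestamp, user_id, event, detail)

    def _audit(self, user_id, event, detail=""):
        # Audit controls: every access is recorded against a user ID.
        self.audit_log.append((self._clock(), user_id, event, detail))

    def _tag(self, patient_id, data):
        msg = patient_id.encode() + b"\x00" + data
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def login(self, user_id):
        # Unique user identification: a session is bound to exactly one user ID.
        token = secrets.token_hex(16)
        self._sessions[token] = {"user": user_id, "last": self._clock()}
        self._audit(user_id, "login")
        return token

    def _session_user(self, token):
        session = self._sessions.get(token)
        if session is None:
            raise PermissionError("no such session")
        # Automatic logoff: an idle session is terminated rather than renewed.
        if self._clock() - session["last"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]
            self._audit(session["user"], "auto_logoff")
            raise PermissionError("session expired after inactivity")
        session["last"] = self._clock()
        return session["user"]

    def write(self, token, patient_id, data):
        user = self._session_user(token)
        self._records[patient_id] = (data, self._tag(patient_id, data))
        self._audit(user, "write", patient_id)

    def read(self, token, patient_id):
        user = self._session_user(token)
        return self._read_checked(user, patient_id)

    def emergency_read(self, user_id, patient_id, justification):
        # Emergency access procedure: a break-glass path that needs no live
        # session but is still attributed to a named user and always logged.
        self._audit(user_id, "emergency_access", f"{patient_id}: {justification}")
        return self._read_checked(user_id, patient_id)

    def _read_checked(self, user, patient_id):
        data, tag = self._records[patient_id]
        # Integrity check: a mismatched tag means the record was altered
        # outside the write() path; the failure itself is audited.
        if not hmac.compare_digest(tag, self._tag(patient_id, data)):
            self._audit(user, "integrity_failure", patient_id)
            raise ValueError("record altered")
        self._audit(user, "read", patient_id)
        return data

    def events(self):
        """Return the audit trail as (user_id, event) pairs, in order."""
        return [(user, event) for _, user, event, _ in self.audit_log]


def demo(clock_start=1_000.0):
    """Walk the constructed store through a normal session, an idle logoff,
    a break-glass read and a tampered record; return the audit events."""
    now = [clock_start]
    store = EphiStore(b"constructed-demo-key", clock=lambda: now[0])
    token = store.login("nurse01")
    store.write(token, "patient-42", b"constructed sample chart")
    assert store.read(token, "patient-42") == b"constructed sample chart"
    now[0] += IDLE_TIMEOUT_SECONDS + 1          # session sits idle too long
    try:
        store.read(token, "patient-42")
    except PermissionError:
        pass
    store.emergency_read("oncall-md", "patient-42", "ER admission, no session")
    data, tag = store._records["patient-42"]   # simulate out-of-band alteration
    store._records["patient-42"] = (data + b"!", tag)
    try:
        store.emergency_read("oncall-md", "patient-42", "follow-up")
    except ValueError:
        pass
    return store.events()


if __name__ == "__main__":
    for user, event in demo():
        print(f"{user:10s} {event}")
```

Running the script prints the eight audit events in order: the nurse's login, write and read, the automatic logoff once the session has sat idle past the timeout, the physician's logged emergency read, and finally the emergency read that fails because the record's integrity tag no longer matches. The point of the design is that every branch, including the failures, leaves an entry attributed to a user ID, which is what an audit of improper alteration depends on.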

Apr 18, 2018

FedRAMP provides cloud security standards for federal agencies, cloud service providers, and third-party assessment organizations (3PAOs). The Federal Risk and Authorization Management Program is a joint project of the Office of Management and Budget, the Department of Defense, the Department of Homeland Security, the General Services Administration, the Chief Information Officer Council, and the National Institute of Standards and Technology.

The FedRAMP documentation web page has an Excel spreadsheet which lists the baseline security controls.

There are 17 areas to focus on:

1. ACCESS CONTROL

2. AWARENESS AND TRAINING

3. AUDIT AND ACCOUNTABILITY

4. SECURITY ASSESSMENT AND AUTHORIZATION

5. CONFIGURATION MANAGEMENT

6. CONTINGENCY PLANNING

7. IDENTIFICATION AND AUTHENTICATION

8. INCIDENT RESPONSE

9. MAINTENANCE

10. MEDIA PROTECTION

11. PHYSICAL AND ENVIRONMENTAL PROTECTION

12. PLANNING

13. PERSONNEL SECURITY

14. RISK ASSESSMENT

15. SYSTEM AND SERVICES ACQUISITION

16. SYSTEM AND COMMUNICATIONS PROTECTION

17. SYSTEM AND INFORMATION INTEGRITY

Each of the 17 areas, or control families, contains multiple controls. For example, the Personnel Security family contains the following controls:

1. PERSONNEL SECURITY POLICY AND PROCEDURES

2. POSITION RISK DESIGNATION

3. PERSONNEL SCREENING

4. PERSONNEL TERMINATION

5. PERSONNEL TRANSFER

6. ACCESS AGREEMENTS

7. THIRD-PARTY PERSONNEL SECURITY

8. PERSONNEL SANCTIONS

There is a specific description for each control. For example, under Position Risk Designation, an organization should apply different screening procedures to people occupying positions that carry different risk designations.

On March 26, 2018, Judge Martin Reidinger issued a decision in Curry v. Schletter, 1:17-cv-0001-MR-DLH, 2018 U.S. Dist. LEXIS 49442 (W.D.N.C.). The case concerned a suit brought against a business by its former employees. The business required its employees to disclose personal identifying information as a condition of employment. The defendant fell victim to a scam it had notice of: Business Email Compromise. The employees' 2015 W-2 tax information was sent to an unauthorized party in response to a phishing email.

Judge Reidinger noted Schletter, Inc.'s failure to provide its employees with training in cyber security and information transfer protocols. It did not follow best practices and industry standards concerning computer security. The plaintiffs were not informed of the data disclosure promptly, nor told the extent of the breach.

The court denied a motion to dismiss the plaintiffs' negligence and breach of implied contract claims, finding that both causes of action had been adequately stated. "At the heart of both causes of action is the Plaintiffs' assertion that the Defendant, as their employer, had a duty to safeguard and protect the confidential information provided by their employees. Whether such duty arose from the parties' employment contract or from other source remains to be determined from the facts and evidence to be presented." Id. at 10-11. It also declined to dismiss an invasion of privacy claim. "The Plaintiffs have sufficiently pled allegations to plausibly allege that the Defendant's actions would be highly offensive to the reasonable person, thus constituting an 'intrusion' necessary to sustain a claim for invasion of privacy under North Carolina law." Id. at 12-13.

The plaintiffs' breach of fiduciary duty claim was dismissed, because under North Carolina law such a duty does not arise in an employer/employee relationship.

The plaintiffs also brought causes of action under The Uniform Deceptive Trade Practice Act and the North Carolina Identity Theft Protection Act which bar the intentional disclosure by a business of social security numbers to the general public. The decision states that, "it is not implausible that the Defendant's actions in responding to this phishing scam effectively made the Plaintiffs' Social Security numbers 'available to the general public.'" Id. at 15-16.

Crucially, Judge Reidinger declined to dismiss the UDTPA and NCITPA claims on the basis of the defendant's argument that its actions were not intentional. He drew a distinction between unintentional data breaches and data disclosures:

"As the Plaintiffs cogently set out in their brief, this was not a case of a data breach, wherein a hacker infiltrated the Defendant's computer systems and stole the Plaintiffs' information, but rather was a case of data disclosure, wherein the Defendant intentionally responded to an email request with an unencrypted file containing highly sensitive information regarding its current and former employees. Based on these allegations, the Plaintiffs have sufficiently alleged that the Defendant acted with the requisite intent in communicating this information." Id. at 16.

Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco. He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.


© 2015 by Sean O'Shea . Proudly created with Wix.com
