What the Wyndham v. FTC Ruling Means to You – Prepare to Get Wynded

On August 24, 2015, the US Court of Appeals for the Third Circuit ruled that the Federal Trade Commission (“FTC”) can sue a company under its Section 5 unfairness authority for failing in its duty to protect its clients’ data, even when the data is actually taken through the criminal acts of a third party. This is a remarkable shift in both power and scope for the FTC.

The case grew out of Wyndham repeatedly failing to protect the payment card data of roughly 619,000 consumers. The FTC alleged that between 2008 and 2009 hackers breached Wyndham’s network and stole data three times, each time using compromised administrator credentials and exploiting network vulnerabilities. Many business leaders, congressmen, and legal pundits are criticizing the case as an overstep of authority; read these highlights of what the FTC says passed for Wyndham’s cybersecurity handbook and decide for yourself:

  1. PCI Compliance – None; credit card data was stored in clear text.
  2. Password Policy for Network Components – None; default user IDs and passwords were permitted (an actual login for a Micros Systems property management system: ID “micros”, password “micros”).
  3. Network Password Policy – None; default IDs and passwords were permitted.
  4. Network Hardware Security – None; firewalls were not used to limit access between the hotels’ property management systems, the corporate network, and the Internet.
  5. Network Components – No inventory or asset tracking system was used.
  6. Patch Policy – Unpatched operating systems were permitted, some without security updates in three (3) years.
  7. IP Restrictions – None; Wyndham did not restrict access by IP address at all.
  8. Network Intrusion Detection Policy – None; the second and third attacks went undetected until consumers notified Wyndham.
  9. Incident Response Policy – None; Wyndham failed to close the security gaps after the first and second attacks.

What’s amazing is that these practices remained in place after not one but two large-scale hacking events that compromised the data of hundreds of thousands of people. The nine points above reflect the state of Wyndham’s data security after the third breach. It appears that after each attack Wyndham decided to carry on with business as usual and make no changes or improvements to its cybersecurity infrastructure.

What’s Next

As of the date of the ruling, companies are officially on notice that the FTC has the authority to go after companies that fail to be good stewards of our data (note: the court found that companies were already on notice before this case). Watch in the coming months for further updates as the FTC pursues its case against Wyndham; odds are more is yet to come.

The question on everyone’s mind is: what security measures should I employ to stay clear of the FTC’s wrath? Fortunately for us, in June 2015 the FTC published its own plain-language data security guidance, “Start with Security: A Guide for Business.” The document distills the ten most important data security lessons drawn from the FTC’s 50+ data security settlements. Here is my rundown on Data Security Standards in a Post-Wyndham v. FTC World over at Tripwire – State of Security.

Once you’ve read the above, work with your IT and legal departments to audit your data security policies and procedures with an eye towards the FTC’s ten lessons.

Prepare now, or get wynded later.

/s/ HH @LegalLevity

Anthem HIPAA Breach

Unless you have been hiding from the television, the internet and smoke signals, you have heard something about the recent data breach at Anthem. On February 5, 2015, initial reports surfaced of a massive consumer data breach. The first few articles put the number of affected individuals just north of 40 million; more recent reports double that number.

So far, Anthem has identified the following information as compromised: Name, Date of Birth, Social Security Number, Medical ID, Home Addresses, E-mail Addresses, Employment Information and Income Data. In a remarkably quick response, Anthem posted this letter to its members (past and present) at anthemfacts.com:

“To Our Members, Safeguarding your personal, financial and medical information is one of our top priorities, and because of that, we have state-of-the-art information security systems to protect your data. However, despite our efforts, Anthem was the target of a very sophisticated external cyber attack. These attackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data. Based on what we know now, there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised…”

For those affected directly by the breach, many received personal notices from Anthem and/or their employer. Here is one of those letters:

“As you may have heard in the news, Anthem was recently the target of a cyber attack.

 While we don’t yet know if our employees’ personal information was involved, we do know that the attackers obtained information from as many as 80 million of Anthem’s current and former members, including:

  • Names
  • Birthdays
  • Medical IDs/Social Security numbers
  • Street addresses
  • Email addresses
  • Employment information, including income data

According to Anthem there is no evidence, at this time, that credit card or medical information was compromised.

  • If your information was accessed, Anthem will individually notify you via mail or email (if possible).
  • Anthem will provide credit monitoring and identity protection services free of charge.
  • You can access information as it becomes available on this website: www.AnthemFacts.com or via this toll-free number: 1-877-263-7995.

I’m passing along information from the Better Business Bureau web site that addresses data breach situations. The BBB offers some great suggestions and advice – many of these items were discussed during the seminar today.

 http://www.bbb.org/council/news-events/consumer-tips/2015/02/bbb-advice-on-what-to-do-after-a-data-breach-compromises-your-identity/ “

Somewhat amazingly, not only was member information exposed, but Anthem employee data was stolen as well. That raises the question of why client and employee data sat on the same system, or on mutually accessible systems. Further, why weren’t these databases encrypted? Encryption would have done a great deal for Anthem in this breach. It is not a cure-all: disk-level or transparent database encryption only protects against theft of the storage itself, and an attacker who walks in with valid database or application credentials reads the decrypted data just as a legitimate user would. But encryption applied at the field level, with the key held outside the database, at a minimum ensures that a bulk copy of the table is not handed over in an easily readable format.
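To make the encryption point concrete, here is an added example of field-level encryption in Go. It is my illustration, not Anthem’s code and not from the original post, and it assumes a hypothetical members table (modelled as a Go map), a hard-coded demo key (a real deployment would fetch it from a KMS or HSM), and an attacker who holds database credentials but not the application key. The SSN column is sealed with AES-256-GCM before it is written, the ciphertext is bound to its row ID so it cannot be transplanted into another member’s row, and a bulk dump of the column yields nothing but ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// MemberRow models one row of a hypothetical members table. Only the SSN is
// encrypted here; in practice every field that makes the record PHI would be.
type MemberRow struct {
	ID   int
	Name string
	SSN  []byte // nonce || AES-GCM ciphertext; plaintext never reaches the table
}

// MemberTable stands in for the database table. From an attacker's point of
// view it behaves like the real thing: database credentials read every row.
// What they do not yield is the key, which lives in the application tier.
type MemberTable map[int]MemberRow

// FieldEncryptor wraps the application-held AES-256-GCM key.
type FieldEncryptor struct{ aead cipher.AEAD }

func NewFieldEncryptor(key []byte) (*FieldEncryptor, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldEncryptor{aead: aead}, nil
}

// aad binds a ciphertext to table, column and row, so a ciphertext copied
// from one member's row will not decrypt in another member's row.
func aad(rowID int) []byte { return []byte(fmt.Sprintf("members.ssn:%d", rowID)) }

// Seal encrypts one field under a fresh random nonce, stored in front of the
// ciphertext so each stored value is self-describing.
func (f *FieldEncryptor) Seal(rowID int, plaintext string) ([]byte, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return f.aead.Seal(nonce, nonce, []byte(plaintext), aad(rowID)), nil
}

// Open reverses Seal and fails closed on truncation, tampering, a wrong key
// or a wrong row binding: GCM's authentication tag covers all four.
func (f *FieldEncryptor) Open(rowID int, stored []byte) (string, error) {
	ns := f.aead.NonceSize()
	if len(stored) < ns {
		return "", errors.New("stored value too short to be a sealed field")
	}
	pt, err := f.aead.Open(nil, stored[:ns], stored[ns:], aad(rowID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// InsertMember is the application's write path: encrypt, then store.
func InsertMember(t MemberTable, enc *FieldEncryptor, id int, name, ssn string) error {
	ct, err := enc.Seal(id, ssn)
	if err != nil {
		return err
	}
	t[id] = MemberRow{ID: id, Name: name, SSN: ct}
	return nil
}

// LookupSSN is the application's read path: fetch, then decrypt with the key.
func LookupSSN(t MemberTable, enc *FieldEncryptor, id int) (string, error) {
	row, ok := t[id]
	if !ok {
		return "", errors.New("no such member")
	}
	return enc.Open(id, row.SSN)
}

// DumpSSNColumn models "SELECT id, ssn FROM members" run with stolen database
// credentials but no application key: hex ciphertext per row, nothing more.
func DumpSSNColumn(t MemberTable) map[int]string {
	out := make(map[int]string, len(t))
	for id, row := range t {
		out[id] = hex.EncodeToString(row.SSN)
	}
	return out
}

func main() {
	// Constructed demo key and member data; not real values.
	enc, err := NewFieldEncryptor([]byte("0123456789abcdef0123456789abcdef"))
	if err != nil {
		panic(err)
	}
	members := MemberTable{}
	_ = InsertMember(members, enc, 1, "A. Member", "123-45-6789")
	_ = InsertMember(members, enc, 2, "B. Member", "987-65-4321")
	fmt.Println("credential dump sees:", DumpSSNColumn(members))
	ssn, _ := LookupSSN(members, enc, 1)
	fmt.Println("application recovers:", ssn)
	// Copying row 1's ciphertext into row 2 fails because of the row binding.
	members[2] = MemberRow{ID: 2, Name: "B. Member", SSN: members[1].SSN}
	_, err = LookupSSN(members, enc, 2)
	fmt.Println("transplanted ciphertext rejected:", err != nil)
}
```

The design choice worth noting is where the key lives: the database never sees it, so a compromise of database credentials alone, the scenario transparent encryption does not cover, produces only ciphertext. Key management (rotation, access logging, separation of the key service from the data tier) is the real work and is outside this snippet.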

Even more confounding than the facts leading up to the breach is the misinformation being pushed out by the media. Several articles have stated that the leaked information is not PHI, on the logic that since the data itself is not medical information it cannot be PHI. This is incorrect.

According to HHS:

“Protected health information is information, including demographic information, which relates to:

  • the individual’s past, present, or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. Protected health information includes many common identifiers (e.g., name, address, birth date, Social Security Number) when they can be associated with the health information listed above.”

The key phrase in the first sentence is “demographic information.” Contrary to common opinion (including the media’s), demographic information held by a covered entity about the people it covers is PHI: a health plan’s membership record is, by itself, information about the provision of and payment for health care. This is confirmed by the last sentence of the definition, which states that “Protected health information includes many common identifiers (e.g., name, address, birth date, Social Security Number)” when they can be associated with that health information.

Despite the media misconceptions, the data breached at Anthem is PHI and subject to the fines and sanctions imposed under HIPAA. HIPAA’s protections apply to PHI held by covered entities and their business associates, and HIPAA defines a covered entity as 1) a health care provider that conducts certain standard administrative and financial transactions in electronic form; 2) a health care clearinghouse; or 3) a health plan. Anthem, as a health plan, is squarely a covered entity.

Under HIPAA, civil penalties range from $100 to $50,000 per violation. The tier depends on whether the entity knew of the security gap, whether it acted on it, and whether the failure to address it amounted to willful neglect. Penalties are capped at $1.5 million per calendar year for all violations of an identical provision. Assuming OCR finds that 1) Anthem failed to safeguard the data and 2) there was an impermissible use or disclosure, the statutory penalties would cap out at $1.5 million for each of those two provisions, for a total of $3 million.

While this represents the maximum that could be levied as a statutory penalty, it does not include the costs of credit monitoring and notification. Those generally run about $100 per affected person, which at 80 million people comes to $8 billion. Even conservatively, then, the potential HIPAA-related penalties and administrative costs for Anthem could exceed $8 billion. Add the class action lawsuits for negligence and state-mandated penalties and fines, and Anthem is staring down the barrel of a very serious problem.

Let’s take a minute to appreciate the size of those potential costs. Anthem brought in $74 billion in revenue last year. Of that, $69 billion went to medical costs and operating expenses, leaving roughly $5 billion of profit for 2014. Even on a conservative estimate, then, the administrative costs and fines could far surpass Anthem’s annual profit, and that is before counting investor losses, client flight, or the loss of credibility. This is shaping up to be not only the largest HIPAA breach on record but also a gargantuan financial cost. It also bears mentioning that this is not Anthem’s first large-scale HIPAA breach. In 2009-2010, when the company was still WellPoint, over 230,000 individuals had their PHI compromised through a known security flaw that was not patched; that breach ended in a $1.7 million settlement with HHS.

Takeaways: While we are still in the early days of this breach, the early information looks startlingly poor. Anthem, one of the largest health insurers in the country, appears to have failed yet again at securing its data. Given the severity of the consequences and its prior breach, it is a wonder it is here again. Prior planning and up-to-date security measures are only the beginning of securing electronic PHI. Companies must adopt practices such as segmenting data stores (the silos that were apparently missing here), hardening devices, and managing credentials robustly if they want to prevent the kind of breaches we keep hearing about in the news.

/s/ HH @LegalLevity