With ongoing changes in the threat ecosystem and regulatory climate, employers need to be looking beyond the Health Insurance Portability and Accountability Act (HIPAA) and other traditional breach laws to prioritize the organization’s critical knowledge assets, according to data security attorneys who spoke at a recent American Bar Association (ABA) conference.
“The threat groups today are sophisticated, highly organized, and highly resourced,” according to Julie Grundman, an attorney with Kilpatrick Townsend & Stockton LLP. They include “hacktivists,” criminals, insiders, and now nation-states, Grundman said. “China was probably behind the Anthem breach,” although it is unclear why.
The focus of these attacks is shifting, added Kilpatrick Townsend attorney Jon Neiditz. “The market for personal information is somewhat saturated,” so cyber-attackers are increasingly targeting “high-value data,” he said. They also are “de-emphasizing malware because it’s detectable now; instead they’re going into the systems and living off the land.”
“This is a different paradigm than when HIPAA was developed,” continued Neiditz, a member of the editorial board for BLR’s Employer’s Guide to HIPAA Privacy Requirements. “You need to think about the crown jewels of your organization because those crown jewels are being targeted.”
“We’re dealing with lots of nation-state issues,” Neiditz said, as well as scams such as e-mails purporting to be from company executives requesting records such as Forms W-2. “They’re getting so old, but payroll departments are still falling for them,” he said.
Laws like California’s pioneering 2002 breach notification statute focused exclusively on the confidentiality of personal information, so many incident response plans didn’t involve lawyers in preparing for these other types of attacks, Neiditz said. Such “targeted attacks on the crown jewels” include the Sony breach, which disclosed “sensitive corporate information to embarrass the organization.”
The emergence of ransomware as “the winning criminal business model” calls for a new focus on incident response and business continuity, including data backup, Neiditz said. If a company does suffer a ransomware attack, deciding whether to pay the ransom should involve a lawyer, but that’s not in many response plans, he added.
If you have cyber-liability insurance, the insurer generally will pay for the ransom, Neiditz noted. “They don’t want you doing any heroics.”
The U.S. Department of Health and Human Services (HHS) has struggled to fit ransomware into the HIPAA scheme, because the law’s breach notification requirements adopted the “old-style breach” provisions of the California law, Neiditz said.
Because these rules do not apply to encrypted protected health information, HHS had to say that ransomware is only a reportable breach if the ransomware encryption breaks the covered entity’s own encryption, Neiditz continued. But in reality, “what do we want to know about more”—a routine information breach or a ransomware attack? In this instance, HHS is constrained by the statute from addressing the real harms.
New York Law
However, employers should keep an eye on New York state’s new cybersecurity rules for financial institutions, which require reporting within 72 hours of any breach of nonpublic information, including business information. This brings in ransomware and other “targeted attacks” on data availability and integrity, Neiditz said.
Because the New York rules extend to insurance companies, many group health plans’ insurers and third-party administrators will soon “be subject to very stringent requirements under these rules,” Neiditz added.
The New York law represents a trend toward more prescriptive cybersecurity regulation that may “open the floodgates,” Grundman said. To prepare, the National Institute of Standards and Technology’s cybersecurity framework is “a good place to start.” This document breaks cybersecurity activities down into five basic functions: identify, protect, detect, respond, and recover.
Grundman and Neiditz spoke September 26 in Arlington, Virginia, at the Health and Welfare Benefit Plans National Institute, sponsored by the ABA Joint Committee on Employee Benefits.
David A. Slaughter, JD, is a Senior Legal Editor for BLR’s Thompson HR products, focusing on benefits compliance. Before coming to BLR, he served as editor of Thompson Information Services’ (TIS) HIPAA guides, along with other writing and editing duties related to TIS’ HR/benefits offerings. Mr. Slaughter received his law degree from the University of Virginia and his B.A. from Dartmouth College. He is an associate member of the Virginia State Bar.
Questions? Comments? Contact David at firstname.lastname@example.org for more information on this topic.