The Changing Landscape of Consumer Privacy in Cybersecurity Law
By Shaun G. Jamison, Associate Dean of Faculty
You do not need to read obscure journals to be inundated with information about the latest cybersecurity issues. Just turn on the news and you will hear about the latest ransomware attack, a multimillion-dollar payout by a retailer for a security breach, interference in elections, stolen credit card rings, government surveillance, and more.
Protecting privacy is a core issue in the cybersecurity space—particularly in industries like health care where patient data needs to be secured and protected. This article discusses the role of privacy in the cybersecurity sector and recent changes to the law to help ensure personal data is protected.
Cybersecurity Privacy Issues in Health Care
Health information is particularly sensitive, as it can affect one’s employment, insurance, and standing with loved ones and the community in general. President Franklin D. Roosevelt famously hid his disability (he used a wheelchair as a result of polio) from the American public; how might they have reacted had they known sooner the condition of his health? How might an employer react if they discover a key employee has a chronic health condition? How might the public react to an elected official with previously undisclosed mental health issues? Suffice it to say that most people have no desire to have their health condition made public, regardless of whether their condition is serious or not.
There are two main federal laws applicable to health care privacy. They are HIPAA (Health Insurance Portability and Accountability Act of 1996) and HITECH (Health Information Technology for Economic and Clinical Health Act of 2009). While health care privacy was always a concern, now that health care has modernized with electronic records, it is no longer necessary to have access to the physical location to see someone’s records. Thus, federal law requires those in possession of health care records to safeguard them against disclosure and to report breaches under certain circumstances.
An electronic health record of a person is categorized as protected health information, or PHI, and is required to be protected. Federal statutes and regulations set forth the requirement for safeguarding the information whether the health care provider has custody of the information or has provided it to a vendor.
Under HIPAA, if you possess PHI, you must report if PHI is acquired or accessed, unless you can show a low likelihood that the PHI has been compromised. In that event, you would notify the Secretary of Health and Human Services, the affected individuals, and, if 500 or more persons are affected, the media. If you are part of a publicly traded entity, there will be obligations for disclosure of a breach under the Gramm-Leach-Bliley Act (GLBA) as well. You also likely have obligations under relevant state laws and need to comply with them.
If the data was already encrypted by you according to the appropriate standards, then it is highly unlikely the data could be accessed in recognizable form, and you will not need to conduct an analysis to determine whether reporting is required. If the PHI was not encrypted on the system, you must conduct an analysis to determine whether it was accessed. If it was, notification procedures must be followed.
As you can imagine, the interaction of statutes, regulations, and cybersecurity standards quickly becomes complex. Many health care organizations will necessarily seek the assistance of legal counsel, so having lawyers with cybersecurity law knowledge is essential. However, not every situation warrants a practicing attorney, and health care and information technology professionals with advanced legal training will be key players in reducing the risk of cyberattacks, enforcement actions for breaches, and liability to consumers impacted by breaches in their privacy.
Concord Law School has the Executive Juris Doctor℠ (EJD℠) degree with program options for Law & Technology as well as Health Care Law. The EJD program is a rigorous law degree for professionals who do not want a license to practice law but want the knowledge and skills of an attorney. The program may be completed part time in 3 years. EJD graduates can use their training to enhance current positions, move into new jobs, or manage outside counsel—and thus legal costs—more effectively.
Ransomware—a Threat Across Industries
Regardless of the industry, the escalation of ransomware attacks threatens both the privacy and security of information. Ransomware is malware that infects your system and encrypts data so you cannot access it. The attacker then demands a ransom in exchange for a key to release the data. The ransom is normally paid in a cryptocurrency like Bitcoin, which makes tracing the payments to catch the perpetrator very difficult. While the threat is normally that you will lose access to your data, variations may include the destruction of the data or the extraction and sharing of the information.
Ransomware attacks increased from 1,000 attacks a day in 2015 to 4,000 attacks a day in 2016. It is estimated that criminal enterprises made $1 billion from ransomware in 2016.* With this kind of success, it is likely the attacks will grow in frequency and sophistication.
Businesses of all kinds are more likely to be targets of ransomware than individuals, as they will typically be willing to pay more to regain access to their data. Industries that work with highly sensitive data, such as health care providers and law firms, have been particularly prone to attacks. Yet individuals are also subject to attack, so each computer user needs to know how to prevent successful attacks. With the rapid growth of ransomware, it is not a question of if you will be attacked, but when and how successfully.
Lessening the impact of ransomware requires a cooperative effort between information technology (IT), legal, and other departments. A major challenge is proper funding for information security efforts. While we often think first of building defenses such as firewalls, detecting and removing malware, limiting and auditing access, and training staff and developing procedures are just as important.
People are the “soft center” of cybersecurity. Technological defenses are very useful but can be defeated by untrained, careless, or greedy employees. Treating employees well and properly training them to avoid cybersecurity threats can go a long way toward stopping ransomware attacks.
Credit Card Information
Breaches of companies’ credit card data are so common now that we are no longer surprised. We should at least be alarmed, though, as these thefts of credit card information are a significant source of liability for companies and can create financial problems for the individuals with stolen information. Knowing and applying the best standards of cybersecurity is essential, as is having solid documentation and procedures. In the event of a breach, competent legal knowledge is essential. Prior to a breach, an active and functioning compliance program will help prevent or lessen the impact of the breach.
Losses to companies for breaches can run in the millions of dollars. Individuals with stolen information may rack up debts, suffer ruined credit, and even have to defend against undeserved criminal charges.
Opportunities in the Cybersecurity Legal Field
EJD Law and Technology track graduates of Concord Law School at Kaplan University may work in compliance, policy development, and breach response. Juris Doctor students who become licensed attorneys† will have additional opportunities with privacy litigation, breach of contract, and cyber insurance disputes. Graduates already in the IT security field may enhance their responsibilities with their advanced knowledge of the law and legal research. These are just a few examples of opportunities in the cybersecurity legal field.
Cybersecurity is a rapidly growing field, and with it there is a need for legal professionals who are conversant with technology. If you want to practice law in California, consider a Juris Doctor degree. If you want to acquire legal skills, but not necessarily practice law, consider an EJD degree.
Shaun G. Jamison is Associate Dean of Faculty at Concord Law School at Kaplan University. He teaches Cyberlaw, Legal Research, and the Future of Law Practice and provides commentary to the media on emerging issues such as ransomware and social media.
*Maria Korolov, “Ransomware took in $1 billion in 2016—improved defenses may not be enough to stem the tide,” http://www.csoonline.com/article/3154714/security/ransomware-took-in-1-billion-in-2016-improved-defenses-may-not-be-enough-to-stem-the-tide.html (January 5, 2017).
†Concord Law School cannot guarantee employment or career advancement. Note that JD program graduates do not qualify to take the bar exam or to be admitted to practice law in jurisdictions outside of California without additional experience, education, or petition.