
Mehmet Munur, (614) 360-2065, [email protected]
Dino Tsibouris, (614) 360-1160, [email protected]

Information Security and Electronic Discovery

Trends for 2010

• Increased federal and state regulation of information security
• Increased enforcement
• Increased costs to resolve a breach
• Increased “compliance complexity” as technology changes

Examples

• HITECH Act - Amendments to HIPAA by the Stimulus Act
• Increased business associate requirements
• Enforcement actions under HITECH
• Managing protected health information in the cloud

HITECH ACT

Amends HIPAA
• New breach notification rules
• New penalties
• Increased levels of minimum security
• State AG enforcement
• Business associates must comply

HITECH ACT

Amends HIPAA
• Covered entity must notify persons if a breach occurs
• Must notify DHS for publication if over 500 persons
• Vendors of PHR must notify individuals if breached

HITECH ACT

Business Associate Requirements
• Must comply with Security Rule regarding administrative, physical, and technical safeguards
• Develop policies
• Designate a security official
• Enforcement

HITECH ACT

Business Associate Requirements
• If your covered entity violates your BAA, you are violating HIPAA
• Must cure breach, terminate, or report to DHHS

HITECH ACT

Business Associate Requirements
• Does your contract allow for amendment to comply with changes in the law?
• Sample DHHS OCR contractual clause requires parties to amend to address changes in law

HITECH ACT

Business Associate Requirements
• If you have a breach, must notify HIPAA-covered entity
• Covered entity must then notify individuals

HITECH ACT

Penalties
• Tier A – inadvertent - $100 per violation up to $25,000/yr
• Tier B – reasonable cause, not “willful neglect” - $1,000 per violation up to $100,000/yr

HITECH ACT

Penalties
• Tier C – “willful neglect” ultimately corrected - $10,000 per violation up to $250,000/yr
• Tier D – “willful neglect” uncorrected - $50,000 per violation up to $1.5 M/yr

Connecticut Health Net Enforcement

Connecticut Attorney General - HIPAA
• Lost portable computer disk drive
• Involves privacy of 446,000 Connecticut enrollees
• Health information, social security numbers, and bank account numbers
• Failed to notify on time

Connecticut Health Net Enforcement

Health Net failed to
• Ensure the confidentiality and integrity of electronic protected health information
• Implement technical policies and procedures for electronic information systems
• Implement policies and procedures that govern the receipt and removal of hardware and electronic media

Connecticut Health Net Enforcement

Health Net failed to
• Implement policies and procedures to prevent, detect, contain, and correct security violations
• Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents
• Effectively train all members of its workforce

Medical Data in the Cloud

• Data stored in the cloud more and more frequently
• Third-party contractors more common
– Security and background checks for companies a necessity
– Conduct audits or obtain results
– Ownership of data
– Prohibiting sales to others
– Return in appropriate format

HIPAA - Employee Snooping

• UCLA employee
• Accesses system 323 times in 3 weeks
• Snoops on celebrity medical records
• Similar incident in 2008
• UCLA reveals that 165 employees improperly viewed files in 13 years
• 15 fired for viewing octuplet mom’s records

Countrywide Breach

• Countrywide Financial Services
• Former employees
• Downloaded and sold customer data
• Every week for 2 years
• 19,000 individuals notified of breach
• Class action settles for over $10 million

Massachusetts Data Security Regulations

• Creates duty to protect personal data
• Applies to the personal information of MA residents
• Sophistication of safeguards increases with size and scope of business
• Requires encryption for transmission of personal data over public networks
• Effective date March 1, 2010

Electronic Discovery

• Overview of Electronic Discovery

• Sanctions

• Requirements for Compliance

• Zubulake Revisited

• Case Examples

Electronic Discovery

• Basics of Electronic Discovery
– Electronically Stored Information (ESI) is potentially discoverable
– Proportionality test
– Obligation to preserve
– Pending or threatened litigation
– Primary source should be active data
– Costs usually borne by producing party

Electronic Discovery

• Sanctions usually require:
– Clear duty to preserve
– Culpable failure to produce and preserve relevant ESI
– Reasonable probability of material prejudice due to loss of ESI

E-Discovery Sanctions

• Monetary sanctions
– Shifting or awarding discovery costs, fines
• Adverse inference or inability to use affirmative defense
• Terminating sanctions or default judgment

Electronic Discovery

• Compliance requires:
– Records retention policies and procedures
– Litigation hold procedures
– IT policies, procedures, and systems for
  • Preservation and collection
  • Search
  • Production
  • Destruction

Zubulake Revisited

• When the duty to preserve has attached, the following failures constitute gross negligence: failure to
– Issue a written litigation hold
– Identify all of the key players and to ensure that their electronic and paper records are preserved
– Cease the deletion of email or to preserve the records of former employees that are in a party's possession, custody, or control
– Preserve backup tapes when they are the sole source of relevant information or when they relate to key players, if the relevant information maintained by those players is not obtainable from readily accessible sources

Pinstripe Inc. v. Manpower Inc.

• Defendant failed to distribute litigation hold notice
• Possibly relevant emails destroyed
• 700 emails recovered from recipients
• Significant cost to defendant + $30K to outside vendor
• Court finds lack of intentional conduct
• Court awards sanctions of $2,500

Southeastern Mechanical Services v. Brody

• Plaintiff SMS alleges spoliation for deleted laptop and Blackberry data
• Defendant argues that laptop emails were stored on server
• Blackberries wiped
• Blackberries contained data other than emails
• Blackberries contained data before being synchronized with the server

Southeastern Mechanical Services v. Brody

• Court finds bad faith in deletion of Blackberry data

• Lack of email, text messages, telephone records was suspicious

• Court finds employees, not the corporations, culpable

• Court issues adverse inference

Arista Records v. Usenet

• Copyright infringement case
• 7 hard-drives wiped
• Employees sent abroad on vacations
• Employees allowed to take laptops with them
• Failing to preserve email
• Court finds bad faith, but declines to award default judgment
• Instead, court takes away affirmative defense

Lawson v. Sun Microsystems

• Defendant produces hard-drive
• ESI includes privileged documents and password protected documents
• Plaintiff accesses privileged, password protected documents
• Plaintiff’s behavior mitigated by both parties’ actions
• Sanctions of $54K, 25% to attorney

Starbucks v. ADT

• Starbucks seeks archived emails
• ADT argues that emails are not accessible
• Archived emails stored in a Plasmon system
• ADT exaggerates production costs at $834K
• Starbucks obtains two estimates at $17K and $26K

Starbucks v. ADT

• Court ordered an immediate plan to make copies of the archived discs to an appropriate searchable storage medium

• Court ordered the production of relevant emails

• Court ordered the parties to confer and agree on fees

Doppes v. Bentley Motors

• Foul odor from $214K Bentley Arnage
• Bentley fails numerous times to produce documents
• Destroys relevant emails
• Fails to provide court ordered access
• Trial court only issues monetary fines, jury instructions
• Appeals court reverses, issues terminating instructions

Conclusion

• Proper record retention policies
• Identify all key people and documents
• Preserve all relevant ESI
• IT policies, procedures, and systems
• Proper and searchable archive technology
• Written litigation holds

Questions & Answers

Mehmet Munur, (614) 360-2065, [email protected]
Dino Tsibouris, (614) 360-1160, [email protected]