The document summarizes legal issues related to data privacy and security breaches. It discusses (1) the relevant cost-benefit analysis that courts consider for data security, (2) examples of court orders regarding document productions and computer forensics in litigation, and (3) that parties are responsible for errors made by their vendors. The document then provides an agenda on legal issues in data privacy and security, including anticipating threats, incident response, and applying relevant laws and frameworks.
Legal Issues in Data Privacy and Security: Response Readiness Before the Breach
Legal Issues In Data Privacy & Security:
Anticipating, Then Responding To The Breach
Robert W. Dibert
Connie Wilkinson-Tobbe
Lindsay P. Graves
Alison P. Howard
June 14, 2018
Views expressed in these materials are those of the authors individually,
and do not constitute legal or any other formal advice.
Presentation for the Technology Assoc. of Louisville Kentucky, Cybersecurity Summit
Why Are Lawyers Here?!?!?

“the relevant inquiry here is a cost-benefit analysis, that considers a number of relevant factors, including the probability and expected size of reasonably unavoidable harms to consumers given a certain level of cybersecurity and the costs to consumers that would arise from investment in stronger cybersecurity.” FTC v. Wyndham Worldwide Corp., No. 14-3514, Slip Op. at 39-40 (3rd Cir. 8/24/2015)

Defendant “has made a supplemental production of the approximately 15,000 additional documents inadvertently omitted from its prior production. However, at least 500 pages have been inadvertently omitted from that production as well. No later than August 23, 2010, defendant … will produce the omitted pages. Defense counsel will personally supervise the preparation of this production and will assure the completeness of the production.” Chubb Custom Ins. Co. v. Grange Mut. Cas. Co., No. 2:07-cv-1285 (S.D. Ohio 8/19/10).

“The defendants are to provide [one defendant]’s wife[‘s] computer image to the plaintiffs. Mr. Dibert will communicate with the defendants’ IT personnel for the information.” PPG Indus. v. Payne, No. 3:10-cv-73 (E.D. Tenn. 5/21/10).

In re Seroquel Products Liab. Lit., No. 06-md-1769, Slip Op. at 26 (M.D. Fla. 8/21/07) (“a party is responsible for the errors of its vendors”).
Why? (2)
Defendants, must … establish and implement, and thereafter maintain, a comprehensive information security program
that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or
about U.S. consumers … Such program, the content and implementation of which must be fully documented in writing,
shall contain administrative, technical, and physical safeguards appropriate to Defendants’ size and complexity, the nature
and scope of Defendants’ activities, and the sensitivity of the personal information collected from or about consumers,
including:
A. the designation of an employee or employees to coordinate and be responsible for the information security
program;
B. the identification of internal and external risks to the security, confidentiality, and integrity of personal
information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other
compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks.
…
C. the design and implementation of reasonable safeguards to control the risks identified through risk assessment,
and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;
D. the development and use of reasonable steps to select and retain service providers capable of appropriately
safeguarding personal information they receive from Defendants, and requiring service providers, by contract, to
implement and maintain appropriate safeguards; and
E. the evaluation and adjustment of the information security program in light of the results of the testing and
monitoring required by sub-Section C, … or any other circumstances that Defendants know or have reason to know
may have an impact on the effectiveness of the information security program.
FTC v Ruby Corp., No. 1:16-cv-02438, Dkt. 1-9 at 4-5 (D.D.C. 12/14/2016) (“Ashley Madison”)
Will Read The Fine Print ...?
<Vendor> AND <Vendor>’S LICENSORS, RESELLERS AND/OR DISTRIBUTORS MAKE
NO OTHER WARRANTY OR CONDITION, EXPRESS OR IMPLIED, STATUTORY OR
OTHERWISE, REGARDING THE SERVICES, INCLUDING WITHOUT LIMITATION THE
IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, TITLE, NON-INFRINGEMENT ERROR FREE OPERATION OR NON-
INTRUSION DUE TO HACKING OR OTHER SIMILAR MEANS OF UNAUTHORIZED
ACCESS.
FURTHER <Vendor> DOES NOT GUARANTY THAT ... THE SERVICES WILL MEET
YOUR REQUIREMENTS, SPECIFICATIONS OR EXPECTATIONS. ...
NO REPRESENTATION OR OTHER AFFIRMATION OF FACT, INCLUDING BUT NOT
LIMITED TO STATEMENTS REGARDING CAPACITY, SUITABILITY FOR USE OR
PERFORMANCE OF ANY SERVICES ... WHICH IS NOT CONTAINED IN THIS
AGREEMENT, WILL BE DEEMED TO BE A WARRANTY BY <Vendor> FOR ANY
PURPOSE OR GIVE RISE TO ANY LIABILITY OF <Vendor> WHATSOEVER.
YOU ACKNOWLEDGE THAT IT IS IMPOSSIBLE UNDER ANY AVAILABLE
TECHNOLOGY FOR ANY APPLICATION TO IDENTIFY AND ELIMINATE ALL
MALWARE.
Today’s Agenda

I. Three-dimensional Data (And, Therefore, Threats) …
A. What Is The Environment/What Are The Odds?
B. What Is The Environment/What Are The Costs?
II. Anticipating Threats
A. Legal Duties
B. The NIST Framework
C. Cyber Insurance
D. GDPR
E. Data Mapping
III. Incident Response
A. Applying Laws & Frameworks
B. Time For Compliance
1. Notice requirements
2. Courts accelerate compliance
3. Examples of cyber-evidence
I. Three-D Data And, Therefore, Threats ...

“In 2015, 43 percent of all attacks were directed at small businesses. … 42 percent of small businesses surveyed by the National Small Business Association (NSBA) reported being a victim of a cyber-attack, with cyber-attacks [costing] an average $32,021 for companies whose business banking accounts were hacked, and $7,115 on average for small businesses overall.” R. Luft (on behalf of NSBA), “Protecting Small Businesses from Cyber Attacks: the Cybersecurity Insurance Option” at 2,3; Hearing before the House Small Business Committee (7/26/2017).
What is the Environment/What are the Odds?

[Figure: The Global Risks Landscape 2018, World Economic Forum, Global Risks Report 2018 (1/17/2018)]
What Are The Costs?
“Almost half of organizations represented in this research (47 percent) identified the root cause of the data
breach as a malicious or criminal attack and the average cost was approximately $156 [per compromised
record]. In contrast system glitches and human error or negligence averaged approximately $128 and $126,
respectively.” Ponemon, supra at 4 (6/6/2017).
“Third party involvement in a breach and extensive cloud migration at the time of the breach increases the
cost.” Id., at 6.
Small to medium-sized businesses may face cyber incident losses ranging in the tens of thousands of
dollars per incident. See The Hiscox Cyber Readiness Report 2017, at 5 (Forrester Research survey found an
average cost per incident of $35,967 for businesses with fewer than 99 employees).
Example cyber insurance annual premiums may range from hundreds (for $1-2 million coverage on a small business) to more than $40,000 (for $5-10 million coverage on a medium-sized business).
Cyber insurance claims may average $250,000.
“Expenses/fines related to breach of customer/personal information is the primary driver for purchasing a
cyber insurance policy. Conversely, just 10 percent of respondents identified business interruption as the
primary reason for purchasing the cover.” Information Security And Cyber Risk Management Survey 4
(Advisen/Zurich North America Oct. 2017)
II. Anticipating Threats

A. General Legal Duties: Beyond Sectors
B. The NIST Framework
C. Cyber Insurance
D. GDPR
E. Data Mapping
General Legal Duties: Beyond Sectors
Common law fiduciary duties to protect non-public information: Attorney-client; employer-employee … see also,
Savidge v Pharm-Save, Inc., 2017 WL 5986972 (W.D. Ky. 12/1/2017) (“the Court can draw the reasonable inference
that, because [the employee] Plaintiffs' information was released to unauthorized individuals, Defendants breached their
duties to safeguard that information ... Defendants' motion to dismiss will be denied with respect to Plaintiffs'
negligence claim.”); id. (“these facts [of employees providing ‘personal information for tax purposes and to receive
employment and benefits’] are sufficient for the Court to draw the reasonable inference that Defendants impliedly
assented to protect Plaintiffs' information ... Plaintiffs have adequately pled the existence of an implied contract”).
General statutory duty to protect confidentiality of non-public citizen data: “At least 13 states now have general
information security laws that require reasonable measures to protect defined categories of personal information
(including Arkansas, California, Connecticut, Illinois, Maryland, Massachusetts, Nevada, New Jersey, New York,
Oregon, Rhode Island, Texas, and Utah). ... ‘personal information’ is usually defined to include general or specific facts
about an identifiable individual.” I. Hemmans & D. Ries, Cybersecurity: Ethically Protecting Your Confidential Data in
a Breach-A-Day World, at 25 (ABA Law Prac. Div. 4/27/2016).
Mandatory, secure disposal of records containing “personal information” when their legal or business retention
has expired. KRS 365.725.
Duty to notify individuals of a data security breach: “All 50 states, the District of Columbia, Guam, Puerto
Rico and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of
security breaches of information involving personally identifiable information.” Nat’l Conf. of State Legislatures
(NCSL), Security Breach Notification Laws, http://www.ncsl.org/research/telecommunications-and-information-
technology/security-breach-notification-laws.aspx (3/29/2018) (last visited 4/17/2018).
The NIST Framework
“This voluntary framework provides a much needed roadmap
for improving the cybersecurity of our most critical
infrastructure… Companies now have a common, but
flexible path forward to better secure their systems, and also
a meaningful way to measure their progress. We must now
focus like a laser on ensuring widespread implementation of
the framework in order to effectively protect our national and
economic security.” - Senator Tom Carper (D-DE), Chairman of the Committee on Homeland Security and Governmental Affairs.
Image Credit: https://www.nist.gov/cyberframework/new-framework
“The release of the Cybersecurity Framework is a helpful step
forward in providing guidance and best practices to help
companies, particularly small and medium sized companies,
grappling with today's cyber threats.” - Michael Chertoff, Secretary of
Homeland Security under President George W. Bush and Chairman of the Chertoff
Group
Cyber Insurance

• Compliance = Policies & procedures.
• Risk = Loss, theft, or damage to irreplaceable data (ex. customer lists), sensitive customer information (ex. social security numbers, credit information), intellectual property (ex. the secret recipe….yours, or the customer’s).
• Loss = liability to others and/or business losses.
• Insurance = Part of Compliance and Mitigating Risk of Loss.
• Consider Insurance in Policies & Response Protocol.

This presentation provides a brief overview of insurance considerations based on our legal experience and observations. Please consult with a licensed agent to determine your specific coverage needs and available options.
Application: First Considerations

• Require service providers to demonstrate adequate security policies and procedures?
• Require 3rd party indemnification?
• Restrict employee access to personally identifiable information on a business-need-to-know basis?
• Implement an identity theft program (aka FTC “Red Flags”)?
• Have a written Intellectual Property clearance procedure?
• Were such policies reviewed by a qualified attorney?
• Have a designated Chief Security Officer? Chief Privacy Officer?
• Have a disaster recovery plan? Business continuity plan?
• Have an incident response plan for network intrusions and virus incidents?
• How often are such plans tested?
• Conduct training for every employee user regarding security events and procedures?
• Encrypt data stored on laptop computers, back-up tapes?
Application: Some Coverage Options

Do existing E&O, CGL, Crime, etc. coverages … have: _____?

Review a sample copy of any Policy you consider purchasing: The Writing controls the coverage!

• Theft and Fraud – Destruction or loss of policyholder’s data
• Forensic Investigation
• Business Continuity – Cyber events and data loss = investigation, reporting, lost income and costs
• Extortion (Ransomware) – Pay the ransom?
• Computer data loss and restoration
• 3rd party claims (privacy injury, identity theft, etc.)
• Network damage (damage due to viruses)
• Loss or theft of data, including proprietary information
• Costs to comply with “duty to notify” laws
• Crisis Management/Public Relations
• Regulatory expenses, fines and penalties
• Legal counsel – yours? Or panel counsel?
• Custom coverage – livestock, golf course, etc.
When – Not “If” – A Cyber Incident Occurs:

STOP … THINK ... what insurance could apply? E&O? Crime? Cyber?

Know your Duties: (1) Policy (or Policies); and (2) Written Incident Response Plan

Policy Duties -- Follow written procedures to preserve coverage. Triggers for incident response? Definition of “claim”? Concerned about premium effects? Any “pre-notice” or “pre-claim” provisions? Notification/reporting requirements? Term? Business changes/insurance revisions?

Incident Response Plan Duties -- Is Insurance Addressed? There may be coverage for immediate steps following a cyber incident, i.e. forensic investigator, legal counsel, compliance with notification laws, etc.

Seek Legal Help -- Consult counsel or a designated incident response officer BEFORE notifying anyone else.
Benefits Of Complying With The GDPR

1. Reduce Reputational Risks
2. Reduce Financial Risks
3. Organize Your Data
4. Build Trust
5. Reduce Chaos
6. Peace of Mind
Anticipating Threats: Data Mapping
“Knowing the type of data collected, where it is being held, with whom it is being
shared, and how it is being transferred is a central component of most data privacy and
data security programs. The process of answering these questions is often referred to as
a ‘data map’ or a ‘data inventory.’” D. Zetoony, Data Privacy and Security: A Practical
Guide for In-House Counsel 1 (Wash. Legal Foundation, May 2016).
How is a data map compiled?
• System inventories
• Organization charts
• Classification systems?

How frequently is a map updated?
Cybersecurity: Summary Retention & Compliance Issues

• How and Where are your records for customer & employee financial & health data created, communicated & stored?
• Who are the custodians responsible for the security of that data?
• Where are the records to define the reasonable administrative, physical & technical safeguards that protect Critical Cyber Assets, as well as employee & customer financial & health data?
• Are the records identifiable within the general categories of administrative, physical & technical safeguards?
• Are the classifications of technical records (such as system security logs) NIST-consistent, and do they include logs of internet access & use of connected facilities?
• Does your RIM (records and information management) taxonomy account for specific jurisdictional requirements (e.g., Massachusetts encryption and WISP requirements for personal data)?
• Who are the custodians responsible for maintaining and updating those records?
• How frequently are systems mapped, or otherwise tested, to validate the continuing accuracy of the records classifications?
III. Incident Response

A. Applying Laws & Frameworks
B. Time For Compliance
1. Notice Requirements
2. Courts accelerate compliance
3. Examples of cyber-evidence
(Choice of) Laws & Frameworks

Whose Law Controls?

“Kentucky has adopted the ‘most significant relationship’ test to resolve choice of law issues relating to contract disputes. … ‘[t]he rights and duties of the parties with respect to an issue in contract are determined by the local law of the state which, with respect to that issue, has the most significant relationship to the transaction and the parties …’ Kentucky will override the outcome of the ‘most significant relationship’ test and apply its own laws if ‘a clear and certain statement of strong public policy in controlling laws or judicial precedent’ would be violated in applying another state's laws.” Henry v. Travelers Personal Security Insurance Co., 2016-CA-001939-MR (Ky. App. 2/2/2018) (unpublished) (citations omitted).

“Some third countries adopt laws, regulations and other legal acts which purport to directly regulate the processing activities of natural and legal persons under the jurisdiction of the Member States. … extraterritorial application of those laws, regulations and other legal acts may be in breach of international law and may impede the attainment of the protection of natural persons ensured in the Union by this Regulation.” GDPR, at Recital (115).

• Is There a Race to an Agency or Courthouse?
• What are the Facts Supporting One Choice Over Another?
• Does the Framework Provide Early Answers?
Compliance: Notice Requirements
Nature of the Incident?
• Which sector?
• Are specific contracts or other duties implicated?
Time to Notify?
• State data breach notification laws may provide for notice within anywhere
from 14-90 days after discovery of the incident.
• GDPR compresses the notice timeframe to 72 hours (Art. 33:1)
Manner of Notice?
Does the Framework Provide Early Answers?
Courts Accelerate Compliance

Courts expect parties to have document & data retention practices in order: See Rules 16(b)(2); 26(f)(1) (requiring pre-discovery conference & scheduling order within 90-120 days of the beginning of an action); In re Direct Southwest, Inc. FLSA Litigation, 2009 U.S. Dist. LEXIS 69142 (E.D. La.) (requiring execution of supplemental search terms, production of documents & production of privilege log within 10 days).

[Defendant] was ordered to “provide a data-map of the ESI involved in this litigation for in-camera review ... If no data-map exists, then …[defendant] [was to] explain why no ESI data-map exist[ed] and how Counsel ... educated themselves about [defendant’s] information and record keeping systems.” Small v. Univ. Med. Center of Southern Nevada, 2:13-cv-00298 (D. Nev. 8/18/2014). Id., at n. 15 (Court-appointed Special Master “was forced to create his own data map ... from scratch, by synthesizing testimony from IT personnel and other employees”).

“[T]he parties have fifteen (15) business days from the date of this order to exchange information regarding the location and existence of electronic data sources that may contain discoverable ESI (the "Data Map"), including information regarding the parties' policies and/or procedures regarding data retention; their computer servers and back-up and archival sources that store ESI; all computers, phones, tablets, and other storage devices issued to the Custodians or used by the Custodians for business purposes; all email accounts and cloud-storage/file-sharing service accounts used by the Custodians for business purposes; and any data source that the party identifies as not reasonably accessible pursuant to Fed. R. Civ. P. 26(b)(2).” Hydrochem LLC v. Duplessis, Civil No. 14-264 (M.D. La. 5/28/2015).
Examples Of Cyber Evidence
Logs of internet URL/domain access. Microsoft Corp. v. John Does 1-5, No. 15-cv-6565
(E.D.N.Y. 11/23/2015)
Server login records. Tyan v Garcia, No. 15-cv-05443 (C.D. Cal. 5/2/2017)
“more than 42,000 files on appellant’s computer were intentionally overwritten on February
6, 2011, using [XXXXXX], a program designed to permanently delete and overwrite files.
[Defendants’ expert] was unable to restore or retrieve the content of the overwritten files. In
addition, certain files one would expect to find (such as “Recent Folder Activity, Link Files,
Recycle Bin Info Files, Temp Folders, and Internet Cache Folders”) were missing and could not
be restored or retrieved. [The expert] found remnants of other files …” Braun v. Toyota Motor
Sales, U.S.A., Inc., No. B234212 (Cal. App. 2d Dist. 2/13/2013) (unpublished)
“Defendants have … failed to ascertain that third-party service providers implemented
reasonable security measures to protect personal information.” FTC v Ruby Corp., No. 1:16-cv-
02438, Dkt. 1 at 9, ¶31 (D.D.C. 12/14/2016) (“Ashley Madison”). Cf. Board of Trustees of Ibew
Local 43 Electrical Contractors Health v. D'Arcangelo & Co., LLP, 1 N.Y.S. 3d 659, 124 A.D.3d
1358 (4th Dept. 1/2/2015) (motion to dismiss denied where negligence claim was based on alleged
failure to obtain an audit report)
(Today’s) Conclusions
Cyber privacy & security must balance economic, human and technology
resources. Balance is essential to preserve, identify, collect & produce material
information in an appropriate form, that is reasonably necessary to resolve a
privacy/security incident or any other matter.
Educated, empowered and accountable employees are a company’s ultimate
defense against threats to data integrity and security.
An integrated privacy & security program must establish reasonable standards,
verify their implementation, and validate their effectiveness on a regular basis.
Attorneys will be held responsible for assessing and defending “reasonable”
privacy and security standards in particular matters.
Presenters

Lindsay Graves: Lindsay is a senior Attorney in the Electronic Data Discovery (“EDD”) Group of Frost Brown Todd, LLC. Her experience in the Group includes counseling clients on privacy policies and practices applicable to financial, healthcare, and retail consumer businesses. She also has worked with clients in the investigation of both internal and external/international data misappropriation incidents. Before joining the EDD Group, Lindsay represented individuals and businesses in commercial litigation, including real estate developers and brokers, title insurers and financial institutions. She helped those clients obtain successful outcomes in judicial/appellate, regulatory and mediation/arbitration proceedings throughout the Commonwealth of Kentucky.

Alison Howard: Alison is a senior Attorney in the Electronic Data Discovery (“EDD”) Group of Frost Brown Todd, LLC. Her experience in the Group includes research, analysis and drafting for privacy policies and practices applicable to financial, insurance, land title and retail consumer businesses. Apart from her work with the Group, Alison has been an experienced litigator, a licensed insurance and real estate agent, and a licensed property and casualty adjuster. She also served as compliance counsel for a national real estate title company, and a conflicts counsel for Frost Brown Todd. Alison has authored and presented multiple official continuing education courses for real estate licensees and government regulators concerning liability insurance and claims experiences.
Presenters (too)
Connie Wilkinson-Tobbe: Connie is a senior Attorney in the Electronic Data
Discovery (“EDD”) Group of Frost Brown Todd, LLC. Her experience in the Group
includes counseling clients on privacy policy and practices applicable to financial,
healthcare, and retail consumer businesses. She also has worked with clients in the
investigation of both internal and external/international data misappropriation incidents.
Before joining the EDD Group, Connie was a trial and compliance attorney for both
individual and business clients. She helped those clients obtain successful outcomes in
bench and jury trials, regulatory and grand jury proceedings, and mediation/arbitration
proceedings in Kentucky state and federal courts.
Robert Dibert: Bob is a Member of the Business Litigation and Electronic
Data Discovery (“EDD”) groups at Frost Brown Todd, LLC. He has more than 30 years’
experience litigating commercial disputes, including cases based upon alleged fraud and
racketeering violations. His data privacy/security experience began with HIPAA
compliance issues in litigation, and has expanded over the last 10 years to include both
counseling for breach preparedness and representation for incident response.
I. Identifying Threats
A. Do we maintain an annual profile of predominant threats to our business sector?
B. Do we maintain an annual profile of costs in our sector?
1. Costs/potential financial impact of predominant threats
2. Costs of safeguards to prevent or mitigate threats
3. Costs of insurance to offset impacts of threats
II. Preparing For Threats
A. Have we established a Framework to anticipate and respond to threats?
1. Does that Framework reasonably reflect the scope of our business & legal
environment?
2. Do we verify our use and maintenance of that Framework?
3. Do we validate the scope and effectiveness of that Framework?
B. Does our records retention & compliance program include categories for the
profiles, Framework, and types of information likely to be necessary for incident
response?
III. Incident Response
A. Have we identified a team for first response?
B. Do we maintain a scope and choice of law analysis for how, and how quickly,
responses must be made?
C. Do we have data maps to help identify and contain the compromised area(s)?
D. Do we have tools or providers necessary to preserve potentially relevant
information from the compromised area(s)?
Case Study: Compliance Following a HIPAA Privacy Breach

Snooping is one of the most common causes of a HIPAA breach. This can occur in a HIPAA-covered entity if an employee looks at PHI beyond what is necessary to perform their responsibilities for the employer.

This incident is a cautionary tale for HIPAA-covered entities (health care providers, insurers or group health plans sponsored by an employer) which may have access to HIPAA-protected information in their files.

Incident: As part of her job responsibilities for a medical practice, “Employee A” reviews medical records for purposes of determining the proper charge for the services provided by the medical practice. One day, she realizes that the medical record she is reviewing is for a fellow employee, “Employee B,” who has received services by the medical practice. Instead of limiting her current review to the specific medical record for the recent office visit of “Employee B,” “Employee A,” apparently out of curiosity, looked at a number of other “Employee B” medical records. In a routine audit, the medical practice’s information technology staff determined that “Employee A” looked at numerous medical records on one specific date. Because “Employee A” has no legitimate reason to review the prior test information to perform her duties, this unauthorized use of protected health information (PHI) was a HIPAA breach required to be reported to the patient and to Health and Human Services in year-end breach reporting.

Result: The medical practice had a robust HIPAA policy and practice, which lessens the risk of governmental penalties, but the employee involved was disciplined, as required by HIPAA. Routine review of records accessed is a best practice that should be used by all businesses that hold HIPAA-protected data. If a HIPAA-covered entity believes there has been an unauthorized use or disclosure of PHI as there was in the example above, the covered entity is required to investigate the matter and report a HIPAA breach.
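The "routine audit" that surfaced Employee A's access is, in practice, a review of the EHR access log. The following is an added illustration written for this page, not code from the case study or from Frost Brown Todd. It assumes a hypothetical CSV access log (timestamp, user, patient id, record id), a constructed roster of patient ids that belong to workforce members, and a hypothetical billing norm of at most two distinct records per patient per day; it flags the two signals the case study describes: a staff member's own records being opened by a co-worker, and more records of one patient being opened in a day than the job plausibly requires.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of an electronic health record (EHR) access log.
# "emp_a" opens one record per patient for billing review, then opens several
# older records of patient P-2001, who is also a member of the workforce.
SAMPLE_ACCESS_LOG = """\
timestamp,user,patient_id,record_id
2018-03-05T09:02:11,emp_a,P-1001,R-5101
2018-03-05T09:10:45,emp_a,P-1002,R-5102
2018-03-05T09:25:03,emp_a,P-2001,R-5103
2018-03-05T09:26:30,emp_a,P-2001,R-4410
2018-03-05T09:27:15,emp_a,P-2001,R-3920
2018-03-05T09:28:02,emp_a,P-2001,R-3115
2018-03-05T09:40:00,emp_a,P-1003,R-5104
2018-03-05T10:15:00,emp_c,P-1007,R-5110
2018-03-06T08:30:00,emp_a,P-1008,R-5120
"""

# Constructed (hypothetical) roster: patient identifiers that belong to staff.
WORKFORCE_PATIENT_IDS = {"P-2001"}

# Hypothetical norm: a billing review needs at most this many distinct
# records of one patient on one day; more than this is worth a second look.
MAX_RECORDS_PER_PATIENT_PER_DAY = 2


def parse_access_log(text):
    """Parse the CSV log into dicts keyed by day, user, patient and record."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "day": row["timestamp"][:10],   # YYYY-MM-DD prefix of the ISO timestamp
            "user": row["user"],
            "patient": row["patient_id"],
            "record": row["record_id"],
        })
    return rows


def audit_access(rows, workforce_patients=WORKFORCE_PATIENT_IDS,
                 max_per_patient=MAX_RECORDS_PER_PATIENT_PER_DAY):
    """Return findings for (day, user, patient) groups that match a review rule.

    Rule "workforce_member_record": the records belong to a co-worker, the
    situation the case study treats as requiring review of the access.
    Rule "excess_records_for_patient": more distinct records of one patient
    were opened in one day than the review task plausibly needs.
    """
    distinct_records = defaultdict(set)
    for r in rows:
        distinct_records[(r["day"], r["user"], r["patient"])].add(r["record"])

    findings = []
    for (day, user, patient), records in sorted(distinct_records.items()):
        base = {"day": day, "user": user, "patient": patient, "records": len(records)}
        if patient in workforce_patients:
            findings.append({"rule": "workforce_member_record", **base})
        if len(records) > max_per_patient:
            findings.append({"rule": "excess_records_for_patient", **base})
    return findings


def users_to_review(findings):
    """Distinct users whose access needs a privacy-officer follow-up."""
    return sorted({f["user"] for f in findings})


if __name__ == "__main__":
    for finding in audit_access(parse_access_log(SAMPLE_ACCESS_LOG)):
        print(finding)
```

Both rules fire only for emp_a's access to P-2001 on 2018-03-05 (four distinct records of a co-worker), while emp_a's ordinary one-record-per-patient billing lookups and emp_c's single access produce no findings. A finding is a reason for the privacy officer to ask about the business need for the access, as the practice's IT staff did in the case study; it is not by itself a determination that a breach occurred.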
Representative Experience
»» Assisted a national restaurant chain from start to finish with a credit card data breach in dozens of states with over one million card exposures. Responsibilities included emergency response coaching, breach evaluation, breach notification, breach vendor management, liability assessments, negotiations with processors, acquiring banks, issuing banks and card brands, and litigation support.
»» Assisted a large multinational corporation with its evaluation of and response to a ransomware attack that crippled all corporate servers including human resources and payroll.
»» Assisted a company with response and notification arising from infiltration of the company’s system that altered payroll files processed by a third-party payroll processor. Responsibilities included working with a forensics investigation firm, coordination of notification to employees, and negotiation with the cyber liability insurance provider.
»» Consulted proactively with a national manufacturing business regarding appropriate privacy and security provisions for maintenance of employee personal information, both internally and for purposes of data sharing and transfer agreements.
»» Advised a national restaurant chain regarding incident response for potential misuse of Wi-Fi services. Scope of the matter included working with the client’s information technology department to identify potential access and use of facilities in question, and response to information requests from law enforcement and private litigants.
»» Consulted with an international manufacturing business regarding a "phishing" incident directed at employees' personal data. Scope of the matter included identification of the scope of attempted intrusion, analysis of potentially applicable law of multiple jurisdictions, and assessment of technological safeguards in place to prevent an actual breach of the security of information systems in question.
»» Advised a mid-sized consumer retail services business on response to employee theft of personal information from company systems. The scope of the matter included working with the client’s information technology department to identify access and attempted misappropriation of information, and coordination with law enforcement for potential prosecution and assessment of any breach notification.
Frost Brown Todd | Defending Your Company from a Data Breach
Frost Brown Todd Data Breach Attorneys

Jane Hils Shea | Member | jshea@fbtlaw.com | 513.651.6961
Jane leads FBT’s privacy and information security practice. She has significant experience in the law governing data privacy and information security, assisting clients with the development of written information security programs, the European Union’s General Data Protection Regulation (GDPR) compliance, appropriate internal policies and procedures, as well as incident response measures and data breach notification. Jane is a member of the International Association of Privacy Professionals and is a Certified Information Privacy Professional for the U.S. private-sector (CIPP/US).

Michael T. Bindner | Member | mbindner@fbtlaw.com | 317.237.3863
Michael assists clients with various HIPAA privacy matters, including privacy training, investigating and reporting HIPAA privacy breaches, and with breaches of personal information. He speaks frequently on topics related to employee benefits, HIPAA and other health care issues.

Robert W. Dibert | Member | bdibert@fbtlaw.com | 502.568.0379
Bob works with businesses in the educational, financial, health care, manufacturing, professional services, and consumer retail sectors on data privacy and security matters, beginning with the proactive incorporation of privacy/security-related records and procedures into retention and compliance programs, and extending to breach notifications. The nature of incidents includes commercial espionage, employee theft, lost or stolen devices, misuse of facilities by outsiders, and so-called “phishing” for personal information.

Milton C. Sutton | Senior Associate | msutton@fbtlaw.com | 614.559.7271
Milton practices in FBT’s intellectual property and government services practice groups. His practice focuses on complex information technology matters including computer systems, telecommunications, data, software development, web hosting, licensing, cloud computing, cybersecurity and privacy. He is a Certified Information Privacy Professional for the U.S. private-sector (CIPP/US). He assists entities on general privacy issues, GDPR compliance, cybersecurity preparation as well as responding to large data breach incidents.

frostbrowntodd.com