<?xml version="1.0" encoding="utf-8"?>
	<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
	<channel>
	<title>An RSS Feed from melniklegal.com</title>
<description>melniklegal.com Blog</description>
<link>http://melniklegal.com/programs/weblog.cgi</link>
<category>e-commerce</category>
<copyright>Copyright melniklegal.com </copyright>
<language>en-us</language>
<lastBuildDate>Wed, 15 Jul 2026 21:16:53 EST</lastBuildDate>
<managingEditor>tatiana@melniklegal.com (Web Master)</managingEditor>
<pubDate>Wed, 15 Jul 2026 21:16:53 EST</pubDate>
<webMaster>tatiana@melniklegal.com (Tatiana)</webMaster>
<generator>e-commerce-inc.com sitebuilder blog press</generator>
<atom:link href="http://melniklegal.com/programs/blogrss.cgi" rel="self" type="application/rss+xml" />

			
<item>
<title><![CDATA[FTC is Hosting Three Spring Seminars Covering Emerging Consumer Privacy Issues]]></title>
<description><![CDATA[
 
 
 
 
    <font face="Arial"> </font><div align="left"><font face="Arial">Increasingly, the Federal Trade Commission (FTC) has taken a more active role in addressing data privacy and security issues involving consumer data. The FTC is also active in exploring how new uses of technologies impact consumer privacy. In a series of three seminars this coming Spring, the FTC is set to "shine a light on new trends in Big Data and their impact on consumer privacy" with respect to a number of areas:<br></font><ul><li><font face="Arial"><b>Mobile device tracking</b> – tracking consumers in retail and other businesses using signals from their mobile devices.</font></li><ul><li><font color="#006600" face="Arial"><b>Feb. 19, 2014</b></font><font face="Arial"> (10 a.m. to noon); FTC Conference Center, 601 New Jersey Ave., NW, Washington, DC</font></li><li><font face="Arial"><b>Subject</b>: "Recently, retailers and other businesses have begun tracking consumers’ movements throughout and around retail stores and other attractions using technologies that identify signals emitted by their mobile devices."</font></li></ul></ul><ul><li><font face="Arial"><b>Alternative scoring products</b> – using predictive scoring to determine consumers’ access to products and offers.</font></li><ul><li><font color="#006600" face="Arial"><b>March 19, 2014</b></font><font face="Arial"> (10 a.m. to noon); FTC Conference Center, 601 New Jersey Ave., NW, Washington, DC</font></li><li><font face="Arial"><b>Subject</b>: "Many data brokers offer companies scores to predict trends and the behavior of their customers. Companies are using predictive scores for a variety of purposes, ranging from identity verification and fraud prevention to marketing and advertising...Consumers are largely unaware of these scores, and have little to no access to the underlying data that comprises the scores. As a result, these predictive scores raise a variety of potential privacy concerns and questions."</font></li></ul></ul><ul><li><font face="Arial"><b>Consumer-generated and controlled health data</b> – information provided by consumers to non-HIPAA covered websites, health apps and devices. </font></li><ul><li><font face="Arial"><b><font color="#006600">Date and location TBD</font></b></font></li><li><font face="Arial"><b>Subject:</b> "Increasingly, consumers are taking a more active role in managing and generating their own health data...Consumers are also uploading their information into personal health records and apps that allow them to manage and analyze their data, and utilizing connected health and fitness devices that regularly collect information about them and transmit this information to other entities. The movement of health data outside the traditional medical provider context has many potential benefits; however, it also raises potential privacy concerns." </font></li></ul></ul><font face="Arial"><b>The FTC has <a href="https://ftc.gov/opa/2013/12/springprivacy.shtm">requested comments</a> from the public on the proposed topics</b>. Those who are involved in these areas should consider submitting comments because the FTC does review feedback from the public and industry.<br></font></div><hr align="left"><div align="left"><font face="Arial"><b>Full Text of the Press Release:</b><br><br></font></div><div id="date" align="left"> <font face="Arial" size="2"><b><span class="type">For Release:</span> 12/02/2013</b></font></div><font face="Arial"> <align="left"><font size="4"><b><br>FTC to Host Spring Seminars on Emerging Consumer Privacy Issues <br><br> </b></font><align="left"><font size="3"><b>Events Will Explore Retail Tracking, Alternative Scoring, and Consumer Health Information</b></font><p align="left">This spring, the Federal Trade Commission will host a series of seminars to examine the privacy implications of three new areas of technology that have garnered considerable attention for both their potential benefits and the possible privacy concerns they raise for consumers.</p> <p align="left"> As the tools available to track, market to and analyze consumers – often without their knowledge – grow, businesses are able to meet consumers’ demands more efficiently and effectively. But these tools may also carry significant risks to consumers’ privacy. The seminars, taking place over three months, will shine a light on new trends in Big Data and their impact on consumer privacy. The topics will include:</p> <div align="left"><ul><li>Mobile device tracking – tracking consumers in retail and other businesses using signals from their mobile devices.</li><li>Alternative scoring products – using predictive scoring to determine consumers’ access to products and offers.</li><li>Consumer-generated and controlled health data – information provided by consumers to non-HIPAA covered websites, health apps and devices. </li></ul></div> <p align="left">The series will bring together academics, business and industry representatives, and consumer advocates for two-hour discussion sessions, which will take place in Washington, D.C. and will be open to the public. The <a href="https://ftc.gov/os/2013/12/131202springprivacycomments.pdf">FTC invites comment from the public on the proposed topics</a>, and will issue staff reports following the sessions.</p> <p align="left"><strong>Mobile Device Tracking</strong> – 10 a.m. to noon, Feb. 19, 2014 <br> FTC Conference Center, 601 New Jersey Ave., NW, Washington, DC</p> <p align="left">Recently, retailers and other businesses have begun tracking consumers’ movements throughout and around retail stores and other attractions using technologies that identify signals emitted by their mobile devices. While the technologies differ, many work by identifying and collecting the MAC address – which is unique to a particular device – broadcast when a mobile device searches for Wi-Fi networks. Companies can use these technologies to reveal information about consumers including the path taken throughout a location, length of time in one location, whether a visitor is new or returning, and the frequency of visits to a location. According to media reports, major retailers in the United States are using or have tested the technology in their stores in order to gain insights into the behavior of their customers. </p> <p align="left">In most cases, this tracking is invisible to consumers and occurs with no consumer interaction. As a result, the use of these technologies raises a number of potential privacy concerns and questions. The seminar will address questions such as: </p> <div align="left"><ul><li>What different types of mobile device tracking are companies currently implementing, how do they work, and where are they used?</li><li>What are potential future uses of these technologies?</li><li>What are the similarities or differences between mobile device tracking and online tracking technologies?</li><li>What types of information and benefits do retailers gain from these technologies?</li><li>What benefits do consumers derive from these technologies?</li><li>What are the privacy and security risks associated with these technologies?</li><li>How are companies addressing these risks?</li><li>What information and choices are provided to consumers about this type of tracking? </li><li>How anonymous is the tracking? </li><li>How can companies implement the principles of privacy by design, simplified consumer choice, and increased transparency when designing and using these technologies? </li></ul></div> <p align="left"><strong>Alternative Scoring Products</strong> – 10 a.m. to noon, March 19, 2014<br> FTC Conference Center, 601 New Jersey Ave., NW, Washington, DC</p> <p align="left">Many data brokers offer companies scores to predict trends and the behavior of their customers. Companies are using predictive scores for a variety of purposes, ranging from identity verification and fraud prevention to marketing and advertising.</p> <p align="left">For example, companies are using scores to predict the likelihood that a person has committed identity fraud; the likelihood that a certain transaction will result in fraud; the credit risk associated with certain mortgage loan applications; whether contacting a consumer by mail or phone will lead to successful debt collection; whether sending a catalog to a certain address will result in an in-store or online purchase; the likelihood that an individual is taking his or her medication; a person’s presence on the Internet and his or her influence over others; or whether a customer is pregnant, and if so, when the baby is due. </p> <p align="left">According to media reports, these scores are determining whether transactions trigger further scrutiny, the kind of special offers that companies make to certain individuals (and those they don’t), and even whether the customer should speak to a high-ranking customer service agent at a company. </p> <p align="left">Consumers are largely unaware of these scores, and have little to no access to the underlying data that comprises the scores. As a result, these predictive scores raise a variety of potential privacy concerns and questions. The panel will discuss questions such as:<br> &nbsp;</p> <div align="left"><ul><li>What are the current types of predictive scores available to companies and what scores can we expect data brokers to offer in the future?</li><li>How are companies utilizing these predictive scores?</li><li>How accurate are these scores and the underlying data used to create them?</li><li>How can consumers benefit from the availability and use of these scores? </li><li>What are the privacy concerns surrounding the use of predictive scoring? </li><li>What legal protections currently exist for consumers regarding the use of predictive scoring, both in the United States and internationally? </li><li>What consumer protections should be provided; for example, should consumers have access to these scores and the underlying data used to create them? Should some of these scores be considered eligibility determinations that should be scrutinized under the Fair Credit Reporting Act?</li></ul></div> <p align="left"><strong>Consumer Generated and Controlled Health Data – </strong>Date and location TBD</p> <p align="left"> Increasingly, consumers are taking a more active role in managing and generating their own health data. For example, consumers are researching their health conditions and diagnosing themselves online. Consumers are also uploading their information into personal health records and apps that allow them to manage and analyze their data, and utilizing connected health and fitness devices that regularly collect information about them and transmit this information to other entities. </p> <p align="left">The movement of health data outside the traditional medical provider context has many potential benefits; however, it also raises potential privacy concerns. The seminar will address questions such as: </p> <div align="left"><ul><li>What types of websites, products, and services are consumers using to generate and control their health data, and how are consumers using them? </li><li>Who are the companies behind these websites, products, and services, what are their business models, and what does the current marketplace look like? </li><li>How can consumers benefit from these companies’ websites, products, and services?</li><li>What actions are these companies taking to protect consumers’ privacy and security? </li><li>What do consumers expect from these companies regarding privacy and security protections? Do consumers differentiate between these companies and those that offer traditional medical products and services that are covered by HIPAA? </li><li>What restrictions, if any, do advertising networks and others impose on tracking of health data?&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </li></ul></div> <p align="left">The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online <a href="https://www.ftccomplaintassistant.gov/">Complaint Assistant</a> or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 2,000 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s website provides <a href="https://www.consumer.ftc.gov/">free information on a variety of consumer topics</a>. Like the FTC on <a href="https://www.ftc.gov/leaving/facebook/index.shtml">Facebook</a>, follow us on <a href="https://www.ftc.gov/leaving/twitter/index.shtml">Twitter</a>, and <a href="https://www.ftc.gov/opa/subscribe.shtm#pr">subscribe to press releases</a> for the latest FTC news and resources.</p> <div align="left"><dl><dt>MEDIA CONTACT: </dt><dd>Jay Mayfield<em><br> Office of Public Affairs</em><br> 202-326-2181</dd><dt><br></dt><dt>STAFF CONTACT:</dt><dd>Amanda Koulousias<br> <em>Bureau of Consumer Protection</em><br> 202-326-3334</dd></dl><br><br><br></div></align="left"></align="left"></font><font face="Arial"> </font>  
 
 
 
 
 
 ]]></description>
<link>http://melniklegal.com/weblog/1386096894_Privacy.html</link>
<guid>http://melniklegal.com/weblog/1386096894_Privacy.html</guid>
<pubDate>Tue, 03 Dec 2013 13:54:54 EST</pubDate>
</item>
			
			
			
<item>
<title><![CDATA[Just in Time for the New Year - Dermatology Clinic Settles with OCR for $150K]]></title>
<description><![CDATA[
 
 
 
 
  <div align="left"><div><table border="0"><tbody><tr><td align="left" valign="top"><font face="Arial"><img src="https://melniklegal.com/images/1388165257.jpg"><br></font></td><td align="left" valign="top"><font face="Arial">As we close out 2013, the Office of Civil Rights (OCR) announced on December 26 that it settled potential HIPAA violations with Adult &amp; Pediatric Dermatology, P.C., of Concord, Mass., (APDerm) for $150,000.<br><br></font><font face="Arial">APDerm is a private practice delivering dermatology services in four locations in Massachusetts and two in New Hampshire.</font><font face="Arial"><br><br>According to OCR, "this case marks the <b>first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions</b> of the Health Information Technology for Economic and Clinical Health (HITECH) Act." [1]<br></font><br></td></tr></tbody></table><font face="Arial"><font face="Arial"><font face="Arial">In a statement, Leon Rodriguez, the Director of OCR, advised that "Covered entities of all sizes need to give priority to securing electronic protected health information." [2]<br><br></font><a href="#few">[Jump to A Few Things to Note]</a><br><br></font></font><div><div><font face="Arial">On October 7, 2011, APDerm notified OCR that a USB drive containing&nbsp;</font><font face="Arial"><font face="Arial">unencrypted electronic protected health information (ePHI)</font> of approximately 2,200 individuals was stolen out of the vehicle of one of its workforce members. According to the Resolution Agreement, APDerm "impermissibly disclosed the ePHI . . . </font><font face="Arial"><font face="Arial">by providing an unauthorized individual access to said ePHI for a purpose not permitted by the Privacy Rule</font>." [3] </font><br><br><font face="Arial">On November 9, 2011, OCR notified APDerm that it would be launching an investigation into the incident. </font><br><br><font face="Arial"><u>During its investigation, OCR found the following problems</u>:</font><br><ul><li><font face="Arial">&nbsp;APDerm did not conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process until October 1, 2012.</font></li></ul><ul><li><div><font face="Arial">APDerm failed to comply with the administrative requirements of the Breach Notification Rule until February 7, 2012:</font></div></li><ul><li><div><font face="Arial">APDerm did not have written policies and procedures to address the Breach Notification Rule</font></div></li></ul></ul><ul><ul><li><div><font face="Arial"><font face="Arial">APDerm did not </font>train members of its workforce regarding the Breach Notification requirements</font></div></li></ul></ul></div><div><div><ul><li><font face="Arial">APDerm "impermissibly disclosed the ePHI of up to 2,200 individuals by providing an unauthorized individual access to said ePHI for a purpose not permitted by the Privacy Rule when it did not reasonably safeguard an unencrypted thumb drive that was stolen from the unattended vehicle of one its workforce members." [4]<br></font></li></ul><font face="Arial"><u>Under the Corrective Action Plan, APDerm must take the following steps</u>:</font><br></div><div><div><ul><li><b><font face="Arial">Security Management Process</font></b></li></ul><ul><ul><li><font face="Arial">Conduct a comprehensive, organizational-wide risk analysis of the ePHI security risks and vulnerabilities, including review of electronic media and systems.</font></li></ul></ul><ul><ul><li><font face="Arial">Develop a risk management plan to address and mitigate any security risks and vulnerabilities following the risk analysis and, if necessary, revise its present policies and procedures. <br></font></li></ul></ul><ul><ul><li><font face="Arial">Provide to OCR for review and approval the risk analysis, risk management plan and any revised policies and procedures and implement any revisions suggested by OCR.</font></li></ul></ul><ul><ul><li><font face="Arial">Implement, distribute, and train all appropriate staff members on the revised policies and procedures within 30 days.</font></li></ul></ul><ul><li><b><font face="Arial">Track and Report to OCR Any Further Breaches</font></b></li></ul></div><div><ul><ul><li><font face="Arial">APDerm must, "upon receiving information that a workforce member may have failed to comply with any provision of its Privacy, Security, and Breach Notification policies and procedures, promptly investigate the matter."</font></li></ul></ul><ul><ul><li><font face="Arial">If, after the investigation, APDerm "determines that a member of its workforce has failed to comply with a provision of its Privacy, Security, and Breach Notification policies and procedures, the Covered Entity shall notify OCR in writing within thirty (30) days." <br></font></li></ul></ul><ul><ul><li><font face="Arial">The report to OCR must include:</font></li></ul></ul><ul><ul><ul><li><font face="Arial">"A complete description of the event, including relevant facts, the persons involved, and the implicated provision(s) of the Covered Entity’s Privacy, Security, and Breach Notification policies and procedures; and" [5]<br></font></li></ul></ul></ul><ul><ul><ul><li><font face="Arial">"A description of actions taken and any further steps the Covered Entity plans to take to address the matter, to mitigate the harm, and to prevent it from recurring, including the application of appropriate sanctions against workforce members who failed to comply with its Privacy, Security, and Breach Notification policies and procedures." </font><font face="Arial">[6]</font></li></ul></ul></ul><ul><li><font face="Arial"><b>Provide to OCR an Implementation Report, which is to include, among other things,</b><br></font></li></ul><ul><ul><li><font face="Arial">"An explanation of how the Covered Entity implemented its security management process ... focusing specifically on how The Covered Entity determined whether its policies and procedures should be revised based on the risks and vulnerabilities identified in the risk analysis.</font><font face="Arial">" [7]<br></font></li></ul></ul><ul><ul><li><div><font face="Arial">An attestation from an APDerm officer that any revisions to policies and procedures were fully implemented and distributed to all workforce members.</font></div></li></ul></ul><ul><ul><li><font face="Arial">"An attestation signed by an officer of the Covered Entity stating that he or she has reviewed the Implementation Report, has made a reasonable inquiry regarding its content and believes that, upon such inquiry, the information is accurate and truthful." </font><br><font face="Arial">[8]</font></li></ul></ul><p><font face="Arial"><b>Entities subject to HIPAA compliance should take note of the requirements in the Corrective Action Plan, particularly the list of details that a report to OCR should include</b>. The details noted by OCR should be included in the entity's breach investigation and report checklist.&nbsp;Specifically, any HIPAA breach investigation checklist should include, at least, the following elements:</font></p></div><div><blockquote><div><ol><li><font face="Arial">Description of the event</font></li><li><font face="Arial">Person(s) involved in the event</font></li><li><font face="Arial">Policies and procedures that were impacted by the event</font></li><ul><li><font face="Arial">Privacy policies</font></li><li><font face="Arial">Security policies</font></li><li><font face="Arial">Breach notification policies</font></li></ul><li><font face="Arial">Steps covered entity took to mitigate any perceived harm</font></li><li><font face="Arial">Steps covered entity will take to address the specific incident</font></li><ul><li><font face="Arial">Workforce member sanctions</font></li><li><font face="Arial">Additional training requirements for all workforce members</font></li></ul><li><font face="Arial">Steps covered entity will take to prevent the harm in the future</font><br></li></ol></div></blockquote></div></div><font face="Arial"><a name="few"><u><b>A few things to note...</b></u></a></font><br></div><ul><li><font face="Arial">OCR notified APDerm in November 2011 that it would launch its investigation. But, this settlement was not announced until December 2013, a full 2 years after the launch date. One has to wonder how many other investigations and settlements are currently pending.</font></li></ul><ul><li><font face="Arial">Neither the Press Release nor the Resolution Agreement provided details on the specifics of APDerm disclosing ePHI "by providing an </font><font face="Arial"><font face="Arial">unauthorized individual access to said ePHI for a purpose not permitted by the Privacy Rule." But, covered entities and their business associates should take this opportunity to carefully review the roles and responsibilities of their workforce members to ensure that only authorized individuals have access to ePHI.</font></font></li></ul><ul><li><font face="Arial">The OCR appears to be adopting the approach taken by the SEC, where it is requiring that any submissions being made to OCR are signed and attested to by an officer of the company. This has the potential to expand the scope of liability for the attesting officer for any false statements made in the reports to OCR. </font><br></li></ul><ul><li><font face="Arial"><font face="Arial">This is yet another case where a breach could have been prevented if the portable media device was encrypted. Covered entities, their business associates and the subcontractors of such business associates need to carefully evaluate their existing policies and, to the extent possible, implement encryption for all portable media devices, including thumb drives and laptops.</font></font><br></li></ul></div></div><font face="Arial"><br>------------------<br><font size="2">[1] HHS, Office of Civil Rights, Press Release, Dermatology practice settles potential HIPAA violations, Dec. 26, 2013, <i>available at</i> https://www.hhs.gov/news/press/2013pres/12/20131226a.html.<br><br>[2] Id.<br><br>[3] HHS, Resolution Agreement with </font></font><font face="Arial"><font size="2"><font face="Arial">Adult &amp; Pediatric Dermatology, P.C., p. 2, Dec. 24, 2013, https://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/apderm-resolution-agreement.pdf.<br><br>[4] Id.<br><br>[5] </font></font></font><font face="Arial"><font size="2"><font face="Arial"><font face="Arial"><font size="2">HHS, Resolution Agreement with </font></font><font face="Arial"><font size="2"><font face="Arial">Adult &amp; Pediatric Dermatology, P.C., Appendix A: Corrective Action Plan, p. 3 (of Appendix A), Dec. 24, 2013, https://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/apderm-resolution-agreement.pdf.<br><br>[6] Id.<br><br>[7] Id.<br><br>[8] Id. at 4.<br></font></font></font></font></font><br></font></div>    
 
 
 
 
 
 ]]></description>
<link>http://melniklegal.com/weblog/1388165329_HIPAA.html</link>
<guid>http://melniklegal.com/weblog/1388165329_HIPAA.html</guid>
<pubDate>Fri, 27 Dec 2013 12:28:49 EST</pubDate>
</item>
			
			
			
<item>
<title><![CDATA[Target's Data Breach Costs Reach $148 Million]]></title>
<description><![CDATA[
 
 
 
 
    <div align="left"><font face="Arial">In a Press Release issued on August 5, 2014, Target Corporation announced that its costs to address the December 2013 data breach have reached approximately $148 million. This number is "partially offset by a $38 million insurance receivable,"<font size="2">[1]<font size="3"> of the $100 million network security insurance coverage available.</font></font><font size="2"><font size="3"><font size="2">[2]</font></font><br><br></font></font><div align="left"><font face="Arial">The Company further noted that, "[e]xpenses for the quarter include an increase to the accrual for estimated probable losses for what the Company believes to be the vast majority of actual and potential breach-related claims, including claims by payment card networks." In its 10-Q <font size="3">report from May 29, 2014, Target advised that it expects these claims to "include amounts for incremental counterfeit fraud losses and non-ordinary course operating expenses (such as card reissuance costs) that the payment card networks believe they or their issuing banks have incurred."<font size="2">[3]</font> Interestingly, Target specifically noted that, "[w]hile an independent third-party assessor found the portion of [its] network that handles payment card data to be compliant with applicable data security standards in the fall of 2013, the forensic investigator working on behalf of the payment card networks claimed that [Target was] not in compliance with those standards at the time of the Data Breach."</font></font><font face="Arial"><font size="3"><font size="2">[4]</font></font></font></div><br><font face="Arial"><font size="3">As of May 29, Target also had more than 100 actions filed against the Company "on behalf of guests, payment card issuing banks, shareholders or others seeking damages or other related relief, allegedly arising out of the Data Breach."</font></font><font face="Arial"><font size="3"><font face="Arial"><font size="3"><font size="2">[5]</font></font></font> Additionally, Target reported that "State and federal agencies, including the State Attorneys General, the Federal Trade Commission and the SEC are investigating events related to the Data Breach, including how it occurred, its consequences and [Target's] responses."</font></font><font face="Arial"><font size="3"><font face="Arial"><font size="3"><font face="Arial"><font size="3"><font size="2">[6]</font></font></font></font></font><br><br>On July 24, 2014, U.S. District Judge Paul Magnuson, U.S. District Court, District of Minnesota, rejected Target's motion to stay discovery in a multidistrict litigation over the data breach. Target requested the stay pending the court's decision on a motion to dismiss that Target intends to file, noting that, "any motions to dismiss will be fully briefed by the end of October in the bank cases and the end of November in the consumer cases."</font></font><font face="Arial"><font size="3"><font face="Arial"><font size="2">[7]&nbsp; </font></font>Judge Magnuson ruled that, </font></font><font face="Arial">"[g]iven the Court's practice of issuing rulings on dispositive motions within one month of the hearing date, if not sooner, discovery will have proceeded for only a few months by the time the Court rules on Defendants' motions. Ninety days' worth of discovery does not impose such a burdensome expense to warrant disturbing the case's schedule."</font><font face="Arial"><font size="3"><font face="Arial"><font size="3"><font face="Arial"><font size="2">[8] </font></font></font></font>Discovery is scheduled to begin in September 2014.</font></font><font face="Arial"><font size="3"><br><br></font></font><table style="text-align: left; margin-left: auto; margin-right: auto;" align="left" border="0"><tbody><tr><td style="border: 1px solid #edad27; padding:3px;" color="#FFFFFF" size="3" bgcolor="#001c31" valign="top"><font face="Arial"><font face="Arial"><font color="#FFCC00"><b><i>A few comments....</i> </b></font><font color="#FFFFFF">Data breach remediation is clearly expensive. The Target incident is also a good reflection of what we continue to see in the market for both payment card and protected health information related data breaches - numerous class actions combined with federal and state government investigations. Additionally, as noted by Target in its 10-Q report, a third-party vendor found Target in compliance "with applicable data security standards" (presumably PCI-DSS) in fall 2013, but "the forensic investigator working on behalf of the payment card networks claimed that [Target was] not in compliance with those standards at the time of the Data Breach." </font></font></font><font face="Arial"><font face="Arial"><font color="#FFFFFF">Organizations storing personally identifiable information, whether it be credit card data or medical records, must carefully assess their risk on a continuous basis. </font></font></font></td></tr></tbody></table><div align="left"><br><br><br><br></div></div><div align="left"><div align="left"><br></div><font face="Arial"><br><br>-------------------------------------------</font><br></div><div align="left"><font face="Arial" size="2">[1] SEC, Form 8-K, Target Corporation, Aug. 5, 2014, <i>available at</i> <a href="https://investors.target.com/phoenix.zhtml?c=65828&amp;p=irol-sec">https://investors.target.com/phoenix.zhtml?c=65828&amp;p=irol-sec</a>.</font><font face="Arial"><br><br><font size="2">[2] SEC, Form 10-Q, Target Corporation, May 29, 2014, p. 9, <i>available at</i> <a href="https://investors.target.com/phoenix.zhtml?c=65828&amp;p=irol-sec">https://investors.target.com/phoenix.zhtml?c=65828&amp;p=irol-sec</a>.<br></font></font><br><font face="Arial"><font size="2">[3] <i>Id</i>. at 8.<br></font></font><br><font face="Arial"><font size="2"><font face="Arial"><font size="2">[4] <i>Id</i>. at 8.</font></font></font></font><br><br><font face="Arial"><font size="2">[5] <i>Id</i>. at 9.<br></font></font><br><font face="Arial"><font size="2"><font face="Arial"><font size="2">[6] <i>Id</i>. at 9.<br></font></font></font></font><br><font face="Arial"><font size="3"><font face="Arial"><font size="2">[7] <i>In re: Target Corporation Customer Data Security Breach Litigation</i>, MDL No. 14-2522, Order, July 24, 2014 (Court Order denying Defendants’ Motion to Stay Discovery (Docket No. 125)), <i>available at</i> <a href="https://www.mnd.uscourts.gov/MDL-Target/Orders/2014/2014-0724-14MDL2522-Order.pdf">https://www.mnd.uscourts.gov/MDL-Target/Orders/2014/2014-0724-14MDL2522-Order.pdf</a>.<br></font></font></font></font><br><font face="Arial"><font size="2"><font face="Arial"><font size="2">[8] <i>Id</i>.<br><br></font></font></font></font><font face="Arial">-------------------------------------------<br><font size="2"><br><br>Posted by Tatiana Melnik on August 6, 2014</font><br></font>  </div>  
 
 
 
 
 
 ]]></description>
<link>http://melniklegal.com/weblog/1407333079_Data-Breach.html</link>
<guid>http://melniklegal.com/weblog/1407333079_Data-Breach.html</guid>
<pubDate>Wed, 06 Aug 2014 09:51:19 EST</pubDate>
</item>
			
			
			
<item>
<title><![CDATA[FCC: The Newest Regulator to Throw its Hat into the Data Privacy and Security Ring]]></title>
<description><![CDATA[
 
 
 
 
     <div align="left"><div align="left"><font face="Arial">It's a sure sign that the tide on privacy and security enforcement has turned when the Federal Communications Commission (FCC), not one known to take enforcement actions in the data privacy and security space, fines two telecoms for $10 million dollars. On Friday, October 24, 2014, the FCC issued a Notice of Apparent Liability for Forfeiture (Notice) against TerraCom, Inc. and YourTel America, Inc., levying, in a 3-2 vote, a fine against the two companies for failing to protect the "proprietary information" of low income Americans.<font size="2">[1]</font></font><br></div><br></div><table style="text-align: left; margin-left: auto; margin-right: auto;" align="left" border="0"><tbody><tr><td style="border: 1px solid #edad27; padding:3px;" color="#FFFFFF" size="3" bgcolor="#001c31" valign="top"><font face="Arial"><font face="Arial"><font color="#FFCC00"><b><i>A brief summary and comparison to other enforcement actions and settlement agreements....</i> </b></font><font color="#FFFFFF">The facts and circumstances in the action against TerraCom and YourTel read very similar to enforcement actions from the Federal Trade Commission, where it frequently relies on statements made in privacy policies. Here, we have two telecoms that used a third-party vendor to provide a significant amount of services, including the storage of sensitive data. The companies advertised on their websites and privacy policies that they safeguarded consumer information, but in fact, "failed to employ reasonable practices to safeguard this information as they represented, expressly or by implication, in their privacy policies." Importantly, the FCC looks to what the companies represented and noted that they were looking at the express language or "by implication." That is, it appears that the FCC, like the FTC, will look more broadly at what the materials meant to convey. <br><br>Further, the FCC found the use of passwords and encryption important noting that, "the Companies' choice to store, or its vendor's choice to store, files containing the PI of customers in a publicly accessible folder on the Internet, without password protection or encryption, is the practical equivalent of having provided no security at all." But, then the FCC went further, stating that "given the state of technology, we believe the lack of encryption clearly evidences the unjust and unreasonable nature of the Companies' data security practices." This speaks directly to the approach taken by the Office of Civil Rights in its settlement agreements with covered entities that have failed to encrypt laptops that were subsequently lost.<br><br>Finally, the FCC found it troubling that the Companies failed to notify all potential victims. This speaks directly to that basis of several enforcement actions brought by State's Attorneys' General, including, for example, the Attorney General of Indiana and the Attorney General of Massachusetts.<br><br>Moving forward, this enforcement action may signal an important turn in the discussion of the regulatory framework of the Internet of Things, where the FCC is sure to be a strong player.<br></font></font></font></td></tr></tbody></table><div align="left"><br><font face="Arial"><br></font><div align="left"><font face="Arial">The issue was brought to light when, in 2013, a reporter from the Scripps Howard News Service discovered that the companies were storing the information in an unsecured manner and, over the period of several days, Scripps' reporters accessed 128,066 documents. When the news service brought the issue to the attention of the two companies, the companies sent a cease and desist letter to Scripps calling the reporters "hackers".<font size="2">[2]</font>&nbsp; The companies notified the FCC Enforcement Bureau on May 7, 2013 regarding the incident "claim[ing] that the Companies were victims of a security breach."</font><font face="Arial"><font face="Arial"><font size="2">[3]</font></font> The FCC alleges that the companies exposed the proprietary information of more than 300,000 consumers.</font><br><br><font face="Arial">As the opening paragraph of the Introduction explains:</font><br><blockquote><font face="Arial">Today, we take action against two companies that collected names, addresses, Social Security numbers, driver's licenses, and other proprietary information (PI) belonging to low-income Americans and stored them on unprotected Internet servers that anyone in the world could access with a search engine and basic manipulation. The companies stored such consumer PI in two publicly accessible folders on the Internet without password protection or encryption. By not employing appropriate or even reasonable&nbsp;&nbsp;&nbsp; security measures, the companies exposed their customers to an unacceptable risk of identity theft and other serious consumer harms.</font><font face="Arial"><font face="Arial"><font size="2">[4]</font></font></font></blockquote></div><font face="Arial">The FCC found that the companies violated Sections 201(b) and 222(a) of the Communications Act of 1934 as well as FCC Rules when they:<br></font><blockquote><font face="Arial">(i) failed to properly protect the confidentiality of consumers' PI they collected from applicants for the Companies' wireless and wired Lifeline telephone services; </font><br><br><font face="Arial">(ii) failed to employ reasonable data security practices to protect consumers' PI; </font><br><br><font face="Arial">(iii) engaged in deceptive and misleading practices by representing to consumers in the Companies' privacy policies that they employed appropriate technologies to protect consumers' PI when, in fact, they had not; and</font><br><br><font face="Arial">(iv) engaged in unjust and unreasonable practices by not fully informing consumers that their PI had been compromised by third-party access.</font><br> </blockquote><div align="left"><table border="0"><tbody><tr><td align="left" valign="top"><font face="Arial">Both companies provide subsidized telephone services to low income Americans under the Lifeline program. While the companies "have common shareholders, share key management employees, and are joint owners of a third company, BrightStar Global Solutions, LLC (BrightStar), [they] are separate corporate entities headquartered in Oklahoma and Missouri."</font><font face="Arial"><font face="Arial"><font face="Arial"><font size="2">[5]</font></font></font>&nbsp; In providing the services, Brightstar retained a third party vendor, CallCenters India, Inc., d/b/a Vcare Corporation (Vcare), to provide certain hosted services, including the call center, back office support, billing, software, and data storage for customer application files.</font><font face="Arial"><font face="Arial"><font face="Arial"><font face="Arial"><font size="2">[6]</font></font></font></font>&nbsp; According to the FCC Notice, Vcare stored customer files in "in clear, readable text and in electronic format accessible via the Internet."</font><font face="Arial"><font face="Arial"><font face="Arial"><font face="Arial"><font size="2">[7]</font></font></font></font>&nbsp; These files contained all the information that customers needed to apply for the Lifeline program including, for example, "their name and address, date of birth, Social Security Number, . . . driver's license or state ID card . . .&nbsp; annual statement of government benefits; the prior year's state, federal or Tribal tax return; paycheck stubs; Social Security benefit statements; Veterans Administration benefit statements; retirement or pension information; Unemployment or Workers' Compensation benefit statements; Federal or Tribal notice letters of participation in General Assistance; divorce decrees or child support awards; or other official documents establishing the applicant's income level."<br><br></font><font face="Arial">As describe above, an investigative reporter discovered that the telecoms were storing information in an unsecured manner. When the news service notified the telecoms regarding their security hole, the companies called the reporters working for the news service hackers and then proceeded notify the FCC regarding the security incident.</font><br></td><td align="left" valign="top"><font face="Arial"> </font><font face="Arial"><img src="https://melniklegal.com/images/telephone.jpg"></font><br></td></tr></tbody></table><font face="Arial"></font><font face="Arial"><br>In its action, the FCC explains, TerraCom and YourTel "apparently willfully and repeatedly" violated their duties under Section 222(a) of the Communications Act of 1934, which requires carriers "to protect the confidentiality of proprietary information of, and relating to . . . customers."<font size="2">[8]</font>&nbsp; The FCC further notes that, "[t]he Commission has made clear that section 222(a) requires carriers to take every reasonable precaution to protect the confidentiality of proprietary or personal customer information and that it was committing to taking resolute enforcement action to ensure that the goals of section 222 are achieved."<font size="2">[9]</font>&nbsp; While declining to adopt the NIST definition of personally identifiable information, the Commission found it instructive in formulating its definition of proprietary information and read the definition of proprietary information broadly:</font><br><div align="left"><blockquote><font face="Arial">In the context of Lifeline service at issue here, "proprietary information" includes all documentation submitted by a consumer or collected by an ETC to determine a consumer's eligibility for Lifeline service, as well as all personally identifiable information contained therein. Specifically, information such as a consumer's (i) first and last name; (ii) home or other physical address; (iii) email address or other online contact information, such as an instant messaging screen name that reveals an individual's email address; (iv) telephone number; (v) Social Security Number, tax identification number, passport number, driver's license number, or any other government-issued identification number that is unique to an individual; (vi) account numbers, credit card numbers, and any information combined that would allow access to the consumer's accounts; (vii) Uniform Resource Locator ("URL") or Internet Protocol ("IP") address or host name that identifies an individual; or (viii) any combination of the above, constitutes "proprietary information" protected by Section 222(a).<font size="2">[10]</font></font></blockquote></div></div><div align="left"><font face="Arial">This broad reading is consistent with the approach taken by the Health Insurance Portability and Accountability Act (HIPAA) in its definition of protected health information as well as the definitions of personally identifiable information adopted by more recent state data breach laws, such as the Florida Information Protection Act of 2014.</font><br><br><font face="Arial">Interestingly, in assessing consumer expectations, like the Federal Trade Commission, the FCC also looked at the promises the telecoms made in their privacy policies, noting specifically that:</font><br><blockquote><font face="Arial">The Companies' privacy policies assure those persons submitting"[c]ustomer specific information" through their website that they will protect that information and, in fact, inform such applicants that"[b]y providing us with your information, you acknowledge that you have read this privacy policy, understand it, agree to its terms and consent to the transfer of such information outside your resident jurisdiction.<font size="2">[11]</font></font></blockquote><font face="Arial">Therefore, the telecoms set certain expectations in the minds of their consumers that they failed to meet.</font><br><br><font face="Arial">Further, the FCC found that TerraCom and YourTel violated Section 201(b) of the Communications Act of 1934, because their "failure to protect and secure the PI of their customers . . . constitute[d] an unjust and unreasonable practice."<font size="2">[12]</font></font><br><br><font face="Arial"><i><b>Unreasonable Data Privacy and Security Practices</b></i></font><br><br><font face="Arial">According the FCC, the "evidence shows that the Companies' security measures lacked even the most basic features to protect consumers' PI."<font size="2">[13]</font>&nbsp; The FCC noted the following practices as being unreasonable:</font><br><ul><li><font face="Arial">Storing the information in plain text thereby enabling it to be read by search engines - "the PI hosted by Vcare on its server was widely available on public websites online through a simple Google search," at least two applications were cached by the Google search engine, and these applications remained cached until the FCC contacted Google to have them removed<font size="2">.[14]</font></font> </li></ul><ul><li><font face="Arial">Failing to properly secure the server directories storing the PI and using applicant names in the URLs - </font></li></ul><ul><ul><li><font face="Arial">"The Companies knew or should have known that the use of random URLs without more (e.g., encryption) to protect applicant records provided inadequate security and left the documents vulnerable to exposure via search engines-which operate by visiting websites, indexing all or much of the content available on them, and then delivering links to the indexed results to anyone that queries the engine."<font size="2">[15]</font></font></li></ul></ul><ul><ul><li><font face="Arial">"[T]he Companies' URL naming convention for one of the folders containing PI that was stored on Vcare's server also exposed the names of the applicants or customers directly in the URL, further demonstrating the lack of security of the records."<font size="2">[16]</font></font></li></ul></ul><ul><li><font face="Arial">Failing to use encryption - "We do not hold here that encryption without more would satisfy a carrier's duty under Section 201(b); however, given the state of technology, we believe the lack of encryption clearly evidences the unjust and unreasonable nature of the Companies' data security practices.<font size="2">"[17]</font></font> </li></ul><font face="Arial"><i><b>Failing to Notify Consumers</b></i></font><br><br><font face="Arial">The FCC also found it troubling that the companies only notified 35,129 consumers of the potentially 300,000+ that were impacted. The telecoms argued that they followed the state data breach laws for each of the individual states, but the FCC found the "failure to notify all affected consumers of the breach unjust and unreasonable because it left consumers ignorant about the risks of identity theft problems that may occur due in whole or part to the breach-a problem made even more troubling in light of the Companies' admission that they do not know the extent or breadth of the breach."<font size="2">[18]</font></font><br></div><br><br><font face="Arial">-------------------------------------------</font><br><font face="Arial"><font size="2">[1] FCC, In the Matter of TerraCom, Inc. and YourTel America, Inc., File No.:EB-TCD-13-00009175, FRNs:0010103745 and 0020097572 (Oct. 24, 2014), <a href="https://transition.fcc.gov/Daily_Releases/Daily_Business/2014/db1027/FCC-14-173A1.pdf">https://transition.fcc.gov/Daily_Releases/Daily_Business/2014/db1027/FCC-14-173A1.pdf</a>.</font></font><br><br><font size="2"><font face="Arial">[2] <i>Id</i>. at para 6-7.<br><br>[3] </font></font><font size="2"><font face="Arial"><font size="2"><font face="Arial"><i>Id</i>. at para 8.</font></font><br><br>[4]</font></font> <font size="2"><font face="Arial"><font size="2"><font face="Arial"><i>Id</i>. at para 1 (emphasis added).</font></font></font></font><br><br><font size="2"><font face="Arial">[5]</font></font> <font size="2"><font face="Arial"><font size="2"><font face="Arial"><font size="2"><font face="Arial"><i>Id</i>. at para 3.</font></font></font></font><br><br>[6]</font></font> <font size="2"><font face="Arial"><font size="2"><font face="Arial"><font size="2"><font face="Arial"><font size="2"><font face="Arial"><i>Id</i>. at para 5.</font></font></font></font></font></font><br><br>[7] <i>Id</i>.<br></font></font><br><font size="2"><font face="Arial"><font size="2"><font face="Arial">[8] </font></font></font></font><font size="2"><font face="Arial"><font size="2"><font face="Arial"><font size="2"><font face="Arial"><font size="2"><font face="Arial"><font size="2"><font face="Arial"><i>Id</i>. at para 13.</font></font></font></font></font></font><br><br>[9] <i>Id</i>. (internal quotations and citations omitted.)<br></font></font><br><font size="2"><font face="Arial">[10] </font></font></font></font><font size="2"><font face="Arial"><font size="2"><font face="Arial"><font size="2"><font face="Arial"><font size="2"><font face="Arial"><font size="2"><font face="Arial"><font size="2"><font face="Arial"><font size="2"><font face="Arial"><i>Id</i>. at para 19.</font></font></font></font></font></font></font></font></font></font><br><br>[11] <i>Id</i>. at para. 25. See also the discussion starting in para. 36.<br><br>[12] <i>Id</i>. at para. 31.<br><br></font></font></font></font><font size="2"><font face="Arial"><font size="2"><font face="Arial"><font size="2"><font face="Arial"><font size="2"><font face="Arial">[13] </font></font></font></font><i>Id</i>. at para. 29.<br><br>[14] <i>Id</i>.<br><br>[15] <i>Id</i>.<br><br>[16] <i>Id</i>. at para. 33.<br><br>[17] <i>Id</i>. at para. 32.<br></font></font></font></font><br><font size="2"><font face="Arial"><font size="2"><font face="Arial">[18] <i>Id</i>. at para. 39.<br></font></font></font></font><font face="Arial"><font face="Arial">-------------------------------------------</font></font><br><br><br><font face="Arial"><font size="2">Posted by Tatiana Melnik on October 27, 2014.</font></font><br></div><font face="Arial"> </font>    
 
 
 
 
 
 ]]></description>
<link>http://melniklegal.com/weblog/1414465469_FCC.html</link>
<guid>http://melniklegal.com/weblog/1414465469_FCC.html</guid>
<pubDate>Mon, 27 Oct 2014 23:04:29 EST</pubDate>
</item>
			
			
			
<item>
<title><![CDATA[Indiana Court of Appeals Upholds $1.44 Million Jury Verdict Against Walgreen Co. in a Privacy Breach Case; Denies Rehearing]]></title>
<description><![CDATA[
 
 
 
 <div align="left"><font face="Arial">On November 14, 2014, the Court of Appeals of Indiana issued a decision in the Hinchy v. Walgreen Co. case, upholding the jury verdict in favor of Ms. Hinchy. After a four-day jury trial that began in July 23, 2013, the jury found that Ms. Hinchy suffered damages in the amount of $1.8 million, with $1.4 million of that (80%) to be borne jointly by Walgreens and Ms. Withers, a Walgreen's pharmacist. The rest (20%) was to be borne by Mr. Peterson, Ms. Hinchy's ex-boyfriend and the father of her child and Ms. Withers's husband. </font><br><br><font face="Arial">In upholding the jury verdict, which courts are "loathe to disturb," the Appellate Court began its decision as follows: "In this case, a pharmacist breached one of her most sacred duties by viewing the prescription records of a customer and divulging the information she learned from those records to the client's ex-boyfriend."<font size="2">[1]</font> Walgreens vowed to appeal the decision to the Indiana Supreme Court, but first petitioned the Appellate Court for a rehearing. On January 15, 2015, the Court of Appeals of Indiana ruled on Walgreen Co.'s petition for a rehearing and declined to disturb its original decision.<font size="2">[2]</font> As such, the Court of Appeals of Indiana's decision to uphold the jury verdict stands. Walgreen may yet appeal to the Indiana Supreme Court.</font><br></div><div align="left"><font face="Arial" size="2"><br></font><style> .linkcolorchange A:link {color: #edad27; text-decoration: underline}.linkcolorchange A:visited {color: #edad27; text-decoration: underline}  .linkcolorchange A:active {text-decoration: underline}  .linkcolorchange A:hover {text-decoration: underline; color: #edad27;} </style><table style="text-align: left; margin-left: auto; margin-right: auto;" class="linkcolorchange" border="0"><tbody><tr><td style="border: 1px solid #edad27; padding:3px;" color="#FFFFFF" size="3" bgcolor="#001c31" valign="top"><font color="#FFCC00" face="Arial"><b><i>A few preliminary comments....</i></b></font><font color="#FFFFFF" face="Arial">The <i>Hinchy </i>case has garnered a good amount of attention in the media, among attorneys, and more importantly, businesses that handle protected health information. While this case does arise under Indiana law, as Mr. Eggeson, the attorney that tried this case on behalf of Ms. Hinchy noted to me in an interview I conducted with him in December 2014, "[this case] has now created a precedent which will make life MUCH easier for privacy victims across the country--showing those victims how to bring their claims, how to structure and argue their claims so as to make corporate employers liable for the acts of their employees, and how to earn large damages awards from the jury." (<i>The full interview is to be published in an upcoming article for the Journal of Health Care Compliance.</i>)<br><br>Covered entities, business associates, and subcontractors should pay careful attention to the circumstances in this case because this can very easily be them. Here is a company that, arguably, has a strong HIPAA training program, where employees are educated on how they can and cannot access and use protected health information. Yet, a jury still found Walgreen liable under <i>respondeat superior</i>. That is, the jury determined that the pharmacist's actions were within the scope of employment because they were of the same general nature as those authorized, or incidental to the actions that were authorized, by Walgreen. Importantly, the jury found Walgreen's failure to terminate the pharmacist after it learned of the actions as problematic and, as counsel for Walgreen stated during the oral arguments, one juror specifically noted that Walgreen should have fired the pharmacist. </font><font color="#FFFFFF" face="Arial"><font color="#FFFFFF" face="Arial">As Mr. Eggeson succinctly explained it to me, "<font color="#FFFF33"><b><i>From a plaintiff's perspective, the 'good' privacy case is the one where a compliance officer or defense attorney mistakenly believes that corporate policies will be more persuasive to a jury than a tearful privacy victim</i></b></font>."<br><br></font>All companies that handle protected health information (or any sensitive information, including credit card numbers, social security numbers, and driver's licenses) should take the time to review their data breach insurance coverage. Healthcare providers in particular should work with counsel to review the extent of their coverage. Many malpractice carriers now include at least some basic coverage for data breach liability in malpractice policies. But, generally, this coverage is insufficient. You may learn more about cyberliability coverage in a three part series that I wrote for the Mature Market Experts blog: <a href="https://maturemarketexperts.com/2014/12/things-consider-purchasing-cyberliability-insurance/">Part One</a> (A <i>Few Things to Consider When Purchasing Cyberliability Insurance</i>), <a href="https://maturemarketexperts.com/2014/12/cyberliability-insurance-much-coverage-organizations-need/">Part Two</a> (<i>How Much Coverage Do Organizations Need?</i>) and <a href="https://maturemarketexperts.com/2014/12/cyberliability-insurance-kind-coverage-available/">Part Three</a> (<i>How Much Do Policies Cost?</i>).<br><br>The oral argument before the </font><font color="#FFFFFF" face="Arial"><font face="Arial">Court of Appeals of Indiana</font> is available online - <a href="https://mycourts.in.gov/arguments/default.aspx?&amp;id=1724&amp;view=detail">https://mycourts.in.gov/arguments/default.aspx?&amp;id=1724&amp;view=detail</a>. The argument is about an hour and is worth watching to see the issues that the judges picked out and found important as well as the facts the attorneys cited in defense of their specific position(s). There was a rather lengthy discussion regarding the <i>respondeat superior</i> issue as well as the need to track employee access.<br></font></td></tr></tbody></table><font face="Arial"><br><i><u><b>How this Case Arose</b></u></i><br></font><div><font face="Arial"><br>This privacy breach case arose as these cases typically arise - there was a love triangle of sorts and someone disclosed information they should not have. Sometime between fall 2006 and spring 2010, Ms. Hinchy was involved in a relationship with Mr. David Peterson.<font size="2">[3]</font> As the Appellate Court recited:<br></font><blockquote><font face="Arial">During this [2006 - 2010] period, Hinchy filled all of her prescriptions, including oral birth control pills, at a Walgreen pharmacy. At some point in 2009, Peterson began dating Walgreen pharmacist Audra Withers. In August 2009, Hinchy became pregnant with Peterson's child. On an unknown date, Peterson learned that he had contracted genital herpes. Hinchy gave birth to a son on May 22, 2010.<br><br>At some point during the week of May 26, 2010, Peterson mailed a letter to Withers informing her about the baby and about the possibility that he may have exposed her to genital herpes. Withers became terrified about the possibility of contracting a sexually transmitted disease. Consequently, during her shift and while at work, Withers looked up Hinchy's prescription profile in the Walgreen computer system to see if she could find any information about Hinchy's sexually transmitted disease. The next day, Withers again looked up Hinchy's profile to confirm that she had spelled it correctly the day before.<font size="2">[4]</font><br></font></blockquote><font face="Arial">Subsequently on May 29, 2010, Mr. Peterson sent Ms. Hinchy a number of accusatory text messages and disclosed to her that he had a copy of her prescription records. Ms. Hinchy tried to determine how Mr. Peterson obtained a copy of her records and was told by an employee at Walgreens "that there was no way to track whether her records had been accessed."<font size="2">[5]</font> Ms. Hinchy let the matter go at that time because she did not know how to proceed. But, in March 2011, Ms. Hinchy learned that Mr. Peterson was married to Ms. Withers and that Ms. Withers was a pharmacist at the local Walgreens where Ms. Withers fills her prescriptions. Ms. Hinchy reported the matter to the local Walgreens, which investigated the matter:<br></font><blockquote><font face="Arial">When Withers was confronted about the situation, she admitted that she had accessed Hinchy's prescription profile for personal reasons. On April 15, 2011, Loss Prevention Detective Michael Bryant confirmed to Hinchy that (1) a HIPAA/privacy violation had occurred, (2) Withers had viewed Hinchy's prescription information without consent and for personal purposes, and (3) Walgreen could not confirm that Withers had revealed that information to a third party. As a result of Walgreen's investigation, Withers received a written warning and was required to retake a computer training program regarding HIPAA.<font size="2">[6]</font><br></font></blockquote><div><font face="Arial">Ms. Hinchy filed suit against both Walgreens and Ms. Withers on August 1, 2011. Against Ms. Withers, Ms. Hinchy filed claims of:<br></font><blockquote><font face="Arial">(1) negligence/professional malpractice, </font><br><font face="Arial">(2) invasion of privacy/public disclosure of private facts, and </font><br><font face="Arial">(3) invasion of privacy/intrusion.</font><br></blockquote><font face="Arial">Against Walgreens, Ms. Hinchy filed claims: </font><br><blockquote><font face="Arial">(1) seeking liability for the counts she filed against Withers by way of respondeat superior, </font><br><font face="Arial">(2) direct claims for:</font><br><font face="Arial">(a) negligent training, </font><br><font face="Arial">(b) negligent supervision, </font><br><font face="Arial">(c) negligent retention, and </font><br><font face="Arial">(d) negligence/professional malpractice.</font><br></blockquote><font face="Arial">Walgreens appealed the jury verdict on a number of grounds, but this discussion will only focus on the Appellate Court's discussion of the underlying liability, the respondeat superior claim, and the amount of damages.<br><br><b><i>Underlying Liability</i></b><br><br>The Appellate Court first looked at "the tort of negligence by virtue of professional malpractice of a pharmacist. Negligence is comprised of three elements: (1) a duty on the part of the defendant to the plaintiff; (2) a breach of that duty; and (3) an injury to the plaintiff resulting from the breach."<font size="2">[7]</font> The Court found that Ms. Withers had a duty under Indiana law to keep the medical information she learned confidential. Ms. Withers breached that duty when she disclosed the information to Mr. Peterson. Ms. Hinchy further testified that, among other things, she suffered a number of emotional damages which impacted her ability to care for her child, she was humiliated, that she had a general distrust of healthcare providers, and that she was now taking a stronger anti-depressant.<font size="2">[8]</font> As such, the Appellate Court found that Ms. Withers was negligent by virtue of professional malpractice.<br><br><i><b>Respondeat Superior and Having the Ability to Track Access</b></i><br><br>The doctrine of respondeat superior allows for vicarious liability to be imposed on an employer "where the employee has inflicted harm while acting within the scope of employment."<font size="2">[9]</font> As the Appellate Court explained:<br></font><blockquote><font face="Arial">To fall within the scope of employment, the injurious act must be incidental to the conduct authorized or it must, to an appreciable extent, further the employer's business. An act is incidental to authorized conduct when it is subordinate to or pertinent to an act which the servant is employed to perform, or when it is done to an appreciable extent, to further his employer's business. . . . An employer is not held liable under the doctrine of respondeat superior because it did anything wrong, but rather because of the employer's relationship to the wrongdoer. . . . Furthermore, conduct is within the scope of employment when it is of the same general nature as that authorized, or incidental to the conduct authorized.<font size="2">[10]</font></font><br></blockquote><font face="Arial">In this case, the jury determined that Ms. Wither's actions were within the scope of employment because they "were of the same general nature as those authorized, or incidental to the actions that were authorized, by Walgreen. Specifically, Withers was authorized to use the Walgreen computer system and printer, handle prescriptions for Walgreen customers, look up customer information on the Walgreen computer system, review patient prescription histories, and make prescription-related printouts. Withers was at work, on the job, and using Walgreen equipment when the actions at issue occurred."<font size="2">[11]</font> This issue of whether the actions were within the scope of employment is for the jury to determine and the Appellate Court declined to disturb the jury's decision.<br><br>Another important issue in this case is Walgreen's ability to track who accessed a patient's record and the actions that Walgreen took after it learned from Ms. Hinchy that someone had improperly accessed her record. The issue was raised during oral arguments before the Indiana Court of Appeals when the Court and counsel were discussing the issue of respondeat superior, how it relates to other claims (<i>e.g.</i>, negligent training) as well as the disciplinary actions Walgreen took after it found out what happened.<font size="2">[12]</font></font><font face="Arial"><br></font><br><font face="Arial"><font face="Arial">Ms. Maggie Smith, counsel for Walgreen noted that 
 prior to this issue, Ms. Wither's had not violated Walgreen's policies. 
 But, the Court challenged this assertion because Walgreen had 
 acknowledged that the Company did not have any way of knowing since the 
 Company had no means to track access. Ms. Smith specifically asserted 
 that other pharmacies did not have the means to track access and 
 therefore Walgreen could not be negligent for failing to do something 
 that is not done in the community. Ms. Smith noted that, "the jury found
  that the discipline imposed by Walgreen was inadequate. But, there is 
 nothing in negligent retention or supervision jurisprudence that says 
 that the action that you take after learning an employee has acted 
 incorrectly is to fire that employee. Instead what happened here is 
 [that Walgreen took certain disciplinary actions against Ms. Withers.] 
 They took steps to make sure this didn't happen again. They didn't fire 
 her and one of the jurors felt that that's what they should have done."<font size="2">[13]<br><br></font></font></font><table border="0"><tbody><tr><td align="left" valign="top"><font face="Arial">Mr. Neal Eggeson, counsel for Ms. Hinchy, noted that 
 whether access tracking systems were in place at pharmacies was a 
 dispute between the experts. Mr. Eggeson specifically note that, Curtis 
 Baldwin, the expert that he presented, "said not only is tracking 
 systems something that he's been using at Kroger for 30 years, this is 
 something that he does everyday. The expert that [Walgreen] hired from 
 Perdue, on the other hand, suggests that, to his knowledge, even though 
 he has not worked in any pharmacies, he does not know of any tracking 
 system by any pharmacy. That was a disputed fact and the jury came down 
 on [Ms. Hinchy's] side on that issue."<font size="2">[14]</font></font><br></td><td align="left" valign="top"><font face="Arial"> </font><font face="Arial"><img src="https://melniklegal.com/images/court.jpg" border="1"></font><br></td></tr></tbody></table><font face="Arial"><font size="2"></font><br><i><b>Amount of Damages<br><br></b></i>The amount of damages has garnered a significant amount of attention. In its appeal, Walgreen argued "that the damages award was excessive and based on improper factors."<font size="2">[15]</font> Appellate Courts do have the power to set aside jury verdicts if they are excessive. "Where a damage award is so outrageous as to indicate the jury was motivated by passion, prejudice, partiality, or the consideration of improper evidence, [Courts will] find the award excessive."<font size="2">[16]</font> To support that the award was excessive, Walgreen argued that, "(1) Hinchy does not have a physical injury or condition resulting from the breach, (2) Hinchy has had no lost wages as a result of the breach, and (3) Hinchy did not offer any testimony from a medical professional or counselor supporting her claim of emotional distress."<font size="2">[17]</font> Interestingly, some of these damages types have been cited by courts in other jurisdictions as grounds for <i>dismissing </i>data breach class actions, arguing that, because plaintiffs failed to demonstrate 'damages,' they lacked standing to bring their claim(s).<br><br>But, as the Court here explained, Walgreen's argument amounted to "a request that [the Court] reweigh the evidence, a practice in which we do not engage when evaluating a damages award. We find that the evidence in the record supporting the award is sufficient to affirm it."<font size="2">[18]</font> The Appellate Court identified the following evidence in support of the damages award:<br></font><blockquote><ul><li><font face="Arial">Withers gained information about Hinchy's private health information, including her social security number, and then shared that information with Peterson, who then shared the information with at least three other people</font></li></ul><ul><li><font face="Arial">Hinchy's father learned about Hinchy's use of birth control, that Hinchy had herpes, and that Hinchy had stopped taking birth control shortly before becoming pregnant.</font></li></ul><ul><li><font face="Arial">Hinchy testified that she experienced mental distress, humiliation, and anguish as a result of the breach. She stated that she was upset, crying, and feeling "completely freaked out . . . ." She felt "violated," "shocked," and "confused."</font></li></ul><ul><li><font face="Arial">The disclosure led to Peterson berating Hinchy for "getting pregnant on purpose" and eventually extorting Hinchy by threatening to release the details of her prescription usage to her family unless she abandoned her paternity lawsuit.</font></li></ul><ul><li><font face="Arial">Hinchy testified that she experienced uncontrollable crying that affected her ability to care for her child, going to a counselor to address the emotional toll of the privacy breach, experiencing a general distrust of all healthcare providers, and feeling a persistent and continuous loss of "peace of mind."</font></li></ul><ul><li><font face="Arial">Hinchy also testified that she now takes Celexa, an anti-depressant, which costs $75 per month. Before the breach, she had taken a weaker anti-depressant intermittently, and had not taken it for more than one year before the breach.<font size="2">[19]</font></font></li></ul></blockquote><font face="Arial">The Appellate Court declined to disturb the awarded damages.<br><br><i><u><b>Walgreen's Petition for Rehearing</b></u></i><br><br>Subsequent to the first decision from the Appellate Court, Walgreen petitioned for a rehearing from the Court of Appeals of Indiana. On January 15, 2015, the Court denied the petition. As a result, the jury's decision and that of the Appellate Court upholding the decision stands.<br><br></font><br></div></div><font face="Arial" size="2">-------------------------------------<br></font><font face="Arial" size="2">[1] Hinchy v. Walgreen Co., Case. No. 49A02-1311-CT-950, *2 (App. Ct. Ind., Nov. 14, 2014), <i>available at</i> <a href="https://www.in.gov/judiciary/opinions/pdf/11141404jgb.pdf">https://www.in.gov/judiciary/opinions/pdf/11141404jgb.pdf</a> [hereinafter the "First Appellate Decision"].<br><br>[2] Hinchy v. Walgreen Co., Case. No. 49A02-1311-CT-950, (App. Ct. Ind., Jan. 15, 2015), <i>available at </i><a href="https://www.in.gov/judiciary/opinions/pdf/01151503jgb.pdf">https://www.in.gov/judiciary/opinions/pdf/01151503jgb.pdf</a>.<br><br>[3] First Appellate Decision at *2-3.<br><br>[4] Id. at *3.<br><br>[5] Id. at *4.<br><br>[6] Id. at *5.<br><br>[7] Id. at *14.<br><br>[8] Id. at *22.<br><br>[9] Id. at *8 (internal quotations and citations omitted).<br><br>[10] Id. at *8-10 (internal quotations and citations omitted).<br><br>[11] Id. at *11.<br><br>[12] Hinchy v. Walgreen Co., Case. No. 49A02-1311-CT-950, Oral Arguments, Oct. 14, 2014,<i> available at </i><a href="https://mycourts.in.gov/arguments/default.aspx?&amp;id=1724&amp;view=detail">https://mycourts.in.gov/arguments/default.aspx?&amp;id=1724&amp;view=detail</a>. <br><br>[13] Id. at 14:57 - 15:49 (argument of Maggie Smith).<br><br>[14] Id. at 28:26 - 28:51 (argument of Neal Eggeson).<br><br>[15] First Appellate Decision at *21.<br><br>[16] Id. (internal quotations omitted).<br><br>[17] Id. at *22.<br><br>[18] Id. at *22-23.<br><br>[19] Id.<br></font><font face="Arial" size="2"><font size="2"><br></font></font><font face="Arial" size="2">-------------------------------------<br><br>Posted by Tatiana Melnik on January 25, 2015<br></font></div><font face="Arial"> </font>   
 
 
 
 
 
 ]]></description>
<link>http://melniklegal.com/weblog/1422230063_Data-Breach.html</link>
<guid>http://melniklegal.com/weblog/1422230063_Data-Breach.html</guid>
<pubDate>Sun, 25 Jan 2015 18:54:23 EST</pubDate>
</item>
			
			
</channel>
</rss>