HHS Jumps on the Cybersecurity Information Sharing Bandwagon; Third Circuit on Economic Loss as a basis for Negligence Claim; FTC workshop on Ransomware; German draft implementing law for GDPR revealed.

HHS Jumps on the Cybersecurity Information Sharing Bandwagon

Because of recent news reports confirming that cyberattacks against healthcare agencies have increased 125 % in the past five years, HHS is encouraging HIPAA Covered Entities and Business Associates to share information to combat future attacks.

HHS, based on authority from Executive Order 13591 and the Cybersecurity Information Security Act (CISA), is urging Covered Entities and Business Associates to join Information Sharing and Analysis Organizations (ISAOs) to share security threat and vulnerability information related to electronic protected health information (ePHI).

Ideally, ISAOs will provide a mechanism for sharing information bi-directionally “between HHS and the Health Care and Public Health (HPH) sector regarding cyber threats and will also provide outreach and education to the HPH sector.” This press release from HHS follows a similar measure by the Department of Homeland Security, which also encourages information sharing to mitigate the risk of cyberattacks.

In developing ISAOs in the health care sector, it is critical to consider three things:

  • the standards and best practices for the creation of ISAOs to ensure that covered entities and business associates that participate gain the protections of such information sharing under CISA;
  • the data that is shared in light of what is permitted under the HIPAA Privacy Rule; and
  • how participation in an ISAO can support compliance with the HIPAA Security Rule.

Crowell & Moring is a leading expert in the creation of ISAOs and HIPAA compliance and can help stakeholders that seek to comply with HHS’s call to action to consider the intersection of these various legal frameworks

Good News for Defendants: Third Circuit Holds that Economic Loss is NOT Enough to Bring Negligence Claim for Breach

Interpreting Pennsylvania law, the Third Circuit upheld the District Court’s decision to dismiss a negligence action against Benecard, a prescription benefit administration services company. After hackers breached Benecard’s security system and used plaintiffs’ information to file fraudulent tax returns, plaintiffs filed suit against Benecard alleging it was negligent in its protection of their information.

This suit was barred by the “economic loss doctrine.” Under the Pennsylvania formulation, this doctrine provides that “no cause of action exists for negligence that results solely in economic damages unaccompanied by physical injury or property damage.”

According to the Third Circuit, only contract damages are available for purely economic loss, such as the loss plaintiffs suffered here. This case may influence other states, which also have an economic loss doctrine, to preclude tort actions for loss of data.

FTC Holds a Workshop on Ransomware

On Wednesday, September 7th, FTC held a workshop on ransomware, focusing on the nature of the threat, steps to guard against ransomware, appropriate responses to an attack, and the future of ransomware attacks.

Chairwoman Ramirez, began the workshop with remarks reiterating that the FTC will bring enforcement actions against companies that fail to maintain reasonable measures to protect against threats. She emphasized the need to maintain good “cyber hygiene,” by, amongst other measures, monitoring and patching vulnerabilities.

Many of the speakers also highlighted the growing threat that ransomware plays to the health care industry, which has become a favorite target of hackers. Experts also predicted that ransomware will increasingly target internet connected products (IoT) and mobile devices.

German draft implementing law for GDPR revealed

A first draft for a German law adapting German data protection law to the GDPR (‘DSAnpUG-EU’) has been revealed at the beginning of September. Although the draft is still subject to discussions and will therefore probably undergo changes, it gives a first impression on how and to which extent Germany intends to make use of its rights to deviate from the GDPR.

The draft bill shows that the German Federal Ministry of the Interior (‘BMI’) intends to make broad use of the national law leeway foreseen under the GDPR. In line with previous announcements, it seems to be the intention to maintain the current German Data Protection Act (‘BDSG’) to the furthest extent possible, which means that also a vast amount of existing German case-law will continue to apply.

In particular, the draft suggests that specific rules for the processing of employment-related data (in line with current Section 32 BDSG) will be maintained. In addition, the appointment of a Data Protection Officer (DPO) will be mandatory in Germany for companies that have 10 or more employees who are “continuously involved in processing of personal data”. Apart from that, the draft envisages limiting the rights of data subjects (Articles 12-22 GDPR) to what is ‘reasonable’. Fines for infringements conducted by natural persons (i.a. CEO, managers, and employees) will be cut to a maximum of up to € 300,000.

It is not unlikely that other EU Member States will also make use of the right under the GDPR to set forth national specifics. In light thereof, companies should monitor developments in the EU Member States where they are active in order to be able to take into account specific national rules, even and in particular once the GDPR has entered into force.