Privacy Versus Cyber – What Is The Bigger Risk? – Privacy Protection

“Cybersecurity” has emerged as one of the top risks facing
organizations. Considering the steady stream of massive data
breaches affecting millions (sometimes billions), the debilitating
effects of ransomware on an organization’s information systems,
the intrigue of international threat actors, and the mobilization
and collaboration of national law enforcement to thwart these
attacks, it’s no wonder. Notions of privacy have long
underpinned critical principles and rights in our legal system, yet
actors in the space typically do not have names like LockBit or
Black Basta using applications called Cobalt Strike, and [yawn]
may not trigger concerns as seemingly compelling as cybersecurity.
But that may be changing, at least in the minds of insurance
underwriters and persons focused on compliance.

As a recent DarkReading article points out, there is a
growing sense that the “mishandling [of] protected personally
identifiable information (PII) could rival the cost of ransomware
attacks.” The article discusses several reasons driving this
view, citing among other things, the recent uptick in pixel
litigation. That is, litigation concerning the handling of website
users’ personal information obtained from tracking technologies
on websites without consent.

However, the article also alludes to the vast patchwork of
nuanced privacy laws across numerous jurisdictions as support for
an increasing number of insurance professionals viewing privacy as
the “top insurance concern.” In addition to the onslaught
of litigation over the use of website tracking technologies, the
challenges of navigating the ever-expanding and deepening maze of
privacy law seem to present much greater compliance and litigation
risks for organizations.

An Insurance Journal article, “The Cyber
Risk Pendulum,” echoed these sentiments earlier this month and
observed:

In 2024, there is a greater focus [by carriers] on controls
related to “wrongful collection” coverage – the
collection of data in a manner that could run afoul of privacy
regulations – whether it be on a state or federal level.

This makes sense considering the emergence of state
comprehensive privacy laws, most notably the California Consumer
Privacy Act (CCPA). Consider that the first “Enforcement Advisory” issued
by the California Privacy Protection Agency, the agency charged
with enforcing the CCPA, focuses on “data
minimization” – a requirement that includes
assessing the collection, use, retention, and sharing of personal
information from the perspective of minimizing the personal
information processed for the intended purpose(s).

For many organizations, different privacy laws can apply
depending on a range of factors, including without limitation:
industry, business location, categories of customers, types of
equipment used, specific services provided, methods of marketing
and promotion, the categories of information collected, and
employment practices.

Consider a health care organization:

  • Industry: Of course, most if not all have at
    least heard of the Health Insurance Portability and Accountability
    Act (HIPAA). Covered entities and business associates (defined
    terms under HIPAA generally including healthcare providers and
    service providers to those entities) must comply with a
    comprehensive set of privacy regulations regulating the use and
    disclosure of all protected health information, regardless of
    format.

  • Where it does business: All states have
    long-standing health laws regulating the use and disclosure of
    patient medical information. Indeed, HIPAA provides that covered
    entities and business associates have to comply with more stringent
    state laws that conflict with HIPAA, a particular challenge for
    multi-state organizations. In addition to state health laws
    affecting the use and disclosure of patient information, common law
    privacy rights and obligations also need to be considered.

  • Types of customers: A healthcare provider
    might provide services to or on behalf of government entities, in
    which case it may have to comply with certain contractor mandates.
    Or, it may focus its health services on minors versus adults,
    requiring it to understand, for example, the specific rules around
    consent pertaining to minors’ medical information.
    Mental healthcare providers may have an additional layer of privacy
    obligations concerning their patients.

  • Equipment it uses: Whether dealing with
    medical devices, GPS tracking of vehicles, biometric devices used
    to verify access to certain drugs, or smart cameras for facility
    surveillance, healthcare organizations must consider the privacy
    issues related to the different types of equipment used in the
    delivery of care and operations. The increasing use of biometrics,
    as one example, has become a major risk in and beyond the
    healthcare industry, particularly in Illinois. By some counts, alleged violations of the
    Illinois Biometric Information Privacy Act (BIPA) have led to
    nearly 2,000 putative class action cases. The BIPA, a privacy
    statute, creates a remedy for, among other things, failing to
    obtain a consent or written release in connection with collecting
    a biometric identifier or biometric information.

  • Types of services:

    • University hospitals, for example, also have compliance
      obligations under the Family Educational Rights and Privacy Act
      (FERPA).

    • Providers running certain federally assisted programs involving
      substance use services must comply with the substance abuse
      confidentiality regulations issued by the Substance Abuse and
      Mental Health Services Administration. See 42 USC Part 2 (although recent regulations finalized in February strive to
      align these two privacy frameworks).

    • When treating certain highly contagious diseases, providers
      also must consider laws regulating the use and disclosure of
      information related to those diseases, which often provide stronger
      protections and limitations on disclosure.

    • A healthcare provider that performs genetic testing services
      must consider the applicable genetic information privacy laws,
      which exist in just about all 50 states. One such law is the Illinois Genetic Information Privacy Act
      (GIPA) passed in 1998. This law may become the next significant
      privacy target for the Illinois plaintiffs’ bar. Arguably more
      nuanced than its sister statute, the BIPA, the GIPA has been the
      subject of an increasing number of case filings in the past year.
      Compliance can be challenging. For example, the GIPA incorporates
      some familiar laws – GINA, ADA, Title VII, FMLA, OSHA, and
      others – requiring that certain entities, including
      employers, treat genetic testing and genetic information (including
      certain family medical history information) in a manner consistent
      with such laws. So, it is not just the GIPA that organizations need
      to worry about in order to comply with the GIPA.


  • Marketing its services: In addition to the use
    of tracking technologies referenced above, other means of
    collecting and sharing personal information to promote the
    organization’s business may have significant privacy
    consequences under federal and state consumer protection laws.
    Examples include emailing and texting, use of employee and patient
    images and likeness in advertisements, and sharing personal
    information with third parties in connection with marketing and
    promotion activities.

  • Categories of personal information: Not all
    “personal information” is the same. The
    post at the link just scratches the surface on the various
    definitions of data that may drive different compliance
    obligations, including for healthcare organizations.

  • Employment practices: The processing of
    personal information pertaining to employees, applicants,
    contractors, etc. creates an additional layer of privacy
    obligations that touch on many of the items noted above. Areas of
    particular concern include the increasing use of AI in hiring
    and promotion, workplace surveillance, methods of identity
    verification, managing employee medical information, and
    maintaining employee benefit plans. Each of these areas raises
    particular issues under federal and/or state law, which are
    shaped by the categories of information at issue.

Attempting to track, never mind become compliant with, the
various privacy laws affecting each of these facets of the business
is no easy task. We have not even considered the broader and more
detailed and comprehensive privacy frameworks established
internationally, such as the EU General Data Protection Regulation
(GDPR). And, of course, it is not just healthcare providers that
face these privacy challenges at various levels of their
operations. Keeping information secure from cyberattacks is one
thing and it too is quite challenging, but there are established
frameworks for doing so that share many common threads. In the case
of privacy, there seem to be many more subtle considerations that
are critical for compliance.

For instance, in most cases establishing a password policy under
a cybersecurity law to protect personal information is solving for
one issue – requiring persons to develop a relatively strong
password that will make it difficult for an unauthorized person to
gain access to the protected system. This may be oversimplifying, but
the point is a good password policy might suffice under many
different cybersecurity laws, regardless of state, type of
business, category of data, etc. Complying with a privacy law
regulating the disclosure of health information, on the other hand,
likely will require several factors be considered: the type of
entity, where it does business, the specific type of data, the
individual’s age or medical condition, the reason for the
disclosure, the intended recipient, etc.

Regulatory compliance is not the end of the story for privacy.
For example, organizations can cause self-inflicted wounds when
they make assertions about the handling and safeguarding of the
personal information they collect, and fail to meet those
assertions. A good example is the privacy policy on an
organization’s website. Stating in such a policy that the
organization will “never” disclose the personal
information collected on the site may create a binding obligation
on the organization, even if there is not a law that requires such
a rule concerning disclosure. Check out the Federal Trade
Commission’s enforcement of these kinds of issues in its
recently issued 2023 Privacy and Data Security Update.

Is privacy a bigger risk than cyber? Maybe. Regardless, trying
to keep track of and comply with the wide range of privacy law is
no easy task, particularly considering that so much of the application
of those laws is determined by many factors. For this reason, it
is not hard to see why underwriters may view privacy as their top
concern, and why organizations need trusted and experienced
partners to help navigate the maze.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
