
Trust the Leaders, a publication of Smith, Gambrell & Russell, LLP

Winter 2019

SGRLAW.com

Cybersecurity and Data Privacy

Keeping up with the challenges of compliance


Trust the Leaders, Winter 2019
Smith, Gambrell & Russell, LLP, Attorneys at Law

Contents

3  Editor’s Letter

4  Legal Briefs. News and views from the offices of Smith, Gambrell & Russell.

10  California’s Consumer Privacy Act. How the new legislation impacts companies both inside and outside the state.

16  Pending European ePrivacy Regulation. What the new law means for U.S. companies.

18  FTC Enforcement Actions on Privacy Violations. Companies that violate consumers’ privacy rights or mishandle sensitive personal data face severe penalties from the Federal Trade Commission.

22  Data Breaches and HIPAA. The key considerations when storing and managing personal health care information in the digital era.

26  Finish Line. How SGR celebrated its 125th anniversary with a series of volunteer projects within local communities.

1230 Peachtree Street, N.E., Promenade, Suite 3100, Atlanta, GA 30309-3592
editor@sgrlaw.com

Editor-in-Chief: Dana Richens

Editorial Advisory Board: Nicole Haff, Brett Lockwood, Jim Monacell, Jim Porter

SGR Marketing Team: Lee Watts, Kerry Franklin, Jaleesa Smith, Cheryl Walker, Mollie Werner, Sharon Williams

Trust the Leaders is published on behalf of Smith, Gambrell & Russell, LLP by Fourth Element Creative (www.fourthelementcreative.com). The information contained herein has been obtained from sources believed to be reliable. The content and information in this publication do not constitute legal advice, do not in all cases reflect the opinions of SGR or its attorneys and are not in all cases complete or current as of the publication date. This publication is not intended to and does not create an attorney-client relationship or provide legal advice or legal opinion. Legal advice should be obtained from one’s legal counsel. Permission is granted to use and reproduce this publication in whole or in part for internal and personal reference, provided that proper attribution of authorship is given. Except for material in the public domain, this publication may not be further copied, modified, used or distributed, in whole or in part, in any form or by any means without the written permission of Smith, Gambrell & Russell, LLP. All other rights expressly reserved. © 2019 Smith, Gambrell & Russell, LLP.

Leaders used with permission of Leaders Magazine, Inc.


TRUST THE LEADERS | Winter 2019 | SGRLAW.com


Editor’s Letter

Welcome to the Winter 2019 issue of Trust the Leaders, the magazine of Smith, Gambrell & Russell, LLP. This issue focuses on cybersecurity and data privacy. While at first blush these might seem like esoteric topics, they aren’t really, as they touch all of us daily in our professional or personal lives.

If you are a company with customers in California, you may be impacted by California’s new Consumer Privacy Act (p. 10), which bestows upon California consumers a host of rights and controls with respect to personal information collected about them. Similarly, your business may be impacted by the proposed European ePrivacy Regulation (p. 16), which, following on the heels of the European Union’s General Data Protection Regulation that went into effect last year, will apply to all instances in which electronic communications services are provided to and used by end users located within the EU.

As a consumer of retail goods and services, you should be concerned about the security of your personal financial and other data. The Federal Trade Commission is very active in pursuing legal action against businesses that violate consumers’ privacy rights or mishandle sensitive consumer information (p. 18). And as a consumer of health care services, how can you be sure that your most sensitive personal health information, now routinely stored and accessed digitally, is protected from improper disclosure? Providing such protection is one of the goals of HIPAA and related enforcement actions by HHS’s Office of Civil Rights (p. 22).

Hope you enjoy the issue!

Dana Richens
Editor-in-Chief
editor@sgrlaw.com

FOLLOW US ONLINE

Our attorney blogs cover the following SGR practices: Appellate, Construction, Co-op Condo, Estate Planning, Franchise, Health Care, Insurance, Intellectual Property, Israeli, Litigation, Sustainability, Technology.

Blogs: sgrlaw.com/blog
Twitter: twitter.com/sgrlaw
LinkedIn: linkedin.com/companies/27889



LEGAL BRIEFS THE LATEST NEWS AND UPDATES FROM THE SGR OFFICES

ATTORNEYS IN THE NEWS

Elite group of global transport attorneys head new SGR office in Miami

Smith, Gambrell & Russell has opened its 10th office, located in Miami. The office will be led by well-known global transport attorney Jeff Tenen, partner. Israel Sanchez, partner, and Ellen Fontanella, counsel, have also joined SGR’s Miami Global Transport Practice. “This elite team of highly regarded lawyers fits perfectly with our global platform in aviation and the broader international transportation sectors,” said Steve Forte, SGR’s chairman and managing partner. “We seek to capitalize on the city’s international accessibility and diverse business climate.”

The new Miami location will focus on global transport services, one of SGR’s largest and longest-standing practices. Since its inception, the Firm’s Global Transport Practice has broadened its representation beyond airlines to include railroads, operating lessors, financiers, aviation equipment owners, managers and investors, aviation joint ventures and joint venture partners, maintenance repair and overhaul facilities, and aircraft teardown/part-out companies. The practice has also recently expanded with the addition of a highly experienced team of aviation lawyers based in two new offices in the United Kingdom, along with additional experienced aviation and transportation attorneys in Chicago, Los Angeles, Atlanta and New York.

SGR’s Global Transport Practice now has approximately 30 attorneys globally.

SGR honored with namesake suite at Emory Law

SGR has been recognized by the Emory University School of Law through the new Smith, Gambrell & Russell, LLP Suite in the Center for Professional Development and Career Strategy. The honor was bestowed upon SGR in recognition of the Firm’s contribution to the university during the law school’s centennial year.

In long-term partnership with Emory Law, SGR supports the university through its contributions in the spirit of name partner E. Smythe Gambrell. Mr. Gambrell served on Emory’s law faculty in the late 1920s and 1930s while also practicing law in Atlanta. In memory of his parents, Mr. Gambrell provided the lead gift for Gambrell Hall, the building that has housed the law school since 1973. Mr. Gambrell was a proponent of pro bono activities and founded the Atlanta Legal Aid Society in 1924, serving as its president for almost two decades.

SGR counts Emory Law among its most important partnerships. Many SGR attorneys are graduates of Emory Law and several of the Firm’s partners also serve as Emory Law adjunct professors.


SGR attorneys and Emory Law alumni Tom Hong, Hon. Leah Ward Sears, John Ethridge, Steve Forte and Mark Pottorff celebrate the SGR Suite’s dedication with Jim Hughes, interim dean of Emory Law (fourth from left).


ATTORNEYS IN THE NEWS Greg Smith, counsel in SGR’s Construction Practice in Atlanta and Washington, D.C., was elected to the Board of Directors of the Veteran’s Empowerment Organization (VEO), an Atlanta nonprofit that serves homeless veterans. VEO’s vision is to end veteran homelessness and return the dignity of self-sufficiency to every veteran it assists. A former member of the U.S. Navy, Greg is proud to serve fellow veterans and assist VEO in its mission. Greg will also serve as the regional director of the Southeast Atlantic Region for the Society of Construction Law, North America, which promotes education, study and research, and dissemination in the field of construction law and related subjects in the U.S., Canada, South America and overseas.

Marcie Ernst, a partner in SGR’s Litigation Practice, was recently reappointed by the mayor and city council of Sandy Springs, Georgia, to a second four-year term as a judge of the Municipal Court of Sandy Springs. Judge Ernst hears traffic offenses (including DUI charges), local ordinance violations and certain other misdemeanor cases, and conducts preliminary hearings and issues warrants. She strives to ensure that the city’s court system provides justice, upholds citizens’ rights and preserves public safety for the community.

David Burge, a partner in SGR’s Real Estate Practice, has been appointed to the Board of Visitors of Emory University. The Board of Visitors is an advisory board of business and civic leaders who assist the university in integrating its intellectual assets with the Atlanta community, increasing the awareness of Emory in the Atlanta area and improving Emory’s level of service to society. Traditionally, members of the Board represent the top levels of the business, professional and volunteer communities.



LEGAL BRIEFS THE LATEST NEWS FROM THE SGR OFFICES

ATTORNEYS IN THE NEWS

Kathy Zickert, head of SGR’s Zoning, Planning and Land Use Practice, has been appointed to the Board of Directors of the Georgia Regional Transportation Authority (GRTA) by Governor Nathan Deal. GRTA addresses mobility and air quality in metro Atlanta. Its 15-member board is comprised of private- and public-sector leaders throughout metro Atlanta.

Ed Wasmuth, a partner in SGR’s Atlanta Litigation Practice, and Kathy Zickert (far left) represented real estate developer The Quarters, LLC in the Georgia Court of Appeals. The successful outcome requires the City of Decatur, by mandamus, to make a decision on a subdivision plan for a new townhouse development.

IN BRIEF... Ben Graham-Evans, a partner in SGR’s U.K. offices, has been appointed co-chair of the Aviation Industry Sector Team for the global law firm network TerraLex. He also recently contributed an article to the TerraLex newsletter, Connections, on trading aircraft subject to existing leases. Ben has been elected to serve on the International Bar Association’s Aviation Law Committee. Parker Sanders, a partner in SGR’s Litigation Practice, has become secretary of the Antitrust Section of the State Bar of Georgia. The section promotes antitrust law, sponsors antitrust continuing legal education programs, and studies, reviews and initiates proposed legislation or administrative policy for the improvement of antitrust law to recommend to the State Bar of Georgia.

Rodgers Lunsford, a partner in SGR’s Intellectual Property Practice, has been elected to the Board of Directors of the Kiwanis Club of Atlanta – Georgia’s oldest Kiwanis Club – for a two-year term. Members of the Kiwanis Club serve the community through volunteer support of charitable organizations, especially those focused on the betterment of youth. Rodgers previously served as parliamentarian to the Club for four years.

Laura Andrew has been appointed to the Community Investment Council for the United Way of Northeast Florida (UWNEFL). The Council focuses on strategic direction, leadership and accountability for UWNEFL. Laura is a partner in SGR’s Executive Compensation, Employee Benefits and Health Care practices. She is also a member of the UWNEFL Tocqueville Society, which recognizes local philanthropic leaders and volunteers.


Kristen Lewis has joined the Board of Wesley Woods Senior Living, a nonprofit supporting independent housing initiatives for elders of modest means. Kristen, counsel in SGR’s Atlanta Tax Practice, is a frequent lecturer on combatting elder financial abuse.


RECENT REPRESENTATIONS Medical school mixed-use project SGR served as legal counsel to Morehouse School of Medicine (MSM) in its $52 million mixed-use development project in Atlanta’s historic West End. Scheduled for completion in time for the 2020 school year, the new 7.2-acre development will support the institution’s strategic growth, specifically the demand for quality apartments. Aasia Mustakeem, a partner in the Firm’s Atlanta Real Estate Practice, served as outside counsel to MSM.

A trio of timberland transactions

In July 2018, SGR client CatchMark Timber Trust, Inc. purchased 1.1 million acres of East Texas timberlands for $1.39 billion, one of the largest U.S. timberland transactions in more than a decade. CatchMark also purchased 18,063 acres of Oregon timberlands, known as the Brandon Property, in October 2018 from Forest Investment Associates (FIA) for $88.8 million, and sold 56,000 acres of timberlands in East Texas and western Louisiana to FIA for $78.5 million in November 2018. A legal team from SGR’s Atlanta Real Estate Practice, including partners Mark Pottorff and Sharon Duvall, and associate Matt Moore, advised CatchMark on the transactions.

National Grange victorious in the Eastern District of California

SGR client The National Grange of the Order of Patrons of Husbandry (“the Grange”) is the nation’s oldest agricultural fraternal organization, promoting the interests of farmers and farming in the U.S. SGR has provided trademark enforcement and litigation services to the Grange for several years.

In August, the Grange, represented by SGR’s Jim Bikoff, Bruce McDonald, Holly Lance and Darlene Tzou, was awarded sweeping relief in federal court in California. The National Grange of the Order of Patrons of Husbandry v. California Guild (No. 2:16-cv-00201-WBS-DB (E.D. Cal.)), is one of a series of lawsuits arising from the revocation of the charter of the California State Grange in 2013 based on the organization’s failure to abide by the Grange’s bylaws. The state organization and its leader Robert McFarland continued to function as a breakaway chapter of the Grange, first under the name “California State Grange” and later the “California Guild.” The defendants’ actions resulted in widespread confusion among the Grange members about who was the “real” California State Grange, and which organization had the right to claim the history and goodwill accrued by the more-than-century-old organization. The court granted summary judgment to the Grange on its claims for false designation of origin, federal false advertising, false advertising under California law, trademark infringement, copyright infringement and trade libel. The court’s award of summary judgment, the latest in a string of victories in favor of the Grange, confirms that the history and goodwill of the true California State Grange, as well as copyrighted content produced by the organization, are the intellectual property of the Grange.

In addition to issuing a judgment in the Grange’s favor on its intellectual property claims, the court awarded actual damages in the form of the defendants’ total gross revenues from dues and loan payments. The court also held that the case “can certainly be considered ‘exceptional’ [pursuant to applicable statutes] given the intentional nature of Defendants’ use of California State Grange property,” and awarded additional relief in the form of attorneys’ fees, costs, and treble and punitive damages.



LEGAL BRIEFS THE LATEST NEWS FROM THE SGR OFFICES

RECENT REPRESENTATIONS

SGR advises in multistate medical office building portfolio sale

SGR recently served as legal counsel to Montecito Medical Real Estate, a privately owned Nashville, Tennessee-based firm that specializes in the acquisition and development of medical office buildings, in the recent sale of a $352 million medical office building portfolio. The portfolio was comprised of 19 different assets located across 10 different states. The SGR legal team included Bill Rogers, Jim Porter, Brandon Dodd and Vincent Pulignano, along with paralegals Jan Long, Kelly Kics and Cheree Williams, all based in Jacksonville. Alex Clay and Matt Moore of SGR’s Atlanta office also assisted.

Big Apple residential and retail real estate

SGR is representing Adam America Real Estate in its development of more than 2 million square feet of high-end residential and retail real estate in prime New York City locations in Manhattan, Downtown Brooklyn, Williamsburg Brooklyn and Long Island City. The SGR New York construction team of Russell Wolfson, Michael Glanzman and Daniel Horner is handling the representation.

Brooklyn construction financing

SGR served as legal counsel to Second Development Services, Inc. in its $53.25 million construction financing transaction with G4 Capital and $23.3 million mezzanine loan from Ares Capital for 285 Schermerhorn Street, which has been the Brooklyn Community Service’s headquarters, in Downtown Brooklyn. The SGR legal team was led by New York Real Estate Practice head and partner Sean Altschul, with assistance from partners Anne Pitter and Eliot Zuckerman, and associate Jon Linder, all also from the New York Real Estate Practice.

Broadband merger

SGR served as legal counsel to Gigamonster, LLC, one of the nation’s leading fiber-based broadband companies, in its merger with Fibersphere Communications, and a $45 million capital investment with Post Road Group. The SGR Atlanta legal team included partners Jay Schwartz and Julie Sebastian, and associates Nick Flint and Heiko Gruenwald, all from SGR’s Corporate Practice. Ron Barab, a partner in the Firm’s Commercial and Bankruptcy Law Practice, also assisted with finance matters on the transactions.


IN PRINT... Atlanta corporate partner Perry McGuire released his book, Nice, But Not Naïve And Other Lessons I Learned From Chick-fil-A® Founder Truett Cathy. Perry served as an attorney for Mr. Cathy and Chick-fil-A for more than 11 years, which gave him the opportunity to work closely with the founder on his business, personal and charitable endeavors. The book is a tribute to the impact Mr. Cathy had on Perry and the business and life lessons Perry learned from their relationship. Net proceeds from the sale of the book are being given to the Chick-fil-A Foundation and the WinShape Foundation. Bruce McDonald was engaged by the Pharmaceutical Research and Manufacturers of America to lead author two articles that appear in two peer-reviewed journals, the Quarterly Journal of the American Intellectual Property Law Association (Vol. 46) and The International Lawyer (Vol. 51). The articles discuss intellectual property and legislative initiatives in the Russian Federation to restrict the scope of patent and data protection in the pharmaceutical sector. Bruce is a partner in SGR’s Intellectual Property Practice in Washington, D.C.


ATTORNEY INTERVIEW

10 minutes with… Patrick Cain

The employment law attorney on writing, guitar playing, risk-taking and beer brewing.

A native of San Fernando, California, Pat Cain is a partner in SGR’s Los Angeles office. His practice focuses on representing and counseling employers in all aspects of the employment relationship, with particular emphasis on employment litigation. Pat also offers experience in a wide range of trusts and estates litigation matters.

Q: Where did you receive your undergraduate degree? What did you major in, and why?

A: I graduated from Loyola Marymount University with a degree in history. I had this vague notion that I would attend law school, so I thought the reading and writing required of history majors would be good training. Besides, I enjoyed high school history classes. Most important, I met my wife at LMU!

Q: Why did you decide to go to law school?

A: I cannot recall an “Aha!” moment – it was more of a progression based on my notion that lawyering involved a great deal of reading and writing, both of which I enjoyed.

Q: How do you describe your legal practice?

A: As a management-side employment lawyer, I help clients avoid problems and minimize and manage the impact of those that cannot be avoided. Despite the popular conception of the heartless employer, managers are just as human as those whom they manage. My clients want to do things properly, and care about their employees.

Q: SGR’s L.A. office was formed through a combination with the California business law firm Rodi Pollock Pettker Christian & Pramov in 2018. What has been the biggest resulting change to your practice?

A: The biggest change for me is the need to interact daily with a much larger organization. While that sometimes can feel like drinking from a fire hose, it also is one of the great advantages of the combination. All of the SGR lawyers with whom I’ve dealt are talented and enthusiastic, which makes all the difference. I’ve also found that SGR has a very talented group of people working on the administrative side, who take seriously the goal of advancing the Firm. This enables us to serve a much larger client base, and to do so from a position of greater strength.

Q: What has been the best career advice you have ever received?

A: Actually, it was advice that I gave to myself, in the sense that I ignored someone else’s advice. When you know in your heart the right thing to do, you need to do that, regardless of the possible risk to yourself. Otherwise, that self becomes a little diminished, even if what you did was the “safe” thing to do.

Q: What career advice would you give to a young attorney?

A: Be adventurous. Take considered risks and expand your horizons. Form and nurture friendships as early as you can, not with regard to potential business opportunity but because your life will be richer. Life is better with balance.

Q: If you were not an attorney or couldn’t practice law, what would you want to do?

A: I would like to be a college professor who is also a moderately successful author.

Q: What do you do in your spare time?

A: I play guitar (poorly, and not often enough) and banjo (even worse and even less often). I’ve recently taken to brewing beer, with only one real failure so far. I also enjoy reading, although you could charitably describe my tastes as eclectic.

Q: Are there any special causes or organizations that are important to you?

A: I have been involved with my alma mater, Loyola Marymount University, for several years, and currently serve on its Board of Regents. I have also started doing pro bono legal work for Homeboy Industries, an organization providing assistance to at-risk youth and former gang members.

Q: What is the last book you read?

A: The last book I finished that I really enjoyed was A Gentleman in Moscow. I also recently read The Brothers Karamazov.



California’s Consumer Privacy Act



CALIFORNIA’S CONSUMER PRIVACY ACT AND THE FUTURE OF PRIVACY IN THE U.S.

BY BRETT LOCKWOOD

How California continues to lead the way in privacy protection

CALIFORNIA led the way over 15 years ago when, in 2003, it implemented the first state data breach notification law in the United States. Since that time, concerns about data privacy and cybersecurity have increased so notably among consumers and businesses that now all 50 states have some form of data breach law. These laws are in addition to numerous other state and federal regulations concerning the secure handling of personal data, as well as the far-reaching and recently effective European General Data Protection Regulation (GDPR). Against this backdrop, California continued its trailblazing approach in this sensitive area of the law by enacting its Consumer Privacy Act (CCPA, or the “Act”) this past June. The CCPA’s extensive requirements will impose significant new data privacy requirements on covered businesses – including many businesses located outside of California – and likely portends similar legislation in other states as well as at the federal level.

Amendment Process and Effective Date

The CCPA was enacted by the California legislature at the beginning of the summer of 2018 with breakneck speed to forestall a ballot initiative that was then planned for the fall. Given its hasty passage and the complexity of its provisions, the final bill contained numerous provisions that were ambiguous and in need of further clarification. To address some of these concerns, the legislature enacted a handful of clarifying amendments in August. However, these amendments still left many aspects of the Act unclear. Before the January 1, 2020 effective date for the Act, the state legislature may enact further amendments, and the state attorney general is also expected to issue related clarifying regulations. Because of the recognized need for additional guidance for businesses and consumers affected by the Act, there is a grace period on enforcement actions, which runs from the earlier of (i) six months from the issuance of required regulations by the attorney general or (ii) July 1, 2020.

The CCPA’s Requirements

Fundamentally, the CCPA is intended to further the personal right to privacy under the California Constitution. To accomplish this, the CCPA provides several practical means for California residents to assert greater control over personal information collected about them. Thus, under the law, California consumers have the following additional rights:

• The right to know what personal information is being collected about them by covered businesses
• The right to know whether their personal information is sold or disclosed and to whom
• The right to stop the sale of personal information
• The right to have collected personal information deleted
• The right not to be discriminated against for exercising these new rights.

For each of these rights, the Act requires covered businesses to provide specified notices to consumers about these rights and to do so in a prescribed manner in the company’s privacy policy and elsewhere on its website. Consumers must be provided at least two means of making requests to exercise their rights under the Act, including at a minimum a toll-free phone number and a website address for such requests. If a consumer makes a valid request under the CCPA, the company must, without charge, promptly comply within 45 days of the request (which period may be extended for up to 90 days due to the complexity or nature of the request). When a request is fulfilled it must be done by including specific information or categories of information as detailed in the Act.

Special opt-in requirements are imposed for the sale of information for children. A business wanting to collect and sell information about a child between the ages of 13 and 16 must first obtain the child’s consent. Parental or guardian consent is required for children younger than 13.

Absent the applicability of some limited exceptions, the failure to comply with the Act’s requirements exposes the business to civil penalties. Penalty amounts are up to $2,500 for unintentional violations and up to $7,500 per intentional violation for actions brought by the California attorney general. Private rights of action, which can be asserted on a class basis, are also allowed for violations of the data breach portions of the Act. A business that experiences an incident of unauthorized access or disclosure of unencrypted or unredacted personal information as a result of that business’s negligence risks statutory fines of between $100 to $750 per violation or actual damages incurred, if higher. If a business cures the violation within 30 days of a specified written notice, however, any related private right of action is preempted.

Covered Businesses and Exceptions

A covered business under the Act is a for-profit entity that does business in California and collects personal information of California consumers and that meets at least one of the following thresholds: (i) it has at least $25 million in annual revenue, (ii) it handles personal information of at least 50,000 consumers, or (iii) at least 50 percent of its annual revenue is derived from selling consumers’ personal information. The purpose of these three thresholds is to minimize the compliance burden on smaller companies unless they are engaged in the data brokerage business. While the Act does not define what is meant by “doing business in California,” that clause, and, therefore, the Act as a whole, potentially implicate many businesses throughout the U.S., given California’s large population and the extensive sales made to California consumers by many businesses located elsewhere.

The Act exempts from its coverage the handling of personal information by a small number of regulated businesses if the uses of such information are within the scope of the applicable regulatory scheme. This includes health care covered entities under HIPAA, consumer credit reporting agencies under the federal Fair Credit Reporting Act, and banks and financial services companies under the Gramm-Leach-Bliley Act. However, if any of these regulated businesses use the personal information outside the scope of the regulated purposes, then such businesses and those nonexempt uses are subject to compliance with the requirements of the Act.


Relationship to Other Laws

Some have referred to CCPA as “GDPR Lite” because of the extensive rights it gives California consumers to control the handling of their personal information. While some comparisons to the GDPR are apt, such as the reliance that both laws place on disclosure of certain practices to affected individuals, there are also notable differences between the two laws. In some respects, the CCPA goes further than the GDPR, such as with the CCPA’s much broader definition of “personal information.” While the GDPR indirectly addresses data privacy, that law is more a comprehensive framework concerning data security, whereas the underlying theme of the CCPA is personal data privacy.

Other California laws already address different aspects of data privacy and cybersecurity. For instance, website operators and other businesses already are required to notify California consumers of their right to be informed about business-related disclosures of information concerning those consumers. California also has had in place a limited personal data erasure law applicable to minors that is akin to the so-called “right to be forgotten” that has taken root in Europe. Also, as already mentioned, California has long had a robust data breach notification law. The Act adds an additional layer of restrictions and compliance alongside these existing laws. All of these laws together with the GDPR and the CCPA reflect a trend toward greater accountability for businesses for the manner in which they handle and use consumer data.

Brett Lockwood is a partner in SGR’s Corporate Practice and heads the Cybersecurity Practice. blockwood@sgrlaw.com.

SO, WHAT TO DO NOW?

Although the effective date of the Act is January 1, 2020, and enforcement may be delayed slightly depending on subsequent regulations issued by the California attorney general, businesses should prepare for the CCPA’s requirements. Among the key steps a business should undertake now are:

• Assess what data is collected and sold concerning California consumers
• Implement processes to respond timely to consumer requests and to verify the identity of requesting persons
• Educate staff on the handling requirements under the Act and the need to be responsive to consumer requests
• Update its privacy policy
• Add appropriate links and notices on both the company’s website homepage and elsewhere on its website
• Implement a toll-free number and other means for consumers to make requests under the Act

14

TRUST THE LEADERS | Winter 2019 | SGRLAW.com


CYBERSECURITY COST & RISK HIGHLIGHTS

Average Data Breach Costs
Globally: $3.86M
United States: $7.91M
Canada: $4.74M
$148 Per Lost Record

Rank of Industries as Breach Victims (By Reported Breaches)
1. Health Care
2. Hospitality
3. Public Sector
4. Retail
5. Financial Services

Email Can Be Dangerous!

Email is the #1 source of viruses and malware. More than 49% of malware is installed from emails. Email content is 55% spam. A typical user receives 16 malicious emails each month. In the last year, 76% of businesses reported an increase in phishing scams. The most common email “disguises” are:

● Bills/invoices
● Email delivery failure
● Law enforcement
● PDF attachment
● Package delivery notice
● Electronic signature notice

Major Risk Minimizers
● Incident Response Team
● Employee Training
● Use of Encryption

Major Risk Multipliers
● Number of Records Breached
● Breach Caused by Third Party
● Time to Detect Breach*

*68% took a month or more to discover

Percentage of Breaches Involving Employees: 28%
Percentage of Above Due to Employee Error: 17%
(Most incidents involve misdelivery of data or lost/stolen devices)

Sources: Ponemon 2018 Cost of Data Breach Study; Symantec 2018 Internet Security Threat Report; Verizon 2018 Data Breach Investigations Report.


BY EMILY McCONNELL

THE PENDING EUROPEAN ePRIVACY REGULATION

What the new legislation means for U.S. companies

THE PHRASE “it’s a marathon, not a sprint” is applicable to the world of data privacy regulatory compliance these days. Last year, companies located inside and outside the European Union scrambled to comply with the European Union’s far-reaching General Data Protection Regulation (GDPR) – which governs the processing of personal data – before the law became effective on May 25, 2018. The compliance effort is far from over, however. Companies must now devote resources to monitor the development of a new privacy law pending in the European Union: the ePrivacy Regulation (the “ePR”). Many U.S. companies impacted by the extensive compliance requirements under GDPR will be similarly impacted by the equally broad mandates of the proposed ePR.

The purpose of the ePR

When it is finalized, the ePR is expected to replace the current ePrivacy Directive (the “Directive”), which was adopted in 2002 to address the management of subscriber data by telecommunications service providers. In light of the significant evolution in electronic communications over the last 16 years, the Directive is now largely considered obsolete. Accordingly, the ePR aims to modernize current legal rules concerning the privacy and confidentiality of electronic communications. In this regard, the ePR forms part of a comprehensive, ongoing effort by the European Union to reform data protection and privacy laws in the digital age. As such, the ePR is intended to complement and particularize GDPR with respect to any electronic communications data that qualifies as personal data.

The scope of the ePR

Like GDPR, the proposed ePR is very broad in scope. This new regulation would apply not only to traditional telecommunications service providers, but to over-the-top communications services, including instant messaging applications, webmail, personal messaging via social media platforms, voice- and video-calling services, and machine-to-machine, or “M2M,” communication services.

The proposed ePR would also protect both the content of electronic communications and the metadata associated with such communications. For example, the timing of an electronic communication, address information of the parties involved in an electronic communication, and geographic location of the terminal equipment of a party involved in an electronic communication would be protected under the current proposal, as well as the actual content contained in the electronic communication. Moreover, the proposed ePR is not limited to the protection of personal data. It is more broadly concerned with the protection of any and all electronic communications data and metadata – including business data – regardless of whether such information qualifies as personal data. Finally, the proposed ePR would apply to all instances in which electronic communications services are provided to and used by end users located within the European Union. A company’s physical presence within the European Union is irrelevant in determining whether the company is subject to the requirements of the ePR. This effectively translates into worldwide territorial applicability.

The key requirements

The proposed ePR principally addresses the privacy and confidentiality of electronic communications, online tracking and device tracking, and unsolicited electronic marketing communications. Under the proposed ePR, companies would generally be required to collect users’ consent to process either the content of, or the metadata associated with, an electronic communication. Such consent would need to adhere to the same consent standard provided in GDPR, which is that it must be:

• Informed and unambiguous,
• Demonstrated by clear, affirmative action,
• Freely given for a specific, agreed-upon purpose, and
• Capable of withdrawal.

In addition, companies would be required to offer users the same electronic communications services regardless of whether such users have provided consent to the processing of their electronic communications data. Online tracking and device tracking would be significantly curtailed under the proposed ePR as well. Operating systems, browsers and other applications would be obligated to require users, upon installation, to choose whether they want to prevent third parties from storing information on their devices or processing information stored on their devices. This centralization of consent in software settings is intended to eliminate cookie banners and notices on individual websites, which are viewed as ineffective and inefficient. Tracking users through the collection of signals emitted by their devices would be permitted provided that a clear and prominent notice is displayed to the public in the area where such tracking occurs.

Finally, the ePR would require marketers to obtain users’ consent prior to sending unsolicited electronic marketing communications, inform users of the marketing nature of the communication and the identity of the marketer, and provide information about how users may withdraw their consent. Direct marketing callers would be required to disclose a contact number or present a specific code or prefix that indicates that the call is a marketing call.

The penalties for noncompliance

The proposed ePR sets forth substantial penalties for noncompliance, which are identical to those set forth in GDPR. Specifically, the proposed ePR provides that violations will be subject to administrative fines of up to 20 million euros or four percent of the violator’s total worldwide annual revenue, whichever is greater.

The timeline

The proposed ePR was approved by the European Parliament in the fall of 2017 and was originally intended to come into force on the same day as the GDPR, a date which has now passed. The ePR is currently under review by the Council of the European Union. Before the ePR can be enacted, the Council of the European Union must come to its own consensus on the proposal and then the European Parliament, the Council of the European Union and the European Commission must negotiate the final language in a three-way discussion. Notably, a spokesman for the then Austrian presidency of the Council of the European Union stated, shortly before the presidency of the Council was turned over to Romania for 2019, “[W]e are not sure if a common position in this topic is reachable. We hope to be able to produce a status report about ePrivacy Regulation.” Thus, it appears highly unlikely that the ePR will come into effect before 2020.

Conclusion

Although the timeline for the enactment of the ePR has decelerated, in light of the proposed breadth of the ePR and the significance of the proposed penalties for noncompliance, companies should take advantage of this extended time frame by dedicating resources to understand what will be expected once the ePR comes into effect and to ensure compliance capability at that time.

Emily McConnell is Corporate Counsel with Equifax and was formerly an attorney in SGR’s Corporate Practice in Atlanta.


BY MARCIE ERNST

4 QUESTIONS YOU NEED TO ASK ABOUT FTC ENFORCEMENT ACTIONS ON DATA PRIVACY VIOLATIONS

IN THE UNITED STATES, the Federal Trade Commission (FTC) serves as the primary federal enforcer of consumer data privacy and security laws for most businesses. Companies that violate privacy rights of consumers or mishandle sensitive consumer information may face legal enforcement actions brought by the FTC and state-level authorities. The FTC began to bring these actions in the late 1990s and has since established a wealth of its own privacy jurisprudence in the absence of many judicial decisions relating to FTC enforcement. Together with various state-level agencies, the FTC has successfully investigated and taken legal action against many companies that have been alleged to have mishandled personal consumer information. Here are four key considerations you need to be aware of in ensuring compliance.

1. What is the scope of FTC authority to enforce consumer privacy and security?

Within the FTC’s Bureau of Consumer Protection, the Division of Privacy and Identity Protection is responsible for consumer privacy enforcement. In the early stages of its involvement in data privacy enforcement, the FTC simply enforced regulations created by companies for themselves, pursuant to its authority under Section 5 of the Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.”1 The FTC’s authority has expanded over the years to include enforcement of key portions of the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the EU-U.S. Privacy Shield Framework, the Swiss-U.S. Privacy Shield Framework, and the Children’s Online Privacy Protection Act of 1998 (COPPA).

2. How does the FTC’s self-regulatory regime work?

Under the FTC’s self-regulatory regime, companies are required to disclose their privacy policies to consumers and abide by their stated policies. Two pillars of the self-regulatory system emerged from the Fair Information Practice Principles issued in the 1970s by the U.S. Department of Health, Education, and Welfare: notice and choice.

Companies generally provide notice to their consumers of how their information is collected, stored and transferred through a privacy policy. A consumer must then consent to those terms. This is often accomplished through a right to opt out, but is more strongly supported by an affirmative opt-in by the consumer.

3. Are FTC enforcement actions effective?

As a consumer data protection authority, the FTC has been criticized as being weak and lacking teeth, particularly compared to data protection authorities in other countries. Many other nations have established government agencies with designated authority to enforce data privacy laws, whereas the development of the FTC into a data protection authority was much less deliberate. Undoubtedly, data privacy and security laws in the European Union are stronger and more developed than the body of applicable law in the United States.

In fact, disapproval by EU leaders of the inadequacy of data privacy laws and enforcement in the United States was the impetus of the U.S.-EU Safe Harbor Framework, implemented in 2000. The Safe Harbor Framework provided a legal mechanism for companies to transfer consumer data between the EU and U.S., after EU leaders passed legislation prohibiting member nations from transferring data to countries with inadequate privacy protection. Following a finding by the European Court of Justice in 2015 that the Safe Harbor Framework did not provide an adequate level of privacy protections, the U.S. and EU renegotiated and improved upon the Framework, replacing it with the EU-U.S. Privacy Shield Framework in 2016.

Despite criticism of its regulatory inadequacy, the FTC has successfully brought legal actions against many businesses addressing a wide range of data privacy issues including peer-to-peer file sharing, social media networking, spam, spyware, behavioral advertising and failure to adhere to privacy commitments.

4. What is the future of FTC enforcement actions?

The FTC’s approach to enforcement actions against companies that fail to properly handle consumer data will likely shift to imposing more customized conditions. Under the Eleventh Circuit’s decision in LabMD, specific benchmarks for data security, rather than vague standards of “reasonableness,” will be required for companies accused of failing to safeguard data. Given the speed of innovation, defining “reasonableness” for each individual company may prove challenging for the FTC. As the U.S. looks forward in its approach to consumer data privacy protection, there may be a trend toward aligning U.S. data privacy laws and enforcement measures with the robust body of law in this area in the EU. If that trend develops, it is likely that the FTC will need to be empowered with even more regulatory powers with a clearer congressional mandate.

CASE STUDIES

RECENT FTC ENFORCEMENT ACTIONS: HIGH-PROFILE CASES OF PRIVACY VIOLATION

● Uber Technologies

The scenario: In August 2018, the FTC announced an expanded settlement with Uber Technologies for its alleged failure to reasonably secure sensitive data in the cloud, resulting in a data breach of 600,000 names and driver’s license numbers, 22 million names and phone numbers, and more than 25 million names and email addresses.

The settlement: The expanded settlement is a result of Uber’s failure to disclose a significant data breach that occurred in 2016 while the FTC was conducting its investigation that led to the original settlement. The revised proposed order includes provisions requiring Uber to disclose any future consumer data breaches, submit all reports for third-party audits of Uber’s privacy policy and retain reports on unauthorized access to consumer data.2

● Emp Media Inc. (Myex.com)

The scenario: The FTC joined forces with the State of Nevada to address privacy issues arising from the “revenge” pornography website, Myex.com, run by Emp Media Inc. The website allowed individuals to submit intimate photos of the victims, including personal information such as name, address, phone number and social media accounts. If a victim wanted their photos and information removed from the website, the defendants reportedly charged fees of $499 to $2,800 to do so.

The settlement: On June 15, 2018, the enforcement action brought by the FTC led to a shutdown of the website and permanently prohibited the defendants from posting intimate photos and personal information of other individuals without their consent. The defendants were also ordered to pay more than $2 million.3

● Lenovo and Vizio

The scenario: In 2018, FTC enforcement actions led to large settlements with technology manufacturers Lenovo and Vizio. The Lenovo settlement related to allegations the company sold computers in the U.S. with pre-installed software that sent consumer information to third parties without the knowledge of the users. With the New Jersey Office of Attorney General, the FTC also brought an enforcement action against Vizio, a manufacturer of “smart” televisions. Vizio entered into a settlement to resolve allegations it installed software on its televisions to collect consumer data without the knowledge or consent of consumers and sold the data to third parties.

The settlement: Lenovo entered into a consent agreement to resolve the allegations through a decision and order issued by the FTC. The company was ordered to obtain affirmative consent from consumers before running the software on their computers and implement a software security program on preloaded software for the next 20 years.4 Vizio agreed to pay $2.2 million, delete the collected data, disclose all data collection and sharing practices, obtain express consent from consumers to collect or share their data, and implement a data security program.5

● VTech

The scenario: The FTC’s action against toy manufacturer VTech was the first time the FTC became involved in a children’s privacy and security matter.

The settlement: In January 2018, the company entered into a settlement to pay $650,000 to resolve allegations it collected personal information from children without obtaining parental consent, in violation of COPPA. VTech was also required to implement a data security program that is subject to audits for the next 20 years.6

● LabMD

The scenario: LabMD, a cancer-screening company, was accused by the FTC of failing to reasonably protect consumers’ medical information and other personal data. Identity thieves allegedly obtained sensitive data on LabMD consumers due to the company’s failure to properly safeguard it. The billing information of 9,000 consumers was also compromised.

The settlement: After years of litigation, the case was heard before the U.S. Court of Appeals for the Eleventh Circuit. LabMD argued, in part, that data security falls outside of the FTC’s mandate over unfair practices. The Eleventh Circuit issued a decision in June 2018 that, while not stripping the FTC of authority to police data security, did challenge the remedy imposed by the FTC.7 The court ruled that the cease-and-desist order issued by the FTC against LabMD was unenforceable because the order required the company to implement a data security program that needed to adhere to a standard of “reasonableness” that was too vague.8 The ruling points to the need for the FTC to provide greater specificity in its cease-and-desist orders about what is required by companies that allegedly fail to safeguard consumer data.

Marcie Ernst is a partner in SGR’s Litigation Practice. She has extensive experience in commercial litigation at trial and appellate court levels. Her practice also includes cybersecurity, data privacy and technology matters. mernst@sgrlaw.com.

Endnotes

1. 15 U.S.C. § 45(a)(1).
2. www.ftc.gov/news-events/press-releases/2018/04/uber-agrees-expanded-settlement-ftc-related-privacy-security.
3. www.ftc.gov/system/files/documents/cases/emp_order_granting_default_judgment_6-22-18.pdf.
4. www.ftc.gov/news-events/press-releases/2018/01/ftc-gives-final-approval-lenovo-settlement.
5. www.ftc.gov/news-events/press-releases/2017/02/vizio-pay-22-million-ftc-state-new-jersey-settle-charges-it.
6. www.ftc.gov/news-events/press-releases/2018/01/electronic-toy-maker-vtech-settles-ftc-allegations-it-violated.
7. The United States Court of Appeals for the Third Circuit has rejected this argument. See FTC v. Wyndham Worldwide Corp., 799 F.3d 236, 247-49 (2015).
8. www.media.ca11.uscourts.gov/opinions/pub/files/201616270.pdf.


DATA BREACHES AND HIPAA
Keeping personal health care information safe in the digital age

BY LAURA ANDREW

IF YOU HAVE ever lost your laptop, you have something in common with one of the most frequent violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

HIPAA, among other provisions, protects the privacy and security of certain individually identifiable health information considered to be “protected health information,” or PHI. Organizations that have access to, create or transport such information are “covered entities.” Covered entities include hospitals, physicians, health insurance companies and employer group health plans. These covered entities are subject to stringent regulations and requirements related to the privacy and security of PHI. They are only allowed to use PHI in specified ways. Companies that provide services to these covered entities, called “business associates,” are also subject to these requirements. The United States Department of Health and Human Services (HHS) Office of Civil Rights (OCR) is charged with overseeing compliance with and enforcing the HIPAA Privacy Rule and Security Rule. OCR has been very active in auditing and assessing penalties and fines to covered entities and business associates that fail to safeguard PHI. It investigates complaints that have been filed with it and conducts compliance audits to determine if covered entities are in compliance with the HIPAA Privacy and Security rules. As noted in its report of July 31, 2018, since HIPAA’s Privacy and Security rules were first effective in April 2003, OCR has received over 186,450 HIPAA complaints and has initiated over 900 compliance reviews. According to OCR, it has resolved almost 96 percent of these cases.1

HIPAA sanctions in 2018

In 2018, OCR imposed two major HIPAA penalties and won a case before an HHS administrative law judge (ALJ). The three outcomes amount to an estimated $7.9 million in fines. In 2017, OCR imposed 10 penalties totaling $19.4 million, and in 2016, the office instituted actions resulting in 13 penalties totaling $23.5 million.2

On February 1, 2018, OCR announced the first HIPAA settlement of the year, with Fresenius Medical Care North America (FMCNA), a nationwide dialysis provider.3 In this settlement, FMCNA agreed to pay $3.5 million and adopt an extensive corrective action plan to settle potential HIPAA violations based on five data breaches that occurred at separate FMCNA-owned entities over a five-month period in 2012.4 These breaches included two desktop computers stolen during a break-in at one company facility, with another three desktops and one laptop stolen from another company location. All of these devices contained PHI not protected by password or encryption. At another FMCNA location, an unencrypted USB drive was stolen from a company employee’s car parked at the company’s work location. A similar theft happened at an employee’s home, where an unencrypted laptop and its computer bag (which contained the employee’s list of passwords) were stolen from the employee’s car. Lastly, a hard drive containing unprotected PHI was reported missing from another office location. These data breaches impacted 521 individuals. “The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity,” said OCR Director Roger Severino. “Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law.” OCR found that FMCNA “failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of” its electronic PHI, or “ePHI.”5 A corrective action plan requires FMCNA to complete a risk analysis and risk management plan, revise policies and procedures, develop an encryption report, and provide employee education on policies and procedure.6

Failing to properly secure and handle PHI was at the root of the second large settlement of 2018. An anonymous tipster alleged that an individual took papers out of an unlocked dumpster outside of a company location and attempted to sell the paper as recyclable material to a paper shredding office. The only problem was that the company that originally disposed of the papers stored and delivered medical information.

The settlement of $100,000 between OCR and Filefax, Inc. resulted from an OCR audit based on this anonymous tip. The investigation concluded that “Filefax impermissibly disclosed the PHI of 2,150 individuals by leaving the PHI in an unlocked truck in the Filefax parking lot, or by granting permission to an unauthorized person to remove the PHI from Filefax, and leaving the PHI unsecured outside the Filefax facility.”7 Filefax dissolved during the course of the investigation, but the receiver appointed to liquidate the assets of Filefax agreed to pay the $100,000 and properly store and dispose of the remaining medical records in a HIPAA-compliant manner.8 This is a good reminder that HIPAA responsibility does not end when a company goes out of business. The company must still dispose of or protect the PHI in accordance with HIPAA’s requirements.

Lastly, in June of 2018, an HHS ALJ ruled that MD Anderson Cancer Center violated HIPAA and granted summary judgment to OCR on all issues, requiring MD Anderson to pay $4,383,000 in civil money penalties.9 In this case, unencrypted laptops and thumb drives were stolen or lost. While MD Anderson’s HIPAA policy required that devices containing ePHI must be encrypted, it was slow to implement its policy, and did not begin mass encryption until 2012, even though its annual risk analysis identified failure to encrypt as a high risk concern. In April of 2012, a laptop was stolen from the home of an MD Anderson employee who had purchased

the laptop using the organization’s funds. This employee was “teleworking” and the computer was not encrypted or password protected. Three months later, in July of 2012, another MD Anderson employee lost a USB thumb drive while riding in one of the Center’s shuttle buses. Again, as with the other situations cited, the thumb drive was not encrypted and contained ePHI of more than 2,200 individuals. Then, in November of 2013, a visiting researcher lost an unencrypted thumb drive containing ePHI of about 3,600 patients.10 While stating that HIPAA gives flexibility to covered entities in how to protect their ePHI, the judge held that the protection must be effective. It does not matter whether a laptop or thumb drive is lost or stolen; the violation is the failure to protect ePHI from disclosure, including from theft. The ALJ held that the penalties assessed – $1.5 million per year – were modest given the gravity of MD Anderson’s noncompliance. The takeaway from this case is that, once a strategy for protecting PHI and ePHI is determined, it must be implemented with diligence or the organization risks an OCR audit or investigation and possibly substantial penalties.

Conclusion

The examples cited above reinforce the importance of vigilance regarding a company’s HIPAA policies and procedures. Complacency with the handling of PHI and ePHI can lead a company’s employees to compliance failure. Neglecting to implement passwords or encryption on portable devices, then losing such devices, is just one example of the carelessness that can lead to HIPAA breaches. Companies can protect themselves and their PHI and ePHI by instituting self-audits and providing refresher training to employees to reduce the likelihood of such breaches.

Laura Andrew is a partner in SGR’s Executive Compensation and Employee Benefits and Health Care practices in Jacksonville. She concentrates her practice in health care related matters, including compliance with HIPAA and federal and state health care anti-fraud laws. landrew@sgrlaw.com.

Endnotes

1. U.S. Dep’t of Health & Human Servs., Health Information Privacy, Enforcement Highlights as of May 31, 2018 (last updated June 13, 2018), www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html.
2. Id.
3. www.hhs.gov/about/news/2018/02/01/five-breaches-add-millions-settlement-costs-entity-failed-heed-hipaa-s-risk-analysis-and-risk.html.
4. www.hhs.gov/sites/default/files/fresenius-racap.pdf.
5. Id. n.3.
6. Id. n.4.
7. Press Release, U.S. Dep’t of Health & Human Servs., “Consequences for HIPAA violations don’t stop when a business closes” (Feb. 13, 2018), www.hhs.gov/about/news/2018/02/13/consequences-hipaa-violations-dont-stop-when-business-closes.html.
8. www.hhs.gov/sites/default/files/filefax-receiver-racap.pdf.
9. www.hhs.gov/sites/default/files/alj-cr5111.pdf.
10. Id.



Finish Line

SGR’S 125TH ANNIVERSARY OFFICE SERVICE PROJECTS

AS PART OF SGR’S 125th anniversary in 2018, the Firm celebrated with service to its local communities. Each office participated in volunteer projects during the year at various local charities of that office’s selection. The projects ranged from office collections of school supplies and the day’s lunch money to help and feed children, to volunteer time spent sorting collections at food pantries and hospitals, to beach cleanup and serving meals in soup kitchens. Both lawyers and staff found the projects rewarding and a wonderful way to celebrate the Firm’s anniversary and the legacy of the Firm’s name partner, E. Smythe Gambrell, who founded the Atlanta Legal Aid Society in 1924.

LOS ANGELES

SGR volunteers sorted and packed books for Children’s Hospital of Los Angeles, and participated in a beach cleanup for Heal the Bay.

NEW YORK

Attorneys and staff prepared and served food to families at Loaves & Fishes Soup Kitchen, donated money to City Harvest’s Skip Lunch, Fight Hunger and participated in a Play Day with Playworks, which organizes outdoor activities for children in underserved areas.

WASHINGTON, D.C. SGR volunteers served lunch for the homeless at S.O.M.E. (So Others Might Eat).

ATLANTA

Attorneys and staff sorted food at the Atlanta Community Food Bank on multiple occasions.

JACKSONVILLE

The office collected food for Feeding Northeast Florida and school supplies for the Salvation Army’s Back to School Drive.


Trust the Leaders is printed on recycled paper
