In recently imposing a $350,000 monetary penalty on a business for data security lapses, the New York State Attorney General (AG) underscored the importance of cybersecurity and vigilant vendor relationship management. The implications of the AG’s investigation reverberate across industries, especially for companies handling protected health information. This client alert summarizes the AG’s investigation and its ramifications and outlines best practices for businesses to avoid regulatory penalties.
The AG’s settlement with a New York-based home health care company, Personal Touch Holding Corporation (PTHC), highlighted two data security incidents:
1. A 2021 ransomware attack affecting over 750,000 individuals. An employee opened a malicious Excel file attached to a phishing email, enabling a threat actor to access protected health information and employee information stored on PTHC’s servers. Prior to this incident, PTHC had been made aware of several cybersecurity problems, which PTHC allegedly failed to address.
2. A 2022 incident involving the public disclosure of private information of over 1,000 current and former employees due to an insurance enrollment vendor’s misconfiguration of settings on a file-sharing platform. This was discovered when a PTHC employee ran a Google search on an employee’s name and found a publicly available spreadsheet containing private information of the employees, including names, Social Security numbers, dates of birth, and other data.
The AG determined PTHC violated its security obligations under General Business Law and the Health Insurance Portability and Accountability Act of 1996. Notably, the AG emphasized PTHC’s failure to maintain an adequate information security program, lack of privacy training, lack of an agreement with its insurance broker to address data security standards, and failure to conduct security diligence on the broker.
Beyond the $350,000 penalty, the AG mandated that PTHC implement a comprehensive information security program with rigorous security measures, some surpassing legal requirements. The mandated measures included:
- Development of an inventory of network assets that contain sensitive information
- Improved access controls
- Improved authentication procedures, including the use of multifactor authentication
- Encryption of sensitive information at rest or in transit
- Logging and monitoring of network activity
- Implementation of an anti-malware program
- Implementation of an intrusion detection and prevention solution
- Maintenance of email protection and filtering solutions for all email accounts
- Vulnerability management
- Implementation of data minimization procedures
- Maintenance of data retention and disposal procedures and creation of a data retention schedule
- Employee training covering phishing and annual mock phishing exercises, where employees who fail must successfully complete additional training
- Vendor management procedures, including appropriate safeguards in vendor contracts and reasonable security diligence conducted prior to engagement and at least once every three years thereafter
- Periodic third-party security assessments
The AG also required PTHC to offer credit monitoring and identity theft protection services to the affected employees and patients who had not previously been offered such services.
Businesses operating in New York or handling the data of New York residents should be aware that the AG enforces multiple laws related to data security and data privacy. Implementing a comprehensive information security program is paramount. Continuous legal oversight, especially in formulating vendor contracts with rigorous data security provisions, is recommended.
Many cybersecurity problems result from a third-party vendor, yet the victimized company is often the target of regulatory investigations and litigation. Companies are often stuck with the tab for dealing with an outside vendor’s cybersecurity failures, unless the contract between the parties places responsibility on the vendor. Vendor agreements thus serve as essential risk-management tools, given the potential for significant regulatory fines and impacts on the company’s reputation and customer relationships. Properly drafted, these agreements protect vital business interests.
Should an incident occur, organizations should promptly involve their outside legal counsel. This step creates the predicate for the attorney-client privilege to apply to communications regarding the incident, lessening the chance that compromising communications may surface as evidence in regulatory investigations or class-action lawsuits by impacted consumers. Moreover, engaging outside counsel for guidance and orchestration of a breach response can help avoid potential conflicts, particularly when a company’s internal information technology team may be involved in assessing a breach that it failed to prevent. To be prepared to properly address these time-sensitive matters, companies should retain—or at a minimum identify—competent data security counsel before an incident arises.
If you have any questions regarding this alert, please contact Charles Nerko, team leader for data security litigation in the firm’s Data Security & Technology Practice Area, at cnerko@barclaydamon.com; Renato Smith, Data Security & Technology Practice Area co-chair, at rsmith@barclaydamon.com; Bridget Steele, counsel, at bsteele@barclaydamon.com; or another member of the firm’s Data Security & Technology Practice Area.