Data is a critical and invaluable asset of all companies. Data privacy and security concerns affect every company, industry, and consumer. Despite this, an astonishing amount of misinformation surrounding data privacy, security risks, and compliance requirements continues to be asserted as fact. In this article, cybersecurity and data privacy attorneys at Nelson Mullins address—and bust—some of the more common myths to reveal the facts surrounding access to data, the risks to data, and how to protect your organization from such risks.
Cybersecurity and Data Privacy Myths
"IT, InfoSec, and Forensics Professionals all do the same thing. We don’t need to engage an outside forensics vendor following an attack."
False — While all three are extremely important to an organization, each of these professionals has a distinct role and skill set. Below is a non-exhaustive list intended to illustrate the role of each. If you have an email or network security incident that affects operations or sensitive data, cybersecurity forensics professionals should be engaged to help investigate the matter.
Information Technology professionals find and deploy technology to maximize network performance, minimize downtime, enhance communications, facilitate information sharing, and support more efficient processes.
Information Security professionals ensure that technology is secured against possible attacks by identifying, understanding, and resolving configuration and security vulnerabilities before they are exploited by threat actors.
Cybersecurity Forensic/Investigation Teams help stop, contain, and mitigate any identified vulnerabilities post-attack. These teams acquire and analyze logs and other information and apply advanced technical analysis software and skills to determine the point of entry and the timeline of the cyber event, and to evaluate whether data was exfiltrated or its integrity compromised. The forensic assessment should be conducted under attorney-client privilege, and the results should be analyzed by a breach attorney to determine whether the victim company has any legal notice obligations to consumers or employees.
"We don’t need breach counsel. We have a general counsel."
False — Breach counsel may be accessible under your cyber insurance policy or engaged directly by your company — prior to or following a security event. Breach attorneys specialize in data privacy and cybersecurity and work in the field responding to data breaches day in and day out. If your organization has a general counsel, breach counsel works closely with your general counsel to walk through the investigatory process, engage with post-attack forensic, public relations, mail house, and call center vendors, and help determine whether state, federal, and international legal breach notification obligations apply based on the data at issue.
"My company purchased a set of data privacy and security policies and procedures from an online vendor and saved those to our system. That’s sufficient for compliance purposes."
False — Data privacy and security policies should be tailored to fit an organization’s operational size, practices, and obligations — including meeting applicable industry standards, contractual requirements, and federal, state, and international laws. Using an off-the-shelf set of policies and procedures can create significant legal risk for an organization. Policies that are adopted without regard to actual operations and exigent circumstances, and that are then not followed, can be used as evidence against a company in litigation and regulatory investigations. Employees should receive specific training on the policies, and the policies should be readily available for reference.
"I’m a small business. I would never be targeted for a cyber attack."
False — If your organization connects to the internet, it is at risk of a cyberattack. Attack groups scan every nook and cranny of the web to find vulnerabilities in computer networks, often using automated tools that do not discriminate based on a company’s size or type of operation. Small businesses are frequently the most vulnerable because they often lack the financial resources to secure their systems appropriately.
"My customers are businesses, and I don’t collect information about individuals, so I don’t have any sensitive personal information to protect."
False — Even if a company doesn’t collect personal information about individual customers, human resources data often includes employees’ Social Security numbers, driver’s license numbers, health information, direct deposit information, etc. It is a rare exception to find a business that does not store some form of personally identifiable information. Further, operational data and business confidential information should always be considered.
"I do not have to worry about data privacy and security because my company outsources all of our IT needs to a third-party vendor."
False — Organizations that collect, process, and/or otherwise handle sensitive personal information may have obligations to protect that data that cannot be delegated to another party. And with the increase in so-called multi-service provider and supply chain attacks, where threat actors attack multiple organizations connected via networked applications or services at once, it is more important than ever that organizations conduct due diligence to ensure that any outside vendors with access to the organizations’ systems have the appropriate qualifications and security measures in place to protect data.
"So long as I have good backups for my company’s data, I don’t have to worry about cyber attacks."
False — Cyberattacks continue to become more sophisticated, and the primary risks to organizations are no longer limited to operational impacts or primary IT systems. Increasingly, threat actors are accessing and encrypting backups as well. Threat actors are also exfiltrating data as leverage to demand higher extortion payments and/or to sell the data on the black market. Even if an organization is able to restore its systems completely from backups after a cyberattack, it may still have reporting, legal notification, and other obligations in connection with any protected personal information that may have been impacted.
"Ransomware and cyberattacks are inevitable."
False — Many companies have decided that security incidents are not preventable and that every company eventually will get hit. However, our cyber forensics partners advise that in almost every ransomware attack we defend, multi-factor authentication (MFA) and good endpoint monitoring, which were not in place prior to the attack, likely would have prevented or slowed the attack. There are many steps that companies can take to help prevent cyberattacks.
Health Care Data Privacy Myths
"Any company that handles health information must comply with HIPAA."
False — Only health plans, health-care clearinghouses (companies that convert data into different formats), and health-care providers that conduct certain standard transactions electronically — mostly related to payment — are HIPAA covered entities and, therefore, obligated to comply with HIPAA.* Thus, free medical clinics and all-cash practices technically are not HIPAA covered entities. However, based on HIPAA and other laws designed to safeguard the privacy and security of medical information, patients have come to expect that their health-care providers will assure that their health information is maintained securely and confidentially. Further, many states now include “health information” in their security compliance and consumer notification laws.
* In addition, certain companies that furnish administrative services to HIPAA covered entities and access, receive, use, or maintain health information in order to provide those services — known as “business associates” — must comply with HIPAA.
"HIPAA prevents my employer from asking whether I am vaccinated or requiring proof of vaccination."
False — HIPAA does not apply to employment records, including employment records maintained by covered entities or business associates. However, other laws may apply. The Americans With Disabilities Act requires an employer who obtains vaccination or other health information about an employee to keep the information confidential and to store it separately from the individual’s personnel records.
"If police come to our hospital and ask for copies of medical records, HIPAA requires us to provide all of the information requested."
False — HIPAA places limits on what information hospitals and other healthcare providers may release to law enforcement. Generally speaking, law enforcement must tailor their requests for information to that which is reasonably related to a law enforcement investigation (such as investigation of a crime on the hospital’s premises). HIPAA specifies what limited information may be released to law enforcement under these circumstances. Hospitals also may report to law enforcement the death of a person if the hospital suspects that the death resulted from criminal conduct, and hospitals may respond to a police request for information to assist in locating a suspect, fugitive, material witness, or missing person; but again, only specific, limited information may be disclosed. Mandatory state reporting laws and the federal regulations governing substance use disorder treatment records (42 C.F.R. Part 2) often must also be considered.
"If a patient posts a negative review about my medical practice on social media, I can post a response on social media discussing the patient’s medical condition."
False — Providers should not respond to a negative online review in a manner that discloses the patient’s medical information. A patient’s medical information may be used or disclosed on social media only if the patient has provided written consent to the use or disclosure. This is true even if the patient refers to his or her own medical condition in the negative review.
"As a patient, HIPAA entitles me to access and receive copies of all of my health information."
False — HIPAA permits individuals access to protected health information that is held in a designated record set, which is a defined term under HIPAA. Generally, a HIPAA right of access will not provide the level of records that a discovery request in litigation would yield. Covered entities are also not required to provide access to psychotherapy notes (private notes recorded by a mental health professional during a session and kept separately from the rest of the patient’s medical record). Healthcare providers and health plans are not required to provide access to health information if they determine, in their professional judgment, that providing access is reasonably likely to endanger the life or physical safety of the patient or another person. If a covered entity does not have the records that a person requests (for example, the professional you ask does not have your primary care doctor’s records), it is not required to provide them.
"If I seek help for a drug habit, law enforcement may be notified, and I may be subjected to criminal prosecution."
False — The federal regulations addressing confidentiality of substance use disorder treatment records (42 C.F.R. Part 2) categorically prohibit a covered health-care provider from sharing information about a patient’s substance use disorder diagnosis or treatment with law enforcement unless the patient has committed or threatened to commit a crime on the premises of a treatment center or against treatment center personnel. Even then, law enforcement agencies are required to go through special procedures to obtain information about a person’s substance use disorder, and a court typically may grant access to this information only in the case of a very serious crime such as homicide, rape, armed robbery, or child abuse/neglect.
"If I get a genetic test recommended by my doctor and ask my health plan to pay for it, my health plan can use the test results to deny coverage for my future medical conditions."
False — The Genetic Information Nondiscrimination Act, or GINA, prohibits health insurers from using genetic information to make decisions about your eligibility for health insurance, for coverage decisions, or to require you to pay higher premiums based on genetic information. However, if you get health insurance through your employer and your employer has fewer than 15 employees, GINA does not apply. Also, GINA does not apply to other kinds of insurance, such as long-term care insurance, disability insurance, or life insurance, so those companies may ask you about any genetic testing you have undergone as part of their application processes.
"Until my child turns 18, I have the right to access and receive copies of all her medical information."
False — Parents/guardians typically have the right to access health information about their minor children for the health records associated with the services that the parents are required by law to consent to on behalf of their children. However, in most states, minors have the right to consent to certain types of treatment on their own — such as treatment for mental health issues, communicable disease testing, birth control, and substance use disorders. If you live in one of those states and your child has consented on her own to receive one of these types of services, your child must agree in writing before the provider may release information about these services to you. There are exceptions in certain cases.