Cybersecurity is a top concern for all industries, particularly for the pharmaceutical and medical device industries. These industries hold some of the most sensitive data and highly valuable technology, making them prime targets for cybercriminals. Here we discuss cybersecurity risks, how to protect against those risks, and the latest on the legal impact of those risks.
I. Cybersecurity Risks
The year 2021 was a record-breaker for data security breaches. There were 1,864 data breaches affecting 422 million individuals – a 68% increase from 2020. Out of those, 1,143 of them divulged individuals’ entire social security number. More than 80% of the successful breaches were accomplished due to human factors, such as compromised passwords and successful phishing scams. In fact, 33% of the 2021 data breaches were accomplished through phishing attacks, which also happens to be the third most common scam reported to the FBI. A majority of the phishing attacks were achieved through spear phishing, which is successful because the scam email appears to have been sent from a trusted source. Smishing –SMS phishing messages – also proved to be a fruitful route to breaching data in 2021. Smishing landed victims in a scam more than twice the number of times in 2021 than it did in 2020. These human factor risks resulted in cyber criminals effectively attacking 83% of organizations in 2021.
In addition to the increase in phishing attacks, the FBI reported a 62% increase in ransomware[1] complaints in 2021. U.S. financial institutions spent nearly $1.2 billion on ransomware payouts in 2021, which is more than double than what was paid in 2020. Over 41 million individuals in the U.S. alone were affected by healthcare data breaches in 2021, according to reports of breaches affecting 500 individuals or more by the US Department of Health and Human Services Office of Civil Rights. Federal Trade Commission (FTC) data released on February 23, 2023 shows that consumers reported losing nearly $8.8 billion to fraud in 2022, with losses of $2.6 billion reported from imposter scams.[2] Despite all of the heightened exposure to breaches seen in 2021, only 60% of organizations offer formal cyber security education to their users today.
II. Legal Impact
A. Data Security Laws
The U.S. approach to personal data security is a “sectoral model,” achieved through various laws aimed at specific industries.[3] In contrast, the European Union utilizes a “comprehensive model,” which defines data security requirements for organizations across the board through the General Data Protection Regulation (GDPR). There is no comprehensive federal privacy law in the U.S. that is comparable to the GDPR.
Some states have enacted laws requiring organizations that collect, use or manage personal information to take reasonable measures to protect the information. In the eyes of the law, what constitutes “personal information” varies by state, but at the bare minimum, it includes information that (1) may create a significant risk of fraud, identity theft or other consumer harms if compromised, and (2) first and last name accompanied with either a social security number, driver’s license or state identification number, or a financial account, credit card, security code, access code or password that permits access to the bank account. If an organization uses, collects, accesses, or maintains “personal information,” it must take steps to protect it. Additionally, all 50 states require an organization collecting, using or managing personal information to notify affected individuals if their data has been breached.
Most of the state laws impose “reasonable” data security to protect personal information from unauthorized use, access, acquisition, destruction, disclosure and modification. The laws’ “reasonable” standard, while appropriately flexible for fast-paced changes in technology, is often challenging to measure for organizations.
A few states have laws imposing specific data security requirements or prescribe specific program approaches. For example, Massachusetts, which requires some of the most stringent information security program obligations, requires a comprehensive written information security program. Oregon requires specific administrative, physical and technical safeguards. Alabama requires organizations to consider specific factors in maintaining reasonable data security measures.
Most states authorize their attorneys general to enforce data security obligations. If a state does not specifically give the attorney general authority to enforce the laws, they deem violations of the state law as unlawful or deceptive business practices. If in violation of reasonable cybersecurity measures, a court may order an injunction to prevent further action and violations, may order monetary penalties, such as consumer compensation, or may order the violator to pay a monetary penalty. Penalties range state-by-state from a few hundred dollars to a few thousand dollars per violation, with potential increases depending on the violator’s culpability.
B. FTC Enforcement
Businesses that use or retain personal data are lucrative targets for cybercriminals because such data can be valuable on the black market. So, the FTC has authority over businesses that collect personal information under the FTC Act[4] (“the Act”) and has issued guidance on cybersecurity. Under the authority given in the Act, the FTC can bring enforcement actions against businesses that collect personal information. Recently, the FTC has brought enforcement actions against two companies that acquire and maintain personal health information for making deceptive claims about the use or disclosure of health data.
In February 2023, the FTC filed a proposed order in an enforcement action against the telehealth and prescription drug discount provider GoodRx Holdings, Inc., for failing to notify customers and others of its unauthorized disclosures of consumers’ personal health information. According to the FTC’s complaint, GoodRx violated the Act by sharing sensitive personal health information with advertising companies and platforms and failing to report it to consumers. In addition to violating the rule, the FTC enforcement action alleged that GoodRx failed to maintain sufficient policies or procedures to protect its users’ personal health information as GoodRx had no formal, written or standard privacy or data sharing policies or compliance programs in place. As a result, the proposed order prohibits GoodRx from sharing user health data with applicable third parties for advertising purposes and provides a $1.5 million penalty for violating the HIPAA Breach Notification Rule.
Online counseling service, BetterHelp, suffered a similar fate. The FTC discovered that BetterHelp was pushing people to provide sensitive health information through an intake questionnaire and promising that the responses would remain confidential. Despite the promises of confidentiality, the FTC complaint alleged that BetterHelp shared the email addresses of over seven million consumers to platforms like Facebook, Snapchat, Criteo and Pinterest for advertising purposes. On March 2, 2023, the FTC issued a proposed order banning BetterHelp, Inc. from sharing consumer health data and requires, for the first time, that BetterHelp return $7.8 million in funds paid by consumers whose data was compromised.
These recent FTC actions shed light on how businesses can avoid similar fates. The FTC saw issues with BetterHelp sharing the email addresses of consumers, which is not typically considered “health information,” because the emails were shared with BetterHelp in the context of receiving a health-related service. Additionally, the FTC can bring an action against a business for deceptive practices if it does not have written data security policies, practices and procedures to protect the information from unauthorized disclosures.
Additionally, the Federal Trade Commission recently settled an enforcement action against Drizly, an alcohol delivery company, and its CEO over security failures that led to data breaches exposing the personal information of 2.5 million consumers. To penalize Drizly for its failure to take reasonable steps to protect its customer’s personal information, the FTC mandated corrective action, including monitoring and reporting requirements, and imposed future restrictions on the CEO personally for the next ten years, regardless of his place of employment. The Drizly settlement illustrates the FTC’s increased scrutiny on corporate officers and directors for failing to prioritize data protection.
The FTC alleged that the following failures of Drizly ultimately led to the breach of 2.5 million consumers’ personal information:
- Drizly failed to develop and implement adequate written security standards and procedures and failed to assess or enforce compliance with any written policies it did have. Drizly also failed to train employees, including engineers, on security standards.
- Drizly failed to store database login credentials using a secure method.
- Drizly failed to require employees and contractors to use unique, complex passwords to access sensitive information. It also did not end employee or contractor access to sensitive information when there was no longer a legitimate need for access.
- Drizly failed to adequately monitor its network and systems for unauthorized attempts to transfer or obtain consumers’ personal information. It also failed to perform regular assessments on the effectiveness of any protective measures in place.
- Drizly did not adequately test, audit and assess any security features and failed to conduct regular risk assessments, vulnerability scans and penetration testing of its networks and databases.
- Drizly failed to maintain a policy for inventorying and deleting consumers’ personal information.[5]
The organizational security failures highlighted in the FTC’s complaint against Drizly provides insight to the FTC’s expectations of companies harboring customer personal information. First, the Drizly settlement reminds corporate executives of the importance of their role in ensuring compliance with reasonable security measures. It also stresses that once a business no longer has a need for the personal information, it should dispose of the information securely. While not specifically mentioned in the alleged failures, the Drizly complaint also points out that Drizly should have known of the risk of breach inherent in its failed security measures because of other breaches in its recent past.
Takeaways from Drizly: if an organization has a prior breach, the FTC may consider it on notice that the current measures are not sufficient. The FTC’s action against Drizly also informs organizations of the importance of having key-players qualified to create, maintain and enforce a data security program within the company and of training essential employees how to comply with the program. Last, but certainly not least, the Drizly action reminds us of the importance of requiring complex passwords.
III. Cybersecurity Resources
To help organizations navigate data security measures, state and federal regulators and industry groups provide a variety of resources. The Federal Trade Commission (FTC) provides publications that explain basic elements of data security for businesses. The National Institute of Standards and Technology (NIST) also has a highly recognized and widely adopted Cybersecurity Framework that offers organizational guidance to implementing security measures. Additionally, the Department of Health and Human Services’ Health Sector Coordinating Counsel Cybersecurity Working Group released the Cybersecurity Framework Implementation Guide[6] to help the healthcare sector manage cybersecurity risks and align the healthcare sector with the NIST Cybersecurity Framework. The Cybersecurity & Infrastructure Security Agency (CISA) offers the Cyber Resilience Review, an assessment that evaluates an organization’s cybersecurity practices, and other tools and information. Finally, the International Organization for Standardization (ISO) provides a well-known information security standard for businesses to identify and address cyber risks.
IV. Cyber Insurance
Generally cyber insurance covers data security claims involving loss arising from a compromise of the insured’s computer systems, which can include hacking of the insured’s computer systems, introduction of malware (programs designed to obtain unauthorized access to data or to damage data or computer systems) and ransomware.
Even though most commercial general liability (CGL) policies cover bodily injury or property damage caused by an accident, they likely do not cover a data breach. Bodily injury is typically defined as physical injury, sickness or disease to a person – data breaches do not typically result in such injuries. Property damage is typically defined as physical injury or loss of tangible property – electronic data is not tangible property. With no bodily injury or property damage, the chance of a data breach claim triggering insurance coverage under your CGL is unlikely.
A comprehensive cyber insurance policy should cover the following losses:
- Data breach notification
- Forensic investigation
- Legal fees
- Lost or corrupted data/ransomware
- Loss mitigation services such as credit monitoring and identity theft protection services
- Business interruption/denial-of-service
- Regulatory fines/penalties
- Third-party contractual losses, such as PCI fines
- Statutory penalties
- Litigation costs and settlement
Also, pay close attention to exclusions and limitations. Watch for narrow definitions of personal data that may exclude coverage. Look for exclusions if stolen or lost laptops are not encrypted or unencrypted data is breached in transit. If you use cloud services, consider coverage of data stored outside of your network.
Cyber insurance companies will likely take a very close look at businesses’ written data security policies and procedures. It is likely that underwriters will evaluate how personal information is controlled, networked and protected. In reviewing those controls, insurers may look at how each device within an organization’s network communicates with the network, and if the organization is able to swiftly identify and isolate a device that may have malfunctioned or been the victim of a data breach. In addition, insurers may evaluate whether an organization has the ability to control login credentials and maintain access to devices that store/transmit personal health information and has regular, timely updates to software. The Health and Human Service’s Cybersecurity Framework, mentioned above, not only assists in identifying and implementing risk management best practices, but it also identifies numerous incentives, like reductions in cybersecurity insurance premiums and prioritized technical assistance from the federal government.
V. Conclusion
While it is impossible to defend all cybersecurity risks, understanding and preparing for the risks, and developing a strategy to manage the risks, are the keys to protecting your company.
[1] Ransomware is malicious software that encrypts access to a computer system until the “ransom” is paid.
[2] https://www.ftc.gov/news-events/news/press-releases/2023/02/new-ftc-data-show-consumers-reported-losing-nearly-88-billion-scams-20227
[3] See, e.g., Gramm-Leach-Bliley Act of 1999, 15 U.S.C. §§ 16801–09; Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. No. 104-191.
[4] The FTC’s primary legal authority comes from Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45, which prohibits unfair or deceptive practices in the marketplace.
[5] See In re Drizly, LLC and James Cory Rellas (Complaint, FTC Dkt. No. 2023185).
[6] https://aspr.hhs.gov/cip/hph-cybersecurity-framework-implementation-guide/Pages/default.aspx
Finis