(c) 2018 Jon L Gelman, All Rights Reserved.

Thursday, June 15, 2017

Safeguarding Injured Workers From Cybersecurity Breaches

Under new Federal proposals, injured workers will be protected from cybersecurity breaches. The impact will be greater responsibilities and costs for law firms, employers, and their insurance companies.

Workers' Compensation stakeholders will be required to maintain better cyber hygiene, have better application update procedures and establish an adequate plan to respond to breaches. Client and governmental agencies will require more secure networks and procedures for handling data transmission, access, and storage.

Hacking is an increasing concern for workers' compensation stakeholders. Some of the attacks by nation states are difficult to contain. Other attacks, by criminal ventures and amateurs, are less invasive. All the attacks can be hazardous, disruptive and costly. In the future, they will probably advance from the invasion of Personal Protective Information (PPI) to industrial ("Internet of Everything") and national attacks, i.e., WannaCry and WannaCry (2nd wave). See also Envisioning the Hack That Could Take Down New York City, NYMag, June 10, 2016, and "A Cyberattack 'the World Isn't Ready For,'" NY Times, June 25, 2017.

The scope of potential exposure to injured workers is enormous. It extends from the hypothetical breach of a cardiovascular implant (i.e., medical device security) portrayed on the television series Homeland to real-world breaches of Personal Protected Information (PPI). One example is the breach of 32,599 patient records that resulted in a $4.124 million class action settlement. Columbia Cas. Co. v. Cottage Health System, 2015 WL 4497730, July 15, 2015, Not Reported in F.Supp.3d. "The Court, therefore, DISMISSES the Complaint WITHOUT PREJUDICE, so that the parties may pursue alternative dispute resolution under the terms of the policy." The cybersecurity policy contained an exclusion for "failure to follow minimum required practices." See also the press releases from the NY State Attorney General.

Insurance carriers are not immune from liability as a result of cybersecurity data breaches. A proposed $115 million class action settlement arising from a cybersecurity attack on health insurer Anthem, Inc. has been announced. It is the largest data breach settlement in history.

More specifically, a recent American Bar Association opinion mandates that attorneys take reasonable cybersecurity measures to protect client data. ABA Formal Opinion 477 (May 11, 2017).

National regulation initiatives have been given a mandate through Presidential Executive Orders: Presidential Executive Order on Improving Critical Infrastructure Cybersecurity 13636, February 13, 2013, and Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, May 11, 2017. See also An Introduction to Data Security (NIST), June 2017, and Digital Identity Guidelines 800-63 Rev 3 (NIST), June 2017.

The National Institute of Standards and Technology (NIST) has initiated a "Framework for Improving Critical Infrastructure Cybersecurity." This voluntary model is rapidly gaining acceptance throughout industry and government.

A Federal statutory cause of action has evolved under the Defense of Trade Secrets Act, 18 USC §1836 et seq., as well as the Cybersecurity Act of 2015. See also Cybersecurity Enhancement Act of 2014, P.L. 113-274.

The recent initiatives in electronic security were highlighted at the recent NJ ICLE 2nd Annual Cyber Security Conference. The Presidential initiatives are operationalized by the National Institute of Standards and Technology. See The Cybersecurity Framework: Implementation Guidance for Federal Agencies, Draft NISTIR 8170 (NIST), May 12, 2017 (comment period through June 30, 2017); Cybersecurity Framework Workshop 2017; and Addressing Gaps in Cybersecurity: OCR Releases Crosswalk Between HIPAA Security Rule and NIST Cybersecurity Framework, February 23, 2016.

The NIST Framework is being integrated into the infrastructure by the Executive Branch. Adoption and integration are anticipated by Health and Human Services (HHS) (HIPAA-Office of Civil Rights), the Securities and Exchange Commission (SEC), and the Food and Drug Administration (FDA).

"An overriding question remains whether lawyers will be able to effectively protect their client’s confidentiality interests at any cost. Clients are becoming more sophisticated and they now demand that law firms adhere to security standards that will prevent a breach and if a breach occurs that the law firm will take adequate action to provide notice and mitigate the potential damage."

"The ethical responsibility of lawyers, in most jurisdictions, is to take reasonable care to protect the personal information of clients in accordance with well-defined constitutional, statutory and administrative regulations, ethics opinions and the common law phraseology of the Restatement of Torts." See, Cybersecurity is an imminent and costly threat to lawyers and their clients.

Cybersecurity in workers' compensation remains in its infancy. Cybersecurity is yet again placing the Federal government in the lead on privacy and confidentiality as workers' compensation moves along the Path to Federalization. Going forward, increased regulation and stricter controls will safeguard injured workers.

This article is based on my presentation on Cybersecurity at the NJ ICLE seminar on Hot Topics in Workers' Compensation Law 2016. The 2017 supplement to the treatise Workers' Compensation Law provides extensive and expanded coverage on this topic.

Jon L. Gelman of Wayne NJ is the author of NJ Workers’ Compensation Law (West-Thomson-Reuters) and co-author of the national treatise, Modern Workers’ Compensation Law (2017 West-Thomson-Reuters). 

For over 4 decades the Law Offices of Jon L Gelman (1.973.696.7900) has been representing injured workers and their families who have suffered occupational accidents and illnesses.

Updated: 06/29/17 06:30 am