Cloud Cyber Risk

Cloud-based storage of an organization’s data attracts attackers like bees to honey. They take the time to study a target and find the flaws that let them breach it, extract personal data and sell it. Data experts Lee Neubecker and John Blair discuss cloud data compliance and the legal regulations put in place to protect cloud-based data.

Compliance and Privacy Laws

Cyber risk goes hand in hand with storing data in the cloud. New compliance and privacy laws have been enacted to protect this cloud-based private information. The State of Illinois has passed a privacy law that specifically addresses how companies gather and store private data.

The Illinois Policy Institute, an independent organization that generates public policy, explained that in 2008 Illinois enacted BIPA, the most stringent law of any state regarding the consent, notice and disclosure procedures private entities must follow when collecting, storing or using people’s biometric information, such as fingerprints, iris scans and face prints. The law forces companies into compliance and makes them more responsible for the collection and storage of private data, ultimately decreasing exposure to cyber risk.

Data experts Lee Neubecker and John Blair say that because of BIPA, companies are now more aware of how they secure and store data. They also discuss other data compliance and privacy laws, such as the California Consumer Privacy Act (CCPA) and the Health Insurance Portability and Accountability Act (HIPAA), and how these laws regulate the healthcare industry and other organizations when storing consumer and vendor data in the cloud, ultimately protecting the consumer. Watch the video interview to learn more.

Part 2 of our 3-Part Series on Cloud Data

Lee Neubecker: Hi I am back again with John Blair. We’re continuing our discussion on cloud security and helping to minimize your cyber risk of having data in the cloud. And today, we’re going to be talking more about some of the compliance and regulatory issues and legal issues that companies face that are having their data and customer data, vendor data in the cloud. So, John, can you tell me a little bit about some of the regulations that impact the healthcare sector specifically?

John Blair: Yeah, the primary one is going to be HIPAA and the associated and subsequent acts like HITECH that augment HIPAA, some of which more clearly define some of the rules and regulations, primarily the Security Rule and the Privacy Rule. So those are going to be the ones that primarily come into play, but there are also individual state versions of healthcare acts that you need to abide by, and each state has one, so you also need to abide by the state regulations as well.

LN: Interesting. So really, if a company’s operating in multiple states, they have a lot of issues to be looking at.

JB: They have a lot of regulations to be aware of and to be compliant with, yep.

LN: So I know here in Illinois we have the Illinois Biometric Information Protection Act, otherwise known as BIPA, and that’s been creating a lot of stir; Facebook recently had a settlement.

JB: Yep.

LN: And apparently Illinois residents that have Facebook accounts might be entitled to around $200 per person.

JB: Yep.

LN: If you are in Illinois and have Facebook, so possibly you will be notified.

JB: Yeah, Illinois is the only one.

LN: And do you think it will be through Facebook Messenger?

JB: I do not. But because of that law, Illinois residents are the only ones that are getting anything out of that lawsuit, specifically because of that law.

LN: Got it.

JB: So I don’t know the details of the law, but on the surface it seems to be headed in the right direction.

LN: Right, essentially they took the position that your biometric information, unlike your cell phone number or your social security number, is something you can’t change.

JB: Right.

LN: So if that data becomes compromised such as your facial vector map,

JB: Yeah.

LN: Or your fingerprint or your DNA, that you can’t swap it, it’s part of who you are.

JB: Right and those, you know, we’re finally headed in the right direction where it’s being considered personal.

LN: Yeah.

JB: So which I totally agree with.

LN: We also had, just last month, the California Consumer Privacy Act, known as CCPA, go into effect, and that’s got a huge impact on anyone who does business with California residents.

JB: Yeah, that is yet to... I think people were preparing for that prior to that, but going forward I’m sure there’s going to be a lot of repercussions from it, because there are obviously going to be companies and entities that don’t prepare well for it and are going to get caught up in it. It covers... California is a huge state, a lot of people, so there are going to be some lawsuits.

LN: So it’s also been such that if you’re making medical devices for consumers and you have that information relaying over 3G, 4G networks, we’ve got CPAP machines, pacemakers, all other types of information, all kinds of monitors.

JB: Yep.

LN: And with that information going to the cloud, if you’re a California resident and that information gets breached, it could be used by marketers or it could be used in other ways to target people.

JB: Yeah, hospitals are going to need to really step up their game with respect to that particular regulation. Hospitals traditionally are a little bit behind, technically speaking, from an IT point of view. They’re very much on the bleeding edge from a medical device IT point of view, but they tend to lag behind because it’s hard to afford both.

LN: Yeah.

JB: But this is going to... you know, how they allow individuals access to their networks, what they allow in and what they allow out, because that’s the channel these medical devices use; it is going to be very, very important that they get more control over those things.

LN: So as it relates to healthcare, what are some of the concerns when a data incident is discovered and actually turns out to be a data breach? What types of reporting and notification requirements are unique to the healthcare sector?

JB: Well, first and foremost, you need to evaluate the situation and then, in conjunction with your legal team and compliance teams, establish whether or not you officially declare it a breach. That means you need to investigate it, and you need to involve any vendors that were involved with that data, because it may have been the vendor that you’ve contracted with that actually had the breach or disclosure and not you, but since they’re your vendor, you’re also on the hook. That flows all the way up from business associates, which is what those two entities would be, up to the covered entity who actually owns the data. So after a thorough investigation and consultation with legal and compliance, a determination needs to be made whether or not you formally declare a breach. And if so, then there are all kinds of HIPAA standards that come into play about notification to the government, notification to each individual affected by the breach, what needs to take place with respect to that notification, and there’s a timeline involved that needs to be met. So declaring it a breach is a very formal and arduous task.

LN: Yeah, not a pleasant one.

JB: No.

LN: In our next segment on securing data in the cloud, we’re going to be talking more about what happens when a breach is discovered, some of the issues related to reporting the breach, and what that can mean to an entity, especially if it’s not handled correctly. So thanks for being on the show again.

JB: Thanks, Lee.

View Part 1 of our 3-Part series on Data Cloud Storage

BIPA Laws

To learn more about HIPAA

https://www.hhs.gov/hipaa/index.html

Illinois BIPA policy

https://www.illinoispolicy.org/

Steps Employers Should do Before Using Biometrics

More and more employers are using biometrics. Biometric information is covered by the Illinois Biometric Information Privacy Act, or BIPA. Forensic expert Lee Neubecker and Vedder Price shareholder David Rownd talk about the steps employers need to take so they don’t violate BIPA.

Employers Using Biometrics

What should employers do before collecting biometric information? Biometrics is a cutting-edge technology, and more and more employers are using it in the workplace: to activate machinery or computer devices, to track employee time and attendance, and to control access to secured areas. The most common biometric recognition system employers use is the fingerprint reader.

Expert Lee Neubecker and Vedder Price shareholder David Rownd discuss the steps every employer should take before installing biometrics.

Part 3 of our 3-Part Series on Biometric Information

The Video Transcript Follows.

Lee Neubecker (LN): Hi, I’m here again with David Rownd. David, thanks for being back on the show.

David Rownd (DR): Oh, thanks for having me again.

LN: So we are continuing our series talking about BIPA, the Illinois Biometric Information Protection Act, and what employers should do, especially those New York employers that have satellite offices in Chicago that track their employees and whatnot, and the things they might want to do beforehand so that they don’t get into trouble. With that, David, what are some of the concerns and responsibilities employers have under BIPA?

DR: Well, first of all, they have an obligation to notify employees that they are using biometric information. And they have to tell them why they are using biometric information. They have to safeguard the information. They have to have policies in place to safeguard the information. And they are absolutely prohibited from selling the information to third parties.

LN: That would mean if they are using time tracking software they might want to check to see what adaptations those software companies have in terms of how they protect employees’ fingerprints and whatnot.

DR: Absolutely.

LN: And is it a good idea for the employer to actually get the employee to sign a consent form?

DR: Absolutely. In fact, they are required to obtain consent...

LN: Okay

DR: ...before doing this. And this is an important consideration for employers, and it should be something that is well thought out, with a program put into place that complies with the law before embarking on the use of biometric information.

LN: So, employers, if you have a trading firm here in New York that has a satellite trading operation, possibly an options firm, since options are big in Chicago. What would you advise them to do, just as a check-up to make sure they are OK?

DR: Well, if you are going to be using your employees’ biometric information in Illinois, it would be covered by BIPA, and you need to make sure you are in compliance with the law. I think it makes sense for your in-house legal team, or whatever counsel you rely on, to go over what you plan to do and ensure that what you are going to be doing is in compliance with the law.

LN: So I think the intent of a lot of these tracking features of time tracking software really is to try to protect employers from an employee punching in for, you know, their friend that is running late. But there are other ways that employers can still do that without relying on fingerprints or retina scans.

DR: There are other ways. Smartphones can be used, and they can be used without taking any biometric information, and there are other ways of doing it as well. But if you are going to be using biometric information, you certainly should make sure that you are in compliance with BIPA, because it’s been very active, very buried in litigation. There have been a lot of class actions lately, and a lot of companies have had some issues. Most employers would be well advised to make sure they don’t run afoul of the law.

LN: So why are we suddenly hearing so much about BIPA in Illinois? What happened last year that changed things?

DR: Well, there was an Illinois Supreme Court case that really kind of opened the floodgates for plaintiffs to be able to sue. Normally, in order to bring a lawsuit, you have to be able to show that you suffered some specific harm, which is referred to in the law as damages, and that is an element of most civil causes of action. However, under the way BIPA is written, an aggrieved party can bring a private right of action under BIPA. And the Illinois Supreme Court, in a case called Rosenbach last year, basically held that the mere violation of the law with respect to someone’s biometric information makes that person an aggrieved party. So the fact that your biometric information has been handled out of compliance in a program means you’d have the standing to bring a lawsuit. And more importantly, you could potentially be the lead plaintiff in a class-action lawsuit, which ups the ante significantly for employers and exposes them to much more significant liability.

LN: So this could expose any employer using time tracking that has a biometric component in Illinois?

DR: Potentially, yes.

LN: Now are there things that can help protect those employers though from getting in the crosshairs if they are using that software?

DR: Well, I mean, ensuring that you’re in compliance with the law, certainly. Which means making sure you’re getting consent, making sure that the consent is informed consent, and that the consent is in full compliance with the requirements of BIPA. Not doing anything that BIPA prohibits, such as selling the information to third parties. It sounds pretty obvious, but it’s something that’s important to make sure you’re in compliance with the law.

LN: Now there was a case in Illinois involving an athletic gym that had customer information, and some of that information was alleged to have gone to outside parties. I think that case settled, but certainly not only employers can fall into the snare of BIPA; it reaches consumers as well, people who do business with companies that choose to take their biometric data.

DR: Absolutely

LN: Like possibly even Google and Facebook.

DR: Potentially, yes.

LN: Well, thanks a bunch. In our next segment, we’ll talk a little bit more about what is happening nationally with BIPA. And thanks again for being on the show.

DR: Thanks for having me.

Part 1 of our 3-Part Series on Biometric Information

Part 2 of our 3-Part Series on Biometric Information

Other Related Articles

View Vedder Price – David Rownd

https://www.vedderprice.com/david-rownd

To learn more about BIPA

http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57

BIPA: How it May Affect You

Does your employer require your fingerprint when you clock in for work? That fingerprint is private biometric information, and BIPA is the Illinois law that regulates its collection and use. Experts Lee Neubecker and David Rownd explain how the law affects employers with Illinois-based employees.

The Biometric Information Privacy Act (BIPA) is the Illinois law that governs a private entity’s collection, use, storage and disclosure of biometric information, including an employer’s use of its employees’ biometrics. Biometrics are physiological characteristics used to identify an individual uniquely. The oldest and most widely used is the fingerprint; other identifiers include retina or iris scans, voiceprints, and scans of hand or face geometry. Under the Act, a photograph is not itself a biometric identifier, but a face-geometry scan derived from a photograph is covered. BIPA is designed to govern how biometric information is collected, secured and stored, and it prohibits its sale. Forensic expert Lee Neubecker and David Rownd of Vedder Price discuss how BIPA may affect employers that have satellite offices in Illinois.

Part 1 of a 3-Part Series on Illinois’ Biometric Information Privacy Act

The Video Transcript on BIPA: How It May Affect Employers in Illinois.

Lee Neubecker (LN): Hi, I am here again with David Rownd from Vedder Price. Thanks for being on the show, David.

David Rownd (DR): Thanks for having me.

LN: David is an attorney who specializes in defending class action lawsuits, and also in employment litigation, trade secret theft and misappropriation. I asked him to come on the show today to talk a little bit about BIPA, which is the Illinois Biometric Information Protection Act. Specifically, he deals with a lot of trading and security-related financial services firms, and since that law applies to Illinois and many trading firms in New York have satellite offices, I wanted him to talk a little bit about the act and some of the concerns that employers should have if they have employees working in Illinois. So, David, can you tell us a little bit about BIPA, what it is and what it entails?

DR: Basically it covers the employer’s use of biometric information of its employees. This can be a retinal scan, it can be a fingerprint, it can be a number of different things, and it can be used for time cards, access to the workplace and things like that. Employers are using biometric information because it’s an easy way to keep track of employees. However, it is also a privacy issue, and that’s where BIPA comes in. BIPA is intended to regulate employers’ ability to utilize biometric information and put certain requirements on them: notifying employees they are using it, notifying employees why they are using it, keeping written records of the biometric information, and it specifically prohibits the sale of biometric information to third parties.

LN: It’s especially troublesome too because if you lose your unique biometric identifiers, you can’t necessarily get those back. Unlike a social security number, which you could replace, if someone is able to copy your retina scan, your fingerprints, whatnot, it could cause a lot of permanent damage.

DR: That’s true, you only get one of those things.

LN: So we will be talking later in the series. Next we’ll be talking a little bit about what employers should do before they land in trouble with BIPA, to help protect against finding themselves embroiled in litigation, and then finally we’ll talk a little bit about some of the national happenings with Facebook and other entities who have been ensnared in the BIPA trap, and we’ll conclude there. So thanks for being on the show today.

DR: Oh, thanks for having me.

View related Employment Litigation articles on our website.

EMR or Electronic Medical Records May Contain Private Biometric Information
Forensic Data Collection can be used in cases where ESI is breached or stolen
Private Biometric Information is Electronically Stored Information (ESI) and governed by BIPA
An individual’s photo is considered biometric information.

Learn More about Illinois BIPA Litigation

http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57

Protection under BIPA

https://www.vedderprice.com/