Attack on Point of Sale System
One of our clients, a grocery store chain, experienced an attack on its point of sale system that resulted in a theft of customer payment card information. Our team worked with the client from the moment the breach was discovered to investigate the incident, engage forensic experts and auditors, notify law enforcement authorities, negotiate with affected payment card companies, and develop position statements and press releases. We helped the client handle every aspect of the breach, advising on how to proceed and ensuring that the negative impact of the breach on our client’s business was minimized as a result of a prompt, thorough response.
Social Security Disclosure
Our client, a vendor for the State of Wisconsin, was involved in the inadvertent disclosure of the Social Security numbers of more than 700,000 Wisconsin taxpayers. Our team worked with the client during the highly publicized incident to negotiate and address corrective measures with the state. We drafted and coordinated a notice to the affected taxpayers, as well as helped the client put credit monitoring services in place for those affected. We also counseled the client in connection with the legal and business ramifications of the publicity associated with the event.
Malware vs Health Care
Our team assisted a large health care system with a security incident involving malware attacking its computer systems. We helped the client obtain outside experts for its investigation using our contacts in the industry and developed a security incident response plan. We analyzed and advised on whether the incident rose to the level of a breach of unsecured protected health information under the HIPAA Security Breach Notification Rule. We also analyzed the applicable state breach notification laws and aided in the drafting of the required notifications to affected individuals and covered entities, the media, and regulatory bodies. We also assisted in the development of fact sheets and other materials that were used for internal and external communications regarding the incident.
Office for Civil Rights Victory
The federal Office for Civil Rights (OCR) investigates possible HIPAA violations. In 2015, a health care client received an OCR investigation request regarding a patient complaint. We assisted the client by reviewing the alleged incident and the client’s policies and procedures, and by proposing a response to OCR. The matter was then closed by OCR, without further action.
Our attorneys have assisted hundreds of clients with HIPAA privacy and security matters. We maintain model policies and procedures and related forms, such as business associate agreements. We have also trained clients on these rules. For example, in 2015 we conducted an in-person training session for a Midwestern client. However, this client has operations throughout the country and needed to train personnel in those locations. We took the customized training program and recorded a web seminar of the program. As a result, the client could train both current and future employees.
Our team advised a Midwestern dairy cooperative in connection with the development and implementation of its “Bring Your Own Device” technology policy and with implementation of a data retention and destruction program.
Our team assisted a client purchasing a business with U.S. and overseas locations with the handling of employee data transfers and with a transition services agreement through which data would be processed.
Our team assisted in the development of several health information exchanges for integrated delivery systems and affiliated providers. We performed an analysis of federal and state privacy laws to determine the use and disclosure restrictions on the sharing of data in health information exchanges and related consent, authorization, notice, and opt-in requirements.
Our team guided a client establishing U.S. and European e-commerce terms of sale.