GDPR and HITECH: Can the past predict the future?
In February of 2017, Memorial Healthcare System settled its HIPAA violation fines for $5.5 million USD. During an investigation, it was discovered that over 100,000 patient records had been impermissibly accessed. Allegedly, an ex-employee retained access to personally identifiable information and sold data records to people who used the data to file fraudulent tax returns. Federal criminal charges were filed against the ex-employee.
The first question this raises is: if the ex-employee committed a crime and illegally accessed the data, why did the hospital get such a hefty fine? According to the report from the Office of Civil Rights, “At the root of this breach was MHS’s failure to follow its own policies and deactivate the login credentials of a former employee from an affiliated physician’s office. Over the course of roughly a year, these credentials were repeatedly used to gain access to MHS’s data systems and client ePHI.”
This isn’t the only case of the Office of Civil Rights issuing fines over HIPAA violations. We’ve seen numerous violations and breaches resulting in multimillion-dollar fines. Many organizations didn’t believe that a data breach would ever result in a fine for them. Some organizations thought that data breach insurance would cover them and relied on that instead of actually securing their systems.
In December 2013, California’s Cottage Health System notified 32,755 of its patients that their protected health information had been compromised after the health system and one of its third-party vendors, inSync, stored unencrypted medical records on a system accessible from the Internet. As a result, the data may have been publicly available through search engines like Google. Columbia Casualty Company insured Cottage Health System against data breaches. Because Cottage Health System failed to properly secure its system, Columbia Casualty Company has challenged the insurance claim in court.
The General Data Protection Regulation (GDPR) is the new global compliance initiative coming from the EU. Many don’t believe that the GDPR will actually be used to levy fines against their business. The GDPR implements a two-tiered approach to categorizing violations and the related fines. The most significant breaches of the GDPR’s obligations can result in a fine of up to 4 percent of a company’s annual global revenue, or €20 million (whichever is greater). These higher-tier violations include failing to obtain the necessary level of customer consent to process data, failing to permit data subjects to exercise their rights, including the rights to data erasure and portability, and transferring personal data outside the EU without appropriate safeguards. For less serious violations, which include failing to maintain records of customer consent or failing to notify the relevant parties when a data breach has occurred, the maximum fine is limited to 2 percent of annual global revenue, or €10 million (whichever is greater).
Under the GDPR, companies that are not located in the EU but process the data of EU customers will have to appoint a representative in the EU. As for enforcement, we can look at the USA to determine how this might work in Asia. The GDPR directs EU authorities to develop international cooperation mechanisms to support its extraterritorial reach, which could potentially build upon the existing treaties and mutual investigative assistance agreements the EU has in place with the U.S. Federal Trade Commission. Companies should be aware that the EU is increasing its efforts to work with and through American authorities to investigate American targets, which may bring increased scrutiny to companies with an EU web presence.
If we look at India for a moment, the Indian outsourcing industry stands at over 150 billion USD, contributing nearly 9.3% to the GDP. More than 100 billion USD of its revenue comes from overseas, largely attributed to cross-border data flow, most of it from Western countries and the European Union (EU). With factors like data privacy and security becoming important determinants in outsourcing, the global landscape of data flows is likely to be impacted.
Other industries you may not think about, such as airlines, car rentals and hotels that allow booking over the internet, may be impacted. Will the HITECH Act fines become the harbinger of much larger fines to come? Which countries will cooperate with the EU, and which might get banned? Would banning nations from doing business with EU citizens force compliance? Would “content filtering” the internet for offenders cause a large disruption in their business? These are the questions we may be facing in 2018 as the compliance law goes into effect on May 25, 2018.