In this Corporate Counsel article, Orrick attorneys Renee Phillips and Shea Leitch discuss the emerging issue of cybersecurity whistleblowing. The authors discuss scenarios in which cybersecurity whistleblowers may step forward and how a company can best address complaints internally and mitigate the potential of regulatory scrutiny. Click here to read the full article.
In this Law360 article, Orrick attorneys Renee Phillips, Aravind Swaminathan, and Shea Leitch explore the rise of the cybersecurity whistleblower. The article examines the DOJ’s investigation, prompted by a cybersecurity whistleblower, into whether Tiversa Holding Corp. provided false information to the Federal Trade Commission about data breaches at companies that declined to purchase its data protection services. Click here to read more about the growing trend of whistleblower-initiated regulatory investigations and what companies can do to protect themselves against this growing risk.
Earlier this month, the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR) announced that it had entered into a settlement agreement with St. Elizabeth’s Medical Center (SEMC) in Brighton, Massachusetts. Pursuant to the non-admission settlement, SEMC agreed to pay $218,400 and enter into a one-year Corrective Action Plan (CAP) to settle allegations that its employees violated the HIPAA Security Rule by, among other things, storing electronic protected health information (ePHI) in a cloud document sharing application. Covered entities and business associates that increasingly leverage cloud services for storing and managing Electronic Health Records (EHR), and ePHI more generally, should take notice of this development for a number of reasons. First, it underscores the importance of conducting security assessments on, and evaluations of, cloud services before allowing employees to use them to manage ePHI and EHR. Second, it demonstrates the need to create and enforce clear policies prohibiting use of unapproved and untested cloud services. Finally, the settlement appears to have stemmed from an employee whistleblower and highlights how such whistleblowers will become more prominent considerations in cyber and data security investigations and enforcement actions.