Utilizing NIST Safeguards to reduce liability under the Stored Communications Act

With remote working and devices being interconnected, it is imperative to appreciate the implications of accessing electronic information without consent, even if it’s a spouse. Importantly, passwords and consent should not be given to a spouse, partner, or roommate. If a person works in a sensitive field such as healthcare, law, accounting, or finance for example (not to mention government employees and contractors), then setting boundaries that adhere to a plethora of laws and professional obligations should be implemented. As an aside the application of providing access to electronic communications that are part of work, even personal archived emails, social media, or smart phones that are accessed without consent are subject to violating a variety of laws including the Computer Fraud and Abuse Act (1986), which enables individuals to use this federal criminal law to sue others for civil claims based on unauthorized access, as well as other laws explained below.

A recent example that brings the significance of not securing information to light is the 25 page indictment brought by federal prosecutors against Seth Markin who allegedly stole from his then-girlfriend, an associate at a prominent law firm who was working at home during the pandemic on an acquisition deal related to a major pharmaceutical company’s acquisition of a therapeutic company. Additionally, the U.S. Securities and Exchange Commission also filed insider trading charges against Markin and one other person.

Enacted in 1986, the Stored Communications Act, 18 U.S.C. §§ 2701, et seq. (SCA) has a primary purpose that is analogous to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule - to protect the privacy and unauthorized disclosure of stored electronic communications. While HIPAA is specific to protected health information (PHI) and the Security Rule is limited to electronic protected health information (ePHI), the SCA extends to stored electronic communications. As the U.S. Department of Justice explains, “[e]lectronic storage is defined in 18 U.S.C. § 2510(17) as both any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof and the storage of such communication by an electronic communication service for purposes of backup protection of such communication.”Like HIPAA, which extends beyond external hackers, so does the SCA. In Ehling v. Monmouth-Ocean Hospital Service Corp., No. 2:11-cv-03305 (WJM) (D.N.J. Aug 20, 2013) the District Court for the State of New Jersey held that non-public Facebook posts, which are configured to be private are indeed covered under the SCA because they are:

• electronic communications;
• transmitted via an electronic communication service;
• in electronic storage; and
• not accessible to the general public.

Although the court recognized and applied the “authorized user” exception – one of two exceptions in the SCA, caution should be taken regarding if the person providing authorization has the authority or right to do so. Also, if a person’s Facebook or other social media is linked to an email, separate permission is needed for each application. Also, as lawyers appreciate potential clients may reach out through private social media or a colleague may send a link to an article and reference a case that is been worked on. Regardless of whether the person gave the roommate or spouse permission, professional rules and other laws dictate otherwise.

The HIPAA Security Rule has Security Standards (45 CFR § 164.306(b)). As HHS reinforces in a bulletin, “[t]he Security Rule is clear that reasonable and appropriate security measures must be implemented, see 45 CFR 164.306(b), and that the General Requirements of § 164.306(a) must be met.” The task of addressing the changing cybersecurity landscape on both a professional and a personal level may seem daunting and, in some ways, it is. Here are some compliance tips, which can be used in healthcare, a variety of other industries, and personally:

1. NIST is a great resource and utilizing its standards may mitigate liability. I always recommend SP 800-53 (rev. 5 is the current version), as well as a HIPAA specific one. “NIST’s new draft publication, formally titled Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide is designed to help the industry maintain the confidentiality, integrity and availability of electronic protected health information, or ePHI. The term covers a wide range of patient data, including prescriptions, lab results, and records of hospital visits and vaccinations.”
2. Adopt a Remote Worker checklist for working from home and traveling. Some fundamental items are: (1) secure WiFi at home and when traveling (use a hotspot); (2) ensure that if you are syncing your Apple products (or other devices and software) that your private messages are not connected to another person’s account – whether family, friend, or colleague; (3) educate yourself and understand how your private messages on social media may end up being looked at by a spouse, roommate, or child (hint: if you get alerts know where the alerts are going and who has access to your phone, tablet, or email account); (4) set policies and procedures and have workforce members and contractors review and sign off on them, so they understand the potential legal liability that may come with sharing information; and (5) if you are a small business (or even a one person physician practice or law firm), have your disaster recovery plan as well as incapacity plan in place and pick a trusted person and have the information in a safe deposit box to be accessed only when needed.
3. Training is critical. Workforce members should also be educated as part of cybersecurity and HIPAA training on social engineering, phishing, and wrongful disclosure of both PHI and personally identifiable information.

In sum, there is a lot to digest. Approaching one’s business and personal life from a risk mitigation standpoint can help avoid significant liability, especially during an unforeseen change in circumstances, just as the recent indictment referenced herein substantiates.

Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.