The Department of Health and Human Services, Office of the National Coordinator for Health Information Technology released its final rule on Information Blocking as part of the 21st Century Cures Act in May. Implementation of the HHS Final Rule on Information Blocking Begins November 2. The HHS Final Rule on Information Blocking concerns the

Key Point: The SHIELD Act increases the statutory penalties for knowing and reckless violations of the State’s data breach notification law. It also authorizes the NY Attorney General to pursue injunctive relief and monetary penalties against persons and businesses who fail to implement reasonable safeguards to protect New York residents’ private information.

On July 25, 2019, New York Governor Andrew Cuomo signed two bills related to data privacy and identity theft. In our June 24 post, we summarized the contents of the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act). The second signing was the Identity Theft Prevention and Mitigation Services bill. Highlights of the laws’ requirements and effective dates are described below.

More and more frequently the following question arises: “What do we do about personal, sensitive, and business information owned by or residing with a financially troubled company?” Information is an intangible asset and often has significant value. Information increasingly resides with a party other than the owner and may need to be transferred in unexpected ways. Unfortunately, the thinking about this question often arises after financial distress is readily apparent, such as after a bankruptcy filing. Planning should occur much earlier, whether for the business in distress or in dealing with a business that could suffer financial distress (hint 1 – the latter is every business).

I’m here at RabbitHole, Inc., talking with the company’s Manager of Money in his office, which is buried in the Facilities Department, down in the building’s basement. I’m interviewing him to get a better sense of how RabbitHole manages money as a corporate asset.

Pardon my asking, but how much money does RabbitHole have?

“Frankly, no one knows – we don’t really keep track of that. We have boxes of paper currency stored off-site, but as for ‘active’ money, our employees keep that pretty much wherever they choose – in the network money systems, in their individual offices, in mobile wallets, and probably some stashed at home.”

But isn’t that your job? I mean, your title is “Manager of Money,” right? 

As we anticipate the calorie-bomb of Thanksgiving dinner, let’s face it – litigation preservation is overweight, obese, and corpulent, torpidly dazed in a fat/sugar coma of way too much data. But effective Dec. 1, amended Rule 26 of the Federal Rules of Civil Procedure strikes back, limiting the scope of discovery to what is “proportional.” Will the amended rule tip the scales toward leaner litigation preservation, or is this simply another FRCP fad diet, doomed to fail?

In the late 1500s, privateer and explorer Martin Frobisher embarked upon a journey that would net him fame—Frobisher Bay is named for him—but not much fortune. His travels took him to what is now Canada, where he claimed Baffin Island for the Crown because of the vast amounts of gold he found there. He was so convinced he had found great riches that he continued to make multiple trips with increasingly more ships to mine and send the ore home for safekeeping. Queen Elizabeth I even ordered quadruple locks in the Tower of London to guard the trove.

Unfortunately for all, however, what Frobisher had so diligently worked to procure, transport, and store was nothing but iron pyrite—fool’s gold. Once it was discovered that his cache was not real gold, an Italian alchemist was engaged to work his magic and transform the worthless rocks into the gold everyone desired. Needless to say, he was unsuccessful.

I was reminded of this story while attending the Information Governance Conference recently in Connecticut.

When a judge hears that documents no longer exist due to a company’s retention schedule, it feels like we’re transported back to grade school, with a sheepish pupil making lame excuses about “disappearing” homework. Courts can seem skeptical, even disdainful, about retention schedules. As the U.S. Supreme Court characterized them in Arthur Andersen LLP v. United States, “’Document retention policies,’ which are created in part to keep certain information from getting into the hands of others, including the Government, are common in business.” The tone is noblesse oblige, as if businesses follow an odd, quaint practice of having retention schedules, which should be grudgingly acknowledged before moving on to the court’s more important consideration of the preservation duty and discovery sanctions.

Ironically, the courts have retention schedules too. Yep, this notion of destroying records pursuant to a retention schedule is not unique to “business” – the trial judge at a spoliation hearing is governed by the court’s own records retention schedule, which classifies records by content type and prescribes records disposition, including destruction.  And the court also has a records management program, with one of its purposes being the appropriate disposition of records when they have served their purposes.

A busy examiner, working on 15-20 other cases, sets a file aside in the “delayed/pending” queue while awaiting information, and a gun is sold and nine people died. A utility transferred responsibility for recordkeeping functions to its distribution business unit, files containing information about pressure and strength tests were not kept current, and an explosion kills eight. Computer files are accidentally deleted from an Airbus plane and three of its four engines shut down, causing a crash that kills four.

What do these seemingly disparate events have in common?

Old-school company intranets are like soooo boring. Why not juice things up? Sure, we’ll keep the one-directional content (employee policies, company announcements, etc.), but let’s add a dynamic platform for employee interactive training modules, capturing employee responses and quiz results. Why stop there – how about a message board for employees, to turn dull company communications into an energized conversation? And in today’s mobile world, shouldn’t we enable remote access from anywhere our employees happen to be, 24/7? What could possibly go wrong?

Well … a whole lot will go wrong, unless the company first applies an information governance perspective. So let’s ask a few questions to explore what information risks and compliance issues are at play.

Ineffective wireless encryption

Taped-over door lock on data room

Inadequate passwords

Computers without adequate log-off

Disabled audit logging

Unencrypted email and laptops

Former employees with inappropriate network access

These vulnerabilities and more (a total of 151) were found at seven large hospitals during a round of audits by the Department of Health & Human Services. Although these vivid examples point to hospital systems, HIPAA applies also to many other types of covered entities and business associates including, of course, physician practices. These non-hospital providers are most likely even more vulnerable to such lapses as they are less likely to have dedicated information technology staff, legal departments, and formalized record-keeping practices.