07 apr 2016

Does the New Era of Mega-Leaks Pose Reputational Risk to HIPAA Regulated Companies?

On Sunday, more than a hundred media outlets around the world, coordinated by the Washington, DC-based International Consortium of Investigative Journalists (“ICIJ”), released stories on the “Panama Papers”, which is an exposé of private client emails and other files.  More than 5 million emails and files were stolen from within the IT systems of the professional services firm Mossack Fonseca. World leaders and U.S. business people have become targets as a result of the exposed data.

There is no doubt, from reading the whirlwind of press on the “Panama Papers”, that the majority of this correspondence would have been considered personally identifiable information or non-public personal information had this involved information covered by HIPAA or other consumer data protection regulations.  It is also likely that the person who provided the trove of data to the press violated a corporate non-disclosure agreement or committed an Internet crime.

But for health care professionals, insurance companies and their agents and brokers, or business associates, in today’s environment of massive and immediate dissemination and worldwide (Internet) publication of exposed confidential information, does that really matter? Once exposed, the cost of your firms’ reputational damage is most expensive and for some, of greatest concern.

RPost recently invited Compliancy Group to join in a recent educational web briefing for insurance executives and health care practitioners governed by HIPAA data privacy regulations.

In that session, 36% of attendees reported the greatest concern about a data breach (HIPAA compliance) was the reputational damage. This surpassed concern about the cost of fines associated with a data beach, cost of managing compliance, and far outstripped concern of the fact that exposure of client data may embarrass clients.

With the “Panama Papers”, an anonymous “whistleblower” was able to secretly send journalists the massive set of emails and files which were then circulated to more than 400 reporters in secret over more than a year, before a coordinated effort to go public, according to ICIJ. The whistleblower and the ICIJ that coordinated the effort took great care to use encryption to mask their correspondence, according to Wired Magazine.  In this case, it appears the whistleblower’s intent was to expose heads of state private financial dealings.  In other data leak cases, it has been to use information to request ransom from consumers who wish to prevent their private data from being exposed.

Who might the hacker or party to have stolen the data have been in this case?

Perhaps this was a hacker that gained access to the firm’s IT systems. Or, perhaps this was a disgruntled IT staffer, consultant, or outsourcer that copied the database of files before leaving the firm, and then sold it to some third party. How much did they sell it for? $10,000? $100,000? $1 million? Whatever the price, the reputational damage to Panamanian law firm Mossack Fonseca and its clients is far greater.

In these scenarios, it is important to remember that plain text email correspondence can be exposed in route in many ways, and certainly on a company’s mail servers, anyone with access can read these messages at will.

Let’s assume IT staffs are loyal and committed to using best efforts to protect their employees and employers, and as such, they often go the extra step of setting up encryption at the mail gateway – – so everything leaving the firm is encrypted when it hits the Internet. We know, however, that they often cannot control what happens to your message upon receipt at the recipient destination, and often it is out of their control if email archives store messages and attached files unencrypted and are somehow accessed by an unauthorized person.  The “whistleblower” treasure trove, as we may find out from Mossack Fonseca, may have been the email archive (in house or outsourced) database containing the unencrypted messages before sent at the mail server (before reaching the Internet) and after received (from senders by the mail server and perhaps decrypted by the mail server).

Whatever the source, the important learning is to consider what might one do when one needs to communicate with one’s client or among staff with sensitive client matters? We suggest trust no one, and use “Outbox-to-Inbox” email encryption rather than “network-level” or “policy-based gateway” encryption, if your information is sensitive to the highest degree.

RMail encryption calls this “Outbox-to-Inbox” email encryption “Executive Mode” encryption and recommends use for those dealing in merger, acquisition, corporate litigation strategy, private client wealth management, and personal health matters; matters that one would like to shield from their IT staff or the IT staff at the recipient.

RMail® Executive Mode encryption encrypts the message locally in the sender’s Microsoft Outlook program at the sender’s desktop or device, and ensures encrypted delivery straight through to the recipient’s desktop; securing from the potential of data breaches both within the sender’s in-house or outsourced email system, and external while in transport across the Internet and within the recipient’s email system. This also provides for letting the recipient encrypt replies without having RMail at their end.

With RMail® Executive Mode encryption, the message and all attachments remain encrypted within the recipient’s email inbox, and are printed and encapsulated inside a PDF file, readable after decrypting in one’s PDF reader (outside of the inbox) and if saved, remain saved in encrypted file format unless the recipient extracts the attachments and chooses to use them as normal files. This end-to-end encryption uses a 256-bit AES encrypted PDF wrapper to keep one’s message and any attachments private from start (while sitting in outbox) to finish (even while sitting within their inbox), so only one’s recipient can read them.

There are other ways to do something similar, using PKI or PGP encryption, but in each of these methods, depending on how deployed, the message is decrypted in the recipient’s inbox and remains so, are usually too complicated for normal senders and normal recipients to use, or requires special software at the recipient end which introduces more complexity.

Would RMail® Executive Mode encryption have protected Mossack Fonseca clients from this mega leak? It may have. It certainly should have at least been an option in the toolkit to protect private client information in this new era of mega leaks.

Attorney Keith Lee contributed to this article. Keith Lee writes about professional development, the law, the universe, and everything at Associate’s Mind. He practices law in Birmingham, AL. 

Share: