With remote work and interconnected devices, it is imperative to appreciate the implications of accessing electronic information without consent, even when a spouse is involved. Importantly, passwords and consent should not be given to a spouse, partner, or roommate. If a person works in a sensitive field such as healthcare, law, accounting, or finance (not to mention government employees and contractors), then boundaries that adhere to a plethora of laws and professional obligations should be implemented. As an aside, providing access to electronic communications that are part of work, or accessing even personal archived emails, social media, or smartphones without consent, can violate a variety of laws, including the Computer Fraud and Abuse Act (1986), a federal criminal law that also enables individuals to sue others for civil claims based on unauthorized access, as well as other laws explained below.
A recent example that brings the significance of not securing information to light is the 25-page indictment brought by federal prosecutors against Seth Markin, who allegedly stole from his then-girlfriend, an associate at a prominent law firm who was working at home during the pandemic on a deal related to a major pharmaceutical company’s acquisition of a therapeutic company. The U.S. Securities and Exchange Commission also filed insider trading charges against Markin and one other person.
Enacted in 1986, the Stored Communications Act, 18 U.S.C. §§ 2701, et seq. (SCA) has a primary purpose that is analogous to that of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule: to protect the privacy of stored electronic communications and prevent their unauthorized disclosure. While HIPAA is specific to protected health information (PHI) and the Security Rule is limited to electronic protected health information (ePHI), the SCA extends to stored electronic communications. As the U.S. Department of Justice explains, “[e]lectronic storage is defined in 18 U.S.C. § 2510(17) as both any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof and the storage of such communication by an electronic communication service for purposes of backup protection of such communication.” Like HIPAA, the SCA extends beyond external hackers. In Ehling v. Monmouth-Ocean Hospital Service Corp., No. 2:11-cv-03305 (WJM) (D.N.J. Aug 20, 2013) the District Court for the State of New Jersey held that non-public Facebook posts, which are configured to be private, are indeed covered under the SCA because they are:
Although the court recognized and applied the “authorized user” exception – one of two exceptions in the SCA – caution should be taken as to whether the person providing authorization has the authority or right to do so. Also, if a person’s Facebook or other social media is linked to an email, separate permission is needed for each application. Also, as lawyers appreciate, potential clients may reach out through private social media, or a colleague may send a link to an article and reference a case that is being worked on. Regardless of whether the person gave the roommate or spouse permission, professional rules and other laws dictate otherwise.
The HIPAA Security Rule has Security Standards (45 CFR § 164.306(b)). As HHS reinforces in a bulletin, “[t]he Security Rule is clear that reasonable and appropriate security measures must be implemented, see 45 CFR 164.306(b), and that the General Requirements of § 164.306(a) must be met.” The task of addressing the changing cybersecurity landscape on both a professional and a personal level may seem daunting and, in some ways, it is. Here are some compliance tips, which can be used in healthcare, a variety of other industries, and personally:
In sum, there is a lot to digest. Approaching one’s business and personal life from a risk mitigation standpoint can help avoid significant liability, especially during an unforeseen change in circumstances, just as the recent indictment referenced herein substantiates.
Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.