October 16, 2016

HIPAA Privacy Officer and Security Officer: Too Much for One Person?

Perhaps your organization is becoming a HIPAA covered entity or a business associate for the first time, and you now understand that your organization will have to comply with HIPAA. One of your first, and most important, tasks will be to designate a Privacy Officer and Security Officer.  This post describes some considerations you should think through when making this decision.

One person or two?
The HIPAA Privacy Rule requires that a privacy officer be designated, and the HIPAA Security Rule requires that a security officer be designated.  It is legally permissible to designate one person for both roles or to split them.  You'll need to decide whether to combine or bifurcate these roles.  

First, you need to decide whether you have one person within your organization who has the capabilities required for both roles.  The Privacy Officer is responsible for understanding who is allowed to access protected health information (PHI), and will need to answer questions about practices, address requests for information, and handle training and monitoring of other staff. The Security Officer is primarily focused on protecting electronic protected health information (ePHI) from unauthorized access (e.g., implementing the Security Rule's administrative, physical, and technical safeguards, such as access controls and encryption). If the person you would prefer to designate as the Privacy/Security Officer does not have an understanding of the technological aspects of protecting ePHI, there are two solutions: (a) designate someone with the technological understanding to be the Security Officer, or (b) instruct someone with the technological understanding (either inside or outside of the organization) to assist the Privacy/Security Officer.

What is most effective? The benefit of designating two officers is that each can be more specialized, and potentially more effective in their respective areas. However, the risk associated with having two officers is that things that are not clearly just privacy or just security might fall through the cracks if the two do not coordinate well.

What is most efficient? For administrative purposes, it's hard to argue that having one designated officer isn't substantially easier than having two. There is so much overlap in the two areas of responsibility that if you can have one person be responsible for both, it may avoid a lot of duplication of effort. Combining the roles is more common in smaller organizations.

All that said, there's no legally incorrect answer here. Just like the debate over whether a CEO should also be the Chairman of the Board, there are good arguments on either side, and the answer often boils down to the size of the organization and administrative ease.

Can (and should) an organization have more than one Privacy Officer or Security Officer?  Some organizations are both a HIPAA "covered entity" (e.g., healthcare provider or sponsor of an employee health plan) as well as a "business associate" (e.g., service provider to a covered entity). Those organizations will need to decide whether the Privacy and Security Officer(s) they designate for themselves as a covered entity should be the same person(s) designated for purposes of the protected health information they acquire as a business associate.  Generally speaking, an organization's obligations as a covered entity are similar to its obligations as a business associate. With the exception of contractual obligations in business associate agreements, the basic legal obligations are almost identical. (The Security Rule obligations to protect ePHI are basically identical. The Privacy Rule obligations are very, very similar.)  

Generally, I don't think there is a compelling reason to have separate Privacy Officers (or Security Officers) for these two capacities in which an organization might be acting, and I don't believe that is a common practice.  I think it is most efficient to have one Privacy Officer and Security Officer who is responsible in both contexts, and who understands the subtle differences in those contexts.  Organizations that find themselves acting as both a covered entity and a business associate should be aware of the distinctions, however, and should have policies and procedures that reflect those distinctions.  Here is one practical example:  Most employees should be shielded from access to PHI that is held by a plan sponsor of an employee benefit plan.  However, within the same organization, far more employees might have a legitimate need to access PHI that the organization holds in its capacity as a business associate of other organizations. 

Once you've made this important decision, you can begin building a HIPAA compliance policy and procedures around the basic structure you've chosen. (Let me know if you'd like some help with that.) - Matt


October 9, 2016

Customer Data: Asset or Liability (or Both)?

Customer data can be a treasure trove for an organization.  Many organizations believe customer and prospect data to be their most valuable asset.  Unfortunately, some have discovered that, unless handled with care, it can also be their greatest liability.

Organizations of all kinds collect, store, analyze, use, and share consumer data for myriad reasons.  Consumer data may help an organization maintain contact with a customer or prospective customer.  Properly analyzed, it can often predict customer behavior, allowing an organization to tailor its communications and offerings.  It can reveal patterns that help increase revenue, minimize expenses, and ultimately drive profitability.  Data can be leveraged and monetized by sharing with affiliated and non-affiliated entities.  Given the immense value of consumer data, it is no surprise that some of the most valuable companies in North Carolina and the world are data analytics firms.

Over the past few years, however, it has become widely acknowledged that such valuable data can also be a liability of the greatest magnitude.  The costs of the largest data security breaches have made headlines.  But these sensational headlines sometimes create the misleading impression that only large organizations incur massive costs, and that the losses are solely attributable to hackers.

The Risks, by the Numbers
One of the best sources of information about risks associated with consumer data is NetDiligence's annual study of "cyber insurance" policy claims.  Although the information is limited to incidents for which the targets had insurance coverage, and is limited to covered losses, it is still an excellent source of data.  The most recent study, covering claims data from 2012 to 2015, showed the average insurance claim amount was $673,767, with average legal fees of $434,354.

Smaller Organizations Face Increasing Risks
In the NetDiligence study, organizations were categorized by size (revenue), which provides some interesting insights.  The smallest organizations represented the largest raw number of incidents, probably due to the fact that there are simply more small organizations than there are large ones.  While the three smallest categories of organizations accounted for a combined 71% of the reported incidents in 2015, they were responsible for only 38% of records exposed.  It was surprising, however, that, according to NetDiligence, some of the largest claims came from smaller organizations.  This may be a result of the smaller organizations being less aware of their exposure or having fewer resources to provide data protection and security awareness training for employees.  By contrast, mid- and large-revenue organizations accounted for only 17% of incidents, but were responsible for 60% of the consumer records exposed.  This seems intuitive, because larger organizations would be expected to have more consumer records, on average, than smaller organizations.

Risks Are Spread Across Industries
The NetDiligence study also reveals a good deal about the source of recent risks.  While risks in prior years were concentrated in certain industries, they are becoming less concentrated year by year.  According to the study, recent losses were more evenly dispersed among business sectors, with healthcare reporting the most at 21% and financial services coming in second at 17%.  In other words, health information and financial data remained the categories of affected data that produced the highest losses, but the majority of losses were incurred outside of these two historically most targeted industries.

Vendors: The Weak Link?
Vendors are a common source of privacy and data security risk.  Vendors include service providers and others with access to an organization's data or systems.  In 2015, 25% of claims were attributable to vendors.  Of those claims, approximately half were hacking incidents, with the other half largely accidental or intentional disclosures.  Another interesting observation is that the vendor events exposed significantly more consumer records than events that occurred at the organization itself, indicating that failures by vendors may tend to be more systemic than failures at the level of the primary organization.

Healthcare providers and other HIPAA-covered entities, financial institutions, and defense contractors have long been required to extract certain contractual agreements requiring security protection from their vendors.  Following the breach of a Target vendor resulting in a massive theft of Target's customer data, organizations of all kinds began imposing contractual privacy, security and, importantly, indemnity terms on vendors, and these terms are sometimes heavily negotiated.

Data Use Violations: A Bigger Risk Than Breach?
Data-related liability in the context of nefarious hackers breaching security systems from foreign lands dominates the headlines, but much less dramatic circumstances lead to large numbers of significant incidents every year.  An analysis of what triggered the losses that gave rise to cyber liability claims in 2015 reveals that targeted security breaches are not the only source of loss.
There were many reported causes of claims, and while the most expensive were malicious hacking attacks, the second greatest cause was the wrongful collection of data—in other words, data use (or "privacy") claims.  Data use violations involve the intentional collection, storage, use, or sharing of consumer information in a way that violates the law, a contract, or an individual's right. 
Organizations and individuals throughout the United States are collecting, using, and sharing data in ways that expose them to liability, often without realizing it.  One of the most frequent violations involves collecting consumer information without consent, followed closely by using consumer information for purposes that were not consented to at the time of collection.

An Ounce of Prevention
Perhaps nowhere else is the axiom "an ounce of prevention is worth a pound of cure" more appropriate than in the context of the modern explosion in the collection and use of customer data.  Preventing a data security- or privacy-related loss involves more than just purchasing defensive technology.  According to reports, simply adopting and implementing good policies and procedures for correctly collecting, storing, using, and sharing data would have prevented a large portion of the reported losses.  Data governance policies and procedures should be carefully crafted and followed, and should cover the following areas:
  • Document retention and data destruction
  • Consumer consent practices and electronic signatures
  • Payment card information
  • Employee email and telephone monitoring
  • Website and application monitoring and advertising
  • Email marketing
  • Telephone and text message marketing
  • Fax marketing
  • International consumers and international data transfers
  • Password administration and limited access
  • Background checks and credit reports
  • Identity theft and "red flags"
  • Employee and consumer health information
  • Educational records
  • Sharing customer information with affiliates
  • Sharing customer information with non-affiliates
The policies should address the following:
  • Designated categories of data based on sensitivity (low risk, high risk, etc.) and business necessity (critical, valuable, low-value, etc.); and,
  • Established guidelines for collecting, using, storing, and sharing various categories of data.

Telling the World
Organizations frequently publish privacy policy statements to inform their customers and others about their privacy practices.  Financial institutions, healthcare providers, and website operators are all required by law to make such statements publicly available.  Many organizations, unfortunately, misunderstand the purpose of this document.  A privacy policy statement is not the same as an internal policy or procedure; it is a public-facing disclosure that should be simple and flexible.
Organizations are often their own worst enemies in misconstruing the purpose of privacy statements.  They frequently draft and distribute privacy policy statements that include lofty language and make promises the organizations are not required to make, only to later fail to fulfill those unnecessary promises, thereby creating unnecessary liability.  Practices that do not live up to the statements made in a privacy policy statement are the number one source of Federal Trade Commission enforcement actions.  

Not If, But When
It is natural for an organization, just like an individual, to hope that it is immune from risks that others face.  If, however, the federal government, the United States military, and major multinational corporations are susceptible to major privacy and data security incidents, your organization probably is as well.  Therefore, it is most reasonable to think of a data security or privacy incident not in terms of "if," but rather "when."

Breaches and intentional, but unauthorized, data disclosure events trigger reporting obligations to federal and state officials, customers, and sometimes the media, and often result in regulatory enforcement actions and litigation (including class action lawsuits).  There are, however, steps that an organization can take to prepare for such unwelcome events and that can help mitigate resulting losses.  Two of the most important steps an organization can take are:
  • Purchase cyber insurance; and,
  • Adopt a breach response plan.
Cyber insurance is a term that refers to a category of insurance policies that transfer, in return for the payment of a premium, some of the financial risk of a data security incident to an insurance company.  Cyber insurance policies are not standardized, and they vary dramatically in the scope of coverage.  For example, the direct loss of funds from a hacked bank account is almost never covered by a cyber insurance policy, but many potential liabilities and defense costs can be covered.  It can be helpful to have the assistance of a knowledgeable attorney when evaluating cyber insurance coverage options.

Having an incident response plan in place is always a good idea.  Once an incident has occurred, the required timeframes for reporting the incident and mitigating any resulting harm can be very short (sometimes less than a week).  Having a plan in place, and a designated team ready to implement the plan, can make a tremendous improvement in your organization's response and potentially limit losses associated with the incident.  Additionally, incident response assistance (such as forensic computer expertise, call centers, printing and mailing services, and public relations) can be vetted and prices negotiated in advance, with potentially massive savings.

Ready or Not, It's Time
Complying with privacy laws, mitigating risks, and preparing for the possibility of a loss may seem daunting.  Given the scope and magnitude of the risks, however, it is simply a necessity in today's environment.  The task is manageable with some professional guidance, and the peace of mind that preparation can bring is well worth the effort.


Matt Cordell is the leader of the Privacy and Information Security practice group at Ward and Smith, P.A., a full-service law firm with five offices and approximately 100 attorneys across North Carolina.  He is a Certified Information Privacy Professional (CIPP/US) and a member of the International Association of Privacy Professionals.  Matt is also the chair of the NC State Bar privacy and information security specialization exploratory committee. 


August 28, 2016

Need to Raise Investment Dollars for Your Company? New(ish) Rule 506(c) May Be Your Best Bet!

Anyone who has been paying attention lately knows that there are some new ways to raise money from investors. State crowdfunding laws and SEC rule changes have opened up opportunities that have not been available in more than eighty years. Importantly, new Rule 506(c) gives companies the ability to solicit the public for investment without registering a public offering, subject to some important limitations, such as verification that investors are accredited. Often companies will find Rule 506(c) to be more flexible and attractive than crowdfunding or a traditional Rule 506(b) offering.

Two of my law partners and I recently spoke about these changes in a webinar hosted by the Stafford Group. If you would like to view the (79) slides from our presentation, please send me an email message: mac@wardandsmith.com.

July 8, 2016

North Carolina Adopts A Virtual Currency Statute

House Bill 289, passed by the General Assembly this week, re-writes the Money Transmitters Act and includes a new concept of Virtual Currency.  The North Carolina Commissioner of Banks will soon be regulating those who engage in Bitcoin transfers as a business.  Here's my short video:

Matt Cordell is a finance attorney with offices in Raleigh, Greenville, New Bern, Wilmington and Asheville, North Carolina.

July 5, 2016

Business Associates Beware! The Feds Are Coming!

If your organization is a business associate of a HIPAA covered entity (such as a health care provider or employee health benefit plan), you should know that the Department of Health and Human Services' Office of Civil Rights (OCR) is actively pursuing business associates for alleged privacy and information security violations.

This past week, Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) agreed to settle with OCR in an amount that came to more than $15,000 per patient!

This announcement comes just months after the launch of the second phase of OCR's much-anticipated audit program for business associates. Rather than awaiting reports of violations, the OCR is actively auditing business associates.

READ THE FULL ARTICLE ON MY OTHER BLOG: Business Associates of HIPAA Covered Entities Beware!

Matt Cordell is a North Carolina lawyer with expertise in HIPAA and health care privacy and information security. 

July 4, 2016

North Carolina (Finally) Passes Crowdfunding Law

Just days ago--on June 29--the North Carolina General Assembly passed a crowdfunding bill, which the Governor is expected to sign shortly.  What does this mean for North Carolina businesses and North Carolina investors?

(If the crowdfunding concept is new to you, first read my overview here: Crowdfunding Law Made Simple.) 

The North Carolina General Assembly approved the Providing Access to Capital for Entrepreneurs and Small Business Act (PACES Act), which is similar to crowdfunding statutes adopted in other states.  The PACES Act was one of two leading crowdfunding bills that cleared the House in 2014; the other, the N.C. JOBS Act (a state bill, not to be confused with the federal JOBS Act discussed below), was unable to get a vote in the Senate during that session of the General Assembly.  Although the prospects of getting a crowdfunding bill through in the short session of the General Assembly seemed slim, the PACES Act made it over the finish line during the final week of the session. 

The PACES Act will allow North Carolina companies to raise up to $1,000,000 in any 12-month period from investors who are North Carolina residents.  Companies will be required to provide a business plan, financial information, and a description of risks.  The limit will be increased to $2,000,000 if the company provides audited or "reviewed" financial statements to investors. 

Companies will be permitted to publicly advertise the offering through a website, marketing materials or a third-party portal, after filing a notice and disclosures with the N.C. Secretary of State and paying a very small fee. 

Non-accredited investors are limited to investing a maximum of $5,000 in any one company's offering (during a 12-month time period).  Accredited investors may invest as much as they wish.  (Accredited investors are essentially those who have a net worth of $1,000,000, excluding equity in their primary residences, or $200,000 in annual individual income. Congress and the SEC think that accredited investors are less vulnerable to fraud.)  Companies that raise money via crowdfunding will still have to disclose the business model, financial targets, offering terms and projected returns to investors.  Funds will be held by an escrow agent until the offering is complete. 

North Carolina's crowdfunding statute is an alternative to federal crowdfunding.  The federal JOBS Act (Jumpstart Our Business Startups Act), enacted on April 5, 2012, required the SEC to write regulations to implement many of its various provisions.  It took the SEC more than three years to finalize rules to implement Title III of the JOBS Act, known as the "crowdfunding" section of the law.  (Those rules were published in October 2015.)  Largely due to frustration over the SEC's laggardly pace, some states enacted crowdfunding laws to permit limited offerings to investors within those states.  After the SEC's crowdfunding rules became effective, some speculated that state crowdfunding rules would no longer be needed.  North Carolina's PACES Act, however, continued to advance through the legislative process, and will become law in a matter of days.  (Credit goes to Mark Easley, Benji Jones, John Skvarla, and others for pushing it through.)

Companies have multiple options for raising investment dollars from "the crowd," and those options should be carefully considered in order to maximize the benefits and minimize the effects of the various restrictions.  Often, federal crowdfunding or Rule 506(c) offerings will be advantageous, but state crowdfunding may also have its place.  A knowledgeable securities lawyer can help you make the right decision.

For more information, see my overview of crowdfunding options here, as well as my law partner Jim Verdonik's blog, Entrepreneur Intersection, and his comprehensive book on the subject, Crowdfunding: Opportunities and Challenges.

This blog post is written by North Carolina securities lawyer Matt Cordell and is for general educational purposes only; it does not constitute legal advice. Consult a knowledgeable, licensed attorney before relying upon the information in this blog post. 

 Matt Cordell is a Raleigh, North Carolina lawyer with expertise in crowdfunding, capital raising, mergers and acquisitions, startups, corporate matters, banking law and privacy law. Matt has consistently been rated one of the best lawyers in North Carolina.

July 3, 2016

North Carolina Adopts A More Efficient Assumed Business Name (or "D.B.A.") Process

This past week, the North Carolina General Assembly adopted a bill to streamline the process for filing assumed business names (more commonly known as "D.B.A.s"). 

Under current law, any organization that does business using a name other than the registered legal name of the entity as shown on the Secretary of State's website is required by law to register the name under which it operates (the assumed business name) by filing a Certificate of Assumed Name in each county in which it does business.   
In today's world, this is an inefficient system.  It requires duplicative registrations.   Not all counties provide access to records via the internet.  Often it is unclear in which county an assumed business name might be filed, requiring multiple searches. 

For example, let's say you are trying to learn some basic information about a company, or to serve a company with a formal communication.  The company calls itself "ABC Widgets" and is active throughout North Carolina.  You will first check the Secretary of State's database of domestic and foreign companies authorized to do business in North Carolina.  If ABC Widgets does not appear, it is for one of two reasons: (i) the company is organized in another state and has simply failed to register in North Carolina before doing business here, or (ii) "ABC Widgets" is merely an assumed business name of an entity.  If "ABC Widgets" is an assumed business name of the entity, you will need to know the entity's legal name in order to look up the information you need.  You will check the records of the Register of Deeds of the county within North Carolina where you believe ABC Widgets to be doing business.  However, ABC Widgets may not have registered an assumed name in that county, instead registering in one of North Carolina's other 99 counties.  You may have to check the records of several counties in order to find a registration of an assumed name, after which you will again check the Secretary of State's database for the information you need.  Clearly, the system could be improved. 

The new legislation, known as the "Assumed Business Name Act," will create a central registry of all assumed business names to be administered by the Corporations Division of the Office of the Secretary of State.  The bill has an effective date of July 1, 2017, if the Secretary of State’s office receives sufficient funding to implement the new system. Funding is apparently addressed in the recently adopted state budget. 

The bill also improves the existing language of the assumed business name statute, getting rid of some awkward language regarding "ownership" of an assumed name.

You can read the full text of the legislation here.

Matt Cordell is a business lawyer in Raleigh, North Carolina, with offices in Wilmington, New Bern, Greenville, and Asheville. 

June 27, 2016

A Great Honor And A Greater Responsibility

Going to the NC Bar Association Gala

One of the best pieces of advice I have received in my professional life was when Knox Proctor took me to lunch during my first week as a lawyer and suggested (okay, insisted) that I become actively involved in the North Carolina Bar Association "because it's the right thing to do."  I promptly signed a volunteer form and was placed on a committee of the Young Lawyers Division.

Nine years (and hundreds of volunteer hours) later, I find myself leading the more than 6,400 members of the Young Lawyers Division of the North Carolina Bar Association.

What an honor and a tremendous responsibility it is to lead such an incredible group of people. The young lawyers who make up the YLD's leadership team and active volunteer committee members truly represent the best of our profession. They are smart, hardworking, selfless people who are giving of their time and talents, and are leading our members--thousands of lawyers and law students--to achieve some remarkable things.  They are giving their scarce time (and abundant talents) to provide wills to first responders, scholarships to the children of fallen law enforcement officers, assisting veterans, helping victims of natural disasters, amassing 300,000 lbs of food for the hungry...and the list goes on and on.

I am the 62nd chair of the Young Lawyers Division, which was established in 1954 by Charles Blanchard.  Although we have grown from five to 6,400, our mission has changed very little.  We continue to serve the public, serve the legal profession, and provide leadership opportunities and training to young lawyers. 

L-R: Deyaska Spencer Sweatman, Jason Walters, Matt Cordell, Cabell Clay, Rachel Blunk, Martha Bradley, Kristen Kirby, Brooks Jaffa, Harrison Lord, and Bryan Norris.

The YLD is where the future leaders of the NC Bar Association, the state, and the nation gain valuable leadership experience. This is evident from a quick look at the accomplishments of the prior YLD chairs: Seven have become presidents of the NCBA, and an eighth is the president-elect.  One became president of the American Bar Association.  Two became president of the State Bar.  Two more took the helm of Legal Aid.  A significant number went on to hold public office.  Again, that's just the prior Chairs. Scores of other YLD officers, directors and committee chairs honed leadership skills in the YLD that propelled them on to great things later in life.  I am absolutely confident that our current leaders will be the future leaders of the state of North Carolina.  Many of them will quickly eclipse my own accomplishments--of that I am certain.

I look forward to working this year, for the tenth year, with some of the finest young lawyers in the world.


June 14, 2016

New NC Law Enhances Student Privacy Rights and Restricts Providers of Online Educational Resources


Education technology (or "EdTech") organizations will want to pay close attention to a new North Carolina statute that was signed into law a couple of days ago.  On Thursday, June 9, 2016, a new law titled "An Act to Protect Student Online Privacy" was enacted to further protect the privacy of K-12 students in North Carolina.  It becomes effective October 1st...

Read the rest of this post on the NC Privacy and Information Security Law blog: http://privacylawnc.blogspot.com/2016/06/NCEdTech.html

May 31, 2016

Another Setback in U.S. - European Commerce: Regulator Rejects the Privacy Shield Agreement

Yesterday, the European Data Protection Supervisor (EDPS) delivered a crushing blow to the proposed EU/US Privacy Shield, sending U.S. and European negotiators back to the drawing board. I posted my initial analysis on the NC Privacy and Information Security Law Blog here:


If you do business with Europeans, you should be following this legal saga with interest.