Client Alert: How “Shadow IT” Cost Horizon $1.1M Settlement with New Jersey
The New Jersey Attorney General recently reached a settlement with Horizon Blue Cross Blue Shield of New Jersey (“Horizon”) related to a data breach in which unencrypted laptops went missing. The complaint includes a number of allegations that highlight the importance of following through on remediation after a breach, and being mindful of unsanctioned IT functions. Before you dismiss this action as “just another encryption case,” take a look at the more interesting allegations.
Specifically, the New Jersey Attorney General alleged the following:
- A “shadow IT” function arose within the company's marketing area, including the purchase, use and maintenance of MacBooks outside the purview of Horizon's IT group. These laptops were not encrypted, in violation of company policy.
- The laptops went missing during an office move, and a subsequent forensic investigation suggested SSNs and other data regarding almost 690K NJ residents were affected.
- The lack of encryption was contrary to prior public statements made by the company following a previous data breach. Horizon had claimed that all of its PCs were encrypted and employee training was undertaken so employees had “a complete understanding” of the need for such encryption.
- Multiple (as in dozens of) violations of HIPAA, most notably lack of audit logs, failure to determine that workforce access to PHI was appropriate, and (of course) lack of encryption.
- Violation of the New Jersey Consumer Fraud Act because the inadequate security measures and HIPAA violations constituted an unconscionable commercial practice.
- Further violation of the New Jersey Consumer Fraud Act because the company's statements regarding its security measures were false promises and misrepresentations.
Importantly, the company's prior statements about encryption and other remedial actions it took after a prior breach were used against it in this complaint. This outcome stresses the importance of rigorously following through on planned remediation after a breach (or a risk assessment - compare this outcome to the line of cases coming out of OCR regarding risk analyses and failure to mitigate identified risks over time).
The settlement also highlights the importance of discouraging and managing against shadow IT functions within an organization's business areas, which too frequently operate outside a company's security program. That disregard for corporate policy can (and in this case, did) have very serious monetary and reputational consequences.