Sign-Up Opens Soon: Long-Term Care Facility Tabletop Exercise!
UPDATE: Registration for this event will begin Sept. 1st, 2022. If you have any questions, please contact Trudy Henson at thenson@law.umaryland.edu.
On Wednesday, September 21st, 2022, CHHS will host a free tabletop exercise at the University System of Maryland, Hagerstown, for long term care facilities in the Hagerstown/Washington County area. The half-day tabletop, from 8:30 a.m. to noon, will bring together LTCFs from across the community to discuss facility response measures, including topics such as evacuation, infection control, and communication. The tabletop is designed by CHHS’ HSEEP-certified COOP Program Director Eric Oddo and Public Health Program Director Trudy Henson and will be free.
Registration is free and facilities are encouraged to bring up to three staff to participate; registration is required, and space is limited. Anyone interested should contact thenson@law.umaryland.edu.
Concerns over Digital Surveillance Surge in the Wake of Overturning Roe v. Wade
By CHHS Extern Quinn Conlan
Photo Credit: Getty Images
Since the landmark decision Dobbs v. Jackson Women’s Health Organization was released on June 24, 2022, everyone, from Congress to the FTC to the White House, is talking about data privacy and digital surveillance. Reproductive health and wellness apps track a person’s menstruation cycle and ovulation windows as well as predict upcoming cycles. With no constitutional right to an abortion, can the data in these apps be used to prosecute a person for seeking an abortion?
Certain sensitive information is protected by law, such as private health information, which is protected by HIPAA. HIPAA, however, only protects health information that is held by a party subject to the law including healthcare providers, insurance companies, and research labs. In the broader marketplace, health information is only protected to that extent that is agreed between the user and the data-gathering entity. For example, the only protection available to an app user is the app developer’s privacy policy and nothing more. (And as we’ve seen before, privacy policies can be abused by corporations, including reproductive health apps, or compromised by a cyberattack).
With no legal protection for information given to a non-health care provider app (such as a period tracking app), the data collected by the app can be sold, transferred, or subpoenaed, per the privacy policy of that app’s developer or parent company. This collected data can range from what you enter voluntarily (such as the date of your last period) or information you did not willingly supply (such as your location). Legal redress for an app developer surrendering your wellness data to law enforcement is minimal or very unlikely because your health data in the app is not protected by HIPAA, and sometimes even protected health information can be subpoenaed under the right conditions.
The current landscape of protections for health data ultimately leads to the conclusion that the best way to protect your reproductive health data is to not digitize it. Free-to-use apps make their profit off of user data, consequently that data is their most valuable asset. Beyond digital-free tracking with pen and paper, each user must assess the risk of using a period tracking app for themselves.
Some companies have introduced “Anonymous Mode” where the person who input the data cannot be identified by the company. Therefore, if the company is subpoenaed, they are unable to truthfully tie the data to any individual. (Though anonymized data is not as anonymous as you think.)
Other companies are relying on their jurisdiction to protect their users’ data. EU based companies are subject to EU privacy laws, even for their US users, but this does not mean that a US subpoena would be unable to reach that app’s collected data. EU companies are subject to treaty agreements and may have to comply with US criminal investigations. Further, if the EU company uses a US-based processor than that processor will have to comply with a criminal investigation. (See Section 6.1 of this privacy policy, for example which states this to be the case for an EU based company).
Beyond the data stored within the apps themselves, there are many other ways your privacy is at risk digitally. For example, through “geofencing”, where police can identify all cellphones in a given area at a given time. This poses a serious threat to people seeking an abortion because they can be geographically tracked to a clinic, health care provider, or other pro-abortion site even when they are not physically seen entering or leaving the facility. Other data, such as search engine history or unencrypted text messages (like your phone’s SMS messaging) could also put a person at risk of prosecution for seeking an abortion; or even in some States, helping someone find safe medical resources for an abortion.
One immediate legislative solution to protect users’ data would be for Congress to pass a law that protects app users’ health and wellness data from investigation. In June, the My Body, My Data Act was introduced in Congress by Rep. Sara Jacobs of California. The bill tasks the FTC with enforcing privacy protections for reproductive and sexual health apps. Another bill introduced in June by Sen. Elizabeth Warren of Massachusetts, the Health and Location Data Protection Act, would ban the sale or transfer of health data with some limited exceptions. Until these introduced bills become law, however, health and wellness data in apps continues to be at risk of sale, transfer, or subpoena.
Surveillance concerns in the US have only intensified since Edward Snowden’s infamous leak of NSA activity in 2013, and the overturning of Roe v. Wade by the Supreme Court will be seen as yet another evolution in Americans’ fight for privacy. Privacy has continued to erode as more and more Americans data is collected digitally, sometimes for no planned purpose. While this decision raises health and wellness data privacy concerns specifically, it should also act as a warning to Americans that data privacy and protection in general is paramount to upholding liberty.
The Data Privacy Implications of FTC’s Penalty Against Twitter
By CHHS Extern Quinn Conlan
On May 25, 2022, the Federal Trade Commission (FTC) released a statement announcing a $150 million penalty against Twitter for deceptively collecting user data to sell to advertisers. This is not the first time Twitter has been in the FTC hot seat for inadequate data security. Back in March 2011, the FTC alleged that Twitter had failed to use reasonable and appropriate security measures, and failed to honor consumers’ privacy choices, in violation of FTC Act §5.
As a result, the FTC issued the “2011 Order”, an injunction prohibiting Twitter from “misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to nonpublic information and honor the privacy choices made by consumers” for 20 years. In other words, Twitter was not allowed to misrepresent their security systems and privacy policies. The 2011 Order also required the company to establish and maintain a comprehensive information security program, which would be assessed by an independent auditor.
The 2011 Order is legally significant. While it is a settlement, and therefore not an admission of guilt, it carries the force of law for Twitter’s future actions since the company agreed to change its practices for the next 20 years. Which brings us to the FTC settlement against Twitter today, in 2022. The FTC alleges that Twitter collected personal information from its users, including email addresses and phone numbers, claiming it was for security purposes but then discreetly sold that data to advertisers. This misrepresentation is a violation of the 2011 Order.
As a result, Twitter is settling with the FTC for $150 million in civil penalties and an extension of the injunctions first levied against it in 2011. Twitter is now required to “create and implement a privacy and security program that includes privacy risk assessments, detailed privacy reviews for new or modified products, documentation, data access controls, technical measures to monitor unauthorized access, training, and certifications.” This new program would be periodically reviewed by an independent auditor. The 2022 Settlement also requires stricter security measures to protect user data and includes a prohibition from collecting data under the guise of security but really using it for targeted advertising.
While this is certainly more accountability than has previously been exercised by the FTC, is it enough? Many criticize the FTC for punishing big corporations too rarely. Among the general criticisms, these settlements do not hold the executives responsible, the monetary penalty is merely the “cost of doing business” and the settlements do not do enough to deter future bad behavior. Additionally, no total restrictions or bars are placed on how companies can manipulate user data.
The FTC acknowledged these criticisms in their statement and argued that the $150 million civil penalty and directive to create a privacy program will have lasting effects on how large corporations treat user data. In other words, it sets an example. It further emphasized that FTC orders are valuable because they demonstrate the government’s expectations for companies’ adherence to federal regulations. The FTC closed their statement by reiterating its commitment to improving policy over time and adapting to privacy concerns as the digital landscape continues to evolve.
While the FTC’s holding Twitter accountable for its abuse of users’ data for profit is a step in the right direction, there is still much to be concerned about when it comes to consumer data. The FTC orders are purely reactionary, and while the long term goal is a change in corporate culture, the order does not prevent data misuse before it happens. Additionally, the fact that Twitter is a repeat offender demonstrates that these FTC orders are worth breaching if Twitter can make a large enough profit margin off of the advertising sales. Due to frustrations with the federal government’s inability or unwillingness to fight these large companies directly, data privacy law has moved down to the State level with multiple bills being introduced to protect users’ privacy. Only time will tell if agency regulations, State legislation, or Federal legislation will become the foundational legal protection for user data.
Why Critical Infrastructure Sectors Should Provide Data to the Government during the CIRCIA Rulemaking Process
By CHHS Extern Jacquelyn Creitz
More than one year ago, Colonial Pipeline, America’s largest fuel pipeline, which carries 100 million gallons of fuel a day, paid a ransom of nearly $5 million in cryptocurrency. The May 2021 cyberattack that led to the ransom caused Colonial Pipeline to stop operations for 5 days, creating mass fuel shortages along the East Coast. The ransomware attack encrypted Colonial Pipeline’s data, disabling their computer network. Ultimately, Colonial Pipeline paid ransom to the DarkSide ransomware actors in exchange for a decrypting tool that should have allowed the Pipeline to regain access to their data and restart operations. However, the decrypting tool was not fast enough, resulting in Colonial Pipeline using their own data backups to restore their networks, causing the shutdown to last longer than anticipated. Due to the multi-day shutdown, Washington D.C. and 17 states issued emergency declarations, and the federal government, along with state governments and the public, acknowledged the immediate need for law to address how critical infrastructure sectors should handle cyberattacks, specifically ransomware.
Ransomware is a type of malware that encrypts device files, forcing file owners to pay a ransom in exchange for the decryption of their data. According to Homeland Security and Government Affairs Committee Chairman Gary Peters (D-MI), “ransomware attacks have caused significant disruptions to daily life and impose serious economic costs.” According to the FBI’s Internet Crime Report, in 2020 there were 2,474 ransomware complaints from the American public resulting in over $29.1 million in losses. As a result of the increase in ransomware attacks, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was drafted and signed by President Biden in March 2022.
Originally authored in October 2021 by Senator Peters and Senator Rob Portman (R-OH), CIRCIA is a direct response to the uptick in ransomware attacks, including the 2021 Colonial Pipeline attack. CIRCIA requires covered entities to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours after the entity “reasonably believes the incident occurred” and 24 hours after the entity pays a ransomware payment. CIRCIA also directs CISA to define “covered entities” such that the definition includes the 16 critical infrastructure sectors, as stated in Presidential Policy Directive/PPD-21. Since CIRCIA rulemaking by CISA is ongoing, it is likely the CIRCIA will not go into effect for at least a year. However, entities should provide information as requested by the government to ensure CISA appropriately defines and creates rules to prevent ransomware attacks and lessen the threats they pose.
To highlight CISA’s need for entities to provide information to them and to fully comprehend the threat of ransomware attacks, Chairman Peters held a committee hearing on June 7th, 2022. The committee hearing’s purpose was to discuss the need for better data from industry and stakeholders as well as obtain valuable information from industry experts to assist in the quick and efficient execution of CIRCIA.
Expert witnesses at the hearing included Megan Stifel, Chief Strategy Officer for the Institute for Security and Technology, Bill Siegel, Chief Executive Officer for Coveware, and Jacqueline Burns Kovenn, Head of Cyber Threat Intelligence for Chainalysis. All three witnesses applauded the new CIRCIA reporting requirements while also emphasizing the need for consistent data collection from reported ransomware attacks. They also acknowledged the unique nature of ransomware attacks since they are usually financially motivated but may also stem from geopolitical objectives and can pose national security risks. To combat the risks of ransomware attacks, as Ms. Stifel states, “scope and quality of information about ransomware incidents must improve” because this “will better equip governments and stakeholders in developing [an] international strategy to reduce ransomware on a global scale.” Specifically, information obtained from entities reporting ransomware attacks is essential while the CIRCIA is undergoing the rulemaking process. This information will be used by CISA to help create rules and definitions for the implementation of CIRCIA.
The University of Maryland Center for Health and Homeland Security (CHHS) Celebrates its 20th Anniversary
The University of Maryland Center for Health and Homeland Security (CHHS) is celebrating its 20th anniversary. CHHS Founder and Director Michael Greenberger, JD, released the following statement commemorating the occasion:
May 15, 2022: The University of Maryland Center for Health and Homeland Security (CHHS) Celebrates its 20th Anniversary
A Message from CHHS Founder and Director, Michael Greenberger
When we opened our doors on May 15, 2002, we had a single employee (me) and the endorsement and startup funds from the then-President of the University of Maryland Baltimore, Dr. David Ramsay. Today, we have a professional staff of over 30 and we are working on countless public health, emergency management, cybersecurity, and disaster preparedness projects worldwide. In addition to our client projects, CHHS staff is teaching courses, in conjunction with Maryland Carey Law School, in four graduate school programs on crisis management and cybersecurity.
The initial motivation to establish the Center came from the September 11, 2001 terror attacks and our early focus was almost exclusively counterterrorism. However, as time went on, and especially after the devastation caused by Hurricane Katrina in 2005, our mission expanded to dealing with “all-hazards” emergency responses. That is, while we still deal with terrorism-related preparedness and response, our work now also includes assisting state and local agencies, federal departments, foreign countries, public and private hospitals and universities on emergency planning and response. These efforts include the ability to prepare for and respond to catastrophic adverse weather events (e.g., Hurricanes Katrina, Harvey and Irma and Superstorm Sandy); deadly infectious disease outbreaks (e.g., Zika and Ebola); and cybersecurity threats.
Of course, nothing has compared to our present work in responding to COVID-19, which has been of primary concern these last two plus years. Beginning in February 2020, our clients began to ask us to supplement our existing emergency management work to address the pandemic. In so doing, our staff has worked tirelessly with client leadership to write and implement plans and operating procedures to provide emergency public health services nationwide. We helped collect and distribute personal protective equipment and COVID-19 tests. We helped organize and run COVID-19 vaccine clinics. We developed and helped implement plans and distribution centers to fight unprecedented food insecurity challenges among our clients’ constituents. We assisted school systems in navigating the change from in-person to remote learning. We provided policy and legal guidance to organizations as they had to make decisions in real-time regarding evolving CDC best practices. This tremendous and ongoing effort has been one of the Center’s greatest challenges and finest accomplishments.
In addition to our client work, CHHS has grown our academic footprint over the last 20 years. In partnership with the Maryland Carey Law School, we are teaching 25 courses in four graduate degree programs. For JD students and law graduates at Maryland Carey Law, we offer a Cybersecurity/Homeland Security Certificate and courses in a Masters of Law (LLM) degree program. Since 2016, we have had nearly 70 students complete the JD certificate and another 35 currently pursuing it. CHHS also spearheads the online Cyber and Crisis Management tracks of the Masters of Science in Law (MSL) degree program. Since the program’s inception in 2015, more than 130 students have earned their MSL in Cyber and Crisis Management.
Additionally, CHHS has had the honor of expanding our expertise to programs offered at the University of Maryland College Park. Through a Law School partnership, CHHS developed and teaches two courses in the Master in Professional Studies (MPS) in Public Safety Leadership & Administration offered through the University of Maryland’s Office of Extended Studies. CHHS also teaches courses to undergraduate students in the College of Behavioral and Social Sciences as part of the MLAW program, designed to increase collaboration between the two campuses. We are immensely proud of these academic programs and the opportunities they provide for the next generation of professionals in this field.
In light of current COVID-19 case numbers, we are postponing official celebrations, but we hope to mark this important milestone for CHHS in the Fall of 2022 with an in-person event. In the meantime, please take a look at some of our Center’s background and program highlights in the attached slides.
Michael Greenberger, JD
Founder and Director
For more information on the Center, and its current work, please see the accompanying slide deck.
CHHS To Participate in Grant-Funded MPOWER Study on Antiterrorism Laws
The University of Maryland Center for Health and Homeland Security (CHHS), under the leadership of Academic Program Director Michael Vesely, JD, who has been awarded an MPower grant in conjunction with START’s Dr. Michael Jensen. Over the next year CHHS and START will study the efficacy of current antiterrorism laws and evaluate whether additional legislation is needed. For more, visit: http://mpower.maryland.edu
Who is the WHO?
By CHHS Extern Meghan Howie
Amid the COVID-19 pandemic, public entities which the public had previously rarely heard became commonplace. One of these is the World Health Organization. The WHO’s role in public health emergencies is commonly discussed- pulling together a global network of experts and governments to provide guidance and resources to address the situation at hand. Given its central position in the COVID-19 pandemic response, it is important to understand not only its many functions in other efforts but also key pieces of context for its efforts.
This international body connects nations, partners, and people to promote health, keep the world safe, and serve the vulnerable. They were established under the 1948 Constitution. Through a UN body called the International Health Conference in 1946. Some of the 61 initial signatories include China, the US, the UK, Venezuela, Ukraine, Switzerland, Turkey, South Africa, etc. Notably, the WHO was not meant to be housed under the UN. The body exists as its own international organization, and 10 of its original signatories were not UN members.
The WHO has grown since its inception. The principal organs are the World Health Assembly, the Executive Board, and the secretariat. Their governing body, the WHA, is a gathering of delegates from all 194 current member states. This assembly determines policy, budgeting, and administrative actions. The Executive Board is made up of individuals “technically qualified in the field of health” from 32 elected member countries. The WHO constitution authorizes the board “to take emergency measures within the functions and financial resources of the Organization to deal with events requiring immediate action. In particular, it may authorize the director-general to take the necessary steps to combat epidemics and to participate in the organization of health relief to victims of a calamity.” The secretariat, headed by the director-general, is responsible for technical and administrative personnel of the WHO. It also coordinates the efforts of localized branches. Much of the on-the-ground work done by the WHO is decentralized aside from coordination coming from the secretariat.
In addition to participating in the assembly and other leadership positions, member states are responsible for funding the organization. Funding is calculated by taking a percentage of GDP from each member state. Voluntary funds may be contributed above that value by nations. Outside partners may also donate voluntarily. According to 2021 funding spreadsheets published by the WHO, the United States has contributed 22% of the annual budget in 2019-2021. Other significant contributors include the United Kingdom (4.56%), Japan (8.56%), Italy (3.3%), Germany (6.09%), and France (4.43%). The total budgetary contributions of member states totaled 977.9 million USD for 2020-2021.
As for the mission areas of the organization, the WHO is involved in emergency management as well as promotion of access to healthcare for all. This takes on many forms. In times of peace, WHO leads efforts to expand universal healthcare and promote healthier lives. They focus on globalized efforts to address social determinants of health outcomes and expansion of healthcare resources in developing nations. (INCLUDE PROGRAMS AND NATIONS) They are continuously monitoring high-impact communicable diseases which do not constantly make the headlines. The ultimate goal is eradication of such diseases. Through broad data collection, the WHO is a resource for understanding the big picture of the world’s health.
In emergencies, the WHO provides a centralized voice of experts around the world outside of state governments. By uniting scientists in a formalized community, nations are provided with learned guidance on the situation and scientific advances are disseminated more quickly. All of this increases efficiency in emergency responses and improves scientific backing in public health policies as related to a constantly evolving global pandemic. Developing nations are also able to find support in creating healthcare policies to respond to unique circumstances. The organization’s role is unifying global efforts in public health and providing resources to nations that request assistance.
One unfortunate reality of entities which rely on funding from certain more centralized sources, like the WHO, is the risk of politicization of their efforts. The risk was laid bare in the Trump administration’s decision to cut US funding to the WHO in April of 2020. No matter the factual background of this decision, the impact of cutting over 20% of the organization’s budget in the beginning stages of a global pandemic left a mark on the policies. Through these circumstances the WHO can be buffeted by the storms of international political discourse.
So, as the world becomes aware of an international organization which provides so much information to the COVID-19 response, it is important to maintain a balanced perspective in interpreting the information coming from the WHO. No organization can completely rid itself of outside influence and bias. The centralization of expert discourse and collaboration among nations is an amazing feat of international cooperation which should not be discounted. However, the influence of powerful nations, as in any international body, must not be underestimated. No matter the source of scientific information, it is important to be informed of the outside biases implicated in publications and press conferences.
Supreme Court Blocks Vaccine Mandate: An Issue of Institutional Competence
By CHHS Extern Jenna Newman
On September 9th, 2021, President Biden first announced the creation of a plan that would require a large number of Americans to receive the COVID-19 vaccination. The Occupational Safety and Health Administration (OSHA) then published the aforementioned vaccine mandate on November 5. The OSHA mandate required workers employed by businesses with at least 100 employees to receive the COVID-19 vaccine, with an exception only allowed for workers who were tested weekly at their own expense and wore a mask each day. The mandate also pre-empted contrary state laws. On January 13, the U.S. Supreme Court stayed OSHA’s COVID-19 vaccine mandate.
The majority on the Court explained that because this order required 84 million Americans to either receive the COVID-19 vaccine or take weekly tests at their own expense, it was not an “everyday exercise of federal power.” The Court further noted that OSHA is tasked with ensuring occupational safety, which includes “safe and healthy working conditions.” The justices speaking for the majority found that this mandate did not set workplace safety standards, rather enacting broad public health measures that went against the original text of the act. They reasoned that “permitting OSHA to regulate the hazards of daily life – simply because most Americans have jobs and face those same risks while on the clock – would significantly expand OSHA’s regulatory authority without clear congressional authorization.” The Court drew a distinction between occupational hazards and risks that occur in the workplace, explaining that COVID-19 is not an occupational hazard that OSHA has the power to regulate. For example, COVID-19 is a universal risk that is present everywhere that people choose to gather, not just in the work-place setting. That is the difference between occupational risks and risks in general.
By contrast, the justices writing for the dissent argued that the OSHA mandate was within the agency’s mission to “protect employees from grave danger that comes from new hazards.” The dissenting justices noted that COVID-19 is a new hazard that poses a grave danger to millions of people, making the OSHA mandate “necessary” to address the dangerous situation. As a result, the dissent found that the majority ruling was at odds with the statutory scheme.
The biggest issue that the case raises surrounds the institutional competence to address the health care crisis. The dissent stated that the underlying dispute “is a single, simple question: Who decides how much protection, and of what kind, American workers need from COVID-19?” The options are either an agency or the Court. While competing arguments exist on both sides, the reality is that the decision is now left up to each individual company. Companies must now weigh the pros and cons of instituting regulations or potentially losing staff. For example, United Airlines and Tyson foods have instituted their own mandates, but others have chosen to not take any action, such as Walmart, Amazon, and JPMorgan Chase.
The institutional competence issue is further shown in the majority opinion in Biden v. Missouri, which was a small win for the Biden administration because it allowed a limited mandate that required health care workers to receive the COVID-19 vaccine if they worked at a facility that received federal funding. Differing significantly from the majority opinion concerning the OSHA mandate, the majority in Biden v. Missouri found that the secretary of health and human services mandate “fell within the authorities that Congress conferred upon him.” The statute that gives authority to the mandate states that the Secretary can make Medicaid and Medicare funds contingent on conditions that “the Secretary finds necessary in the interest of the health and safety of individuals who are furnished services.” Here, the majority found that this limited mandate was within congressional authorization because it ensures that providers are taking to steps to stop the spread of a dangerous virus.
These cases certainly illustrate the challenges that the pandemic has created in interpreting the authority conferred upon agencies by Congress, and what types of regulations go beyond these authorities. In light of the contrasting majority opinions, the institutional competence issue will continue until a consensus is reached on the proper authority of agencies to make vaccine regulations in the workplace.
CHHS Releases Winter 2022 Newsletter
CHHS is proud to release its Winter 2022 newsletter. In this edition, CHHS Founder and Director Michael Greenberger highlights our project work in pandemic response, cybersecurity, economic recovery and more.
Be sure to check out our newsletter page for earlier editions: https://www.mdchhs.com/media/newsletters/