Workplace Privacy, Data Management & Security Report : Privacy Lawyers & Attorneys : Jackson Lewis Law Firm : Data Security, HIPAA & Confidentiality Issues

On August 18, 2010, the Connecticut Insurance Commissioner issued Bulletin IC-25 which mandates that entities within its jurisdiction notify the Department of Insurance of any "information security incident." This post provides a brief summary of this new requirement.

Who must provide the notice?

The Bulletin applies to all licensees and registrants of the Department. This generally means all entities regulated by the Insurance Department, including, insurance producers, public adjusters, bail bond agents, appraisers, certified insurance consultants, casualty claim adjusters, property and casualty insurers, life and health insurers, health care centers, fraternal benefit societies, captive insurers, utilization review companies, risk retention groups, surplus line companies, life settlement companies, preferred provider networks, pharmacy benefit managers, and medical discount plans.

Additionally, in cases where the information security incident happens at a vendor or business associate, the Department expects to be notified of the incident as well as how the

licensee or registrant is managing the vendor's/business associate's activities and what protections and remedies are being put in place by the vendor/business associate for the Connecticut consumers.

What is an "information security incident"? 

Under this Bulletin, an information security incident is:

any unauthorized acquisition or transfer of, or access to, personal health, financial, or personal information, whether or not encrypted, of a Connecticut insured, member, subscriber, policyholder or provider, in whatever form the information is collected, used or stored, which is obtained or maintained by a licensee or registrant of the Insurance Department, the loss of which could compromise or put at risk the personal, financial, or physical well being of the affected insureds, members, subscribers, policyholders or providers.

Thus, unlike the general Connecticut data breach notification statute which requires notification only with respect to computerized personal information, this mandate applies to paper documents which includes personal health, financial or personal information. Also, encrypted data is not exempt from this notification requirement.

What is personal health, financial, or personal information?

The Bulletin does not define this term and, therefore, is unclear in this regard. However, in discussing its authority to impose the requirement, the Department cites to Conn. Gen. Stat. §42-471, which defines "personal information" to mean:

information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver's license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number, and does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.

This definition, however, may not be as broad as how the Department views the term "personal health, financial or personal information." Licensees and registrants should be careful here and err on the side of being more inclusive when deciding whether an incident needs to be handled in accordance with this Bulletin.

When must notification be provided?

The Bulletin requires licensees and registrants of the Department to notify it of the incident as soon as the incident is identified, but no later than five (5) calendar days after the incident is identified.

Where should notice be sent?

Notification should be sent to the Insurance Commissioner in writing via first class mail, overnight delivery service or electronic mail.

What must the notice include?

Notification should include as much information as is known concerning the incident. The Bulletin provides the following list of items of information to be reported to the Department:

• Date of the incident
• Description of incident (how information was lost, stolen, breached)
• How discovered
• Has lost, stolen, or breached information been recovered and if so, how
• Have individuals involved in the incident (both internal and external) been identified
• Has a police report been filed
• Type of information lost, stolen, or breached (equipment, paper, electronic, claims, applications, underwriting forms, medical records etc)
• Was information encrypted
• Lost, stolen or breached information covers what period of time
• How many Connecticut residents affected
• Results of any internal review identifying either a lapse in internal procedures or confirmation that all procedures were followed
• Identification of remedial efforts being undertaken to cure the situation which permitted the information security incident to occur.
• Copies of the licensee/registrants Privacy Policies and Data Breach Policy.
• Regulated entity contact person for the Department to contact regarding the incident. (This should be someone who is both familiar with the details and able to authorize actions for the licensee or registrant)
• Other regulatory or law enforcement agencies notified (who, when)

One of the items on this list to note is a Data Breach Policy which all entities should consider adopting even if not subject to this Bulletin.

Does the Department require that credit monitoring be offered in the event of an information security incident?

It looks like the Department may require credit monitoring in some circumstances. The Bulletin states that:

Depending on the type of incident and information involved, the Department will also want to have discussions regarding the level of credit monitoring and insurance protection which the Department will require to be offered to affected consumers and for what period of time. 

In addition, the Department wants to review the draft letters informing individuals of the information security incident.

Will the Department impose penalties?

The Bulletin states that the Department will evaluate each incident independently based on the applicable circumstances, and notes that some situations may warrant imposition of administrative penalties. The Department urges licenses and registrants to follow these procedures in order to minimize the possibility for penalties.

Licenses and registrants surely will need to review this guidance and incorporate it into their information security programs. Other entities should take note of this development and recognize the increasing efforts by federal and state agencies to safeguard personal information.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

California led the way in 2002 when it enacted the nation’s first data breach notification law. Last week, the State’s lawmakers sent Governor Arnold Schwarzenegger S.B. 1166 (pdf), which would mandate that data breach notification communications include more detailed information about the breach and that businesses experiencing data breaches affecting more than 500 Californians notify the State’s Attorney General.

Since California enacted its data breach notification law, lawmakers have been trying to make changes to it, with mixed results. Assembly Bill 1298 ("A.B. 1298"), which became effective January 1, 2008, expanded the application of the existing law to include medical and health information. However, to date, attempts to add content requirements to the notice and require notification to the State’s Attorney General have failed, despite similar requirements in the laws of a number of other states, such as Massachusetts, New York, North Carolina.

S.B. 1166 marks the third attempt by Senator Joe Simitian to amend the law in this manner. Both prior attempts were vetoed by the Governor Schwarzenegger. In addition to requiring notice to the State’s Attorney General for certain breaches, his current effort would require notices stating:

• a general description of the breach incident;
• the type of information breached;
• the date and time of the breach;
• whether the notification was delayed because of a law enforcement investigation; and
• a toll-free number of major credit reporting agencies if the breach exposed Social Security numbers, driver's license numbers, or state identification card numbers.

Because many states have similar content requirements and there are a number of websites that report on data breaches, passage of S.B. 1166 should not impose a significant burden in breaches involving individuals in multiple states. Nonetheless, companies should be alert to developments in California and be prepared to update their California data breach notification policies should the measure pass.
 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On August 5, 2010, U.S. Senators Mark Pryor (D-AR) and John D. (Jay) Rockefeller IV (D-WV)  introduced legislation to require businesses and nonprofit organizations that store consumers’ personal information to put in place strong security features to safeguard sensitive data, alert consumers when this data has been breached, and provide affected individuals with the tools they need to protect their credit and finances, including credit monitoring services.

More specifically, the "Data Security and Breach Notification Act of 2010" would require entities that own or possess data containing personal information to establish reasonable security policies and procedures to protect that data. If a security breach occurs, entities would have to notify each individual whose information was acquired or accessed as a result of the breach within 60 days. Affected consumers would be entitled to receive consumer credit reports or credit monitoring services for two years, as well as instructions on how to request these services.

In support of the new law, the press release issued by the Senate Committee on Commerce, Science, and Transportation notes that data security breaches and identity theft are a growing problem in the United States. In 2009, the business industry experienced the greatest number of data breaches (41.8%), followed by government/military (18.1%) and education sectors (15.7%).

Of course, passage of this measure is possible, but, given the number of prior efforts to pass a national data breach notification law, passage seems unlikely. This outcome is made more likely by the inclusion of the credit monitoring mandate, the cost of which could be considerable to businesses affected by a data breach. Businesses should stay tuned . . .

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Rite Aid Corporation and its affiliates have agreed to pay $1 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, the U.S. Department of Health and Human Services (HHS) announced today. At the same time, Rite Aid signed a consent order with the Federal Trade Commission (FTC) to settle potential violations of the FTC Act.

The lesson to be learned from this case:

Disposing of individuals’ health information in an industrial trash container accessible to unauthorized persons is not compliant with several requirements of the HIPAA Privacy Rule and exposes the individuals’ information to the risk of identity theft and other crimes.

The Office of Civil Rights, which enforces the HIPAA Privacy and Security Rules, opened its investigation of Rite Aid after television media videotaped incidents in which pharmacies were shown to have disposed of prescriptions and labeled pill bottles containing individuals’ identifiable information in industrial trash containers that were accessible to the public. These incidents were reported as occurring in a variety of cities across the United States. Rite Aid pharmacy stores in several of the cities were highlighted in media reports.

The investigation also indicated other potential concerns about Rite Aid's policies related to safeguarding patient information during the disposal process, training employees, and a related sanction policy.

The Director of OCR noted:

It is critical that companies, large and small, build a culture of compliance to protect consumers’ right to privacy and safeguard health information. OCR is committed to strong enforcement of HIPAA.

The corrective action Rite Aid has agreed to includes improving policies and procedures to safeguard the privacy of its customers' health information, and applies to all of its nearly 4,800 retail pharmacies. More specifically, the settlement requires Rite Aid to take a number of steps including

• Revising and distributing its policies and procedures regarding disposal of protected health information and sanctioning workers who do not follow them;
• Training workforce members on these new requirements;
• Conducting internal monitoring; and
• Engaging a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS and FTC.

The HHS corrective action plan will be in place for three years; the FTC order will be in place for 20 years. The length and scope of these plans show the seriousness these agencies are taking concerning compliance with requirements to safeguard personal information.  

• Email This
• Print
• Comments
• Trackbacks
• Share Link

We recently reported here that the Department of Health and Human Services (HHS) is issuing proposed regulations to implement statutory amendments under the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”). These proposed regulations contain a number of important points to think about for HIPAA covered entities (and business associates), even though these rules are in proposed form. One is avoiding HIPAA violations involving “willful neglect," which under the HITECH Act will require a formal investigation and civil penalties.

To date, the Secretary of HHS has attempted to resolve complaints and certain violations by informal means, as required by § 160.312 of the current regulations. A significant change to the HIPAA enforcement scheme in the HITECH Act requires that if a preliminary investigation of the facts of a complaint indicates a possible violation due to willful neglect, the Secretary is required to commence a formal investigation. If the formal investigation finds a HIPAA violation involving willful neglect, the Secretary must impose a civil money penalty.

What is “willful neglect”?

Willful neglect is defined at § 160.401 as the “conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.” The term not only presumes actual or constructive knowledge on the part of the covered entity that a violation is virtually certain to occur, but also encompasses a conscious intent or degree of recklessness with regard to the entity’s compliance obligations.

So what does that mean, what are some examples? The proposed regulations provide the following examples:

1. A covered entity disposed of several hard drives containing electronic protected health information in an unsecured dumpster, in violation of § 164.530(c) and § 164.310(d)(2)(i). HHS’s investigation reveals that the covered entity had failed to implement any policies and procedures to reasonably and appropriately safeguard protected health information during the disposal process.
2. A covered entity failed to respond to an individual’s request that it restrict its uses and disclosures of protected health information about the individual. HHS’s investigation reveals that the covered entity does not have any policies and procedures in place for consideration of the restriction requests it receives and refuses to accept any requests for restrictions from individual patients who inquire.
3. A covered entity’s employee lost an unencrypted laptop that contained unsecured protected health information. HHS’s investigation reveals the covered entity feared its reputation would be harmed if information about the incident became public and, therefore, decided not to provide notification as required by § 164.400 et seq.

In addition to having actual or constructive knowledge of one or more violations, the covered entities in the examples above, particularly Example 1, failed to develop or implement compliant policies and procedures and, thus, demonstrated either conscious intent or reckless disregard with respect to the compliance obligations under HIPAA.

Based on the proposed regulations, covered entities can no longer expect the velvet hand of the regulators to resolve a violation informally in all cases. Covered entities that fail to have policies and procedure and make a good faith compliance effort likely will find themselves subject to mandatory formal investigations and penalties.

Covered entities like the one in example 1 above might want to consider certain precautions, including:

• maintaining a record retention policy,
• maintaining media re-use policy,
• maintaining a data destruction policy,
• maintaining an e-discovery policy, and
• and engaging a good data destruction/shredding company.
 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Effective May 1, 2010, Alberta amended its Personal Information Protection Act (PIPA) to require breach reporting and notification requirements. U.S. businesses with a presence in Alberta should take note of the new law as it is a bit different than most of the state data breach notification laws in the United States. 

PIPA governs the collection, use and disclosure of personal information by businesses. Under the amendment to PIPA that adds the mandatory breach notification requirement, organizations that experience a breach will be required to report the incident to the Privacy Commissioner where there exists “a real risk of significant harm” to an individual. The Commissioner can, in turn, require the organization to notify the affected individuals.

Alberta's Privacy Commissioner Frank Work commented on the new law:

Now an organization has to report significant losses to my Office. I can then require notification of affected individuals. Our experience has been that most businesses already notify people affected by losses and we encourage this. This is not necessarily a matter of making businesses liable for losses of information; it is about warning people so that they can take precautions. Hopefully it will make businesses more aware of the need for reasonable security measures.”

Of course, the challenge for multi-national companies will be to consider and coordinate the laws in various jurisdictions.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On June 10, 2010, the California Department of Public Health (CDPH) announced  issuing administrative penalties and fines totaling $675,000 against five hospitals in the state. CDPH cites the facilities’ failure to prevent unauthorized access to confidential patient medical information as required under new legislation (Section 1280.15 of California’s Health and Safety Code) (pdf) as the basis for the penalties and fines.

Relevant portions of Section 1280.15 of California’s Health and Safety Code provide:

A clinic, health facility, home health agency, or hospice . . . shall prevent unlawful or unauthorized access to, and use or disclosure of, patients' medical information . . . The department, after investigation, may assess an administrative penalty for a violation of this section of up to twenty-five thousand dollars ($25,000) per patient whose medical information was unlawfully or without authorization accessed, used, or disclosed, and up to seventeen thousand five hundred dollars ($17,500) per subsequent occurrence of unlawful or unauthorized access, use, or disclosure of that patients' medical information. For purposes of the investigation, the department shall consider the clinic's, health facility's, agency's, or hospice's history of compliance with this section and other related state and federal statutes and regulations, the extent to which the facility detected violations and took preventative action to immediately correct and prevent past violations from recurring, and factors outside its control that restricted the facility's ability to comply with this section. The department shall have full discretion to consider all factors when determining the amount of an administrative penalty pursuant to this section.

CDPH Director Dr. Mark Horton commented, “medical privacy is a fundamental right and a critical component of quality medical care in California.” His position and the actions taken by the agency highlight the need for health care providers to do more to safeguard patient records. In most of these cases, according to the CDPH announcement, multiple hospital employees accessed confidential patient medical information without authority to do so.

However, California hospitals should not be the only entities concerned about exposure relating to unauthorized access to confidential personal information, nor is California’s Health and Safety Code the only statutory obligation to safeguard such information. Mandates to protect personal information are growing and apply to industries beyond healthcare and persons other than patients. In short, businesses in all states and industries should be reviewing, at a minimum:

1. how they safeguard personal information, whether it be that of customers, patients, employees, or their dependents,
2. who they permit to access personal information, and
3. what their plan is in the event of unauthorized access or acquisition.

We’ve written about a number of these areas of concern:

• Pending Federal Legislation
• State Attorneys General enforcing (i) HIPAA, (ii) Deceptive and Unfair Trade Practices Laws, (iii) record destruction laws.
• Risks if You Are a Business Associate
• Criminal Penalties Under HIPAA
• State Laws Mandating Protections for Personal Information, not just medical information.
• HHS Enforcing HIPAA Following Data Breach
• Developing a Plan

Like most things, "an ounce of prevention is worth a pound of cure."

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Connecticut Attorney General Richard Blumenthal has commenced an investigation in a second case involving potential HIPAA violations by a worker at Griffin Hospital. This follows the suit commenced against Health Net for HIPAA violations following a data breach. As reported by George Gombossy of ctwatchdog.com, this would be the second time a state attorney general has used the enforcement authority granted under the Health Information Technology for Economic and Clinical Health Act (HITECH).

The Attorney General’s press release states:

My office is investigating allegations that a radiologist formerly affiliated with Griffin Hospital improperly accessed the medical information of almost 1,000 of the hospital’s patients.

These charges, if true, are deeply disturbing. Patients rightly expect and demand that their medical information remain secure and confidential, viewed only by authorized individuals.

Unauthorized accessing of patient information is a violation of the federal HIPAA law that my office is empowered to enforce. I will seek strong and significant sanctions, if warranted by the facts.

Griffin Hospital rightly informed my office of this alleged data breach and is cooperating with our investigation.

Efforts are underway to help state Attorneys General become more actively involved in HIPAA enforcement. For example, the Department of Health and Human Services (HHS) has awarded a $1.7 million contract to train attorneys general on enforcing HIPAA and, specifically, to assist the Office of Civil Rights (an arm of HHS) “in conceptualizing and implementing a training curriculum for state attorneys general staff and others affected by the HIPAA Privacy and Security Rules.”

It is important that HIPAA-covered entities and business associates focus on compliance so when there is a data breach, they will be better positioned to respond to a state attorney general inquiry.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Have you noticed that negotiating that business associate agreement has gotten a lot more difficult? Many companies that serve health care providers and health plans, generally known as business associates, have noticed. These companies include software vendors, benefits brokers, cloud computing providers, data storage/destruction companies, and accountants, among others.

The clients of these companies are citing HIPAA, ARRA, HITECH, data breach notification requirements, and state law mandates as they demand stricter contract language and additional rights and protections, such as the right to audit the business associate and to be held harmless in the event of any data mishap. Business associates that took HIPAA lightly in 2003 and 2004, when the HIPAA regulations first became effective (2005 and 2006 for the security regulations), are playing catch-up.

When President Obama signed the American Recovery and Reinvestment Act of 2009 (ARRA), “business associates” may not have expected the significant effects that law would have on their businesses. Chief among those effects are mainly due to four sentences in The Health Information Technology for Economic and Clinical Health (HITECH) Act (pdf), passed as part of ARRA, and which generally became effective on February 17, 2010 (the breach notification mandate became effective on September 23, 2009), one year after enactment:

• “Sections 164.308, 164.310, 164.312, and 164.316 of title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity. The additional requirements of this title that relate to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporate[d] into the business associate agreement between the business associate and the covered entity.” ARRA Sec. 13401(a). This statement makes business associates directly subject to nearly all of the HIPAA security regulations, the HIPAA rules relating to electronic protected health information. Prior to the change, these obligations existed for business associates only as a matter of contract.
• “A business associate of a covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information shall, following the discovery of a breach of such information, notify the covered entity of such breach.” ARRA Sec. 13402(b). This statement creates a new obligation for business associates – report to covered entities breaches of unsecured protected health information.
• “The additional requirements of this subtitle that relate to privacy and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.” ARRA Sec. 13404(a). This statement makes business associates directly subject to nearly all of the HIPAA privacy regulations. Prior to the change, as with the security regulations, these obligations existed for business associates only as a matter of contract.

In response to these law changes, and in the absence of regulatory guidance, covered entities have been demanding modifications to existing business associate agreements or requesting new agreements. In both cases, covered entities are seeking greater assurances from their business associates concerning the handling of the covered entities’ protected health information.

On top of that, covered entities are weaving into business associate agreements and other agreements requirements under newly enacted state laws requiring protections for “personal information” in the hands of vendors (e.g., business associates) to curb identity theft. Given the cost and reputational harm that could come from a data breach, as well a growing enforcement activity, many covered entities are becoming more forceful in their negotiations, citing legal mandates and established company policies for their unwillingness to budge on many provisions, even those that go beyond statutory mandates.

What is a business associate to do? Here are some thoughts:

1. Confirm your company is a business associate. (go to HHS HIPAA frequently asked questions and insert "business associate" for helpful guidance). In some cases, covered entities are blanketing all of their vendors with these agreements. If believe your company is not a business associate, raise it with your client. Of course, even if you avoid being considered a business associate, your customer/client still may demand written assurances under state law for the personal information you handle on its behalf.
2. Become compliant. As noted above, the HIPAA privacy and security requirements are now directly applicable to business associates. While additional guidance is expected as to what this means precisely, there is enough existing guidance concerning covered entities for business associates to use to achieve compliance. Among other things, compliance means conducting a risk assessment, adopting a written set of policies and procedures concerning the safeguarding of protected health information, and training staff. Being compliant not only reduces risk, but in an environment of increasing attention to data privacy and security, compliance can be a competitive advantage.
3. Review agreements carefully. Covered entities increasingly include contract provisions that provide the covered entity with greater protections than the law requires. To the extent possible, try to remove those provisions. In any event, it is important to know your obligations under these agreements; they can vary dramatically from covered entity to covered entity.
4. Develop strategies for reviewing/complying with multiple contracts. Some business associates have many clients and, therefore, business associate agreements. Managing unique provisions multiple agreements can be daunting, although the ability to negotiate a uniform agreement across a client basis is increasingly unlikely. So, where possible, try to use similar provisions in all agreements and know ahead of time your approach to certain key provisions, such as handling data breaches.
5. Understand the law. Even if you’ve mastered the determination of whether you are a business associate, the rules outlining your business' obligations likely will be evolving under HIPAA over the next few years, particularly with the expected growth of electronic health records and the expansion of health care. The same is true of state laws concerning personal information. In many cases these laws might coexist peacefully, in other cases there will be conflict. You need to be aware of the conflicts and be prepared to act accordingly.

• Email This
• Print
• Comments (1)
• Trackbacks
• Share Link

The Federal Trade Commission announced it is further delaying its enforcement of the “Red Flags” Rule through December 31, 2010. This move comes at the request of several Members of Congress who want to further consider legislation that would clarify who is subject to the Rule.

The delay follows the lawsuit (pdf) filed by the American Medical Association and others arguing that the Red Flags Rule should not apply to physicians.  As reported by amednews.com, the plaintiffs bolster their case by pointing to a 2009 federal court ruling (pdf) (American Bar Assn. v. Federal Trade Commission) exempting lawyers from the Rule. That ruling is now on appeal to the U.S. Court of Appeals for the D.C. Circuit

Legislation is pending in the United States House of Representatives that would exempt certain professions, including physicians, from the Red Flags Rule. H.R. 3763 passed the House unanimously in October 2009, but there has been no further movement in Congress on this issue.

The Rule was developed under the Fair and Accurate Credit Transactions Act, in which Congress directed the FTC and other agencies to develop regulations requiring “creditors” and “financial institutions” to address the risk of identity theft. The resulting Red Flags Rule requires all such entities that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft.

In its announcement, the FTC notes that as was the case with prior enforcement delays, this enforcement delay is limited to the Red Flags Rule and does not extend to the rule regarding address discrepancies applicable to users of consumer reports, or to the rule regarding changes of address applicable to card issuers.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

We are honored that the National Association of Professional Employer Organizations (NAPEO), the largest national trade association for professional employer organizations (PEOs), recently published our article in its May 2010 edition of its PEO Insider publication, an important resource for any PEO.  

PEOs no doubt provide valuable services for businesses across the country. However, in doing so, they generally have access to and maintain vast amounts of personal information. Our article, "Key Data Privacy and Security Issues for PEOs," summarizes emerging data privacy and security laws and their effects on PEOs.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On April 16, 2010, Florida Attorney General Bill McCollum announced a settlement (pdf) with Certegy Check Services, Inc. over how the company secures consumer records. The Attorney General’s enforcement action stems from a massive data breach by a former Certegy employee who stole personal identification information from approximately 5.9 million consumer files.

According to the Attorney General’s press release, Certegy promptly notified the Attorney General and consumers of the data thefts, and cooperated with the Attorney General’s investigation. In addition to agreeing to maintain a comprehensive information security program, under the settlement, Certegy will contribute $125,000 to the Attorney General’s “Seniors vs. Crime Program” for educational, investigative and crime prevention programs for the benefit of senior citizens and the community. Further, it will pay $850,000 for the state’s investigative costs and attorney’s fees.

Massachusetts and some other states have specific statutory provisions requiring the safeguarding of personal information. No similar law exists in Florida. The Attorney General commenced its action against Certegy under the State’s deceptive and unfair trade practices statutes. Businesses with data security safeguards that can be viewed as subpar, therefore, cannot depend on the absence of specific state statutes to shield them from state action in case of a data breach or allegations that personal information is not being adequately safeguarded.

In addition to the nearly one million dollars Certegy will pay the State of Florida, the company agreed to

maintain a comprehensive “Information Security Program” that assesses internal and external risks to consumers’ personal information, implements safeguards to protect that consumer information, and regularly monitors and tests the effectiveness of those safeguards. Certegy and its related entities will also adhere to payment card industry data security standards as those standards continue to evolve.

Significantly, the settlement requires Certegy to conduct initial and annual assessments of its policies and procedure.

The settlement with the Attorney General followed a class action settlement in U.S. District Court in Tampa. Under that settlement, Certegy made certain monitoring services available to affected consumers, who also were able to seek reimbursement of certain out-of-pocket costs incurred or identity theft expenses. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

With Mississippi enacting its own data breach notification law on April 7, Alabama, Kentucky, New Mexico, and South Dakota remain the only states without such a law. Mississippi Gov. Haley Barbour signed H.B. 583 making his state the 46th to enact a breach notification law. The law becomes effective July 1, 2011.

Like many breach notification statutes:

• the notification obligation falls on any business in the state which owns or licenses personal information,
• personal information generally includes name plus either Social Security number, drivers license number, or financial account number,
• encrypted personal information is not subject to the breach notification requirement, and
• the notification obligation applies only when there is a risk of harm to affected state resident in connection with a breach of security.

The law will be enforced by Mississippi’s Attorney General, however, the law prohibits individuals from commencing a privacy lawsuit under the new law.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Nearly 100 organizations have been notified by the Federal Trade Commission (“FTC”) that personal information, including sensitive employee and customer data, shared from the organizations’ computer networks is available on peer-to-peer (P2P) file-sharing networks. This, the FTC warned, could be used to commit identity theft or fraud. The notices went to both private and public entities, including schools and local governments. The entities ranged in size from those with as few as eight employees to public corporations employing tens of thousands. The notices come not long after the Congressional Ethics breach we discussed in October. 

With P2P file-sharing software, a user can share music, video, and documents. However, when not configured correctly, P2P file-sharing software may allow anyone on the P2P network to access files not intended for sharing.

To aid businesses in managing the security risks of file-sharing software, the FTC also has released education materials, including a new business education brochure – Peer-to-Peer File Sharing: A Guide for Business – designed to assist businesses and others as they consider whether to allow file-sharing technologies on their networks. The brochure also explains how to safeguard sensitive information on their systems, and provide other security recommendations. Additionally, the FTC published tips for consumers about computer security and P2P. 

In addition to the FTC notices, employers should consider the P2P Cyber Protection and Informed User Act, which was introduced in Congress shortly after the notices were sent. Under the Act, P2P file-sharing programs must clearly inform users when their files are made available to other P2P users, are prohibited from being installed without informed consent, and are prohibited from preventing a user from blocking/disabling/removing any sharing program. 

The FTC has urged entities to review their security practices and, if appropriate, the practices of their contractors and vendors, to ensure that the practices are reasonable, appropriate, and in compliance with the law.  FTC Chairman Jon Leibowitz also cautioned,  , “companies and institutions of all sizes are vulnerable to serious P2P-related breaches…” and “[companies] should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure.” 

A company’s failure to prevent such information from being shared on a P2P network, may violate applicable law and subject the company to legal action. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Over the past few months, many businesses, particularly in the Northeast Region, have been focusing on creating a written information security program (WISP) to comply with Massachusetts identity theft regulations that went into effect March 1, 2010. For many, this has been a significant effort, reaching most, if not all, parts of their organizations. However, it is important to remember that although Massachusetts may be the state with the most comprehensive set of rules for securing personal data, other states have enacted similar protections, and compliance with Massachusetts does NOT necessarily mean compliance with other states.

Consider the following examples:

California. The Civil Code in California states a business that owns or licenses personal information about a California resident must:

implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

For purposes of this requirement, “personal information" means:

an individual's first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
(A) Social security number.
(B) Driver's license number or California identification card number.
(C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
(D) Medical information.

Similar pretections for medical information exist in Arkansas, but that information is not covered by the rules in Massachusetts. Illinois requires safeguards for certain biometric information, a classification of data also not covered by the Massachusetts regulations.

Oregon. Oregon’s Consumer Identity Theft Protection Act lays out safeguards similar to those in Massachusetts, with some relief for small businesses (those manufacturing businesses with 200 employees or fewer and all other forms of business having 50 employees or fewer). Key is the requirement to implement an “information security program” that contains administrative, technical and physical safeguards.

Administrative safeguards include, for example: 

1. designating one or more employees to coordinate the program;
2. identifying reasonably foreseeable internal and external risks;
3. assessing the sufficiency of data safeguards;
4. training employees in the program’s practices and procedures;
5. limiting outside service providers to those maintaining adequate data security safeguards; and
6. adjusting the program according to business changes or new circumstances.

In New Jersey, regulations are pending that would create similar obligations.

Connecticut. Without specifying the kinds of safeguards, Connecticut requires any person in possession of personal information of another person to:

safeguard the data, computer files and documents containing the information from misuse by third parties, and [ ] destroy, erase or make unreadable such data, computer files and documents prior to disposal.

For purposes of this law, “personal information” includes:

information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver's license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number.

Similar requirements were enacted in other states, including Arkansas, North Carolina, Rhode Island, Texas, and Utah. But note the definition in Connecticut goes beyond the elements of data protected under the Massachusetts regulations.

Service contracts. Some states go a step further, requiring certain provisions be included in contracts between entities and their service providers when the contracts involve the disclosure of a state resident’s personal information from the owner of the information to the service provider. For example, such contracts in Nevada and Maryland must include a provision requiring the person to whom the information is disclosed to implement safeguards to protect that information.

The emergence of state mandates fueled by the continued rapid advancement and increased use of technology suggest a trend that is sure to become a fact of life for businesses operating anywhere in the U.S. Whether the technology is “cloud computing” or “peer-to-peer” software, businesses need to take appropriate steps to protect personal information maintained throughout their organizations.

• Email This
• Print
• Comments (1)
• Trackbacks
• Share Link

Beginning March 1, 2010, businesses will be required to safeguard from identity theft and other dangers personal information about Massachusetts residents under a “written information security program” or WISP. Similar requirements exist in other states around the country, although those requirements generally are not as comprehensive as those becoming effective in the Bay state.

Our complimentary webinar is designed to help employers and businesses become compliant. The program will cover:

• the emergence of data security mandates across the country,
• the Massachusetts approach to data security – breach notification, data destruction, the nuts and bolts of the identity theft/data security regulations, and
• best practices when creating a WISP.

We hope you enjoy the webinar.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On January 29, 2009, I had the opportunity to attend a brief presentation sponsored by Minnesota CLE entitled, “Corporate Data Privacy & Security: 10 Legal Practice Tips,” given by Brad Bolin, Senior Corporate Counsel for Best Buy, Inc. a Fortune 500 electronics retailer headquartered in Richfield, Minnesota. Bolin is a specialist in information security and privacy law. I was curious to hear what data privacy issues were on the mind of someone who monitors these issues for a living on behalf of a large corporation, especially a company that sells some of the very devices that make data privacy more challenging and which is known for its “results oriented” work environment. Many of the issues relate to topics discussed on this blog. The views expressed were strictly those of Bolin, not Best Buy. Here were his observations:

1. Work/Life Balance.  Electronic connections are collapsing the distinctions between work and personal life. Employees expect to be connected 24 -7. Bolin quoted Best Buy CEO Brian Dunn as noting, “Technology is … a constant backdrop in people’s lives, at home, at work, on the road and literally in the palms of their hands. We call it the ‘connected world’ and, as exciting as it is, it’s also increasingly complex, and difficult to keep pace with.”

2. Smart Phones Part 1.  Smart phones are becoming common and are a great example of how the “limited personal use” exception is swallowing the rule. He cited a survey showing that 20% of companies allow their employees to use personal devices for work, and the number is surely growing. Bolin discussed how under the old corporate model, a company that pays for an employee’s smart phone ought to take it back from the employee upon his or her departure, erase the contents and either recycle or reuse the device to prevent the disclosure of confidential corporate information. But what about the employee’s personal photographs, “apps”, movies, contacts and downloaded songs? What if the employee paid for the device but the company reimburses the cost? Securing employee-owned smart phones is not the same as securing corporate-owned devices, he emphasized.

3. Smart Phones Part 2.  Bolin said that, whatever rules you choose, a departing employee should be able to take his or her personal data, while IT should be able to ensure that any corporate information has been safely removed. The process should be simple and transparent to all. Adopt simple rules that make corporate data on an employee's smart phone easier to identify and control. For example, distinguish between media files on the one hand, and xls doc, ppt, and pdf documents on the other. Have a transparent dialog with employees about the trade-offs that exist cost when placing personal phones on the corporate network. For example, an employee might be required to archive SMS text messages on his phone for e-discovery purposes.

4. Texting Issues.  While e-mail typically is stored on a common server, text messages usually are stored by cell phone companies or directly on phones, and often the employer does not directly pay for their storage. Employers must have either a warrant or the employee's permission to see cell phone text messages that are not stored by the employer or by someone the employer pays for storage, Bolin said, citing Quon v. Arch Wireless, et al. 529 F.3d 892 (9th Cir. 2008),  The case is now under review by the United States Supreme Court.

5. TMI = Too much information.  An embedded Global Positioning System (GPS) feature is great for supporting and measuring effectiveness of a mobile sales force, but it raises the danger of collecting information about employees regarding the personal part of their life.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

As we have discussed before, data breach notification is one of the most rapidly emerging areas of law. Good security incident procedures as well as effective training can help avoid the risk of data breach. (Sample data breach training). 

A case in point: Connecticut's Attorney General has filed a civil action against Health Net of the Northeast Inc. (“Health Net”) for failing to secure approximately 446,000 individuals’ patient information on a missing portable computer disk drive, and for failing to provide prompt notice of the breach. Among other things, the suit alleges Health Net violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, when it failed to provide prompt notice, failed to encrypt the data, failed to provide for and implement appropriate policies to safeguard the information, and failed to supervise and train its workforce on safeguarding protected health information and personal information. 

As this suit demonstrates, state Attorneys General will use the authority granted by HITECH to enforce the privacy and security protections of HIPAA for protected health information, as many breaches involving such information may not be covered by state data breach laws. Such enforcement will only add to the cost of a data breach, which, according to the 2009 Ponemon Institute Annual Cost of a Data Breach study, continues to rise.

While a company’s first line of defense always should be a comprehensive data security policy, preparation should include an effective security incident procedure. Several key questions, some of which will form the foundation for any good security incident procedure, must be answered immediately following a breach: 

• How did the breach occur?
• Are measures in place to contain the breach?
• What information was compromised? 
• Whose information was compromised?
• Will the local authorities be alerted?
• What potential breach notice laws are implicated?
• Does notice of the breach have to be provided?
• If so, to whom and how will notice be provided?
• Does the company have applicable insurance to cover the notification process?
• Will any monitoring service be provided for affected individuals?
• Are measures in place for public relations implications?

However, a security incident procedure is only as strong as the awareness you create among your employees as to what constitutes a data breach and who to notify in the event of a possible breach. Therefore, in addition to an effective security incident procedure, it is essential that training, like the sample above, be provided to employees on a regular basis.   

• Email This
• Print
• Comments
• Trackbacks
• Share Link

While most are not taking the day off, January 28 is recognized internationally as Data Privacy Day - a day for people to become more aware of and promote data privacy related issues.

Many organizations support these initiatives and some have created and contributed to a website to promote this day and data privacy and security generally. This website provides a wealth of information and resources related to data privacy in all facets of our lives.

Of course, our focus is on employers and we encourage all employers to use this day as an opportunity to focus on this emerging issue and create awareness in their organizations.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Less than one month into 2010 the trend to address data security, destruction, and encryption has continued among state lawmakers. Specifically, Florida, Michigan, Kentucky, Kansas, Pennsylvania, and New York all have introduced, reintroduced, or amended legislation of this kind. 

• The Florida and Michigan laws would amend personal data destruction rules for companies.
• The New York law would mandate data security and encryption measures.
• The Kentucky bill would require government agencies to protect all personal data under the Gramm-Leach-Bliley Act.
• The Michigan bill includes a state version of the Federal Trade Commission's Red Flags Rule and would require creditors in the state to implement programs aimed at spotting “red flags” of possible identity theft and put in place mitigation measures. Michigan is also considering a number of other measures. 
• The Kansas law would require state agencies to engage in periodic network security reviews.
• The Pennsylvania bill would require public agencies to notify state residents of a breach of their personal information within seven days of the discovery of the breach.

While 5 states remain without data breach notice bills (Alabama, Kentucky, Mississippi, New Mexico, and South Dakota), Congress is considering legislation, the Data Accountability and Trust Act (DATA) (H.R. 2221), that would preempt all state notification laws and instead establish a national breach notice standard.

As we have previously mentioned, we anticipate data privacy and security legislation and case law to be at the forefront of legal issues in 2010. Employers should begin by reading the Data Security Primer and consider implementing comprehensive data security policies and procedures that would allow them to comply with the various state laws that may impact their business. 

• Email This
• Print
• Comments (1)
• Trackbacks
• Share Link

As reported by the December 23 Rochester, Minnesota Post Bulletin, the Mayo Clinic has terminated two medical professionals, a physician and another staff member, after determining that they had inappropriately accessed a patient’s confidential electronic health records (EHRs).

The access highlights what should be a growing concern for health care industry employers: the increased availability EHRs provide about patients’ private information that is otherwise protected by HIPAA. As reported in the Bulletin, according to the President of the Minnesota-based Citizens’ Council on Health Care, “the development of the electronic medical record has allowed all sorts of people to have access” that they would not have had before the advent of EHRs.

As previously reported here, the risks of data breaches and misuses of personal information rise significantly when the information is in electronic format. The trend toward putting more information in electronic format will only continue given the significant cost savings through technological advancements and, for health information, federal subsidies for the adoption of EHRs. Despite protections mandated by law, the portability and availability of EHRs nevertheless facilitate the improper viewing or misuse patients’ protected health information.

The Mayo Clinic terminations come on the heels of a string of employee terminations in 2008 by the UCLA Medical Center, which, through investigations dating back to 2004, found that at least 127 employees had improperly accessed the medical records of celebrities. One employee was even indicted in 2009 after she was found to have purposefully removed the social security numbers of celebrity patients and recorded actor Farah Fawcett’s medical records. Farah Fawcett subsequently sued her.

While most medical providers are well-aware of HIPAA’s requirements, the interest in all things celebrity may be too much for some to resist. We expect that the American Recovery and Reinvestment Act of 2009 (ARRA) [pdf] may only increase the risk of privacy breaches for it provides incentives to health care-related businesses to develop even more extensive uses of electronic health records. However, even famous celebrities have privacy rights under HIPAA, and health care employers should revisit their policies, procedures and training in the area of maintaining patient privacy and more closely monitor the use of electronic medical records.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Last month, we briefly discussed "cloud computing," along with some issues that should be considered when deciding whether to adopt this new technology. Our post focused on data privacy and security issues.

As reported by Kim Hart, of The Hill's Technology Blog, a December 9, 2009, Federal Communications Commission filing states that the Federal Trade Commission is in the process of investigating "cloud computing" to address some of the same concerns noted in the post referenced above - privacy and security concerns.

Companies operating in the cloud, or thinking of moving in that direction, ought to be on the lookout for regulation or guidance that could come from the FTC's investigation.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Like individuals, businesses have resolutions/goals for 2010, perhaps even this new decade. As information risk, such as HIPAA or the occurrence of a data breach, continues threaten companies and put individuals’ personal identities, finances and medical information in jeopardy, addressing this issue in the coming years is a worthy resolution for any business. With this January 28, 2010, being the second National Data Privacy Day, January is as good a time as any to begin thinking about your organization’s information risk. The following list, which is by no means exhaustive, provides ten critical areas businesses will need to consider when addressing this issue.

1. Risk Assessment. Many businesses remain unaware of how much personal and confidential information they maintain, who has access to it, how it is used and disclosed, how it is safeguarded, and so on. Getting a handle on a business' critical information assets must be the first step, and is perhaps the most important step to tackling information risk. You simply can’t adequately safeguard something you are not aware exists.
2. Develop a Written Information Security Program. Even if adopting a written information security program (WISP) to protect personal information is not an express statutory or regulatory mandate in your state, having one is critical to addressing information risk. Not only will a WISP better position a company when defending claims related to a data breach, but it will help the company manage and safeguard critical information, and may even help the company avoid whistleblower claims from employees. For companies, a WISP can be a competitive advantage. Of course, in states like Massachusetts, Maryland, Oregon, Connecticut and others, a WISP in one form or another is required.
3. Vendors/Business Partners. Businesses addressing their information risk cannot stop at their information systems, buildings, and employees. Very often, vendors of the business maintain significant amounts of sensitive company and personal information of that business. This list of vendors can be long and include service providers such as: employee benefits consultants/administrators/brokers, accountants, lawyers, record storage/destructions companies, office cleaning services, professional employer organizations, payroll companies, cloud computing or other information service providers, and so on. Businesses that turn over sensitive information to a vendor need to take steps to ensure the vendor has implemented appropriate safeguards to protect the information. If this information is personal information, a number of states mandate contract provisions requiring the vendor to safeguard the information.
4. HIPAA. The recent changes by the HITECH Act, under the American Recovery and Reinvestment Act of 2009, will drive increased focus on HIPAA in 2010, particularly for business associates which for the first time become directly subject to many of the same privacy and security requirements as covered entities. The addition of a HIPAA breach notification requirement, effective September 23, 2009, and the growth of electronic health records, already are driving covered entities to amend their business associate agreements. Plan sponsors, health care providers and business associates all need to refocus their attention on HIPAA in 2010.
5. Insurance. Like many other risks, information risk can be addressed in part through insurance. More carriers are developing products dealing with personal information risk, and specifically data breach response. This kind of coverage should be a part of any CIO, privacy officer or risk manager’s plan for safeguarding information.
6. Identify “Red Flags”. Identifying “red flags” is the next step after implementing a WISP, beyond safeguarding sensitive information. The concept of “red flags” is to have policies and procedures designed to detect, prevent, and mitigate instances of identity theft – that is, with safeguards already in place, businesses need to be able to identify circumstances (“red flags”) which indicate incidents of identity theft could be occurring, and then take steps to prevent the identity theft or mitigate its effects. After a number of extensions, on June 1, 2010, the Federal Trade Commission will begin enforcing its “red flag” regulations that apply to financial institutions and creditors.
7. Training. A necessary component of any WISP and a required element under most federal and state laws mandating data security, training deserves special mention if only to remind businesses to remind employees how powerful the small devices are that they carry around.
8. Develop a Plan for Responding to a Breach Notification. All state and federal data breach notification requirements currently in effect require notice be provided as soon as possible. Delays in notification viewed as unreasonable could trigger an inquiry by the state’s Attorney General, or in the case of HIPAA protected health information, the Office of Civil Rights.
9. Carefully Integrate New Technologies. As businesses look for new technologies to increase productivity, cut costs, and gain a competitive advantage, how those technologies address information risk must be a factor in the decision whether to adopt the technology. For example, cloud computing is fast becoming a popular tool used by businesses to enhance their computing capabilities, at substantially reduced costs in some cases, but it raises a number of issues concerning information risk.
10. Watch for New Legislation. Today, managing data and ensuring its privacy, security and integrity is critical for businesses and individuals, and is increasingly becoming the subject of broad, complex regulation. It seems to be only a matter of time before U.S. companies are subject to a national law requiring the protection of personal information. Companies therefore need to stay tuned in order to continue to remain compliant and competitive in this regard.

• Email This
• Print
• Comments (1)
• Trackbacks
• Share Link

The State of Minnesota has been smacked with a number of privacy-related district court lawsuits recently.

The most recent dispute arose after the state of Minnesota hired a Texas-based company, Lookout Services to perform E-Verify services for state employees as part of a U.S. Department of Homeland Security program to ensure that all employees of the state and its contractors have Social Security numbers and are authorized to work in the United States. A reporter for Minnesota Public Radio, Sasha Aslanian, discovered confidential data from state officials posted on the company's Web site, and reported the story along with a recitation of other recent privacy blunders by the state.  The story triggered a mandatory notification of a potential data breach under Minnesota law. In response, Lookout Services filed a lawsuit against both the state and Minnesota Public Radio alleging that Aslanian hacked into the site in violation of the Computer Fraud and Abuse Act.

A state agency, the Minnesota Department of Human Rights ("MDHR"), was the target of another district court action brought by a teacher who had been named as a witness in an action by the MDHR against the Anoka-Hennepin school district. The MDHR charge alleged in part that the teacher singled out a student for harassment because the student was gay. The MDHR settled the case, to which the teacher was not a party, with the school district and featured a description of the case as its “case of the month” on its website. The teacher sued and successfully obtained a temporary restraining order, in part requiring the MDHR to take her name off the website and amend it to refer only to a “female teacher.” The case is captioned Cleveland v. Minnesota Department of Human Rights.

In the third case, a state court dismissed a claim that the Minnesota Department of Health violated the Minnesota Genetic Privacy Act (GPA) by gathering and storing blood specimens from newborn babies and sharing them with medical facilities without the parents’ consent. The GPA prohibits collection or use of genetic information without informed consent, “unless otherwise expressly provided by law.” In an 11-page order, Hennepin County judge found that the blood samples were biological samples, not genetic information and, regardless, the state’s Newborn Screening Law was a statutory exception to the GPA. Bearder, et al v. State of Minnesota. This is a rare example of a private lawsuit under a genetic privacy law, but we can expect to see more as new legislation is enacted in this area, such as the Federal Genetic Information Nondiscrimination Act.

The last case involves the neighboring state of Wisconsin and comes to us from lawyer Peter Nickitas who recently obtained a $40,000 jury verdict in federal court against Dunn County Wisconsin for violation of Wisconsin’s Open Records Laws.  The case, Sheffler v. County of Dunn, involved a Minnesota citizen who was arrested in Madison, Wisconsin and spent time in the Dunn County Jail. A few weeks later he requested copies of video footage from his time in jail. The County failed to respond to his request in a timely fashion and the footage was copied over before it could be produced. Plaintiff Troy Scheffler represented himself pro se in defeating the County’s motion for summary judgment  and Nickitas represented him at trial. 

"These cases all demonstrate that private employers are not alone in facing the complexities and exposure of managing personal information about individuals, particularly employees",  observes Joe Saccomano, head of the Jackson Lewis public sector practice group. 
 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

New Hampshire’s new breach notification law builds on the breach notification requirements under the HITECH Act by requiring health care providers and business associates to notify individuals of disclosures of their protected health information that are prohibited by New Hampshire law, even if such disclosures are permitted under HIPAA or other federal law. This new health information protection was enacted with other measures relating to privacy of electronic medical records and allowing individuals to opt out of sharing their names, addresses, and protected health care information with e-health data exchanges.

H.B. 619 becomes effective for data breaches occurring on and after January 1, 2010. Individuals may sue for violations of the notification requirement and, significantly, seek damages of not less than $1,000 per violation. The law also expressly requires business associates to cover the costs of notification if the use or disclosure triggering notification was made by the business associate.

Now, when New Hampshire health care providers and business associates experience a possible data breach, they will have to consider a number of laws to determine the appropriate response. These include H.B. 619, the state’s general breach notification statute, and the breach notification rules under the HITECH Act and implementing regulations. This is even more complex for health care providers and business associates operating in multiple states as at least five other states (Arkansas, California, Delaware, Missouri, Texas) and Puerto Rico require notification in the event some form of medical information is breached.
 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

As passed by the House of Representatives on December 8, 2009, the Data Accountability and Trust Act would create federal data security standards, a national breach notification requirement, data destruction mandates, and special requirements for "information brokers." 

The Act will now move to the Senate, where it likely will be considered together with recent bills from various Senate Committees, two such bills we discussed in a recent post.

The Act would apply to each person engaged in interstate commerce that owns or possesses data in electronic form containing personal information (or contracts to have any third party entity maintain such data). In short, most businesses in the United States would be subject to the Act and required to establish and implement data security policies and procedures. Like other data security regulations, the Act would permit covered persons, when developing their policies and procedures, to take into account:

• the size of, and the nature, scope, and complexity of the activities engaged in by, such person;
• the current state of the art in administrative, technical, and physical safeguards for protecting such information; and
• the cost of implementing such safeguards.

These new standards will be regulated by the Federal Trade Commission (FTC). Violations of the Act would be enforced primarily by state Attorneys General, although the FTC maintains a right to intervene in those actions. Penalties can be substantial. For example, in the case of a violation of the breach notification requirement, the penalty amount would be calculated by multiplying the number of violations by an amount not greater than $11,000. Each failure to send notification would be treated as a separate violation, with a maximum civil penalty of $5,000,000.

Of course, it will be some time before the Act would become effective, if at all, and it may be substantially modified prior to enactment. Still, recent actions by Congress (for example the enhancements to HIPAA under the American Recovery and Reinvestment Act of 2009) and the states suggest a national standard for protecting personal information is only a matter of time. Companies should be gearing up to deal with these emerging information risks.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Co-Author:  Joseph J. Lazzarotti, Esq.

Health Net Inc., one of the nation’s largest publicly traded managed health care companies, recently notified authorities and informed affected persons, with a statement on its website, that the unencrypted personal information of 1.5 million current and former members, stored on a portable disk drive, is missing from the company's Connecticut office. The company is now working to send written notices to affected individuals in four states—Arizona, New York, New Jersey and Connecticut.

Coordinating a data breach response, responding to the questions and complaints of affected persons, and negotiating with vendors to provide monitoring services are time-consuming, tedious tasks that require a strong sense of an organization’s public image, good judgment and excellent communication skills. Having the right person to drive this effort internally is critical. 

Additionally, companies that experience data breaches increasingly are becoming subject to federal and state agency inquiries. In this case, at least two states have announced investigations. Connecticut Attorney General Richard Blumenthal said his office will investigate the loss of the portable disk drive that he believed held the unencrypted health, personal, and financial information of some 450,000 Connecticut residents. Blumenthal also vowed to probe a six-month lag in notifying affected individuals of the breach. In a letter dated November 19, 2009, Arizona Attorney General Terry Goddard’s office requested information about the breach from Health Net, also noting the time between the breach and when affected persons were notified. It is critical that an organization’s Privacy Officer be prepared to respond to these inquiries, with the assistance of internal or external counsel when appropriate.

A breach of personal information, particularly one of this size, reminds us of the need for companies to take steps to implement policies and practices that safeguard sensitive personal and company confidential information. The first step is to appoint a person to spearhead a data breach response– typically the Chief Privacy or Information Officer. Among the duties and responsibilities of a Privacy Officer is being the company’s first line of defense when responding to a data breach, including directing the investigation of the breach, coordinating the notification process, addressing the concerns of affected persons and responding to government agency inquiries. For a sample Privacy Officer job description, click here.  

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Continuing our thoughts on how disclosures of private or confidential information may adversely impact the institution and the persons affected by such disclosure, we now focus on something near and dear to lawyers’ hearts: paper shredding.

Many businesses regularly shred documents they no longer need to protect them from disclosure. While this may secure the information contained in those documents, an additional concern exists for HIPAA-covered entities, such as hospitals, medical providers or their business associates. Often, those documents might consist of old medical records, charts, notes, or other information containing protected health information (“PHI”) specifically protected from disclosure under HIPAA.  

Shredding frequently is done by outsourced vendors.  They shred what is provided to them and then resell it as fill, packaging material or for other recyclable-type uses. But shredding alone may not be sufficient to secure data under HIPAA. This can cause a HIPAA headache, as suggested by recent occurrences overseas.  A gift-wrapping company owner in England discovered protected health data (including names of patients) from a local hospital on the shredding she used for work. In another situation being investigated by British authorities, an outsourced medical transcription company in India disclosed shredded health data. Although those situations occurred abroad, they could just as easily happen in the U.S., or occur outside the U.S. but affect information involving U.S. citizens.

If a data breach is discovered by the unauthorized disclosure of PHI through shredding or otherwise, under the American Recovery and Reinvestment Act of 2009 (“ARRA”), covered-entities and business associates must notify those affected by the disclosure of unsecured PHI within 60 days after a breach. If the breach involves disclosure of PHI for over 500 persons, a covered-entity and/or a business associate must also notify Department of Health and Human Services and the media. “Unsecured” under ARRA means any data not rendered unusable, unreasonable or indecipherable. Thus, an individual’s name legible on a snippet of shredded paper together with some health information may be enough to trigger ARRA’s disclosure requirements and constitute a HIPAA violation. For more information about data breaches under HIPAA, click here.

We therefore remind HIPAA-covered entities to ensure that their vendors are compliant with the HIPAA security requirements, that they have appropriate business associate agreements where necessary, and that they actively monitor compliance with those agreements.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Based on recent events, the University of East Anglia likely will agree that data privacy and security requires a comprehensive approach, as data breaches are not limited to incidents involving personal information and identity theft. In fact, the effects of a breach to an organization's information systems involving confidential company information can be far worse on the organization as a whole than if the breach involved personal information.

Take, for example, a report by The New York Times reporter Lauren Morello concerning a breach involving thousands of emails and documents of the Climatic Research Unit (CRU) at University of East Anglia. Apparently, hackers obtained and posted on the Internet emails and documents calling into question some of the positions about climate change and global warming held by the CRU. Whatever the truth or perception of the information contained in the posted emails and documents, the CRU surely is in an uncomfortable position of having to defend its statements and address their context. 

Last month we reported a data breach involving personal information of a different kind - ethics investigations of members of the United States Congress. Again, while not the kind of personal information that would lead to identity theft, or require notification be sent to the affected individuals, it is the kind of information that could have significant adverse consequences for the institution and the persons affected.

For this reason, organizations need to address "information risk" on an organization-wide basis, making sure that their written information security programs take into account how information of any kind, maintained in any medium by the organization, can, if misused, caused the organization harm. While remedies may be available through the criminal justice system or civil litigation under such laws as the Computer Fraud and Abuse Act, avoiding the breach in the first place obviously is preferred.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

“Cloud computing” takes many forms, but, fundamentally, it is a computer network system that allows consumers, businesses, and other entities to store data off-site and manage it with third-party-owned software accessed through the Internet. Files and software are stored centrally on a network to which end users can connect to access their files using computers that are less powerful and sophisticated than those we use today.  This technology reduces the need for expensive multiple servers and PCs with enough capacity to store massive data and application files. Some believe the PC of the future will need simply the capacity to connect to a web browser for the user to access his or her applications and files.

For more information on how cloud computing works, click here. For information on the FTC investigation of cloud computing, click here.

If you are not already computing in a cloud, you likely will be hearing more about “cloud computing” soon. Last month, for example, the City Council for the City of Los Angeles voted to move city employee e-mail and other applications from city computer networks to a cloud service provider – in this case, Google Inc. City officials cite significant cost savings (which they estimate to be in the millions) as one of the reasons for the switch. They acknowledged that concerns over data privacy, security and management remain.

We’ll agree that significant cost savings can be achieved through, among other things, reduced infrastructure. Questions and concerns many have with cloud computing, however, relate to the privacy, security and management of the information in the cloud. These include:

• What if the cloud starts to rain – a cloud computing data breach – who is responsible for notifying affected persons (and bearing the costs)?
• Which company owns the data placed in the cloud?
• If the data in the cloud is employee e-mail, is the employer still permitted to access and monitor email communications? Will new policies/notices be needed?
• Will company proprietary information be safe?
• Who has access to the data? Who should have access?
• Is the cloud service provider a business associate under HIPAA, prepared to comply with the HITECH Act? What other legal compliance requirements are there?
• Do we still need to maintain a back-up of data in the cloud?
• Where is the data stored? Is it in the United States, or in a foreign country subject to different data security standards? Does one location as opposed to another provide better access or security? What if data is stored in multiple places, will we be able to locate what we need when we need it?
• How big is the cloud? How much can we store?
• What if the cloud goes down? How do we get our data and access the applications needed to run our business?
• How do we move between clouds? Can our data be held captive when contract negotiations fall through?
• Can we put our clients’ data in the cloud? Do we have to tell them where it is?
• What happens to the data if the cloud service provider or the cloud customer goes out of business?
• Will applications in the cloud work the same way, be as flexible, and respond with the same speed as those on current PCs?

Organizations such as the Cloud Security Alliance have been formed to grapple with some of these issues. Indeed, the City of Los Angeles has had to respond to some of these concerns. So, while cloud computing may yield substantial cost savings and appear tempting, these and other questions and concerns should be addressed before moving in that direction.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The Baltimore Sun reports that Baltimore police are investigating a security breach at Mercy Medical Center that left certain patient records open to possible identity theft. According to the article, affected former patients were sent a letter informing them that their personal patient records may have been accessed by a former employee in order to apply for credit cards and loans. A Maryland state law that became effective in 2008 would require Mercy Medical Center to notify these individuals promptly in the event of such a breach. 

This case is yet another example of personal information being accessed for improper purposes by hospital staff and demonstrates the need for hospitals to establish strict privacy controls and notification procedures.

• Email This
• Print
• Comments (1)
• Trackbacks
• Share Link

Today, Connecticut Attorney General Richard Blumenthal announced his office will investigate a data breach that occurred in late August that affected approximately 18,817 Connecticut health care professionals. The American Medical Association reported earlier that this breach involved the personal information, including Social Security numbers, of an estimated 850,000 physicians nationwide. What is most troubling about this breach is that it probably was avoidable.

Like many data breaches, this one involved a stolen laptop, in this case from the employee’s car. However, as NewsTimes.com reported, despite the employer’s encryption policy, the employee downloaded the file to a laptop, without the required encryption, in order to work from home.

Even the best firewalls and other technology-based information system protections cannot save us from ourselves. It was possible here that not only did the employee violate the company’s encryption policy, but he or she also may have exercised poor judgment in leaving the laptop in a car. The ease with which employees acquire, handle and transport massive amounts of sensitive personal information make it critical that businesses ensure their employees have greater awareness of the sensitivity of this information and receive regular training about how to be more cautious handling it. This should be a part of any written information security plan. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Joining the growing number of states which have enacted laws regulating the destruction of records to prevent possible identity theft, the Rhode Island Legislature passed H. 5092 on October 29, 2009. The bill requires businesses and government agencies to completely destroy records containing personal information, or render the personal information unusable, before disposing of records whether in electronic and paper form. Not surprisingly, H. 5092 comes on the heels of Texas’s Attorney General settling related violations for nearly $1,000,000 with Select Medical, and over $600,000 with Radio Shack.

As with most legislation of this nature, including the FTC’s data disposal rule, the law provides two means by which covered entities may destroy records: either by modifying the personal data to make it entirely unreadable or indecipherable through any means, or by taking reasonable steps to shred, erase, or otherwise destroy records. The bill also exempts certain covered entities whose destruction practices are covered by federal law or who contract with data disposal firms (who would be subject to the data disposal law). The need for such measures is further underlined by the overzealous office workers who used documents containing personal information as “confetti” during the New York Yankees World Series parade. 

Underlying the consequential nature of proper destruction, this bill permits individuals to sue to recover actual damages, and permits the state attorney general to seek fines or sue on behalf of individuals, with each record not properly disposed of being counted as a separate violation.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

In another recent example of a law firm running afoul of privacy requirements in litigation (See also the discussion of Kim v. St. Elizabeth’s), U.S. District Judge Michael Davis recently assessed a $5,000 sanction against the law firm for electronically filing an affidavit that contained the Social Security numbers and dates of births of 179 people. Engeseth v. County of Isanti, No. 06-CV-2410 (D. Minn.), Oct. 20, 2009. The court’s order was premised on Rule 5.2(a) of the Federal Rules of Civil Procedure which states that filings in federal court may only include the last four digits of an individual’s social security number or taxpayer identification number. Judge Davis noted that: 

The Court is deeply concerned with the harmful and widespread ramifications associated with negligent and inattentive electronic filing of court documents. Although electronic filing significantly improves the efficiency and accessibility of our court system, it also elevates the likelihood of identity theft and damage to personal privacy when lawyers fail to follow the federal and local rules. 
(emphasis added)

In addition to the $5,000 sanction, Judge Davis required the plaintiff’s law firm to pay the costs associated with preventing identity theft for the 179 harmed individuals including informing the individuals and paying the costs of FICO standard services consisting of a credit report and a 12-month subscription to FICO Quarterly Monitoring.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

As shown by a recent Illinois appellate court decision, Kim v. St. Elizabeth's Hosp., Ill. App. Ct., No. 5-08-0571, (Oct. 23, 2009), the patchwork of federal and state protections for certain types of information has made the process of responding to subpoenas more difficult. This is particularly the case with medical records.

Based on an Illinois law providing special protections for mental health records known as the Illinois Mental Health and Developmental Disabilities Confidentiality Act, the plaintiff in this case sued the hospital and her former husband’s law firm alleging the impermissible release of her mental health records in connection with a prior divorce action.

Absent an authorization from the individual, the Illinois Act prohibits any third party, including medical providers, from responding to a subpoena for mental health records unless the subpoena is accompanied by a written court order authorizing the disclosure. This requirement may be surprising to some, who assume that a subpoena is, itself, a request from the court. The law also prohibits the use of mental health records in litigation unless a judge makes certain findings after a review of the records.

In this case, the husband’s law firm served a subpoena on the health care provider seeking “any and all records regarding the care and treatment of” the plaintiff. While the appellate court wrestled with some procedural issues involving the lower court’s rulings, it held that the matter had not been fully considered and there could very well have been a violation of the Illinois law restricting the disclosure of certain mental health records.

This decision highlights the complicated tensions that arise in every state and federal court when medical records or other private information is requested during discovery. It also should be a reminder for hospitals and all other entities receiving requests for information to exercise the appropriate due diligence before responding.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Yesterday, the U.S. Senate Judiciary Committee again approved two pieces of legislation that would require certain entities to safeguard personal information and notify individuals of breaches of that information. Over the last few years, similar legislation made it out of various Committees, but failed to go any further. Could this time be different?

The Committee voted in favor of the Personal Data Privacy and Security Act of 2009 (S.1490) and the Data Breach Notification Act (S.139), sponsored by Senators Patrick Leahy and Dianne Feinstein, respectively.  In its current form, S. 1490 would require that covered entities, among other things, perform risk assessments, limit access to sensitive information, train their work force, and require vendors by contract to implement appropriate safeguards. The Data Breach Notification Act would establish a national standard for federal agencies and businesses engaged in interstate commerce to report data breaches.

There are a number of circumstances that suggest this legislation is more likely to move forward than in years past:

• The Judiciary Committee approved both measures by significant majorities.
• The number of data breaches and complaints about them continue to mount.
• Congress recently had its own data breach (reported here), affecting personal information not likely to lead to identity theft, but which could hurt some members' reelection efforts.
• The change in administration which arguably is more focused on privacy concerns given the push for electronic health records.

Stay tuned. . . 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

In good and not-so-good economic times, the on-boarding process – recruiting, application, hiring and orientation – is critical for employers to attract and welcome new talent. In recent years, technology has enabled employers to perform all or a part of this process on-line, significantly increasing efficiency and reducing costs. Moving to a web-based on-boarding system, however, raises many workplace challenges and considerations, including the privacy, security and management of personal data collected in the process.

Following are some of the key challenges and considerations employers should think about when moving to electronic on-boarding:

• Can the on-line process be the exclusive method for applying and on-boarding? Consider, for example, applicants who cannot access or view the site because of a disability.
• Are there laws limiting the personal information that may be collected from applicants? See, for example, Utah Employment Selection Procedures Act discussed in our article and the Utah law. 
• How must personal information collected during the process be safeguarded, retained, preserved, and ultimately destroyed? A recent class action was filed alleging failure to safeguard on-line job application information. 
• Is the process subject to collective bargaining?
• Are there special rules for government contractors? See Office of Federal Contract Compliance Programs (OFCCP) guidance. 
• Are on-line consents for fitness-for-duty examinations, background checks, and drug testing valid? Can non-compete agreements be executed electronically?
• Are there any specific issues/disclosures for public sector employees/applicants?
• Can the I-9 verification/e-verify process be completed on-line?
• Do the rules change for applicants from other countries?
• If an applicant is hired, how does collected information about the person transfer accurately and securely for benefit plan enrollment, payroll, personnel, and other purposes?
• Has the on-boarding vendor been vetted and shown capable of safeguarding personal data and preserving the integrity of that data? Where is data stored by the vendor? Are appropriate contract provisions in place?
• Can benefit plan enrollment forms be completed on-line?
• Can handbooks and benefit plan documents be provided on-line as part of the on-boarding process? See ERISA electronic disclosure regulations.

Employers implementing an electronic on-boarding process will certainly realize significant savings of time and money. However, those savings can be short-lived if the on-line process is not designed to address the risks inherent in the new medium.
 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The Washington Post is reporting another inadvertent disclosure of sensitive information involving "peer-to-peer" or "P2P" technology. This time, the disclosure exposed a House Ethics Committee document outlining ongoing ethics investigations for an uncomfortably large number of House members. The same technology raises serious issues for employers.

According to the Washington Post, the now-terminated, junior committee staff member saved a copy of the document summarizing the ethics investigations to her personal computer where her peer-to-peer file-sharing software allowed it to be shared.

Besides the difficult political questions that are sure to follow, this incident makes clear that strong data security requires more than a strong firewall and encryption. Administrative policies, training and vigilance are essential, particularly where working remotely and from home is the norm.

• Email This
• Print
• Comments
• Trackbacks
• Share Link