Attorney General Securing Personal Data in Indiana

Posted on August 6, 2010 by Jason C. Gavejian

Indiana recently enacted a new law which grants authority to the Indiana Office of the Attorney General's Identity Theft Unit to obtain and secure abandoned records with personally identifying information, including health records, and either destroy them or return them to their owners. Additionally, the new law sets fines and other legal ramifications for violations of the law by health care providers or licensed professionals who leave such records unsecured in violation of state law. In fact, the Attorney General has already utilized this authority to obtain personal records from four entities. 

This additional grant of authority to the Indiana Attorney General, is in addition to the authority previously granted by the Health Information Technology for Economic and Clinical Health (HITECH) Act to enforce the privacy and security protections of HIPAA for protected health information. As we have previously discussed, the Connecticut Attorney General has filed a civil action against Health Net, as well as instituted an investigation against Griffin Hospital for violations of HIPAA. 

The Indiana statute, as with the authority granted to Attorney Generals under HITECH, highlight the need for companies to develop and implement comprehensive data security polices to secure their records. 

Tags: , , , , , , , , , ,

Dealing with Data Breaches: Health Net Suit Highlights Need for Effective Security Incident Procedures and Training

Posted on February 2, 2010 by Jason C. Gavejian

As we have discussed before, data breach notification is one of the most rapidly emerging areas of law. Good security incident procedures as well as effective training can help avoid the risk of data breach. (Sample data breach training). 

A case in point: Connecticut's Attorney General has filed a civil action against Health Net of the Northeast Inc. (“Health Net”) for failing to secure approximately 446,000 individuals’ patient information on a missing portable computer disk drive, and for failing to provide prompt notice of the breach. Among other things, the suit alleges Health Net violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, when it failed to provide prompt notice, failed to encrypt the data, failed to provide for and implement appropriate policies to safeguard the information, and failed to supervise and train its workforce on safeguarding protected health information and personal information. 

As this suit demonstrates, state Attorneys General will use the authority granted by HITECH to enforce the privacy and security protections of HIPAA for protected health information, as many breaches involving such information may not be covered by state data breach laws. Such enforcement will only add to the cost of a data breach, which, according to the 2009 Ponemon Institute Annual Cost of a Data Breach study, continues to rise.

While a company’s first line of defense always should be a comprehensive data security policy, preparation should include an effective security incident procedure. Several key questions, some of which will form the foundation for any good security incident procedure, must be answered immediately following a breach: 

  • How did the breach occur?
  • Are measures in place to contain the breach?
  • What information was compromised? 
  • Whose information was compromised?
  • Will the local authorities be alerted?
  • What potential breach notice laws are implicated?
  • Does notice of the breach have to be provided?
  • If so, to whom and how will notice be provided?
  • Does the company have applicable insurance to cover the notification process?
  • Will any monitoring service be provided for affected individuals?
  • Are measures in place for public relations implications?

However, a security incident procedure is only as strong as the awareness you create among your employees as to what constitutes a data breach and who to notify in the event of a possible breach. Therefore, in addition to an effective security incident procedure, it is essential that training, like the sample above, be provided to employees on a regular basis.   

Tags: , , , , , , , , ,

Data Security, Destruction and Encryption Leads the Way for States in 2010

Posted on January 26, 2010 by Jason C. Gavejian

Less than one month into 2010 the trend to address data security, destruction, and encryption has continued among state lawmakers. Specifically, Florida, Michigan, Kentucky, Kansas, Pennsylvania, and New York all have introduced, reintroduced, or amended legislation of this kind. 

  • The Florida and Michigan laws would amend personal data destruction rules for companies.
  • The New York law would mandate data security and encryption measures.
  • The Kentucky bill would require government agencies to protect all personal data under the Gramm-Leach-Bliley Act.
  • The Michigan bill includes a state version of the Federal Trade Commission's Red Flags Rule and would require creditors in the state to implement programs aimed at spotting “red flags” of possible identity theft and put in place mitigation measures. Michigan is also considering a number of other measures. 
  • The Kansas law would require state agencies to engage in periodic network security reviews.
  • The Pennsylvania bill would require public agencies to notify state residents of a breach of their personal information within seven days of the discovery of the breach.

While 5 states remain without data breach notice bills (Alabama, Kentucky, Mississippi, New Mexico, and South Dakota), Congress is considering legislation, the Data Accountability and Trust Act (DATA) (H.R. 2221), that would preempt all state notification laws and instead establish a national breach notice standard.

As we have previously mentioned, we anticipate data privacy and security legislation and case law to be at the forefront of legal issues in 2010. Employers should begin by reading the Data Security Primer and consider implementing comprehensive data security policies and procedures that would allow them to comply with the various state laws that may impact their business. 

While we have highlighted the main points of each of the proposed laws, a more detailed analysis of the laws put forth in Michigan, Florida, and New York is set forth below. 

Michigan

The new Michigan data destruction bill would ease existing personal data disposal requirements outlined in the state's Identity Theft Protection Act mandating that companies and agencies removing information from a database destroy only “unencrypted, unredacted personal information” and only such personal information related to state residents.

Another bill would require businesses with 50 or more employees that are “engaged in extending credit in the form of covered accounts to residents of this state” to implement and identity theft mitigation programs similar to those required under the federal Fair and Accurate Credit Reporting Act Red Flags Rule.   Companies that have complied with the federal Red Flags Rule would be exempt from the state law.

Michigan is also considering various other measures which would establish an Identity Theft Commission; make technical changes to the law; add misleading a law enforcement or court official about one's identity to the list of violations of the law; and authorize the state attorney general to seek civil fines of up to $10,000 per incident for identity thieves.

Michigan is also considering a bill which would make businesses and agencies that adopt comprehensive data security safeguards to protect personal data in any form immune from civil liability for damages due to data breaches. The proposed law would provide breach liability immunity in an effort to encourage entities to adopt such safeguards.

Florida

Florida has introduced bills (S.B. 586 and H.B. 279) which would require companies to follow federal guidelines when disposing of personal data. The bills would require businesses and government agencies to follow the “Guidelines for Media Sanitization” set by the National Institute of Standards and Technology to make all personal data disposed of by companies and agencies inaccessible. In addition, state agencies would also be required to submit samples of allegedly sanitized storage media to an independent third party vendor to verify the destruction of the personal data. 

New York

A New York data security bill would establish a general encryption standard as a safe harbor for entities seeking to avoid giving breach notice to individuals under the state's data breach notice law. The bill, would also require businesses and state agencies to: Implement and maintain reasonable security safeguards, appropriate to the nature of the information, to prevent unauthorized access to or unauthorized destruction, use, modification, or disclosure of the private information.

Unlike the data security regulations issued under Massachusetts breach notification law, the N.Y. bill does not authorize the promulgation of rules, but rather sets out the encryption standard in the text of the proposed law.The bill would also mandate notification of certain breaches to the state attorney general. Another New York bill would provide tax breaks for businesses that invest in data security.
Tags: , , , , , , , , , , , , , ,

Health Net's Data Breach Highlights Need for Privacy Officer with Clear Job Description

Posted on December 3, 2009 by Jason C. Gavejian

Co-Author:  Joseph J. Lazzarotti, Esq.

Health Net Inc., one of the nation’s largest publicly traded managed health care companies, recently notified authorities and informed affected persons, with a statement on its website, that the unencrypted personal information of 1.5 million current and former members, stored on a portable disk drive, is missing from the company's Connecticut office. The company is now working to send written notices to affected individuals in four states—Arizona, New York, New Jersey and Connecticut.

Coordinating a data breach response, responding to the questions and complaints of affected persons, and negotiating with vendors to provide monitoring services are time-consuming, tedious tasks that require a strong sense of an organization’s public image, good judgment and excellent communication skills. Having the right person to drive this effort internally is critical. 

Additionally, companies that experience data breaches increasingly are becoming subject to federal and state agency inquiries. In this case, at least two states have announced investigations. Connecticut Attorney General Richard Blumenthal said his office will investigate the loss of the portable disk drive that he believed held the unencrypted health, personal, and financial information of some 450,000 Connecticut residents. Blumenthal also vowed to probe a six-month lag in notifying affected individuals of the breach. In a letter dated November 19, 2009, Arizona Attorney General Terry Goddard’s office requested information about the breach from Health Net, also noting the time between the breach and when affected persons were notified. It is critical that an organization’s Privacy Officer be prepared to respond to these inquiries, with the assistance of internal or external counsel when appropriate.

A breach of personal information, particularly one of this size, reminds us of the need for companies to take steps to implement policies and practices that safeguard sensitive personal and company confidential information. The first step is to appoint a person to spearhead a data breach response– typically the Chief Privacy or Information Officer. Among the duties and responsibilities of a Privacy Officer is being the company’s first line of defense when responding to a data breach, including directing the investigation of the breach, coordinating the notification process, addressing the concerns of affected persons and responding to government agency inquiries. For a sample Privacy Officer job description, click here.  

Tags: , , , , , , , , , ,