Workplace Privacy, Data Management & Security Report : Privacy Lawyers & Attorneys : Jackson Lewis Law Firm : Data Security, HIPAA & Confidentiality Issues

In distinct efforts to strengthen data security requirements, the California and Massachusetts legislatures recently passed bills affecting data breach notification requirements and data security notification, respectively.  

On April 14, 2011, the California senate approved S.B. 24, requiring California businesses and agencies to notify the state attorney general if more than 500 California residents are notified of a data breach. The California bill also would require certain information be included in the notices.

While similar attempts to modify California’s data breach law have been vetoed by then-Gov. Arnold Schwarzenegger (R), the state’s new governor, Edmund G. “Jerry” Brown, Jr. (D) may likely sign S.B. 24. The bill also would amend the substitute notice provisions for breaches to require placing a notice that a breach has occurred on the business’s website and in major statewide media and notifying the California Office of Privacy Protection. 

While California’s current breach notice statute does not specify the information that must be included in an individual breach notification, S.B. 24 would mandate the notice include, among other things, the type of information breached, the time of the breach, and a toll-free telephone number of major credit reporting agencies.

On April 13, 2011, Massachusetts H.B. 3360 was referred for committee consideration. Under the bill, vendors of photocopiers in Massachusetts that fail to adequately notify purchasers of potential data security risks would be subject to a civil fine of up to $50,000 and could be sued by customers whose personal information is subsequently compromised.  Also, Massachusetts businesses that sell photocopiers must tell customers if a particular machine is equipped with a hard drive capable of retaining information from copied documents. Vendors must provide a notice stating that "the photocopier does or does not contain an eraser that deletes and destroys any previously captured picture from the copier's hard drive.” The notice must “inform the user of the risk of retention of such private data or images.” In addition, if a machine is such a “digital copier,” the vendor also must place a “conspicuous,” written data-security warning on the top of the copier.

H.B. 3360 also authorizes the state attorney general to enforce the law by filing a civil action seeking a fine of up to $50,000. Additionally, the bill would permit a lawsuit by customers who did not receive the required notification and warnings and whose private data was subsequently “misused.”

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Written by Keturah Martin

Continuing the trend of significant enforcement of data privacy and security laws by federal and state agencies across the nation, the Office of the Massachusetts Attorney General (AG) has settled a lawsuit against Boston-based Briar Group LLC for $110,000, according to a press release issued by that AG’s office on March 28, 2011.

See complaint and final judgment.

As we reported in prior posts, the U.S. Department of Health and Human Services (HHS) recently imposed a $4.3 million fine on a Maryland health care provider for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and days later entered into a $1 million settlement with a Massachusetts hospital that allegedly breached patient data. The recent enforcement activity of the HHS and the Massachusetts AG confirms that employers nationwide need to be as cognizant of the data privacy and security laws that apply to their operations as the government.

In its press release, the Massachusetts AG’s Office stated that the Briar Group, which owns and operates a number of bars and restaurants in the Boston area, “failed to take reasonable steps to protect its patrons’ personal information, thereby putting the payment card information of tens of thousands of consumers at risk.” The initial lawsuit filed by the AG’s Office stated that the Briar Group experienced a data breach in April 2009, in which hackers accessed customers’ credit and debit card information, but did not take steps to remove the software which allowed the hackers access to the company’s computer systems until December 2009, six months later. The lawsuit also outlined various other ways in which the company failed to properly safeguard its customers’ personal information, including:

• Failing to change default usernames and passwords on point-of-sale computer systems;
• Allowing multiple employees to share common usernames and passwords;
• Failing to properly secure its remote access utilities and wireless network; and
• Continuing to accept credit and debit card account information after knowing of the April 2009 data breach.

In addition to the monetary payment, the terms of the settlement require the company to “develop a security password management system and implement data security measures to comply with Payment Card Industry [PCI] Data Security Standards [and] state data security regulations, including implementation, maintenance, and adherence to a Written Information Security Program.”

This recent activity by the Massachusetts AG’s Office, along with HHS’s latest actions, should be motivation to employers to put in place the policies and procedures required by applicable data security and privacy laws. For those who have already taken steps toward conformity with the relevant laws, this should prompt a review of current policies and procedures to ensure the thoroughness of those policies and that they are being followed. For example, employers subject to HIPAA should have policies and procedures that address the management of protected health information of its constituents. Employers who employ Massachusetts residents or who maintain the personal information of Massachusetts residents are well advised to implement and follow a comprehensive WISP governing the storage, access, transmission and other forms of handling those individuals’ personal information.
 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

In a uniquely timed second showing of enforcement authority, the Department of Health and Human Services (HHS) announced on February 24, 2011 a one million dollar settlement with a Massachusetts hospital that allegedly breached patient data.  This settlement announcement comes only days after HHS announced a 4.3 million dollar HIPAA Privacy Rule fine.  The Massachusetts hospital settlement resulted from a hospital employee who took home documents containing sensitive personal information on patients. The employee then lost those documents while commuting to work.  

While the settlement did not include an admission of liability, in addition to the monetary settlement, and submitting to HHS oversight, the hospital must also adopt more stringent privacy practices and retain an independent security and privacy monitor. The investigation of the incident found the hospital failed to implement reasonable and appropriate standards to protect the privacy of patient information removed from the facility.  Under the settlement, the hospital must present new privacy and data security administrative, physical, and technical safeguards policies and procedures for HHS approval. Specifically, these policies and procedures must address the physical removal and transportation of protected health information and encryption of portable storage devices.  Despite a general prohibition on employees physically removing protected health information from the hospital,  HHS permitted an exception when the information is removed by an employee to perform his or her job duties.  Additionally, the hospital must implement training for all employees.  

This settlement, when considered with the 4.3 million dollar fine, likely signals how HHS will approach future enforcement actions.  In light of this, covered entities must seriously examine their privacy and security obligations, including implementing appropriate policies and procedures regarding the safeguarding of information.

 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Beginning March 1, 2010, businesses will be required to safeguard from identity theft and other dangers personal information about Massachusetts residents under a “written information security program” or WISP. Similar requirements exist in other states around the country, although those requirements generally are not as comprehensive as those becoming effective in the Bay state.

Our complimentary webinar is designed to help employers and businesses become compliant. The program will cover:

• the emergence of data security mandates across the country,
• the Massachusetts approach to data security – breach notification, data destruction, the nuts and bolts of the identity theft/data security regulations, and
• best practices when creating a WISP.

We hope you enjoy the webinar.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Recent state law developments will affect whether and to what extent certain employers can conduct credit and criminal background checks on employees and applicants. Employers, particularly multi-state employers, should be sure to review these new requirements and adjust their practices accordingly.

Massachusetts

The Commonwealth has changed how employers access and use criminal offender record information ("CORI") under a new law signed by Governor Deval Patrick on August 6, 2010. Among other things, the new CORI law bans the use of questions about criminal history on written employment applications. This ban becomes effective November 4, 2010. The law also creates a new method and database for employers to access criminal records, replacing the current procedure with the Criminal History Systems Board. This becomes effective in May 2012.

(more information about this change)

Illinois

Illinois employers will have a tougher time conducting credit checks on applicants and employees and using the information for employment purposes beginning January 1, 2011. The state’s new Employee Privacy Act (House Bill 4658), signed by Governor Pat Quinn on August 10, 2010, prohibits all but a handful of employers from:

1. inquiring into an applicant’s or an employee’s credit history;
2. ordering a credit report on an applicant or employee from a consumer reporting agency; or
3. taking any adverse employment action (such as refusing to hire) because of the individual’s credit history or credit report.

An aggrieved individual can bring a private cause of action in state court to enforce the Act and can seek injunctive relief and damages as well as costs and attorneys’ fees.
 

(more information about this change)

Oregon

Oregon employers’ ability to conduct credit checks and use the information for employment purposes has been significantly restricted since July 1, 2010, but the implications of this law extend well beyond state borders. With limited exceptions, Oregon Senate Bill 1045 prohibits employers from considering for employment purposes any information that bears on a consumer’s creditworthiness, credit standing or credit capacity, unless such information is substantially related to the individual’s current or potential job. Employers who believe credit information meets this job-related standard must provide the employee or applicant the reasons for their determination in writing.

(more information about this change)

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The Massachusetts Office of Consumer Affairs and Business Regulations (OCABR) announced on November 4, 2009, the filing of final regulations (pdf) with the Secretary of State’s office, the final step before the regulations take effect March 1, 2010.

The final regulations differ slightly from the version of the regulations issued in August 2009, which made significant revisions to the earlier version of the rules.

OCABR clarified in the final regulations that:

• those who store personal information must comply, and
• until March 1, 2012, contracts with service providers will be deemed to satisfy the contract requirement, even if the contract does not require the service provider to maintain appropriate safeguards, as long as the contract was entered into no later than March 1, 2010. However, it is recommended that contracts with service providers be amended as soon as possible to require appropriate safeguards, as there may be similar requirements under federal or applicable state law (such as HIPAA or data security laws in Maryland, Oregon or Nevada). 

While the regulations have had a number of changes, the written information security program requirement remains, along with a number of other safeguards for personal information that require immediate attention. 

A checklist for the final regulations can be found here (pdf). 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Data privacy and security laws in states such as Massachusetts, Maryland and Nevada require businesses to develop written policies and procedures that provide administrative, physical, and technological safeguards to protect personal information - or a "written information security program" or "WISP." These laws do not require protections for confidential company information and trade secrets, but such information also warrants protection.

Failure to do develop a WISP can leave a business exposed.

Certain businesses also can lose a business advantage as individuals (clients, employees, dependents, and others) and business partners increasingly demand heightened security of their sensitive and personal information.

But where does a business start?

Don't wait any longer! Develop a plan by reading the Data Privacy Primer (PDF).

• Email This
• Print
• Comments
• Trackbacks
• Share Link