Workplace Privacy, Data Management & Security Report : Privacy Lawyers & Attorneys : Jackson Lewis Law Firm : Data Security, HIPAA & Confidentiality Issues

Prepared by Jason Gavejian and Joseph Lazzarotti

In honor of National Data Privacy Day, we have laid out 13 key issues affecting businesses in 2013. While the list is by no means exhaustive, it does provide critical areas businesses will need to consider in 2013.

1. BYOD. As advancements in technology continue at a breakneck pace, many businesses are confronted with the idea of implementing a Bring Your Own Device (“BYOD”) program. Under these programs, employees are permitted to connect their own personal devices to the company’s networks and systems to complete job tasks either in the office or working remotely. While BYOD programs have advantages, they also have associated risks. Developing a thorough implementation strategy with appropriate policies is critical.
2. Bans On Requesting Social Media Passwords. As we have previously discussed  fourteen states introduced legislation in 2012 which would prohibit employers from requiring current, or prospective, employees to disclose a user name or password for a personal social media account. Six states have passed and/or enacted such legislation and it is anticipated that other states will pass similar measures in 2013.
3. Final HIPAA Regulations. On January 17, 2012, the Office for Civil Rights released final privacy and security regulations under the Health Insurance Portability and Accountability Act. In addition to incorporating the HITECH Act which, among other things, expands the application of the rules to business associates, the final rules also apply the rules to subcontractors and remove the risk of harm trigger for data breaches affecting unsecured protected health information.
4. Disaster Recovery Plans. Hurricane Sandy caused extensive damage on the east coast in 2012, greatly affecting not only personal residences, but many businesses up and down the coast. Unfortunately, protecting information and technology assets from natural disasters and other emergencies is often an afterthought. However, developing a comprehensive disaster recovery plan now can avoid the significant expense, and often irretrievable loss of data, associated with natural disasters.
5. Develop a Plan for Responding to a Breach Notification. All state and federal data breach notification requirements currently in effect require notice be provided as soon as possible. Delays in notification viewed as unreasonable could trigger an inquiry by the state’s Attorney General, or in the case of HIPAA protected health information, the Office of Civil Rights. This is true even when the number of individuals affected is relatively small.
6. Investigating Social Media. As the use of social media continues to grow throughout the world, it is only natural that social media content is being sought to aid in litigation. While public content may generally be utilized without issue, if private content is accessed improperly, serious repercussions can follow. This is especially true for attorneys and their staff who attempt to aid their clients by accessing social media content.
7. International Data Protection. More and more company information is being stored in electronic format and shared with various corporate divisions through company intranets or email. While U.S. law requires some safeguarding of this information, international protections on personal information can be much more stringent. When the transfer of data across international borders is possible, or actively occurring, companies should be advised on the potential risks and requirements associated with same.
8. Develop a Written Information Security Program. Even if adopting a written information security program (WISP) to protect personal information is not an express statutory or regulatory mandate in your state, having one is critical to addressing information risk. Not only will a WISP better position a company when defending claims related to a data breach, but it will help the company manage and safeguard critical information, and may even help the company avoid whistleblower claims from employees. For some companies, a WISP can be a competitive advantage. Of course, in states like Massachusetts, Maryland, Oregon, Texas, Connecticut and others, a WISP in one form or another is required.
9. Risk Assessment. Many businesses remain unaware of how much personal and confidential information they maintain, who has access to it, how it is used and disclosed, how it is safeguarded, and so on. Getting a handle on a business' critical information assets must be the first step, and is perhaps the most important step to tackling information risk. You simply can’t adequately safeguard something you are not aware exists. And failing to conduct a risk assessment may subject the business to penalties under federal and/or state law.
10. Insurance. Like many other risks, information risk can be addressed in part through insurance. More carriers are developing products dealing with personal information risk, and specifically data breach response. This kind of coverage should be a part of any CIO, privacy officer or risk manager’s toolkit for safeguarding information.
11. Training. A necessary component of any WISP and a required element under most federal and state laws mandating data security is training. In addition to meeting compliance requirements, training employees and supervisors also will aid in defending any potential breach of privacy claim that may be asserted against the company.
12. Carefully Integrate New Technologies. As businesses look for new technologies to increase productivity, cut costs, and gain a competitive advantage, how those technologies address information risk must be a factor in the decision to adopt.
13. Watch for New Legislation. Today, managing data and ensuring its privacy, security and integrity is critical for businesses and individuals, and is increasingly becoming the subject of broad, complex regulation. As no national law requiring the protection of personal information has yet to be passed in the U.S., companies are left to navigate the constantly evolving web of growing state legislation. Companies therefore need to stay tuned in order to continue to remain compliant and competitive in this regard.

• Email This
• Print
• Comments (1)
• Trackbacks

The $50,000 in penalties that the Office for Civil Rights (OCR) recently imposed on a health care provider in Idaho was due in part to allegations that the HIPAA covered entity had not conducted a risk assessment as required under the HIPAA privacy and security regulations. Of course, HIPAA is not the only law that requires a risk assessment. State laws, such as the Massachusetts data security regulations, contemplate and require a risk assessment in order to establish reasonable safeguards for personal information.

In short, this process involves examining what information the organization maintains, the nature of that information, how it moves through the organization and to/from its vendors, and the organization's current set of safeguards in order to determine the vulnerabilities to that information in terms of privacy, security, accessibility and integrity. This process is critical to ensuring that privacy and security policies are appropriate for the organization. There are a number of resources to assist you in getting started - here are a couple:

• High level risk assessment power point
• HHS guidance concerning risk assessments under HIPAA 

Organizations that have performed risk assessements need to periodically re-evaluate their prior efforts based on changes in their business. So, whether your organization has not conducted a risk assessment, or it has been a few years since your last assessment, or there have been substantial changes in your business, this may be as good a time as any to make this a priority.

• Email This
• Print
• Comments
• Trackbacks

Today the White House issued a Cybersecurity Legislative Proposal. The proposed legislation focuses on protecting the American people, the nation’s critical infrastructure, and the federal government's computers and networks.  While legislation of this nature would simplify the breach reporting process for businesses, and overall streamline cybersecurity laws, a number of legislative attempts to do this have previously failed.  It is important to note that while this proposal sets forth some guidelines, the specific details of how each provision would be instituted are not yet clear

Our critical infrastructure – such as the electricity grid, financial sector, and transportation networks that sustain our way of life – have suffered repeated cyber intrusion, and cyber crime has increased dramatically over the law decade. The President has thus made cybersecurity an Administration priority. 

1.  To protect the American people, the proposed legislation calls for a national data breach reporting law which would simplify and standardize the existing patchwork of 47 state laws that contain these requirements. Additionally, the proposal calls for penalties for computer criminals and clarifies the penalties for computer crimes, synchronizes them with other crimes, and sets mandatory minimums for cyber intrusions into critical infrastructure.
2. To protect our nation’s critical infrastructure the proposal calls on legislative changes to fully protect this infrastructure. Specifically, proposal will enable the Department of Homeland Security (DHS) to quickly help a private-sector company, state, or local government when that organization asks for its help. It also clarifies the type of assistance that DHS can provide to the requesting organization.

Additionally, the proposal permits businesses, states, and local governments to share information about cyber threats or incidents with DHS. To fully address these entities’ concerns, it also provides them with immunity when sharing cybersecurity information with DHS. At the same time, the proposal mandates robust privacy oversight to ensure that the voluntarily shared information does not impinge on individual privacy and civil liberties.

Further, the proposal emphasizes transparency to help market forces ensure that critical-infrastructure operators are accountable for their cybersecurity.

Finally, the proposal requires DHS to work with industry to identify the core critical-infrastructure operators and to prioritize the most important cyber threats and vulnerabilities for those operators. Critical infrastructure operators would then take steps to address cyber threats, develop risk mitigation plans, and permit DHS to modify the processes which are implemented if they are insufficient. 

3.  To protect federal government computers and networks the legislative proposal includes: an update to the Federal Information Security Management Act (FISMA) as well as formalizing DHS’ current role in managing cybersecurity for the Federal Government’s civilian computers and networks, in order to provide departments and agencies with a shared source of expertise; giving DHS more flexibility in hiring highly-qualified cybersecurity professionals; the permanency of DHS’s authority to oversee intrusion prevention systems for all Federal Executive Branch civilian computers while codifying strong privacy and civil liberties protections, congressional reporting requirements, and an annual certification process; and preventions on states requiring companies to build their data centers in that state, as opposed to in the cloud, except where expressly authorized by federal law.

The Administration’s proposal also attempts to ensure the protection of individuals’ privacy and civil liberties through a framework designed expressly to address the challenges of cybersecurity. Some of these provisions include: requiring federal agencies (and likely federal contractors) to follow privacy and civil liberties procedures; limitations on monitoring, collecting, using, retaining, and sharing of information; requiring efforts to remove identifying information unrelated to cybersecurity threats; as well as immunity provisions for those business which comply with the proposal’s requirements.  

As the proposal concludes: 

Our Nation is at risk… [t]he Administration has responded to Congress’ call for input on the cybersecurity legislation that our Nation needs, and we look forward to engaging with Congress as they move forward on this issue.

• Email This
• Print
• Comments
• Trackbacks

Acknowledging the need "to help states combat the growing threat of business identity theft," the National Association of Secretaries of State (NASS) announced on April 18, 2011, the formation of a "Business Identity Theft Task Force." The focus of this task force is to assist states (not necessarily private business) with combating business identity theft in areas such as "the types of technology used by states in housing business documents, solutions for securing state business filing information and records, and key partnerships/liaisons for conducting outreach."

However, this action by the NASS highlights a growing problem for small and medium sized businesses: 

"With the downturn in the economy, the newest victims of identity theft are small and medium-sized businesses, including dormant or inactive companies," said NASS President Mark Ritchie of Minnesota, who serves on the task force. "As the state officials who oversee business registrations and corporate filings, secretaries of state have come together to educate business owners on how they can reduce their chances of falling prey to identity thieves and to explore safeguards for state filing systems." 

Identity thieves are not just attacking state filing systems, so businesses need to take steps of their own to safeguard not only personal information of customers, employees and others, but also the businesses' corporate and financial data. Many of the same principles that apply in the safeguarding of personal information also would apply to safeguarding the information of the business. Two critical steps in this process are conducting a risk assessment and developing a written information security program.

• Email This
• Print
• Comments
• Trackbacks

Contributed by: Richard Greenberg

Pursuant to the Fair Credit Reporting Act (pdf), the Federal Trade Commission has promulgated three notices (pdf): (i) A General Summary of Rights; (ii) A Notice to Furnishers of Information to Consumer Reporting Agencies; and (iii) A Notice to Users of Consumer Reports (such as employers). In late August, the FTC proposed revisions to the three current forms.

General Summary of Rights

The proposed revised General Summary of Rights, which needs to be provided by an employer if a pre-adverse action notice is issued, incorporates notice of the individual's rights to contest the accuracy of information contained in a consumer report not only with the consumer reporting agency but also the entity that furnished the information to the consumer reporting agency. The proposed notice also is more streamlined and unlike the current notice refers to various government websites from which relevant information can be accessed rather than listing all relevant federal agencies responsible for the enforcing the FCRA.

Notice to Furnishers

The proposed Notice to Furnishers incorporates the recently imposed obligations on data furnishers to establish policies and procedures to ensure the accuracy of information provided to consumer reporting agencies, as well as the obligation to address disputes regarding accuracy raised by the subject of the report with the data furnisher.

Notice to Users

The proposed Notice to Users, which is provided by a consumer reporting agency to an employer along with an End User Certification, incorporates additional obligations imposed on users by, among others, the FTC's Address Discrepancy and Medical Information rules.

The proposed notices are now subject to a public notice and comment period. 

• Email This
• Print
• Comments
• Trackbacks

The most frequent question we hear from clients who want to develop or tighten their data privacy and security policies and procedures: Where do we start?

In most cases, the first step for the group charged with this task is to understand the organization's "information risk." This means, in short, examining what information the company has, the nature of that information, how it moves through the organization and to/from its vendors, and the company's current set of safeguards. The process for gaining this understanding is generally referred to as a risk assessment. 

Click here for a power point presentation on key features of a risk assessment.

Risk assessments come in many forms and should be designed to fit your particular organization. 

• Email This
• Print
• Comments
• Trackbacks