WISPs Beyond Massachusetts

Over the past few months, many businesses, particularly in the Northeast Region, have been focusing on creating a written information security program (WISP) to comply with Massachusetts identity theft regulations that went into effect March 1, 2010. For many, this has been a significant effort, reaching most, if not all, parts of their organizations. However, it is important to remember that although Massachusetts may be the state with the most comprehensive set of rules for securing personal data, other states have enacted similar protections, and compliance with Massachusetts does NOT necessarily mean compliance with other states.

Consider the following examples:

California. The Civil Code in California states a business that owns or licenses personal information about a California resident must:

implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

For purposes of this requirement, “personal information” means:

an individual's first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
(A) Social security number.
(B) Driver's license number or California identification card number.
(C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
(D) Medical information.

Similar protections for medical information exist in Arkansas, but that information is not covered by the rules in Massachusetts. Illinois requires safeguards for certain biometric information, a classification of data also not covered by the Massachusetts regulations.

Oregon. Oregon’s Consumer Identity Theft Protection Act lays out safeguards similar to those in Massachusetts, with some relief for small businesses (those manufacturing businesses with 200 employees or fewer and all other forms of business having 50 employees or fewer). Key is the requirement to implement an “information security program” that contains administrative, technical and physical safeguards.

Administrative safeguards include, for example: 

  1. designating one or more employees to coordinate the program;
  2. identifying reasonably foreseeable internal and external risks;
  3. assessing the sufficiency of data safeguards;
  4. training employees in the program’s practices and procedures;
  5. limiting outside service providers to those maintaining adequate data security safeguards; and
  6. adjusting the program according to business changes or new circumstances.

In New Jersey, regulations are pending that would create similar obligations.

Connecticut. Without specifying the kinds of safeguards, Connecticut requires any person in possession of personal information of another person to:

safeguard the data, computer files and documents containing the information from misuse by third parties, and [ ] destroy, erase or make unreadable such data, computer files and documents prior to disposal.

For purposes of this law, “personal information” includes:

information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver's license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number.

Similar requirements were enacted in other states, including Arkansas, North Carolina, Rhode Island, Texas, and Utah. But note the definition in Connecticut goes beyond the elements of data protected under the Massachusetts regulations.

Service contracts. Some states go a step further, requiring certain provisions be included in contracts between entities and their service providers when the contracts involve the disclosure of a state resident’s personal information from the owner of the information to the service provider. For example, such contracts in Nevada and Maryland must include a provision requiring the person to whom the information is disclosed to implement safeguards to protect that information.

The emergence of state mandates, fueled by the continued rapid advancement and increased use of technology, suggests a trend that is sure to become a fact of life for businesses operating anywhere in the U.S. Whether the technology is “cloud computing” or “peer-to-peer” software, businesses need to take appropriate steps to protect personal information maintained throughout their organizations.

Addressing Information Risk in 2010

Like individuals, businesses have resolutions/goals for 2010, perhaps even for this new decade. As information risk, such as HIPAA exposure or the occurrence of a data breach, continues to threaten companies and put individuals’ personal identities, finances and medical information in jeopardy, addressing this issue in the coming years is a worthy resolution for any business. With January 28, 2010, being the second National Data Privacy Day, January is as good a time as any to begin thinking about your organization’s information risk. The following list, which is by no means exhaustive, provides ten critical areas businesses will need to consider when addressing this issue.

  1. Risk Assessment. Many businesses remain unaware of how much personal and confidential information they maintain, who has access to it, how it is used and disclosed, how it is safeguarded, and so on. Getting a handle on a business’s critical information assets must be the first step, and is perhaps the most important step, in tackling information risk. You simply can’t adequately safeguard something you are not aware exists.
  2. Develop a Written Information Security Program. Even if adopting a written information security program (WISP) to protect personal information is not an express statutory or regulatory mandate in your state, having one is critical to addressing information risk. Not only will a WISP better position a company when defending claims related to a data breach, but it will help the company manage and safeguard critical information, and may even help the company avoid whistleblower claims from employees. For companies, a WISP can be a competitive advantage. Of course, in states like Massachusetts, Maryland, Oregon, Connecticut and others, a WISP in one form or another is required.
  3. Vendors/Business Partners. Businesses addressing their information risk cannot stop at their information systems, buildings, and employees. Very often, vendors of the business maintain significant amounts of sensitive company and personal information of that business. This list of vendors can be long and include service providers such as: employee benefits consultants/administrators/brokers, accountants, lawyers, record storage/destruction companies, office cleaning services, professional employer organizations, payroll companies, cloud computing or other information service providers, and so on. Businesses that turn over sensitive information to a vendor need to take steps to ensure the vendor has implemented appropriate safeguards to protect the information. If this information is personal information, a number of states mandate contract provisions requiring the vendor to safeguard the information.
  4. HIPAA. The recent changes by the HITECH Act, under the American Recovery and Reinvestment Act of 2009, will drive increased focus on HIPAA in 2010, particularly for business associates which for the first time become directly subject to many of the same privacy and security requirements as covered entities. The addition of a HIPAA breach notification requirement, effective September 23, 2009, and the growth of electronic health records, already are driving covered entities to amend their business associate agreements. Plan sponsors, health care providers and business associates all need to refocus their attention on HIPAA in 2010.
  5. Insurance. Like many other risks, information risk can be addressed in part through insurance. More carriers are developing products dealing with personal information risk, and specifically data breach response. This kind of coverage should be a part of any CIO, privacy officer or risk manager’s plan for safeguarding information.
  6. Identify “Red Flags”. Identifying “red flags” is the next step after implementing a WISP, beyond safeguarding sensitive information. The concept of “red flags” is to have policies and procedures designed to detect, prevent, and mitigate instances of identity theft – that is, with safeguards already in place, businesses need to be able to identify circumstances (“red flags”) which indicate incidents of identity theft could be occurring, and then take steps to prevent the identity theft or mitigate its effects. After a number of extensions, on June 1, 2010, the Federal Trade Commission will begin enforcing its “red flag” regulations that apply to financial institutions and creditors.
  7. Training. A necessary component of any WISP and a required element under most federal and state laws mandating data security, training deserves special mention if only to remind businesses to remind employees how powerful the small devices are that they carry around.
  8. Develop a Plan for Responding to a Breach Notification. All state and federal data breach notification requirements currently in effect require notice be provided as soon as possible. Delays in notification viewed as unreasonable could trigger an inquiry by the state’s Attorney General, or in the case of HIPAA protected health information, the Office of Civil Rights.
  9. Carefully Integrate New Technologies. As businesses look for new technologies to increase productivity, cut costs, and gain a competitive advantage, how those technologies address information risk must be a factor in the decision whether to adopt the technology. For example, cloud computing is fast becoming a popular tool used by businesses to enhance their computing capabilities, at substantially reduced costs in some cases, but it raises a number of issues concerning information risk.
  10. Watch for New Legislation. Today, managing data and ensuring its privacy, security and integrity is critical for businesses and individuals, and is increasingly becoming the subject of broad, complex regulation. It seems to be only a matter of time before U.S. companies are subject to a national law requiring the protection of personal information. Companies therefore need to stay tuned in order to remain compliant and competitive in this regard.

WISP: Do You Have a Plan for Your Company's Sensitive Information?

Data privacy and security laws in states such as Massachusetts, Maryland and Nevada require businesses to develop written policies and procedures that provide administrative, physical, and technological safeguards to protect personal information - or a "written information security program" or "WISP." These laws do not require protections for confidential company information and trade secrets, but such information also warrants protection.

Failure to develop a WISP can leave a business exposed.

Certain businesses also can lose a business advantage as individuals (clients, employees, dependents, and others) and business partners increasingly demand heightened security of their sensitive and personal information.

But where does a business start?


Don't wait any longer! Develop a plan by reading the Data Privacy Primer (PDF).