Effectively managing company data means more than HIPAA compliance and avoiding data breaches. As two of my colleagues Brett Anders and Cliff Atlas would tell us, failing to preserve electronic evidence can jeopardize a company’s litigation strategy. Their recent article discusses a new decision that illustrates the kind of sanctions litigants could suffer even where
Happy Data Privacy Day!
While most are not taking the day off, January 28 is recognized internationally as Data Privacy Day – a day for people to become more aware of and promote data privacy related issues.
Many organizations support these initiatives and some have created and contributed to a website to promote this day and data privacy and security
Haiti Charity Fraud – FBI Guidelines To Donate With Care
We all are deeply saddened by the tragic situation in Haiti. Many are motivated to help in any way they can, which usually means donating to charities that are able to more effectively bring relief to the suffering. At the same time, many see this as an opportunity to commit identity theft.
FTC Investigates Cloud Computing
Last month, we briefly discussed "cloud computing," along with some issues that should be considered when deciding whether to adopt this new technology. Our post focused on data privacy and security issues.
As reported by Kim Hart, of The Hill’s Technology Blog, a December 9, 2009, Federal Communications Commission filing states that the Federal Trade Commission
Addressing Information Risk in 2010
Like individuals, businesses have resolutions/goals for 2010, perhaps even this new decade. As information risk, such as HIPAA or the occurrence of a data breach, continues threaten companies and put individuals’ personal identities, finances and medical information in jeopardy, addressing this issue in the coming years is a worthy resolution for any business. With this
New Hampshire Enacts Strict Data Breach Notification Law Affecting Health Care Providers and Business Associates
New Hampshire’s new breach notification law builds on the breach notification requirements under the HITECH Act by requiring health care providers and business associates to notify individuals of disclosures of their protected health information that are prohibited by New Hampshire law, even if such disclosures are permitted under HIPAA or other federal law. This new health information protection was enacted with other measures relating to privacy of electronic medical records and allowing individuals to opt out of sharing their names, addresses, and protected health care information with e-health data exchanges.
H.B. 619 becomes effective for data breaches occurring on and after January 1, 2010. Individuals may sue for violations of the notification requirement and, significantly, seek damages of not less than $1,000 per violation. The law also expressly requires business associates to cover the costs of notification if the use or disclosure triggering notification was made by the business associate.
Now, when New Hampshire health care providers and business associates experience a possible data breach, they will have to consider a number of laws to determine the appropriate response. These include H.B. 619, the state’s general breach notification statute, and the breach notification rules under the HITECH Act and implementing regulations. This is even more complex for health care providers and business associates operating in multiple states as at least five other states (Arkansas, California, Delaware, Missouri, Texas) and Puerto Rico require notification in the event some form of medical information is breached.
Continue Reading New Hampshire Enacts Strict Data Breach Notification Law Affecting Health Care Providers and Business Associates
House of Representatives Passes the Data Accountability and Trust Act
As passed by the House of Representatives on December 8, 2009, the Data Accountability and Trust Act would create federal data security standards, a national breach notification requirement, data destruction mandates, and special requirements for "information brokers."
The Act will now move to the Senate, where it likely will be considered together with recent bills from various Senate Committees, two such bills we discussed in a recent post.
The Act would apply to each person engaged in interstate commerce that owns or possesses data in electronic form containing personal information (or contracts to have any third party entity maintain such data). In short, most businesses in the United States would be subject to the Act and required to establish and implement data security policies and procedures. Like other data security regulations, the Act would permit covered persons, when developing their policies and procedures, to take into account:
- the size of, and the nature, scope, and complexity of the activities engaged in by, such person;
- the current state of the art in administrative, technical, and physical safeguards for protecting such information; and
- the cost of implementing such safeguards.
These new standards will be regulated by the Federal Trade Commission (FTC). Violations of the Act would be enforced primarily by state Attorneys General, although the FTC maintains a right to intervene in those actions. Penalties can be substantial. For example, in the case of a violation of the breach notification requirement, the penalty amount would be calculated by multiplying the number of violations by an amount not greater than $11,000. Each failure to send notification would be treated as a separate violation, with a maximum civil penalty of $5,000,000.
Of course, it will be some time before the Act would become effective, if at all, and it may be substantially modified prior to enactment. Still, recent actions by Congress (for example the enhancements to HIPAA under the American Recovery and Reinvestment Act of 2009) and the states suggest a national standard for protecting personal information is only a matter of time. Companies should be gearing up to deal with these emerging information risks.Continue Reading House of Representatives Passes the Data Accountability and Trust Act
Health Net’s Data Breach Highlights Need for Privacy Officer with Clear Job Description
Health Net Inc., one of the nation’s largest publicly traded managed health care companies, recently notified authorities and informed affected persons, with a statement on its website, that the unencrypted personal information of 1.5 million current and former members, stored on a portable disk drive, is missing from the company’s Connecticut office. The company
Data Breach Affects Climate Change Debate
Based on recent events, the University of East Anglia likely will agree that data privacy and security requires a comprehensive approach, as data breaches are not limited to incidents involving personal information and identity theft. In fact, the effects of a breach to an organization’s information systems involving confidential company information can be far worse on the
“Friending” Employees – The Risks of Employer Participation In Online Social Networking
More companies are becoming a part of the social networking community – setting up Facebook pages, “friending” their employees and customers, and so on. Businesses use these sites for a variety of purposes including marketing; client, employee and government relations; and community involvement. With lawmaking bodies and courts just beginning to struggle with