Pursuant to the Fair Credit Reporting Act, the Federal Trade Commission has promulgated three notices: (i) A General Summary of Rights; (ii) A Notice to Furnishers of Information to Consumer Reporting Agencies; and (iii) A Notice to Users of Consumer Reports (such as employers). In late August, the FTC proposed revisions to the three current forms.

General Summary of Rights

The proposed revised General Summary of Rights, which needs to be provided by an employer if a pre-adverse action notice is issued, incorporates notice of the individual’s rights to contest the accuracy of information contained in a consumer report not only with the consumer reporting agency but also with the entity that furnished the information to the consumer reporting agency. The proposed notice also is more streamlined and, unlike the current notice, refers to various government websites from which relevant information can be accessed rather than listing all relevant federal agencies responsible for enforcing the FCRA.

Notice to Furnishers

The proposed Notice to Furnishers incorporates the recently imposed obligations on data furnishers to establish policies and procedures to ensure the accuracy of information provided to consumer reporting agencies, as well as the obligation to address disputes regarding accuracy raised by the subject of the report with the data furnisher.

Notice to Users

The proposed Notice to Users, which is provided by a consumer reporting agency to an employer along with an End User Certification, incorporates additional obligations imposed on users by, among others, the FTC’s Address Discrepancy and Medical Information rules.

The proposed notices are now subject to a public notice and comment period.

The most frequent question we hear from clients who want to develop or tighten their data privacy and security policies and procedures: Where do we start?

In most cases, the first step for the group charged with this task is to understand the organization’s "information risk." This means, in short, examining what information the company has, the nature of that information, how it moves through the organization and to/from its vendors, and the company’s current set of safeguards. The process for gaining this understanding is generally referred to as a risk assessment.


Risk assessments come in many forms and should be designed to fit your particular organization. 

On August 18, 2010, the Connecticut Insurance Commissioner issued Bulletin IC-25 which mandates that entities within its jurisdiction notify the Department of Insurance of any "information security incident." This post provides a brief summary of this new requirement.

Who must provide the notice?

The Bulletin applies to all licensees and registrants of the Department. This generally means all entities regulated by the Insurance Department, including insurance producers, public adjusters, bail bond agents, appraisers, certified insurance consultants, casualty claim adjusters, property and casualty insurers, life and health insurers, health care centers, fraternal benefit societies, captive insurers, utilization review companies, risk retention groups, surplus line companies, life settlement companies, preferred provider networks, pharmacy benefit managers, and medical discount plans.

Additionally, in cases where the information security incident happens at a vendor or business associate, the Department expects to be notified of the incident as well as how the licensee or registrant is managing the vendor’s/business associate’s activities and what protections and remedies are being put in place by the vendor/business associate for the Connecticut consumers.

What is an "information security incident"? 

Under this Bulletin, an information security incident is:

any unauthorized acquisition or transfer of, or access to, personal health, financial, or personal information, whether or not encrypted, of a Connecticut insured, member, subscriber, policyholder or provider, in whatever form the information is collected, used or stored, which is obtained or maintained by a licensee or registrant of the Insurance Department, the loss of which could compromise or put at risk the personal, financial, or physical well being of the affected insureds, members, subscribers, policyholders or providers.

Thus, unlike the general Connecticut data breach notification statute, which requires notification only with respect to computerized personal information, this mandate applies to paper documents that include personal health, financial or personal information. Also, encrypted data is not exempt from this notification requirement.

What is personal health, financial, or personal information?

The Bulletin does not define this term and, therefore, is unclear in this regard. However, in discussing its authority to impose the requirement, the Department cites to Conn. Gen. Stat. §42-471, which defines "personal information" to mean:

information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver’s license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number, and does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.

This definition, however, may not be as broad as how the Department views the term "personal health, financial or personal information." Licensees and registrants should be careful here and err on the side of being more inclusive when deciding whether an incident needs to be handled in accordance with this Bulletin.

When must notification be provided?

The Bulletin requires licensees and registrants of the Department to notify it of the incident as soon as the incident is identified, but no later than five (5) calendar days after the incident is identified.

Where should notice be sent?

Notification should be sent to the Insurance Commissioner in writing via first class mail, overnight delivery service or electronic mail.

What must the notice include?

Notification should include as much information as is known concerning the incident. The Bulletin provides the following list of items of information to be reported to the Department:

  • Date of the incident
  • Description of incident (how information was lost, stolen, breached)
  • How discovered
  • Has lost, stolen, or breached information been recovered and if so, how
  • Have individuals involved in the incident (both internal and external) been identified
  • Has a police report been filed
  • Type of information lost, stolen, or breached (equipment, paper, electronic, claims, applications, underwriting forms, medical records etc)
  • Was information encrypted
  • Lost, stolen or breached information covers what period of time
  • How many Connecticut residents affected
  • Results of any internal review identifying either a lapse in internal procedures or confirmation that all procedures were followed
  • Identification of remedial efforts being undertaken to cure the situation which permitted the information security incident to occur.
  • Copies of the licensee’s/registrant’s Privacy Policies and Data Breach Policy.
  • Regulated entity contact person for the Department to contact regarding the incident. (This should be someone who is both familiar with the details and able to authorize actions for the licensee or registrant)
  • Other regulatory or law enforcement agencies notified (who, when)

One item on this list worth noting is a Data Breach Policy, which all entities should consider adopting even if not subject to this Bulletin.

Does the Department require that credit monitoring be offered in the event of an information security incident?

It looks like the Department may require credit monitoring in some circumstances. The Bulletin states that:

Depending on the type of incident and information involved, the Department will also want to have discussions regarding the level of credit monitoring and insurance protection which the Department will require to be offered to affected consumers and for what period of time. 

In addition, the Department wants to review the draft letters informing individuals of the information security incident.

Will the Department impose penalties?

The Bulletin states that the Department will evaluate each incident independently based on the applicable circumstances, and notes that some situations may warrant imposition of administrative penalties. The Department urges licensees and registrants to follow these procedures in order to minimize the possibility of penalties.

Licensees and registrants surely will need to review this guidance and incorporate it into their information security programs. Other entities should take note of this development and recognize the increasing efforts by federal and state agencies to safeguard personal information.

Update – On September 29, 2010, Governor Arnold Schwarzenegger for the third time vetoed S.B. 1166.

California led the way in 2002 when it enacted the nation’s first data breach notification law. Last week, the State’s lawmakers sent Governor Arnold Schwarzenegger S.B. 1166, which would mandate that data breach notification communications include more detailed information about the breach and that businesses experiencing data breaches affecting more than 500 Californians notify the State’s Attorney General.

Since California enacted its data breach notification law, lawmakers have been trying to make changes to it, with mixed results. Assembly Bill 1298 ("A.B. 1298"), which became effective January 1, 2008, expanded the application of the existing law to include medical and health information. However, to date, attempts to add content requirements to the notice and require notification to the State’s Attorney General have failed, despite similar requirements in the laws of a number of other states, such as Massachusetts, New York and North Carolina.

S.B. 1166 marks the third attempt by Senator Joe Simitian to amend the law in this manner. Both prior attempts were vetoed by Governor Schwarzenegger. In addition to requiring notice to the State’s Attorney General for certain breaches, his current effort would require notices stating:

  • a general description of the breach incident;
  • the type of information breached;
  • the date and time of the breach;
  • whether the notification was delayed because of a law enforcement investigation; and
  • a toll-free number of major credit reporting agencies if the breach exposed Social Security numbers, driver’s license numbers, or state identification card numbers.

Because many states have similar content requirements and there are a number of websites that report on data breaches, passage of S.B. 1166 should not impose a significant burden in breaches involving individuals in multiple states. Nonetheless, companies should be alert to developments in California and be prepared to update their California data breach notification policies should the measure pass.
 

ABC News reported yesterday about an employee fired for statements made on a social networking site – this time Facebook. The employee, Massachusetts high school teacher June Talvitie-Siple, was fired by her school district for statements she made about the community, her students and their parents. The 54-year-old teacher mistakenly thought her statements were being communicated only to her circle of friends on the popular site, not to the entire world. As others have found before her, such a misconception can be costly.

What did Talvitie-Siple say on Facebook? In one post, she referred to the students as “germ-bags,” on account of the multiple times she caught illnesses from them. She also described the community and the parents as “arrogant” and “snobby.”

Whether these are the kinds of posts that warrant termination of employment is beyond the scope of this discussion.

The ABC report shows that the negative consequences of unflattering social media communications are on the rise (even though employees have yet to realize it). Companies need to think through their policies concerning these kinds of electronic communications, made both at and outside of work, particularly regarding the appropriate levels of discipline. A helpful discussion of this and other issues employers should be thinking about when it comes to social media can be found here.
 

Recent state law developments will affect whether and to what extent certain employers can conduct credit and criminal background checks on employees and applicants. Employers, particularly multi-state employers, should be sure to review these new requirements and adjust their practices accordingly.

Massachusetts

The Commonwealth has changed how employers access and use criminal offender record information ("CORI") under a new law signed by Governor Deval Patrick on August 6, 2010. Among other things, the new CORI law bans the use of questions about criminal history on written employment applications. This ban becomes effective November 4, 2010. The law also creates a new method and database for employers to access criminal records, replacing the current procedure with the Criminal History Systems Board. This becomes effective in May 2012.


Illinois

Illinois employers will have a tougher time conducting credit checks on applicants and employees and using the information for employment purposes beginning January 1, 2011. The state’s new Employee Privacy Act (House Bill 4658), signed by Governor Pat Quinn on August 10, 2010, prohibits all but a handful of employers from:

  1. inquiring into an applicant’s or an employee’s credit history;
  2. ordering a credit report on an applicant or employee from a consumer reporting agency; or
  3. taking any adverse employment action (such as refusing to hire) because of the individual’s credit history or credit report.

An aggrieved individual can bring a private cause of action in state court to enforce the Act and can seek injunctive relief and damages as well as costs and attorneys’ fees.
 


Oregon

Oregon employers’ ability to conduct credit checks and use the information for employment purposes has been significantly restricted since July 1, 2010, but the implications of this law extend well beyond state borders. With limited exceptions, Oregon Senate Bill 1045 prohibits employers from considering for employment purposes any information that bears on a consumer’s creditworthiness, credit standing or credit capacity, unless such information is substantially related to the individual’s current or potential job. Employers who believe credit information meets this job-related standard must provide the employee or applicant the reasons for their determination in writing.


On August 5, 2010, U.S. Senators Mark Pryor (D-AR) and John D. (Jay) Rockefeller IV (D-WV) introduced legislation to require businesses and nonprofit organizations that store consumers’ personal information to put in place strong security features to safeguard sensitive data, alert consumers when this data has been breached, and provide affected individuals with the tools they need to protect their credit and finances, including credit monitoring services.

More specifically, the "Data Security and Breach Notification Act of 2010" would require entities that own or possess data containing personal information to establish reasonable security policies and procedures to protect that data. If a security breach occurs, entities would have to notify each individual whose information was acquired or accessed as a result of the breach within 60 days. Affected consumers would be entitled to receive consumer credit reports or credit monitoring services for two years, as well as instructions on how to request these services.

In support of the new law, the press release issued by the Senate Committee on Commerce, Science, and Transportation notes that data security breaches and identity theft are a growing problem in the United States. In 2009, the business industry experienced the greatest number of data breaches (41.8%), followed by government/military (18.1%) and education sectors (15.7%).

Of course, passage of this measure is possible, but, given the number of prior efforts to pass a national data breach notification law, passage seems unlikely. This outcome is made more likely by the inclusion of the credit monitoring mandate, the cost of which could be considerable to businesses affected by a data breach. Businesses should stay tuned . . .

Indiana recently enacted a new law which grants authority to the Indiana Office of the Attorney General’s Identity Theft Unit to obtain and secure abandoned records with personally identifying information, including health records, and either destroy them or return them to their owners. Additionally, the new law sets fines and other legal ramifications for violations of the law by health care providers or licensed professionals who leave such records unsecured in violation of state law. In fact, the Attorney General has already utilized this authority to obtain personal records from four entities. 

This grant of authority to the Indiana Attorney General is in addition to the authority previously granted by the Health Information Technology for Economic and Clinical Health (HITECH) Act to enforce the privacy and security protections of HIPAA for protected health information. As we have previously discussed, the Connecticut Attorney General has filed a civil action against Health Net, as well as instituted an investigation against Griffin Hospital for violations of HIPAA.

The Indiana statute, as with the authority granted to Attorneys General under HITECH, highlights the need for companies to develop and implement comprehensive data security policies to secure their records.

Does your HR staff know the limits on what they could tell prospective employers about former employees?

In this case, the US Equal Employment Opportunity Commission (EEOC) alleged that 7-Eleven of Hawaii failed to keep a former employee’s medical information confidential by disclosing the information to a prospective employer, in violation of the ADA, which caused the prospective employer to rescind a job offer. The EEOC filed suit in federal district court (EEOC v 7-Eleven of Hawaii, Inc, DHaw, No CV 07-00478-SPK-BMK) and, after the District Court ruled in 7-Eleven’s favor, the EEOC appealed the decision in August 2008 to the US Court of Appeals for the Ninth Circuit.

However, on August 2, the EEOC announced a settlement under which 7-Eleven of Hawaii will:

  1. pay $10,000,
  2. provide annual training to its human resources personnel and managers in equal employment opportunity, with an emphasis on the ADA requirements concerning confidentiality, and
  3. for a period of two years, report annually to the EEOC regarding the company’s policies and proposed training programs with respect to disability discrimination, medical disclosure, non-retaliation, and reasonable accommodation.

In comments about the case, EEOC representatives made clear that the ADA confidentiality requirements apply to applicants, current employees and former employees. Earlier in the year, we wrote about a recent EEOC senior staff attorney’s informal letter concerning the duties of federal employees and contractors relating to medical confidentiality. It is unclear whether these actions by the EEOC suggest a greater emphasis on enforcement of medical records confidentiality under the ADA. Regardless, employers should be taking preventive steps to comply with these requirements. Some steps include:

  • Creating a culture of confidentiality concerning medical records, whether those records are subject to ADA, HIPAA or some other law.
  • Reminding employees that medical information is confidential and access is on a need-to-know basis.
  • Reviewing and revising administrative, physical, and technical safeguards as necessary and appropriate to safeguard medical information, such as requiring employees to keep their desks clear of sensitive information and locking doors and file cabinets.

Rite Aid Corporation and its affiliates have agreed to pay $1 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, the U.S. Department of Health and Human Services (HHS) announced today. At the same time, Rite Aid signed a consent order with the Federal Trade Commission (FTC) to settle potential violations of the FTC Act.

The lesson to be learned from this case:

Disposing of individuals’ health information in an industrial trash container accessible to unauthorized persons is not compliant with several requirements of the HIPAA Privacy Rule and exposes the individuals’ information to the risk of identity theft and other crimes.

The Office of Civil Rights, which enforces the HIPAA Privacy and Security Rules, opened its investigation of Rite Aid after television media videotaped incidents in which pharmacies were shown to have disposed of prescriptions and labeled pill bottles containing individuals’ identifiable information in industrial trash containers that were accessible to the public. These incidents were reported as occurring in a variety of cities across the United States. Rite Aid pharmacy stores in several of the cities were highlighted in media reports.

The investigation also indicated other potential concerns about Rite Aid’s policies related to safeguarding patient information during the disposal process, training employees, and a related sanction policy.

The Director of OCR noted:

It is critical that companies, large and small, build a culture of compliance to protect consumers’ right to privacy and safeguard health information. OCR is committed to strong enforcement of HIPAA.

The corrective action Rite Aid has agreed to includes improving policies and procedures to safeguard the privacy of its customers’ health information, and applies to all of its nearly 4,800 retail pharmacies. More specifically, the settlement requires Rite Aid to take a number of steps, including:

  • Revising and distributing its policies and procedures regarding disposal of protected health information and sanctioning workers who do not follow them;
  • Training workforce members on these new requirements;
  • Conducting internal monitoring; and
  • Engaging a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS and FTC.

The HHS corrective action plan will be in place for three years; the FTC order will be in place for 20 years. The length and scope of these plans show how seriously these agencies are taking compliance with requirements to safeguard personal information.