Last week, New Jersey Attorney General Gurbir S. Grewal and the New Jersey Division of Consumer Affairs (“Division”) announced that a physician group affiliated with more than 50 South Jersey medical and surgical practices agreed to pay $417,816 and improve data security practices to settle allegations it failed to properly protect the privacy of more than 1,650 patients whose medical records were made viewable on the internet as a result of a server misconfiguration by a private vendor.

Sharon M. Joyce, Acting Director of the Division, warns HIPAA covered entities:

[Y]our own cybersecurity is not enough. You must fully vet your vendors for their security as well.

One of the significant changes made by the Health Information Technology for Economic and Clinical Health (HITECH) Act is that state Attorneys General were given authority to enforce the privacy and security regulations under the Health Insurance Portability and Accountability Act (HIPAA). Accordingly, covered entities and business associates should remember that the federal Office for Civil Rights is not the only game in town when it comes to investigating data breaches and imposing fines when HIPAA violations are found. New Jersey is not the only state that has used this authority.

In this case, according to the NJ Office of Attorney General, the physician practice used a third-party vendor to transcribe doctors’ dictations of medical notes, letters, and reports, a popular service provided to many physician practices and other medical providers across the country. When the vendor, a HIPAA business associate, attempted to update software on a password-protected File Transfer Protocol website (“FTP Site”) where the transcribed documents were kept, it unintentionally misconfigured the web server, allowing the FTP Site to be accessed without a password. As a result, anyone who searched Google using search terms that happened to be contained within the dictation information would have been able to access and download the documents located on the FTP Site. These documents would have included doctor names, patient names, and treatment information concerning patients.

Following notification of the breach, the Division investigated and found HIPAA violations beyond the vendor’s security incident. The Division identified violations of HIPAA’s privacy and security regulations by the physician practice, including:

  • Failing to have a security awareness and training program for its workforce members, including management.
  • Delayed response to the incident and mitigation.
  • Failing to create and maintain retrievable exact copies of ePHI maintained on the FTP site.
  • Failing to maintain a written or electronic log of the number of times the FTP Site was accessed.

There are at least three important lessons from this case for physician practices in New Jersey and in other states:

  1. The New Jersey Office of Attorney General and the Division of Consumer Affairs, and Attorneys General in other states, are ready, willing and able to enforce the HIPAA privacy and security regulations.
  2. While investigating data breaches, federal and state officials are concerned about more than the breaches themselves. They will investigate the state of the covered entity’s privacy and security compliance prior to the breach. Accordingly, covered entities should not wait to experience a data breach before tightening up their privacy and security compliance programs.
  3. HIPAA covered entities need to identify their business associates and take steps to be sure they are complying with the HIPAA security regulations. Business associates can be the weakest link in a covered entity’s compliance efforts.

On March 28th, Alabama Governor Kay Ivey (R) signed into law the Alabama Data Breach Notification Act, Act No. 2018-396, making Alabama the final state to enact a data breach notification law. South Dakota Governor Dennis Daugaard signed a similar statute into law one week prior. The Alabama law will take effect June 1, 2018. Being the last state to enact a breach notification law, Alabama had the benefit of examining the approach taken in just about all of the other states and apparently drew provisions from many other state laws, including relatively detailed requirements for covered entities (as defined within the statute) and their third-party service providers to maintain reasonable measures to protect “sensitive personally identifying information.”

Breach Notification Requirements

The Alabama Data Breach Notification Act requires covered entities to notify any Alabama resident whose sensitive personally identifying information was, or the covered entity “reasonably believes,” to have been acquired by an unauthorized person as a result of a data breach that is reasonably likely to cause substantial harm to the individual to whom the information relates.

Similar to South Dakota and recent amendments to other state data breach notification laws, the Alabama law includes an expansive definition of personal information. Notably, however, “biometric information” is not included in Alabama’s definition of personal information, as has been a typical inclusion for other states of late.

Personal information or “sensitive personally identifying information” as it is called by the Alabama law, is defined as an Alabama resident’s first name or first initial and last name in combination with one or more of the following with respect to the same Alabama resident:

  • A non-truncated social security number or tax identification number;
  • A non-truncated driver’s license number, state-issued identification card number, passport number, military identification number, or other unique identification number issued on a government document used to verify the identity of a specific individual;
  • A financial account number, including a bank account number, credit card number, or debit card number, in combination with any security code, access code, password, expiration date, or PIN, that is necessary to access the financial account or to conduct a transaction that will credit or debit the financial account;
  • Any information regarding an individual’s medical history, mental or physical condition, or medical treatment diagnosis by a health care professional;
  • An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual;
  • A user name or email address, in combination with a password or security question and answer that would permit access to an online account affiliated with the covered entity that is reasonably likely to contain or is used to obtain sensitive personally identifying information.

The law requires a covered entity that experiences a data breach to notify affected Alabama residents “as expeditiously as possible and without unreasonable delay,” taking into account a reasonable time to conduct an appropriate investigation, but not later than 45 days from the determination that a breach has occurred and is reasonably likely to cause substantial harm, with certain exceptions. Notably, if a covered entity’s third party agent experiences a breach of security in the agent’s system, the agent shall notify the covered entity as expeditiously as possible and without unreasonable delay, but no later than 10 days following the determination of the breach or reason to believe the breach occurred. Covered entities should be reviewing their services agreements with third party vendors to ensure they are consistent with these requirements.

In addition, if more than 1,000 state residents are impacted by the breach, the state attorney general and consumer reporting agencies must be notified. Following a number of other states, the Alabama law also sets forth specific content requirements for the notices to individuals and the Attorney General. For example, if notification to the Attorney General is required, it must include (i) a summary of events surrounding the breach, (ii) the approximate number of individuals in Alabama affected by the breach, (iii) information about any services, such as ID theft prevention or monitoring services, being offered or scheduled to be offered, without charge, to individuals and instructions on how to use the services, and (iv) contact information for the covered entity or its agent.

Reasonable Safeguard Requirements

The Alabama law also imposes a reasonable security requirement on covered entities and their third-party vendors. Under the law, covered entities and third parties are required to implement and maintain reasonable security measures to protect sensitive personally identifying information (see definition above) against a breach of security. This provision is significant not only because it reaches third-party agents as well as covered entities, but also because of the scope of the information to which it applies. For example, the similar requirement under the often-cited Massachusetts regulations currently does not apply to medical information; the Alabama reasonable safeguard requirement appears to reach this category of personal information.

Security measures include:

  • Designation of an employee(s) to coordinate the reasonable security measures;
  • Identification of internal and external risks of a breach of security;
  • Adoption of appropriate information safeguards to address identified risks of a breach of security and assess the effectiveness of such safeguards;
  • Retention of service providers, if any, that are contractually required to maintain appropriate safeguards;
  • Keeping management of a covered entity, including its board of directors, appropriately informed of the overall status of its security measures.

Notably, the law also requires covered entities to conduct an assessment of their security based upon the entity’s security measures as a whole, placing an emphasis on data security failures that are multiple or systemic, and including consideration of all of the following:

  • The size of the covered entity.
  • The amount of sensitive personally identifying information and the type of activities for which the sensitive personally identifying information is accessed, acquired, maintained, stored, utilized, or communicated by, or on behalf of, the covered entity.
  • The covered entity’s cost to implement and maintain the security measures to protect against a breach of security relative to its resources.

Enforcement

A violation of the Alabama Data Breach Notification Act is also considered a violation of the Alabama Deceptive Trade Practices Act; however, criminal penalties are not available. The Office of the Attorney General maintains the exclusive authority to bring an action for civil penalties – there is no private right of action. Failure to comply with the Alabama law could result in fines of up to $5,000 per day, with a cap of $500,000 per breach. Of note, such penalties are reserved for failure to comply with the law’s notification requirements, and it is not clear to what extent such penalties would apply for failure to comply with the law’s reasonable security requirements.

As each state now has a data breach notification law, and many states continue to amend those laws, it is imperative for companies operating in multiple states and/or maintaining personal information about residents of multiple states to be aware of the requirements across several jurisdictions. Companies should regularly review and update the measures they are taking to better secure the data they hold and to appropriately respond to any potential data incident.

It’s official! Alabama is the only remaining state lacking a data breach notification statute. On March 21, 2018, South Dakota Attorney General Marty Jackley announced that Governor Dennis Daugaard signed into law the state’s first data breach notification law, after unanimous approval by both chambers of the state legislature a couple of weeks prior. The law will take effect July 1, 2018.

South Dakota’s new law creates a breach notification requirement for any person or business conducting business in South Dakota that owns or retains computerized personal or protected information of South Dakota residents. On trend with recent amendments to other state data breach notification laws, the South Dakota law includes an expansive definition of personal information.

The law defines personal information as a person’s first name or first initial and last name in combination with any one or more of the following data elements:

  • Social Security Number;
  • driver’s license number or other unique identification number created or collected by a government body;
  • account, credit card or debit card number, in combination with any required security code, access code, password, routing number, PIN or any additional information that would permit access to a person’s financial account;
  • health information; and
  • an identification number assigned to a person by the person’s employer in combination with any required security code, access code, password, or biometric data generated from measurements or analysis of human body characteristics for authentication purposes.

In addition, protected information is defined as:

  • a username or email address in combination with a password, security question answer, or other information that permits access to an online account; and
  • account number or credit or debit card number, in combination with any required security code, access code, or password that permits access to a person’s financial account.
  • NOTE: “protected information” does not include a person’s name.

The law requires an information holder to disclose a breach to any South Dakota resident whose personal or protected information was, or is reasonably believed to have been, acquired by an unauthorized person. This disclosure must be made within 60 days from the discovery or notification of the breach, unless a longer period of time is required due to the legitimate needs of law enforcement.

Further, breaches affecting more than 250 South Dakota residents must be reported to the state’s Attorney General. Note that if the information holder reasonably believes the breach will not likely result in harm to the affected person, the information holder is not required to make a disclosure so long as the information holder first conducts an appropriate investigation and provides notice to the attorney general. This determination needs to be documented in writing and maintained for at least three years.

The South Dakota law makes each failure to disclose a breach an unfair or deceptive practice under South Dakota’s Deceptive Trade Practices And Consumer Protection law, which imposes criminal penalties for violations. In addition, the law authorizes the state Attorney General to impose a civil penalty of up to $10,000 per day per violation and to recover attorneys’ fees and costs associated with an action brought against the information holder.

A string of large-scale breaches made clear that additional protections for South Dakota consumers were needed. Alabama is now the only state without a data breach notification law, but that will likely change in the coming weeks. A house-amended version of Senate Bill 318, the Alabama Data Breach Notification Act sponsored by Senator Arthur Orr (R-Decatur), passed the House of Representatives unanimously on March 22nd, but requires concurrence from the Senate before being sent to the Alabama governor for signing.


The deadline to comply with the GDPR’s complex and far-ranging requirements is rapidly approaching. As your organization races to implement its compliance program before the May 25, 2018 effective date, questions and concerns are likely to arise. While there is no shortage of online guidance on the GDPR, finding answers to your specific questions and concerns, and assuring those answers come from credible sources, can be daunting. But we’re here to help. Below are four resources that make the GDPR more accessible, thereby enabling you to more efficiently and effectively decipher your organization’s obligations.

  1. EUGDPR.org is a good place to start your search. The site answers FAQs about the GDPR in general, how to prepare to meet its requirements, and whether your organization is subject to the GDPR’s mandates. It also summarizes the articles contained in the GDPR and, for those seeking motivation, provides a down-to-the-second Time Until GDPR Enforcement countdown clock.
  2. GDPR Regulations & Recitals. Though they are available elsewhere, this site lays out the regulations and recitals in a very user-friendly format.
  3. Article 29 Working Party (“WP29”) Guidance. WP29 is an advisory group made up of representatives from EU data protection authorities and the European Commission. It has authored guidance on a number of key GDPR topics, including data portability, data protection officers, lead supervisory authority, data protection impact assessments, personal data breach notifications, automated decision-making and profiling, administrative fines, consent, and transparency. WP29’s guidance is well worth heeding because the GDPR envisions a key role for WP29’s successor, the European Data Protection Board (“EDPB”), which will replace WP29 when the GDPR takes effect. As discussed in Recital 139, the EDPB will contribute to “the consistent application of” the GDPR and the promotion of “cooperation of [its] supervisory authorities” throughout the EU.
  4. Our Blog & Articles. In past posts and articles, we’ve covered important GDPR issues including employee consent, the impact of the GDPR on US organizations with EU employees, and an employee’s right of erasure. We’ll continue to write regularly on GDPR-related topics in coming months.


The implementation of the European Union’s General Data Protection Regulation (GDPR), with an effective date of May 25, 2018, is just around the corner, and with it will come pressure on the human resources (HR) department to update its approach to handling employee data. The GDPR significantly enhances employee rights in respect to control over their personal data.

In particular, the GDPR introduces the concept of a “right of erasure,” i.e. a ‘right to be forgotten’. Although the concept currently exists under EU law, it is currently applicable only under very limited circumstances, when data processing may result in damage or distress. Under the GDPR, pursuant to Article 17 and Recital 65, an employee will have a right to have his/her data erased and no longer processed where consent to processing is withdrawn, where the employee objects to such processing, or where processing is no longer necessary for the purpose for which it was gathered. That said, the employer, under certain circumstances, can refuse to comply with an employee’s request for erasure of personal data – where data processing is required by law or in connection with a legal proceeding.

Further, there is a time limit for responding to an employee’s request for erasure of data. An employer will be required to comply with an employee’s request ‘without undue delay’, and not later than one month from receipt of the request; where the response is delayed, the employee must be told the reasons for the delay (Article 12).

To effectively meet the GDPR’s new requirements, employers will need to take stock of the employee data they process related to EU operations (see Does the GDPR Apply to Your U.S.-based Company?). What categories of EU employee data are processed? Where does it come from? In what context and where is it processed and maintained? Who has access to it? Are the uses and disclosures being made of that information permitted? What rights do EU employees have with respect to that information? The answers to these questions are not always self-evident. Employee data may cover current, former, or prospective EU employees as well as interns and volunteers. It may come from assorted places and be processed in less traditional contexts.

To better understand how an employee’s “right of erasure” will impact day-to-day HR operations, below are a few practical examples of instances where an employee will have the right, under the GDPR, to request that his/her data be erased and no longer processed.

Circumstances where an HR department may be compelled to erase employee data:

  • You collected the data during the employee’s hiring process, but, following the completion of that process, you can no longer demonstrate compelling grounds for continuing to process it. Such data could include, inter alia: (i) past employment verifications, (ii) education and credential verifications, (iii) credit reporting and other financial history data, (iv) government identification numbers.
  • You collected data about an employee in order to administer benefits to him or her, but the employee has since de-enrolled from the benefits program.
  • You collected employee online monitoring data for work productivity purposes – but you collected data which the employee does not expect is reasonable processing (personal emails, personal messenger conversations, etc.).
  • You collected employee data (e.g., profiling data) for use in evaluating whether to promote an employee to Position X, but end up promoting another employee to that position instead.
  • You processed data related to employee job performance issues (e.g., late arrivals, absences, disputes with a coworker, etc.) a number of years ago, and the employee has not had similar issues since.
  • You collected identifying data on an employee such as an employee’s past address, phone number, email address, username, financial account information, etc., but the employee has since provided updated information.

Employers must be ready to comply with the new EU data regime upon its effective date next month. If your organization has not yet started, it should begin implementing policies and procedures that inform employees of their enhanced rights to control over their personal data, ensure that operationally the organization can comply with such rights, and train HR personnel handling employee requests for erasure of data. This includes developing a plan for responding to employees’ requests in a timely and effective manner, and a review process for determining when there is a legal basis to deny a request.

After two and a half years, the U.S. Court of Appeals for the District of Columbia issued a highly anticipated ruling reviewing the Federal Communications Commission’s (“FCC” or “Commission”) July 2015 Declaratory Ruling and Order (“2015 Order”), in which the FCC issued interpretative guidance on several aspects of the Telephone Consumer Protection Act (“TCPA”). Over a dozen organizations sought review of the FCC’s 2015 Order. The D.C. Court, on appeal, reviewed four key aspects of the 2015 Order: 1) which sorts of automated telephone dialing system (“ATDS”) equipment are subject to the TCPA’s restrictions, 2) if a party consents to a call, whether the caller is still in violation if the consenting party’s wireless number is, unbeknownst to the caller, reassigned to a different party, 3) how a consenting party may revoke consent, and 4) whether the FCC too narrowly interpreted an exemption for certain healthcare-related calls.

The D.C. ruling, by a unanimous three-judge appellate panel, set aside the FCC’s expansive interpretation of what constitutes an ATDS and its approach to consent for reassigned wireless numbers. The Court, however, upheld the FCC’s approach to revocation of consent by “reasonable means” expressing a desire to receive no further messages from the caller, as well as the scope of the FCC’s exemption for certain healthcare calls.

ATDS Equipment

In setting aside the FCC’s expansive interpretation of what constitutes ATDS equipment, the appellate panel concluded that the FCC’s view that all equipment with the theoretical “capacity” for autodialing is subject to the TCPA is too broad. Although the FCC did say in its 2015 Order that “there must be more than a theoretical potential that the equipment could be modified to satisfy the ‘autodialer’ definition”, the panel held that this “ostensible limitation affords no ground for distinguishing between a smartphone and a Firefox browser”. The panel determined that the FCC’s interpretation of ATDS was “an unreasonably expansive interpretation of the statute”.

Wireless Number Reassignment

The appellate panel also rejected the FCC’s approach to calls made to a person who previously gave consent but whose number has since been reassigned to another, nonconsenting person. The FCC concluded that calls in that situation are a violation of the TCPA, but did allow for a “one-call safe harbor” (i.e. one call post-reassignment, regardless of whether the caller has any awareness of the reassignment). The Court set aside this interpretation as a whole on the grounds that the FCC’s “one-call safe harbor” was “arbitrary and capricious”.

Revoking Consent

In contrast to the first two aspects of the FCC’s 2015 Order, the Court upheld the FCC’s guidance allowing consumers to revoke consent through any “reasonable means clearly expressing a desire to receive no further messages from the caller”. The FCC was originally petitioned to clarify whether callers could unilaterally prescribe exclusive means for consumers to revoke consent. The Commission explicitly declined this request, on the belief that allowing “callers to designate exclusive means of revocation” could “materially impair” the “right to revocation”. The Court agreed with the FCC’s conclusion. Notably, the Court did state that “[t]he Commission’s ruling absolves callers of any responsibility to adopt systems that would entail ‘undue burdens’ or would be ‘overly burdensome to implement’” and that “callers will have every incentive to avoid TCPA liability by making available clearly-defined and easy-to-use opt-out methods.” Seeming to address a recent wave of lawsuits based on alleged unreasonable revocation attempts by call or text message recipients, the Court further stated, “[i]f recipients are afforded [clearly-defined and easy-to-use opt-out methods], any efforts to sidestep available methods in favor of idiosyncratic or imaginative revocation requests might well be seen as unreasonable. The selection of an unconventional method of seeking revocation might also betray the absence of any ‘reasonable expectation’ by the consumer that she could ‘effectively communicate’ a revocation request in the chosen fashion.”

Healthcare Exemption

The FCC was originally petitioned to exempt from the TCPA consent requirement “certain non-telemarketing, healthcare calls” alleged to “provide vital, time-sensitive information patients welcome, expect, and often rely on to make informed decisions.” Although the Commission acknowledged the “exigency and public interest” in certain healthcare related calls, it was concerned that this policy argument failed with other types of healthcare calls such as “account communications and payment notifications” that could still potentially qualify as “vital, time-sensitive”.

As a result, the FCC’s 2015 Order limited the healthcare exemption to calls for which there is “exigency and that have a healthcare treatment purpose, specifically: appointment and exam confirmations and reminders, wellness checkups, hospital pre-registration instructions, pre-operative instructions, lab results, post-discharge follow-up intended to prevent readmission, prescription notifications, and home healthcare instructions”. The exemption would not cover calls that include telemarketing, solicitation, or advertising content, or which include accounting, billing, debt-collection, or other financial content.

The Court concluded that the FCC was “empowered to draw the distinction it did, and it adequately explained its reason for doing so”, and therefore that its action was not “arbitrary and capricious”, as petitioners had argued.

FCC Response

Shortly after the Court’s decision was announced, the FCC Commissioners issued statements in response. Chairman Pai, Commissioner Carr, and Commissioner O’Rielly all viewed the decision favorably. Commissioner Rosenworcel’s statement reflected her view that the Court’s decision would allow robocalls to continue unless the FCC does something to address them. Importantly, it appears an appeal of the Court’s decision is unlikely, as Chairman Pai stated, “I’m pleased today’s ruling does not impact the current FCC’s efforts to combat illegal robocalls and spoofing. We will continue to pursue consumer-friendly policies” and “we’ll maintain our strong approach to enforcement.”

Takeaway

The D.C. Court’s ruling both clarifies key aspects of the FCC’s 2015 Order and provides the FCC with direction on how to address rulemaking in this area going forward. However, numerous issues of the TCPA’s breadth and scope remain. Organizations are advised to consider the D.C. Court ruling together with FCC Chairman Pai’s position on the TCPA when implementing and updating telemarketing and/or automatic dialing practices going forward.

Nary a week goes by without news of a data breach by a healthcare provider. While there are certainly a good number of breaches resulting from a breach of cybersecurity defenses or from the wrongful exploitation of system security weaknesses, there is still a risk to healthcare providers resulting from their own internal operations. There are frequent reports of these “internal” breaches: loss of equipment (e.g., laptops that were not secured and unencrypted USB drives), employee wrongdoing (e.g., theft of records or improper access to records to satisfy personal curiosity), and then those unfortunate “oops” moments (e.g., sending protected health information (“PHI”) to administrative vendors without a proper business associate agreement (“BAA”) in place, or a spontaneous conversation in a waiting room disclosing PHI).

Huge penalties are attached to these breaches. Healthcare entities (and their business associates) face stiff financial penalties: $150,000 for a lost, unencrypted flash drive, $750,000 for sending PHI to an administrative service provider without a signed BAA, and $2.5 million for a stolen laptop, just to name a few. These poor folks would also likely be required to implement corrective action plans for several years, bear the internal and external costs of investigating the breach and navigating the U.S. Department of Health & Human Services Office for Civil Rights (“OCR”), and face potential litigation, not to mention the adverse publicity. Let’s not even get into the possibility of criminal penalties…

The Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act (“HIPAA/HITECH”) requirements have been around for some time. These critical rules are being augmented by the regular passage of various state laws. Some enacted or proposed laws, such as the “Stop Hacks and Improve Electronic Data Security Act” (“SHIELD Act”) legislation proposed by the NYS Attorney General, would not add requirements for companies that are in compliance with other cybersecurity laws such as HIPAA/HITECH. If you are not in compliance, however, then you could be facing OCR and other regulators as well.

Without doubt, many small or mid-sized healthcare providers have not complied with at least some of the security and privacy requirements under these laws as of this blog post (please see monkey emojis above). We get it – healthcare payments are shrinking and compliance can be a big nut – but ignoring compliance obligations gets riskier with each passing day.

If you need help meeting privacy requirements, are looking for assistance with HIPAA-compliant policies and procedures or training, or if you have any questions, please let the Jackson Lewis Privacy, e-Communications and Data Security Practice Group know. Below are some assorted links to our previous award-winning blog posts dealing with data breach preparedness, the SHIELD Act, and breach matters pertaining to healthcare entities (and if you browse through the posts, there are plenty more informative blogs pertinent to privacy concerns for healthcare entities):


There are only two states in the U.S. that have yet to enact data breach notification laws, but that may change in 2018. Several weeks ago, the South Dakota state legislature announced that a data breach notification bill (Senate Bill No. 62) was pending. Now, Alabama is following suit.

On March 1st, the Alabama Senate unanimously passed Senate Bill 318, the Alabama Data Breach Notification Act. The bill now moves to the House of Representatives for consideration. The bill, sponsored by state Senator Arthur Orr (R-Decatur), would require companies facing a data breach to notify affected individuals within 45 days of determining that a breach has occurred and is reasonably likely to cause substantial harm. Although there are no criminal penalties for companies that fail to notify affected individuals, the Attorney General’s office can issue fines of up to $5,000 per day and file a lawsuit on behalf of the affected individuals. A private right of action is not available.

“Alabama is one of two states that doesn’t have a data breach notification law,” Sen. Arthur Orr said. “In the case of a breach, businesses and organizations, including state government, are under no obligation to tell a person their information may have been compromised.”

Over the past year, Alabama Attorney General Steve Marshall has both worked on and been vocally supportive of the bill. “I want to thank the Alabama Senate, and Senator Orr in particular, for moving this bill forward and taking us one step closer to giving Alabama consumers the same protections as the citizens of 48 other states who already receive notifications when their sensitive personal information has been hacked,” Marshall said. “This is a big win for Alabama consumers and I look forward to working with the House to cross the finish line.”

High-profile data breaches have been a “wake-up call” for state legislators across the U.S., and Marshall emphasized, “It is long overdue.” The coming years will likely bring a variety of amendments to already existing state data breach notification laws. Review our articles on recent trends in other state data breach notification laws:

The European Union’s General Data Protection Regulation (GDPR) is fast approaching, and U.S. organizations that control or process personal data of EU residents are likely subject to these new data protection requirements. Now is the time for U.S. employers to determine whether they are covered by the GDPR (see our blog post, Does the GDPR Apply to Your US-based Company) and, if they are, begin preparing their HR data systems for compliance.

An employer that needs to process EU employee data must have a lawful basis for doing so under the GDPR. One of the six lawful bases for processing an EU resident’s personal data in Article 6 of the GDPR is “the data subject has given consent to the processing of his or her personal data for one or more specific purposes.”

A common practice in the U.S. is to rely on blanket consent clauses in employment contracts or handbooks that permit employers to process employee personal data. U.S. employers often also rely on implied consent from employees. However, such practices may not be considered valid forms of consent for lawful processing of personal data under the GDPR. An expansive discussion on the validity of employee consent for data processing under the GDPR, and how organizations can prepare their HR data systems to reflect GDPR ‘consent’ requirements, can be accessed here.

Most business owners are all too familiar with identity theft. What they might not be sufficiently aware of is the “Dark Web,” where identity thieves buy and sell stolen personal information.

The Dark Web Defined

The Dark Web describes places on the internet not indexed by traditional search engines. Although not all sites on the Dark Web engage in criminal activity, it is generally where illegally obtained consumer data is bought and sold. For identity thieves, the Dark Web is a virtual marketplace that can provide a safe haven for cyber criminals to barter their goods, whether it’s stolen account information, stolen credentials, stolen documents or other personal information.

What Is the Connection between the Dark Web and Small Business?

Generally, personal data stolen from businesses ends up on the Dark Web. There are myriad categories within the Dark Web that specialize in different stolen information, such as stolen credit cards, stolen account information from financial institutions, forged documents, etc. Many times there are even subcategories within these general categories, such as a specific brand of credit card within a specific geographic location by state and zip code. Surprisingly, some of these Dark Web businesses will not only sell stolen information such as bank cards, but will also offer “customer service” functions such as card support or refunds. The Dark Web also offers compromised bank accounts, health records, credentials and forged real estate documents. Interestingly, a “one-stop shop” is available on the Dark Web that offers entire “wallets” complete with driver’s license, social security number, birth certificate and credit cards.

How Is Stolen Information Utilized?

There is no real limitation for the creative criminal mind on what purposes stolen information can serve. Typically, these include obtaining credit, mortgages, loans, tax refunds, etc. In addition, it can be used to create a “synthetic identity,” where real and fictitious information are lumped together to create a new identity that is difficult to discover.

Stolen Credentials

A growing area of criminal activity on the Dark Web is the use of stolen credentials such as user names and passwords. To profit from this type of information, identity thieves often hire “account checkers,” who input stolen user names and passwords across various business accounts, including banking and eCommerce, and attempt to “break in” to those accounts, since many people use the same user name and password for a variety of services. Suddenly, a user name and password stolen from one credit card account can be used to open up a variety of accounts across financial and business-related horizons.
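The “account checker” pattern described above has a recognizable footprint in a business’s own authentication logs: one source address trying many different user names in quick succession, with almost every attempt failing. The following is an added example, not code from the original post, showing how a small business could scan its login log for that pattern. The log format (`<timestamp> <OK|FAIL> user=<name> src=<ip>`), the sample lines and the thresholds are all assumptions constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines (not from the original post). The format is an
# assumption: "<timestamp> <OK|FAIL> user=<name> src=<ip>". Source 203.0.113.5
# behaves like an account checker: ten different user names in six seconds,
# nine failures, one success.
SAMPLE_LOG = """\
2018-03-01T10:00:01Z FAIL user=alice src=203.0.113.5
2018-03-01T10:00:02Z FAIL user=bob src=203.0.113.5
2018-03-01T10:00:02Z FAIL user=carol src=203.0.113.5
2018-03-01T10:00:03Z FAIL user=dave src=203.0.113.5
2018-03-01T10:00:03Z OK   user=erin src=203.0.113.5
2018-03-01T10:00:04Z FAIL user=frank src=203.0.113.5
2018-03-01T10:00:04Z FAIL user=grace src=203.0.113.5
2018-03-01T10:00:05Z FAIL user=heidi src=203.0.113.5
2018-03-01T10:00:05Z FAIL user=ivan src=203.0.113.5
2018-03-01T10:00:06Z FAIL user=judy src=203.0.113.5
2018-03-01T10:05:00Z FAIL user=alice src=198.51.100.7
2018-03-01T10:05:10Z FAIL user=alice src=198.51.100.7
2018-03-01T10:05:20Z OK   user=alice src=198.51.100.7
2018-03-01T10:06:00Z OK   user=bob src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


@dataclass
class SourceStats:
    """Per-source-address counters accumulated over the log."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)       # distinct user names tried
    successes: set = field(default_factory=set)   # user names that logged in OK


def parse_log(text):
    """Parse log text into a list of dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def aggregate(events):
    """Group events by source address and tally attempts, failures and users."""
    stats = defaultdict(SourceStats)
    for e in events:
        s = stats[e["src"]]
        s.attempts += 1
        s.users.add(e["user"])
        if e["result"] == "FAIL":
            s.failures += 1
        else:
            s.successes.add(e["user"])
    return stats


def find_credential_stuffing(text, min_distinct_users=5, min_failure_ratio=0.8):
    """Return {src: (distinct_users, failure_ratio, users_that_succeeded)} for
    sources that tried many different user names and mostly failed. A single user
    fumbling their own password (few user names) is deliberately not flagged."""
    flagged = {}
    for src, s in aggregate(parse_log(text)).items():
        ratio = s.failures / s.attempts
        if len(s.users) >= min_distinct_users and ratio >= min_failure_ratio:
            flagged[src] = (len(s.users), round(ratio, 2), sorted(s.successes))
    return flagged


if __name__ == "__main__":
    for src, (n_users, ratio, hits) in find_credential_stuffing(SAMPLE_LOG).items():
        print(f"{src}: {n_users} user names, {ratio:.0%} failures, accounts opened: {hits}")
```

The accounts listed as successful for a flagged source (here `erin`) are the ones whose password was evidently reused from a breach elsewhere; those are the accounts to reset and whose owners to notify, while the source address itself is a candidate for rate limiting or blocking.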

Small Business Impact from Dark Web

The media generally focuses on data breaches at large companies that possess information on millions of consumers. Consequently, many small businesses may mistakenly conclude that they would not be a prime target of identity thieves. Small business owners should know that thieves generally don’t target businesses by size, but by vulnerability. As privacy specialists noted at a recent Federal Trade Commission (FTC) conference, information available for sale on the Dark Web is up to twenty times more likely to come from a company whose breach wasn’t reported in the media. Unfortunately, many of these are small retailers, restaurant chains, school districts, medical practices, etc., as emphasized at the FTC conference, where it was announced that the majority of breaches investigated by the U.S. Secret Service involve small business. (The full FTC conference on identity theft is available for viewing under the video tab here.)

Reducing Risk for Your Small Business

Obviously, it starts and ends with adequate security protections and the commitment to consistently follow proper security protocols. The FTC has a data security page that identifies security options for a business of any size and sector. In addition, the House of Representatives recently held a hearing to discuss cybersecurity risks for small businesses and various solutions. In particular, it was suggested that increased sharing of cyberthreat data could enhance the security of all industries, supported by Committee Chairman Steven Chabot’s recently introduced Small Business Cybersecurity Enhancement Act (H.R. 4668), which would create a government-led cyberthreat information sharing program. For more information on small businesses and cybersecurity, see our article Data Breach Preparedness: A critical risk management for small and mid-sized business. The bottom line is that small businesses are particularly at risk for identity theft and need to act promptly and aggressively to minimize their legal and monetary exposure.