On June 14, 2013, Texas Governor Rick Perry signed S.B. 1610 amending Texas’ data breach notification law to

  • remove language limiting the application of the data breach notification requirement to Texas residents and residents of states that do not require notification,
  • permit, for residents of states other than Texas that require notification of a breach, notice to be provided to such individuals under the states’ law or under Texas law, and
  • clarify that written notice of a security breach must be provided to the last known address of the individual.

These changes, effective when signed by the Governor, were intended to address concerns that the prior version of the law "unintentionally require[d] any person who handles personal health information to be aware of the breach notification laws of every state and any potential changes to them, which creates a substantial and unnecessary administrative burden on professionals who handle personal health information."  Of course, if a breach experienced by a Texas company affects Texas residents, as well as residents of states which also have breach notification laws, that company still needs to review and comply with the laws in those other states, if applicable.

When California changed its law to require Attorney General (AG) notification in the event of a data breach, Attorney General Kamala D. Harris’ office began analyzing the data it was receiving. A report issued by her office made a number of findings summarized below. However, key among them is the impact encryption would have on data at risk. Based on this finding, the Attorney General announced an enforcement priority to investigate breaches involving unencrypted personal information.

Attorney General Harris stated in the report:

Particularly striking is the impact of the failure to encrypt sensitive personal information. It has been ten years since we realized the vulnerability of personal information on stolen laptops, lost data tapes, and misdirected emails. If encryption had been used, over 1.4 million Californians would not have had their information put at risk in 2012. That number represents more than half of the 2.5 million people affected by the 131 breaches covered in this report. It is my strong recommendation that companies and agencies implement encryption as a basic protection and reasonable security measure to help them meet their obligation to safeguard personal information entrusted to them.

The report contains some interesting findings:

  • In 2012, 131 breaches, each affecting more than 500 California residents, were reported to the Attorney General’s Office.
  • The average breach involved information of 22,500 individuals, with the median breach size being 2,500 affected individuals.
  • More than 2.5 million Californians were put at risk by data breaches in 2012.
  • The retail industry reported the most data breaches in 2012: 34 (26 percent of the total reported breaches).
  • More than half of the breaches (56 percent) involved Social Security numbers.
  • While more than half of the breaches (55 percent) were the result of intentional intrusions by outsiders or by unauthorized insiders, the other 45 percent resulted from failures to adopt or carry out appropriate security measures.
  • The average reading level of breach notices submitted in 2012 was 14th grade.
  • In 50 percent of the breaches considered, the breaching entity offered credit monitoring services.

Based on these findings, the report makes a number of recommendations, including calling for legislation requiring encryption of data in transit:

Companies should encrypt digital personal information when moving or sending it out of their secure network. The Attorney General’s Office will make it an enforcement priority to investigate breaches involving unencrypted personal information, and encourage our allied law enforcement agencies to similarly prioritize these investigations. The Legislature may also want to consider requiring the use of encryption to protect personal information in transit.

Similar requirements already exist in Massachusetts and Nevada. Other recommendations include:

  • Train employees and contractors.
  • Improve readability of breach notices.
  • Offer mitigation products and/or provide information on security freezes.
  • To the legislature, expand the definition of personal information in the State’s breach notification law to include online credentials such as username and password.

Companies, particularly those that maintain personal information about California residents, should read this report and carefully review the steps they take to mitigate their "information risk." Remember that in 2003 California was the first state to enact a data breach notification law, and 45 states followed shortly thereafter. Other states’ AGs have taken, and may take, similar steps to respond to the continuing risks data breaches raise for their states’ residents.

For hospital employees, looking at patient records they should not be accessing can have stiff consequences. My partner, Michael Bertoncini, discusses a recent case, Cosby v. Vicksburg Healthcare, LLC D/B/A River Region Medical Center, in which the hospital employee was fired for looking at patient records when she should not have been. For this employee, suing the employer claiming the real reason for the termination was discrimination and retaliation did not work.

Most breach notification mandates require a notice be provided without unreasonable delay. In some cases, such as under HIPAA, the same standard applies but also with an outside date to provide the notice – 60 days. Proposed regulations under the Affordable Care Act would require notification to the Department of Health and Human Services in one hour! 

In §155.280(c)(3) we propose that [Federally-facilitated Exchanges or FFEs], non-Exchange entities associated with FFEs, and State Exchanges must report all privacy and security incidents and breaches to HHS within one hour of discovering the incident or breach. We also propose that a non-Exchange entity associated with a State Exchange must report all privacy and security incidents and breaches to the State Exchange with which they are associated.

The proposed definitions for "incidents" and "breaches" are broader than those under HIPAA, with HHS adopting instead definitions established by the Office of Management and Budget. Under the proposed regulations, FFEs and non-Exchange entities associated with FFEs would have to comply with applicable privacy and security standards, and be subject to monitoring and auditing by HHS. This would include being required to have policies and procedures in place for reporting breaches and incidents.

The breach mandate would apply to the Exchanges as well as "non-Exchange entities."  Non-Exchange entities may include entities such as "navigators," agents, brokers and others "associated with an Exchange." "Navigators" are government-paid helpers, individuals and entities, whose role it will be to assist in the administration of the Exchange. Organizations such as unions, church groups and chambers of commerce can be navigators. They will perform tasks such as educating consumers and facilitating enrollment. 

Many expect there will be a considerable amount of confusion at the end of this year as millions consider their health care options with the full impact of "Obamacare" rolling out for 2014. In the process, vast amounts of very sensitive, personal information will need to be exchanged among newly created exchanges and other entities. Entities associated with these exchanges will need to be prepared from a privacy and data security standpoint. 

Medical device manufacturers generally are not the first group of businesses that come to mind when one thinks of HIPAA, privacy and security. However, in the world of "Big Data," the functioning of medical devices increasingly involves the use of wireless, Internet- and network- connections and the frequent electronic exchange of medical device-related health information. Yes, medical information about you (if you use such a device of course)!

Recognizing this, the Food and Drug Administration (FDA), the federal agency that approves certain medical devices for use in the marketplace, issued draft guidance for medical device manufacturers, following some earlier pronouncements. The FDA is quick to point out that, if approved, this guidance would not be authoritative and would only contain suggestions; suggestions that likely will shape the FDA’s approval process.

So why bring this to you? Well, developments like these help to point out how much we are and will continue to be surrounded by electronic devices, some for our health, others for our entertainment or communication, that collect, store and transmit confidential and personal information, very often without our even knowing.

Privacy and data protection rules of the European Union place a heavy compliance burden on European companies and all foreign companies handling or possessing EU data, and the latest proposal under consideration by the European Parliament for a uniform rule is no exception. As reported by L&E Global, the worldwide alliance of premier boutique employment law firms of which Jackson Lewis LLP is a founding member, a proposal to amend and replace the 1995 Data Protection Directive with the most stringent data protection laws in the world, which would require reporting of any data privacy breach to national authorities, received a favorable vote from the European Parliament’s Legal Affairs Commission. However, the drive for a uniform data privacy rule has received pushback from business and government alike. They are concerned about the scope of the proposal, which is expected to be effective in 2016. EU justice ministers meeting in Luxembourg on June 6 agreed to dilute the proposal in response. According to Reuters, lawmakers have offered approximately 4,000 amendments to the proposal and agreed to a "risk-based" approach for reporting data breaches. In its present form, the proposal requires data breaches to be reported within 24 hours and notification to be given to government entities as well as affected individuals. The final rule, in any form, will impact global business and worldwide company use of data. Businesses should continue to monitor developments. Additional information about the proposal can be found here.


Numerous companies are considering, or have already transitioned to, a "bring your own device" (BYOD) model. Under a BYOD program, employees are permitted to connect their own personal devices (iPhone, iPad, Blackberry, PDA, etc.) to the employer’s networks and systems to complete job duties, either in the office or working remotely. While a BYOD program has numerous benefits, there are also a number of issues which should be considered.

The BYOD Issues Outline below highlights key issues and policy considerations for companies considering moving to, or continuing, a BYOD program. 

*Jackson Lewis’ Bring Your Own Device (BYOD) Issues Outline*

The New York Times recently reported that hackers from China have resumed attacks on U.S. targets, despite efforts by the Obama Administration to curb these intrusions. According to the article and a report by a security company, Mandiant, hackers from China have been behind…

scores of thefts of intellectual property and government documents over the past five years…They have stolen product blueprints, manufacturing plans, clinical trial results, pricing documents, negotiation strategies and other proprietary information from more than 100 of Mandiant’s clients, predominantly in the United States. 

For some, the thought of a data breach means stolen credit card numbers and identity theft. For others, it involves trade secret information, often critical data that provides a significant competitive advantage in the global marketplace. In the worst case, it involves military and other secrets that could jeopardize national security.

Businesses need to assess and address these risks from an enterprise-wide perspective and on a continuous basis. A key source of these risks, as many experts have noted, is the explosion of smartphone utilization. So, in addition to network and perimeter e-security, a good place for many companies to start is dealing with the rapid evolution to a mobile workforce and the demand by employees to use their own devices. One approach is to adopt a comprehensive "Bring Your Own Device" (BYOD) policy. Of course, mobile devices are only one aspect of an organization’s information systems to be safeguarded, but they do create significant vulnerabilities.

In addition to limiting employers’ access to the online accounts of employees and applicants, effective July 1, 2013, Colorado becomes the ninth state to restrict an employer’s right to obtain and use credit information for making employment decisions. Colorado joins California, Connecticut, Hawaii, Illinois, Maryland, Oregon, Vermont and Washington.

Under Colorado’s new law, a covered employer cannot require an employee to consent to a background check containing credit information unless: (1) the employer is a bank or financial institution; (2) the report is required by law; or (3) the report is “substantially related to the employee’s current or potential job,” and the employer has a bona fide purpose for such information, and this information is disclosed in writing to the employee. Further, such information can be used only if it is “substantially related to the employee’s current or potential job.”

The statute provides that the phrase, “substantially related to the employee’s current or potential job,” means the information in the credit report is related to the position for which the subject is being evaluated, because the position is one for executive or management level personnel or officers, or employees who constitute professional staff to executive and management personnel, and the position involves one or more of the following:

  • Setting the direction or control of a business, division, unit, or an agency of the business;
  • A fiduciary responsibility to the employer;
  • Access to customers, employees, or the employer’s personal or financial information, other than information customarily provided in a retail transaction;
  • The authority to issue payments, collect debts, or enter into contracts; or
  • Involves contracts with defense, intelligence, national security, or space agencies of the federal government.

More information about the law can be accessed here, or at the link above. 

Like many universities, Idaho State University (ISU) operates a number of health facilities, some of which are subject to the HIPAA privacy and security regulations. According to a U.S. Department of Health and Human Services (HHS) press release, the Office for Civil Rights (OCR) opened an investigation after ISU notified HHS of a breach in which the electronic "protected health information" (ePHI) of approximately 17,500 patients was unsecured for at least 10 months, due to the disabling of firewall protections at servers maintained by ISU. To settle the alleged violations of the HIPAA security rules, ISU has agreed to pay $400,000 and to comply with a two-year corrective action plan.

OCR’s action here is consistent with prior reported breaches and with its discussions of enforcement in recent final regulations, which we reported on. It is important to note that OCR’s investigation indicated that:

ISU’s risk analyses and assessments of its clinics were incomplete and inadequately identified potential risks or vulnerabilities. ISU also failed to assess the likelihood of potential risks occurring.

Additionally, OCR concluded that ISU did not apply proper security measures and policies to address risks to ePHI and did not have procedures in place for routine review of its information system, which could have detected the disabled firewall much sooner.

This makes clear that it is NOT sufficient to simply create policies and procedures that safeguard protected health information. A HIPAA covered entity must conduct and document a risk assessment, a process OCR Director Leon Rodriguez noted is a cornerstone of an effective HIPAA security compliance program. This basic requirement also applies to business associates, and is a common sense practice any entity should follow when setting out to safeguard data.