What Covered Entities and Business Associates Need to Do to Prepare for the New HIPAA/HITECH Requirements (Part II)

There has been a lot of discussion about the impact of the Final Omnibus Rule modifying the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules as well as the breach notification rules of the Health Information Technology for Economic and Clinical Health Act (HITECH).  In Part I, we discussed what HIPAA covered entities (CEs) need to do to prepare.  This discussion will focus on our suggestions for HIPAA business associates (BAs) and their subcontractors (subBAs).  Although the core recommendations are for the most part the same as those we identified in Part I for CEs, the justification for adopting them is slightly different and the priorities are reordered for BAs and subBAs.

Legal:  BAs are now directly liable for compliance with certain HIPAA Privacy and Security Rule requirements. Experienced outside privacy counsel can help BAs become compliant with the final rule requirements.  Privacy counsel will be valuable in assessing and documenting whether a breach has occurred, as well as in helping BAs and subBAs develop appropriate compliance programs. Now that CEs have an obligation related to appropriately selecting and retaining vendors, CEs will be doing their due diligence to determine whether their vendors are compliant.

Cyber Insurance:  CEs have been struggling with HIPAA compliance, particularly compliance with the Security Rule, for nearly a decade.  Now, BAs must enter the fold.  While BAs for the most part have safeguards in place for protected health information (PHI), strict compliance with the HIPAA Security Rule by BAs is questionable.  Insurance is not a substitute for compliance.  More than one-third of breaches are caused by vendors, and the breach reports we have seen since 2009 suggest that BAs and subBAs have a lot to do to become fully compliant with HIPAA.  Therefore, as BAs and subBAs wrestle with these compliance issues, it is critical to have a robust cyber insurance policy in place that covers not only notification costs, but also regulatory penalties.  BAs and CEs need to keep in mind that penalties for violations of the HIPAA Rules will be specific to the organization against which the penalty is being assessed.

There appears to be some confusion over whether or not joint and several liability principles will apply to assessment of penalties.  There may be a few very limited circumstances where this might be an issue, but for the most part, the penalty will relate to a specific violation by that entity.  For example, a BA will not be subject to penalties because a CE did not perform a periodic risk assessment as required by HIPAA. Or, a BA may be subject to a penalty for not having sufficient technical safeguards in place while the CE may be subject to a penalty for being aware of the BA’s failures and not doing something to stop the practice.

Policies and Procedures:  Compliance with HIPAA requires that administrative, technical, and physical safeguards be in place to protect PHI.  Additionally, the organization must have policies and procedures in place to implement these safeguards.  The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has enforcement authority over the HIPAA Privacy and Security Rules.  After a breach is reported to HHS, OCR requests a copy of the organization’s policies and procedures in place to safeguard PHI.  The request is often broader than the cause of the reported breach and extends to all policies and procedures in place, so that OCR can determine whether the responding organization is compliant with HIPAA.  Examples of policies that BAs should have in place include:  (1) permitted uses and disclosures of PHI; (2) business associates; (3) minimum necessary; (4) de-identification of PHI; (5) back-up plans; (6) disaster recovery; (7) risk analysis; (8) risk management plans; (9) workforce training; and (10) termination of access.

Risk Assessments and Risk Management Plans:  BAs are now subject to the OCR HIPAA Audit protocol.  HIPAA requires organizations to conduct periodic risk assessments and then to address the risks identified in a risk management plan.  The OCR HIPAA Audit program sets a framework to analyze process, controls, and policies of the selected BA by using a comprehensive audit protocol.  The protocol addresses uses and disclosures, safeguards in place (administrative, physical, and technical), and breach notification rule compliance.

Incident Response Plans (IRPs):  IRPs are a roadmap to guide the breach response activities of an organization’s incident response team (IRT).  As with CEs, the IRPs of BAs and subBAs must include the factors HHS has outlined for consideration in determining whether there is a low probability of compromise:  (1) the nature and extent of PHI involved; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether PHI was actually acquired or viewed; and (4) the extent to which the risk to PHI has been mitigated (e.g., assurances from trusted third parties that the information was destroyed).   An IRT’s members depend on the size and complexity of the organization, but typically include members from the following groups:  (1) general counsel; (2) IS/IT; (3) communications; (4) HR; (5) compliance; and (6) privacy.  External members of the team can include:  (1) outside privacy counsel; (2) forensics; (3) notification vendors; and (4) crisis management.

Breach Analysis Forms:  Keep in mind two basic requirements when considering the impact of the final rule.  The first is compliance and the second is documentation.  As BAs develop their compliance programs to fit the new requirements, they need to remember to update their forms as well.  The standard for determining whether or not a breach has occurred has changed and so has the required analysis.  A breach is presumed unless the CE can show that there is a low probability of compromise.  Moreover, HHS has outlined at least four (4) factors that must be considered. (The four factors are listed under Incident Response Plans, supra.) To the extent that third-party tools which analyze breach notification are utilized, BAs need to confirm that the approach reflects the new requirements.

Education:  A culture of compliance is expected.  Education and awareness are the best ways to develop that culture.  In addition to new employee training and annual training, consider periodic training in the form of newsletters and other events to keep privacy at the top of employees’ minds.

Business Associate Agreements:  Expect an administrative nightmare.  Changes to business associate agreements (BAAs) are coming.  CEs will be struggling with compliance with the final rule and you are going to see demands from CEs that may test the BAs' ability to comply with the requests--both on an administrative level because of the volume of contracts that will need to be amended and from a compliance standpoint because BAs are not prepared to meet the safeguard demands.  Additionally, BAs will need to modify the agreements they have in place with subBAs to ensure compliance with HIPAA. 

Forensics:  As with CEs, BAs need to develop relationships with forensic firms because outside forensics is going to be critical in helping to reach a conclusion that a breach has not occurred--low probability of compromise. For those BAs that already have cyber insurance, talk to your broker or carrier about the forensics options and seek recommendations from them as to how the coverage will support you with the changes in the regulations.

OCR Director Rodriguez has made it clear the final rule provides for the most sweeping changes to HIPAA since the Privacy and Security Rules were released.  And, further, the final rule provides OCR with an opportunity to vigorously enforce compliance.  These statements are a reality for the several dozen OCR investigations that we are currently defending.  As time passes, and OCR gains experience through the thousands of breaches that are reported and the audits that are conducted, the questions which organizations face will become more difficult to answer.  Compliance with HIPAA must be a top priority for all CEs, BAs, and subBAs.  

What Covered Entities and Business Associates Need to Do to Prepare for the New HIPAA/HITECH Requirements (Part I)

The Department of Health and Human Services (HHS) issued, on January 17, 2013, its Final Omnibus Rule modifying the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy and Security Rules as well as the breach notification rules of the Health Information Technology for Economic and Clinical Health Act (“HITECH”).  Our initial discussion can be found here.  The healthcare industry has been waiting for the final rule for more than two and a half years--now that it is here, what do Covered Entities (CEs) and Business Associates (BAs) need to do to prepare for compliance?  We will cover recommendations for CEs in this post, Part I, and BAs will be addressed in Part II.

Incident Response Plans:  To the extent you are a CE who has been waiting for the final rule to implement an incident response plan (IRP), now is the time.  An IRP helps the breach response team respond to privacy events by providing them with a roadmap so that a determination can be made as to whether or not a breach has occurred.  At a minimum, new and existing plans should incorporate the factors outlined by HHS to be considered:  (1) the nature and extent of PHI involved; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether PHI was actually acquired or viewed; (4) the extent to which the risk to PHI has been mitigated (e.g. assurances from trusted third-parties that the information was destroyed). 

Policies and Procedures:  CEs’ policies and procedures, including the Notice of Privacy Policy, must be updated and amended to reflect the new requirements.  For example, there are new requirements regarding the timeliness of responding to requests for a copy of PHI.

Breach Analysis Forms:  CEs have been utilizing forms that reflect the language of the interim final rule, where the focus is on the potential harm to the patient.  Many CEs have also utilized breach analysis forms that depend on a risk rating developed by third parties to assess whether there is a significant risk of harm due to the impermissible use or disclosure.  The standard has changed and so will the required analysis.  A breach is presumed unless the CE can show that there is a low probability of compromise.  Moreover, HHS has outlined at least four (4) factors that must be considered.  (The four factors are listed under Incident Response Plans, supra.)

Education:  HHS and OCR expect that healthcare organizations will create a culture of compliance.  Raising awareness about the importance of privacy issues through education is just one way to achieve this goal.  CEs should consider other opportunities to keep privacy at the top of their employees' minds (e.g., posters, newsletters, committee calls).  Just as the Federal Trade Commission (FTC) is promoting Privacy by Design, CEs need to consider ways that privacy awareness can be incorporated into every aspect of patient care and healthcare operations. 

Vendor Lists and Vendor Contracts:  Vendors remain the cause of a large percentage of breaches that occur; more than a third of all breaches are caused by vendors.  Even though BAs are now directly liable, the final rule makes it clear that CEs have an obligation related to appropriately selecting and retaining vendors.  Review your vendor lists to see if any vendors should be removed because of issues relating to data security and privacy.  Review your contracts to see if language needs to be updated to reflect the final rule.

Risk Assessments and Risk Management Plans:  HIPAA requires healthcare organizations to conduct periodic risk assessments and then to address the risks identified in a risk management plan.  Now is a good time to review and assess your risks to determine if changes can be made to help avoid breaches. Privacy counsel can be a critical member of this exercise.  For example, in some instances, outside counsel can retain the vendor and oversee the project to help maintain the attorney-client privilege. The experience of the privacy counsel, however, is also crucial.  Organizations should retain counsel who has been involved in dozens of OCR investigations and who can provide guidance around what OCR is asking for during those investigations.  That experience translates into the organization's ability to better identify risk mitigation strategies in response to the vulnerabilities found during the risk assessment.

Cyber Insurance:  There are many types of cyber policies being sold to healthcare organizations.  Whether or not you have purchased cyber insurance for breach notification, consider seriously the scope of your coverage for regulatory violations and defense of class actions. We predict that OCR and State Attorneys General (SAGs) are going to be far more aggressive than in the past.  Additionally, due to the changed threshold for breach notification, we may see more class action lawsuits which are expensive to defend.

Legal:  Experienced outside privacy counsel is critical for full compliance with the breach notification requirements of the final rule.  A breach is now presumed which means that outside counsel is going to need to help document the reasons why an organization concludes a breach did not occur.

Forensics:  I am not a big proponent of retaining forensics companies prior to a breach occurring.  This is because, like lawyers, the strengths amongst forensics firms vary.  Therefore, if I am dealing with an issue involving a new malware variant, I may find a forensics vendor who has experience with the variant and is better positioned to assist my client.  The final rule, however, is a bit of a game changer, and I am now encouraging my clients who do not have insurance to interview a few forensics firms, as the new breach notification rules make it clear that a technically sound and understandable forensics report is critical for supporting determinations that a breach did not occur.  For those that have insurance, talk to your broker or carrier about the forensics options and seek recommendations from them as to how the coverage will support you with the changes in the regulations.

The final rule becomes effective on March 26, 2013, but enforcement will not commence until September 23, 2013.  This does not mean that organizations do not need to be compliant.  The Office for Civil Rights (OCR) has made it clear that civil monetary penalties (CMPs) will be on the rise for HIPAA violations.  A culture of compliance is expected, not merely encouraged.

On Wednesday, January 23, 2013 at Noon EST, we will be hosting a webinar to discuss some of the big changes in the final rule.  You may register here.

The HIPAA/HITECH Final Rule Has Been Released

The long-awaited HIPAA/HITECH Final Rule is out.  The final rule is effective March 26, 2013, but covered entities (CEs) and business associates (BAs) will have 180 days beyond the effective date to come into compliance. While we are still conducting a comprehensive review of this 563-page document, below are a few of the changes we have found so far:

  • BAs are now directly liable for compliance with certain HIPAA Privacy and Security Rule requirements:  impermissible uses and disclosures; failure to provide breach notification to the covered entity; failure to provide access to a copy of electronic protected health information to either the covered entity, the individual, or the individual's designee; failure to disclose PHI where required by the Secretary to investigate or determine the business associate's compliance with the HIPAA Rules; failure to provide an accounting of disclosures; and failure to comply with the requirements of the Security Rule.
  • Insurers may need a business associate agreement (BAA) with a covered entity if the insurer is performing risk management or assessment activities or legal services for the covered entity which involve access to PHI.
  • Additional guidance has been provided regarding the assessment of civil monetary penalties (CMPs):  number of individuals affected and time period during which violations occurred will be considered.  As noted below, OCR's presentation to the State Attorneys General shows how quickly CMPs can reach very high numbers.
  • Reputational harm is a fact-specific inquiry and does not arise solely from the sensitivity of the diagnosis.  Instead, OCR will look at whether there were adverse effects on employment, standing in the community, or personal relationships.
  • When assessing CMPs, an organization's history of compliance and non-compliance will be considered.  A mere complaint does not constitute an indication of non-compliance.
  • There are significant changes to treatment and care communications when the covered entity receives financial remuneration for promoting a third party's goods and services.
  • Individuals must have a right to access and to obtain a copy of PHI within 30 days (with a one-time 30 day extension after written notice for the delay and when the records will be provided).
  • The definition of breach has been modified to clarify that an impermissible use or disclosure of PHI is PRESUMED to be a breach unless the CE or BA demonstrates that there is a low probability that the PHI has been compromised.  Documentation sufficient to meet this burden of proof must be maintained.
  • Breach notification is not required if a CE or BA demonstrates through a risk assessment that there is a low probability that the PHI has been compromised--the focus is no longer on the harm to the individual.
  • The probability of harm must be assessed by considering at least: (1) the nature and extent of PHI involved; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether PHI was actually acquired or viewed; (4) the extent to which the risk to PHI has been mitigated (e.g. assurances from trusted third-parties that the information was destroyed). Most of these factors were likely considered previously by CEs.
  • Notification does not require an analysis of risk because the occurrence of a breach is presumed.
  • Notification, in situations where the use or disclosure is so inconsequential, is not warranted because it may cause the individual unnecessary anxiety or even eventual apathy if notifications of these types of incidents are sent routinely.  An example is provided of a misdirected fax to the incorrect physician who immediately calls to report the error. This is nothing new, just a clear expression of what many have already believed.
  • Substitute notice or media notice may at times occur after the 60-day period depending on circumstances.
  • Breaches affecting under 500 individuals must be reported no later than 60 days after the calendar year in which they were discovered, not when they occurred.
  • Notification to the Secretary must occur contemporaneously with notice to individuals for breaches affecting over 500 individuals.

We also note that some things remain unchanged:

  • HITECH only preempts state law to the extent HITECH is more stringent.  HITECH is only a Federal floor of privacy protection.
  • The revised penalty structure remains.  A presentation by the OCR to state Attorneys General shows how aggressive OCR may be in assessing civil monetary penalties (CMPs).
  • "The goal of enforcement is to ensure that violations do not recur without impeding access to care." P. 79.  An entity's financial condition will still be considered.
  • The addressable standard remains.  HHS does "not mandate the use of specific technologies, or require uniform policies and procedures for compliance, because [they] recognize the diversity of regulated entities and appreciate the unique characteristics of their environments." P. 102.
  • The "minimum necessary" standard applies directly to BAs.
  • Certain provisions of the Privacy Rule do not apply to BAs unless the CE delegates that responsibility: designating a privacy officer, providing a notice of privacy practices (NPP).
  • BAAs are still required to help clarify and limit permissible uses and disclosures.
  • A decedent's PHI will require protection for 50 years.
  • The requirement for return or destruction of PHI by the BA at the termination of the contract (if feasible) does extend to sub-BAAs.
  • HHS will not establish or endorse a certification process for HIPAA compliance by BAs and sub-BAs.
  • Timeliness and content of notification have not changed.
  • A CE retains the ultimate obligation for proper notification.  Notification by the BA can be delegated.
  • Media notification and notification to HHS have not changed.
  • Law enforcement delays remain available.
  • There are no changes to the circumstances permitting preemption of state law by HITECH.

We will continue to assess these changes and post updates as our analysis develops and the impact of these changes is further considered.  

SEC To Issue Stronger Cybersecurity Guidance?

In February we wrote about whether Facebook’s IPO would set the tone under the SEC’s then-relatively new cybersecurity disclosure guidance. In subsequent months, it has become apparent that this guidance is still not yielding the level of disclosure on cybersecurity matters that regulators want. This is especially true with respect to the disclosure of past incidents of data breach.

Two recent examples of high profile breaches that did not show up in SEC disclosures:

  • A well-known, large online retailer said nothing in its latest annual report about an online theft of customer data that took place earlier this year. When the SEC followed up to ask why the incident had not been disclosed, the retailer asserted that disclosure was not required because the incident did not have a material impact on its business.
  • A highly popular social networking website similarly chose not to file a report with the SEC regarding a breach in June that exposed more than 6 million customer passwords.

Accordingly, new legislation is currently being debated in the Senate, which would require the SEC to review its original guidance and decide whether it should be updated or even made compulsory (i.e., issued as a formal guideline). Such new guidance, in whatever form it takes, would likely force reporting companies to make disclosures regarding cybersecurity, specifically past incidents of data breach, that they are not making under the current guidance regime.

Connecticut to Require Notice to Attorney General Following a Breach

Connecticut has been in the forefront in protecting the personal information of its residents.  In July 2010, in the first action by a state attorney general for violations of HIPAA since HITECH authorized state attorneys general to enforce HIPAA, a settlement was reached between HealthNet and the state of Connecticut – stemming from a May 2009 incident related to a lost computer disk containing the protected health and other private information of 1.5 million consumers nationwide.  The incident affected nearly a half million Connecticut consumers.  The settlement included HealthNet’s payment of $250,000 to the state representing statutory damages and HealthNet’s implementation of a corrective action plan.     

Connecticut’s commitment to its residents’ personal privacy continued into 2011.  In September of 2011, Connecticut Attorney General George Jepsen announced the creation of a privacy task force to focus on internet and data privacy concerns.  Since its creation, the Attorney General’s office has publicly requested information from various entities, including the state Department of Labor, Central Connecticut State University, Wells Fargo, and Zappos, after receiving reports of security breaches affecting Connecticut residents.  The requests for information have occurred without a statutory requirement for the notification of a security breach to the Attorney General’s office.  Recently, however, Connecticut joined the ranks of states requiring notification to the Attorney General following a breach incident. 

On June 12, 2012, at an end-of-term General Assembly special session, Connecticut updated its existing data breach notification statute, Conn. Gen. Stat. 36a-701b.  The update appears on page 162 of the Connecticut General Assembly's June 12, 2012 Special Session Bill No. 6001, a 468-page house and senate budget bill.  The updates to the statute are effective as of October 1, 2012.

The legislature, instead of amending the existing data breach notification statute, repealed the statute in full, replacing it with an amended version.  The amended statute differs from the one it replaces as follows:

  • “breach of security” is defined as the “unauthorized access to or unauthorized acquisition of electronic files, media, databases or computerized data containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable” (amended language is underlined);
  • if notice of a breach of security is required, notice must also be provided to the Attorney General at a time no later than when notice is provided to a resident; and
  • the statute expressly states that the statute's notification requirements are applicable only to the personal information of a “resident of this state.”

Personal information continues to be defined as an individual's first name or first initial and last name in combination with any one, or more, of the following data: (1) Social Security number; (2) driver's license number or state identification card number; or (3) account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual's financial account.  Any violation of the statute continues to be considered an unfair trade practice under Connecticut’s Unfair Trade Practices Act, with the Attorney General retaining enforcement authority, and no private right of action.

France's New Breach Notification Requirements

On May 28, 2012, the French data protection regulator (CNIL) released new guidance on breach notification laws.  The guidance regards a 2011 ordinance that recently came into force on April 1.  Among other things, the ordinance amends existing French data protection law (Law on Information Technology and Liberties (78-17 of 1978)) to reflect the EU e-Privacy Directive’s (2009/136/EC) breach notification requirement for ISPs and others.

The Guidance provides that the ordinance applies to e-communication service providers, including ISPs and mobile phone operators, that are registered with the French Authority for Regulation of Electronic Communications and Posts (ARCEP).  It does not yet apply to online banks, e-commerce sites or other “information society” services. 

It defines a violation under the ordinance, and in doing so states that malicious intent is but one possible scenario in which a violation may occur.  It also sets out a few examples of where a violation may occur:  an intrusion into the customer database of an ISP, a confidential e-mail sent in error, and a mobile phone operator’s system making available to others the credit card information of subscribers who have ordered phones.  However, according to the guidance, a computer virus on the personal computer of a user and not linked to the ISP would not constitute a violation.  Neither would the theft of a human resources database, as it does not relate to the provision of the e-communication service to the public.

The guidance sets out a layered process for notification.  First, where a violation occurs, regardless of its severity, CNIL must be notified without delay by letter setting out certain details of the breach.  As for notifying individuals, the company must assess the potential damage from the breach (considering, for example, theft or identity fraud or significant humiliation or damage to reputation) and whether it has applied the technological protection measures required, such as effective encryption, to determine whether to notify individuals in the first instance.  Companies do not have to notify individuals where “adequate” measures have been taken.  However, the guidance notes that encryption is not effective where the key is stolen or otherwise compromised.

Second, CNIL will evaluate the breach and measures. If the breach is serious, CNIL can order a company to notify users and will do so within a month.  However, CNIL has two months to evaluate the corrective measures taken by a company.  If CNIL does not respond, the company must immediately notify its subscribers regarding the breach.  The guidance sets out the details that must be included in the notification to subscribers: the nature of the breach, contact details from whom to obtain additional information regarding the breach, and recommended measures to reduce the negative consequences of the breach.  CNIL leaves the method of notification to individuals to the company so long as it can be verified.

Non-compliance with the ordinance can lead to fines of €300,000 and up to five years’ imprisonment, as well as CNIL sanctions.  In April, CNIL announced that inspections for compliance with the ordinance are planned for 2012.  Therefore, enforcement of the breach notification rules may follow the publication of this guidance.

One concern that has been raised regarding the ordinance regards the fact that some countries have not yet implemented the breach notification requirements from the 2009 changes to the e-Privacy Directive and others have done so in ways that do not precisely align with the French ordinance.  This will create risk and challenges for mobile phone operators and ISPs where their services run across national borders to individuals in other jurisdictions.

Significant Changes to Vermont's Data Protection and Notification Law

On May 8, 2012, the Vermont General Assembly approved changes to the state’s consumer protection law (Act 109, in effect on passage 5/8/12).  The changes include substantial revisions to Vermont’s data protection and notification law.  A summary of the changes is provided below.

  • The term “personally identifiable information” (“PII”) has been adopted.
  • “Security breach” is defined as the “unauthorized acquisition of electronic data or a reasonable belief of an unauthorized acquisition of electronic data.”
  • In determining whether PII has been or reasonably believed to have been acquired, the following factors may be considered:
    • Physical possession of the information (such as a lost or stolen computer or device);
    • Indications that information has been downloaded or copied;
    • Indications that information has been used (opening of fraudulent accounts or instances of identity theft reported); and
    • Information has been made public.   

Notification of a security breach to a consumer: 

  • must be made no later than 45 days after discovery, and
  • the approximate date of the security breach must also be provided to consumers. 

For notice of a security breach to the attorney general, two notifications are required:

  • First, within 14 business days of the discovery of the incident, the attorney general must be provided the date of the security breach, date of discovery, and a preliminary description of the breach. 
    • For an entity that has sworn in writing to the attorney general that it maintains written policies and procedures to maintain the security of PII, the attorney general must be provided the date of the security breach, date of discovery, and a preliminary description of the breach prior to notifying consumers. 
  • Second, once notice is made to consumers, the attorney general must be notified of the number of Vermont consumers affected and provided a copy of the notice. 
    • A second copy of the consumer notification letter, with the PII that was subject to the breach redacted, may also be provided to the attorney general for use in any public disclosure of the breach.

The text of Act 109 is available from the Vermont General Assembly.

Update to Cybersecurity / Data Breach Notification Legislative Outlook

Congress is back from a two-week Easter recess and, despite lingering concerns from privacy groups, House leaders plan to bring to the floor for votes one or more cybersecurity bills designed to protect the nation’s critical infrastructure, from power plants to financial markets, by encouraging information sharing about cyber threats between the government and private business. The bills could be considered as early as next week.

House Intelligence Committee Chairman Mike Rogers (R-MI) has been working over the recess to address privacy advocates’ concerns about his Cyber Intelligence Sharing and Protection Act, H.R. 3523. Recent redrafts add data minimization language to reduce the amount of detailed information businesses would share with the government.  The bill also no longer references theft of intellectual property, language that had raised concerns similar to those over the anti-piracy/anti-counterfeiting bills that withered in the face of opposition earlier this year (SOPA/PIPA, H.R. 3261/S. 968). It would also now allow lawsuits against the government for intentional or willful improper disclosure of personal data that has been collected. (The April 16 discussion draft incorporates the amendments adopted at markup together with new potential amendments under consideration, marked up against the April 12, 2012 draft.)

However, a coalition of privacy and civil liberties groups continues to oppose a communications monitoring provision in Rogers’ bill, fearing that the language is too vague and would allow companies to share user data with the government without a court order. The Electronic Frontier Foundation is leading a Twitter campaign against “CISPA” this week using the hashtags #CongressTMI and #CISPA. Other groups are concerned about provisions that would cut off FOIA access to information companies share with the government.

Business groups are also weighing in on cybersecurity this week.  A coalition of 26 associations wrote to House leaders today urging them to focus on several policy principles without endorsing or opposing any of the bills.  The organizations range from the American Chemistry Council to the Real Estate Roundtable, and they want Congress to take a “nonregulatory step forward” on cybersecurity by improving liability protections, strengthening cyber R&D, reforming FISMA, educating the public, and supporting public-private collaboration.

Another House bill that could come up next week is the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness or “PRECISE” Act, H.R. 3674, sponsored by Rep. Lungren (R-CA), which would define DHS’ roles and responsibilities and create a private, not-for-profit organization to facilitate best practices, provide technical assistance, and enable the sharing of cyberthreat information.  The revised bill was approved by the Homeland Security Committee yesterday on a 16-13 party-line vote. Democrats said the scaled-back bill does not establish DHS as the lead cybersecurity agency.

Also approved separately yesterday by the Oversight and Government Reform Committee, by voice vote, was the Federal Information Security Amendments Act, H.R. 4257, which would require federal agencies to continuously monitor government IT systems and perform regular threat assessments.

A fourth bill that the House could vote on next week is the Cybersecurity Enhancement Act, H.R. 2096, intended to improve cybersecurity R&D and technical standards.  It was approved last fall by the House Science, Space, and Technology Committee.  The same committee also recently approved H.R. 3834, which overhauls policies for funding R&D in unclassified computing, networking and information technology, including cybersecurity, and could also be considered next week.

A sixth bill, the SECURE IT Act of 2012, H.R. 4263, was recently introduced as the House companion to Sen. McCain’s alternative cybersecurity bill (S. 2151), but has yet to see committee action and is unlikely to come to the House floor next week.

House Commerce, Manufacturing, and Trade Subcommittee Chairwoman Mary Bono Mack has expressed her desire to bring up her data breach notification measure, the SAFE Data Act, H.R. 2577, during the cybersecurity debate, but the odds are slim that it could garner enough support to hitch a ride on cybersecurity legislation. Several of her colleagues are not convinced that such legislation is necessary, despite continuing reports of data breaches.

On the Senate side, the primary bill, the Cybersecurity Act, S. 2105, which would establish minimum security standards that certain companies must meet, remains stalled while the bipartisan sponsors work to address Republican concerns with the bill, described in a February 15, 2012, post. If one or more of the House bills advance next week, the Senate could act on cybersecurity in May. The outlook for data breach notification legislation on the Senate side also remains doubtful, though work continues at the staff level.

Will Facebook's IPO Cybersecurity Disclosures Set the Tone Under SEC's New Guidance?

Facebook filed its long-awaited Form S-1 with the SEC on February 1.  Given the nature of its business, concerns regarding data privacy were peppered throughout the filing.  While other business risk factors may be paramount (e.g., reliance on Zynga, slowing growth, etc.), data privacy has been and will continue to be an important issue for Facebook.

For instance, in November 2011 Facebook settled a case with the FTC in which it agreed to submit to independent privacy assessments every two years for the next 20 years.  Citing this example, the filing states that Facebook expects to continue to be subject to similar regulatory investigations regarding privacy going forward.

The filing also cites new and changing laws and regulations regarding data privacy, both U.S. and foreign, as potentially having the following negative consequences on Facebook’s core business:

“[Such laws and regulations] can be costly to comply with and can delay or impede the development of new products, result in negative publicity, increase our operating costs, require significant management time and attention, and subject us to claims or other remedies, including fines or demands that we modify or cease existing business practices.”

Considering the risks presented by continued pressure on the data privacy front, Facebook says it is not taking any chances, putting in place “a dedicated team of privacy professionals who are involved in new product and feature development from design through launch; ongoing review and monitoring of the way data is handled by existing features and apps; and rigorous data security practices.”

Facebook’s cybersecurity disclosure is a fairly sophisticated example of a disclosure prepared after the SEC’s recent guidance on this topic, and it could serve as a blueprint for other companies going forward.

By contrast, VeriSign is facing scrutiny for waiting until September 2011 to disclose successful attacks against its corporate network that occurred in 2010.  VeriSign’s 2011 disclosure contained little information about the nature of the attacks, the type of data that was taken, and the remedial measures that were taken.  VeriSign did insist that its SSL business had not been compromised. 

Authorship Credit: Robert A. Oestreicher

Privacy and Data Breach Regulatory Activity--A Year in Review

While plaintiffs continue to face an uphill battle proving damages in privacy litigation, regulatory actions and investigations appear to be increasing.  During 2011, we saw activity from many government agencies, both state and federal, including the Federal Trade Commission (FTC), Department of Education (DOE), Department of Health and Human Services (HHS) Office for Civil Rights (OCR), Office of Inspector General (OIG), Securities and Exchange Commission (SEC), state Attorneys General, and the California Department of Public Health (CaDPH).

FTC 

The FTC has a long history of being proactive in promoting consumer protection and in preventing anti-competitive business practices.  The FTC has the power to regulate against unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce.  In 2011, there were several noteworthy FTC actions in the privacy sector.

  • Google Buzz:  The settlement with Google arose out of alleged violations of Google’s privacy promise related to the sharing of Gmail user account information to populate Google’s new social network, Google Buzz.  The settlement bars the company from future privacy misrepresentations.  Google is also required to implement a comprehensive privacy program and submit to independent audits for the next 20 years.  Additionally, for the first time, the FTC alleged violations of the U.S.-EU Safe Harbor Framework (which has privacy requirements for the transferring of personal information from the EU to the U.S.).
  • Playdom:  Playdom, an online game developer, was accused of collecting and disclosing information about hundreds of thousands of children under 13 without parental consent.  The FTC announced on May 12, 2011 that it had reached the largest civil penalty settlement to date under the Children’s Online Privacy Protection Act (COPPA) with Playdom, for $3,000,000.  COPPA prohibits operators of websites and online services directed to children (and general audience websites with actual knowledge that they are collecting from children) from collecting or maintaining personal information (name, address, email address, telephone number, social security number, etc.) about children under 13 without verifiable parental consent.  The FTC has online resources for those interested in learning more about COPPA.
  • Facebook:  Ending the FTC’s 18-month investigation into Facebook’s user privacy practices, the FTC and Facebook reached a settlement in November of 2011.  As we reported at the time, by adding Facebook to the list of major social media entities subject to an FTC consent order, a list that includes Google and Twitter, the FTC has loudly signaled its leading role in regulating the online privacy practices of businesses.  The FTC’s focus was on the sharing of user information and the making of certain user information available without clear consent.  As in the Google Buzz settlement, Facebook agreed not to misrepresent its privacy controls.  Independent audits for the next 20 years are also part of the settlement.

With the FTC’s recent workshop on facial recognition technology as it relates to privacy and security concerns, it is clear that we will continue to see FTC activity in 2012.  The question remains—will we see any enforcement activity relating to the Red Flag Rules, which we talked so much about between 2008 and 2010?

DOE 

We have seen investigations by the DOE following data breaches involving educational institutions, pursuant to the Family Educational Rights and Privacy Act (FERPA).  While there is currently no duty to report a breach to the DOE, the agency is reading news reports and utilizing online resources to track breaches that have been made public.  We expect that this activity will continue in the new year, particularly since the DOE has become more focused on privacy issues in the past few years with the addition of a new Chief Privacy Officer, the establishment of the Privacy Technical Assistance Center (PTAC), and the enhancement of the FERPA regulations.

HHS OCR

Since the enactment of HITECH, and with its enforcement authority over the HIPAA Privacy and Security Rules in place, OCR has been quite active following data breaches involving healthcare organizations.  Typically, the organization receives a laundry list of document requests (and often supplemental requests as well) during the course of the investigation.  While penalties are available, we have not seen significant activity in this regard.  Still, there were two monetary actions in 2011 that may be a warning call that HHS is looking carefully at the safeguards in place to protect protected health information (PHI) at healthcare organizations.  The first was a $1 million settlement with Massachusetts General Hospital, where records of 192 patients of its Infectious Disease Associates outpatient practice were lost on public transportation, some containing diagnoses of HIV/AIDS.  The second was a $4.3 million civil money penalty against Cignet Health for refusing to provide 41 patients access to their medical records; it was also alleged that Cignet did not cooperate with HHS’s investigation.  With audits of covered entities having commenced just recently, the occurrence of major healthcare breaches in 2011, and the fact that over 30,000 healthcare breaches have been reported since HITECH, we expect that OCR activity will increase in 2012.

State AGs

2011 brought additional activity by state AGs.  AGs have enforcement authority over their own state data breach laws in most cases, as well as enforcement authority under HITECH.  Two actions came out of Massachusetts that should be closely followed. The first involved the Briar Group, LLC (“Briar Group”), a restaurant chain.  On March 28, 2011, the Briar Group became the first company to be fined under the Massachusetts Data Privacy Law.  In addition to the $110,000 in penalties, the Briar Group will have to demonstrate compliance with the Commonwealth’s data security regulations as well as the Payment Card Industry Data Security Standard (PCI DSS).  The second action involved Belmont Savings Bank and a $7,500 fine.  The fine may seem small, but the incident involved only 13,000 customers, and the back-up tapes at issue were known to have been discarded in a trash can by a cleaning company.  The focus of this action appears to be an allegation of poor information security practices, including procedures for handling computer tapes and customer information.  Also, in Indiana, the Attorney General settled with WellPoint, Inc. for $100,000 after the company allegedly delayed in notifying approximately 32,000 residents about a data breach.  WellPoint was also required to provide up to two years of credit monitoring and identity theft protection services to Indiana consumers affected by the breach, and to reimburse any affected WellPoint consumer up to $50,000 for losses resulting from identity theft due to the incident.  The Indiana Attorney General’s Office interprets the timeliness requirement of the Indiana Disclosure of Security Breach Act to require notice to affected individuals within 30 days.

In addition, the HHS conducted training sessions for HITECH enforcement this year to state AGs.  Now that the training has been completed, we expect to see increased activity in 2012.

These are some of the 2011 regulatory highlights.  Other agencies have been active as well.  No matter which agency may have enforcement power over your organization, do not wait until a breach occurs to think about how you will respond to an investigation.  As we have discussed previously, regulators expect a prompt and thorough response, transparency, and involvement by the C-Suite.

Data Breach Response: A Year in Review

In 2011, we saw some of the most significant data breaches in U.S. history.  The causes are many, ranging from hackers to employee error to criminals using sophisticated malware.  Notification letters are being sent so frequently that consumers are almost becoming immune to the daily announcements that personal information has been breached.  Still, corporations facing data breaches need to navigate a maze of state laws with varying requirements governing the timeliness of notification, the contents of notification, and what constitutes a data breach.  The time and expense involved in responding to a data breach are significant, but the risks to a company’s reputation are far greater if the breach is not handled appropriately.

We learned several breach response lessons this year—some may not seem so new: 

  • Transparency is key to maintaining relationships with customers and regulators, but be certain you understand the scope of the breach before making an announcement; 
  • An IT policy should be implemented to ensure that patches and updates are implemented in a timely fashion; 
  • Ensure that firewalls have been installed, configured and are tested on a regular basis; 
  • A breach of a large email database may trigger notification; 
  • Education of employees is critical to the success of any data breach prevention plan; 
  • Old data is dangerous data—make sure you need to keep it; 
  • Do not collect more data than you need to—e.g., do you need to request a social security number on the initial submission by an applicant for employment?; 
  • Social engineering tools are being used creatively to gain access to personal information; 
  • Social media policies need to be monitored, enforced, and updated regularly without encroaching on employee rights; 
  • It isn’t just personal information we are concerned about—disclosure of trade secrets and other confidential information puts organizations at risk; 
  • Encryption is not only a safe harbor, it is expected by customers and regulators. 

In 2012, we will be seeing amendments to current laws that will expand an organization’s obligations when responding to a data breach.  Remember, it is not the state in which the organization is located that dictates which laws must be followed; rather, it is the state of residence of the individuals whose information was breached.

Effective January 1, 2012, California requires more information to be contained in breach notification letters following a breach of personal information, including what happened, how it may affect the recipient of the letter, and how the recipient can protect themselves.  The letters must be written in plain language, and the Attorney General must be notified when the breach affects more than 500 California residents.

A new Texas law becomes effective on September 1, 2012 that will:  (1) increase the scope of training required by covered entities of employees who handle protected health information; (2) increase penalties for disclosure of protected health information; and (3) require entities doing business in Texas to notify anyone in any state in the case of a breach. 

Compliance with laws is not the only reason that breach response preparation and strategy are critical.  An organization’s goodwill is at risk.  The number 1 New Year’s Resolution still needs to be—encrypt your electronic devices.

Baker Hostetler Data Breach Emergency Response Team Launches Data Breach Hotline

After you learn of a potential data breach, the clock is ticking and potential liabilities are mounting. Quickly identifying the right team to guide your company through the complexities of the response is paramount. Baker Hostetler's Privacy, Security & Social Media Emergency Response Team has launched a dedicated hotline so it can be reached at any time:

Toll Free 24-Hour
Data Breach Hotline

855.217.5204

The hotline is staffed by attorneys with the combined experience of responding to over 200 breaches.

Federal and state laws are constantly changing. Three state breach notification laws will change in 2012 and there are at least 15 pending data security bills in Congress. The costs of responding to a data breach continue to increase and studies show that a company will spend almost twice as much responding to its first data breach as it will for subsequent breaches. Studies also show that companies who report breaches too quickly incur higher costs.

The risk of a data breach is a risk companies of all sizes cannot afford to ignore. Hackers are not just after large companies. Some of the focus has shifted to so-called easier targets -- small and midsize companies that are more likely to be unprepared and unprotected.

The Baker Hostetler Data Breach Emergency Response Team leads a multi-disciplinary team of key client personnel, attorneys, network security experts and crisis communications specialists to:

  • eliminate any system vulnerability;
  • confirm remediation of the system so business can resume;
  • assess legal and contractual notice obligations;
  • manage contact with impacted parties;
  • minimize the potential for lawsuits or regulatory enforcement actions;
  • defend against assessments by the card brands; and
  • defend against putative class actions.

We have effectively used this approach to help companies in the financial services, healthcare, retail, hospitality, technology and third-party service provider industries respond to data breach incidents. Indeed Baker Hostetler attorneys have been involved in responding to the largest reported data breach incidents and subsequent class action litigation related to covered entities and payment processors. We utilize this experience, including long-standing relationships with breach response specialists, to help clients respond in a cost-effective and efficient manner.

If you have any questions about our Data Breach Hotline or how we may assist you, please contact Jerry Ferguson (gferguson@bakerlaw.com or 212.589.4238), Ted Kobus (tkobus@bakerlaw.com or 212.271.1504) or your regular Baker Hostetler contact.

The A to Z of Healthcare Data Breaches

I recently presented on the topic of Healthcare Data Breaches--A to Z at the annual American Society for Healthcare Risk Management (ASHRM) conference in Phoenix.  Attendees at any conference are always looking for practical takeaways to share with their colleagues and to help guide them even before a crisis event occurs.  During my presentation, with the hope that at least one of the tenets would be helpful to tackle the constantly evolving data breach legal landscape, I gave the audience my A to Zs for healthcare organizations.  Many of these will seem like common sense, but in my experience, there are a number of organizations who still do not recognize the importance of each of these.  Since the ASHRM conference, I have received many requests for my list and decided to publish them here:

A - Accept that it will happen to you

B - Breach response policies are not only mandatory, they are helpful

C - Compliance with policies and procedures is critical

D - Data breach Fridays--the breach call always comes in at 6pm on a Friday

E - Empathize with your customers/patients/employees--how are they going to react to your response?

F - Familiarize yourself with the members of your breach response team before the breach occurs

G - Government has its hands in everything when it comes to privacy

H - HIPAA/HITECH

I -  IT is not the only one responsible for breaches-- it is a C-suite issue

J - Joint Commission may ask you about your healthcare breach

K - Kids' information is sensitive to parents no matter how low level you may think it is

L - Legal landscape is constantly changing

M - Mitigation of harm (credit monitoring, identity monitoring, reissued credit cards)

N - Notice to the media needs to be carefully considered even when required by law and your PR firm may not be in the best position to advise you

O - Overreacting is not going to get you through the event

P - Preparedness is key 

Q - Quit keeping old data

R - Risk of harm analyses should be documented

S - Social media policies should be in place

T - Transparency is expected by regulators and customers

U - Understand the laws that impact your organization

V - Vendors cause about 1/3 of the breaches

W - Wait to see what you are dealing with before you announce a breach to the world

X -  X-rays are being stolen to be melted down for their silver content, but you may still need to notify the patients affected because the sleeves often contain PHI

Y - Yesterday's events can't be changed--get over it, look forward, and change your practices

Z - Zealously investigate your breach--it will help you in the end

Building these principles into your organization's philosophy as it bolsters its data security and privacy policies and procedures will help you when an event occurs.  Consider updating your breach response/incident response plans, written information security plans, social media policies, portal agreements, vendor contracts, and risk assessments.   An increasing number of clients are also requesting tabletop exercises or workshops to help them prepare to respond to a breach.  The more prepared an organization is, and the more an organization's C-Suite recognizes that this is not an IT-only issue, the better equipped organizations will be to respond to customers, lawsuits, and regulators.

SAFE Data Act Approved by House Subcommittee

The House Subcommittee on Commerce, Manufacturing, and Trade, chaired by Rep. Mary Bono Mack (CA), approved the Secure and Fortify Electronic Data Act (H.R. 2577) (SAFE Data Act) following lengthy debate on July 20, 2011.  The SAFE Data Act contains information security requirements and breach notice obligations consistent with Rep. Bono Mack's statements following the subcommittee's hearing regarding the breaches at Sony and Epsilon.  The bill now moves to the full committee for consideration. 

The information security requirements would come from regulations to be issued by the FTC within one year.  The regulations must require companies that own or possess data containing personal information to implement policies and procedures to protect personal information, including: (1) a security policy for the collection, use, and dissemination of personal information; (2) identifying a person to be responsible for managing information security; (3) a process for identifying reasonably foreseeable vulnerabilities, including regular monitoring to detect system breaches; (4) a process for taking preventative action to mitigate any identified vulnerabilities; and (5) a process for disposing of data on paper and in electronic form.

The breach notification provisions of the Act require companies to notify law enforcement without unreasonable delay and notify the FTC and all affected individuals whose personal information “may have been accessed or acquired” within 48 hours of identifying the affected individuals.  The notification to affected individuals must begin no later than 45 days after discovery of the breach unless the company receives a written request to delay notification by law enforcement.

Notice to affected individuals is required when there is unauthorized access to or acquisition of personal information in electronic format.  Personal information is limited to a person’s name in combination with a: (1) Social Security number; (2) driver’s license number, passport number, or military ID; or (3) financial account number or credit or debit card number along with any required code necessary to permit access to the account.  There is also a risk-of-harm trigger: notice is not required if the company makes a reasonable determination that the breach presents “no reasonable risk of identity theft, fraud, or other unlawful conduct” to the affected individuals.  A presumption exists that there is no reasonable risk of harm if the data was encrypted.  Companies are also required to provide at no cost, upon the request of affected individuals, either credit reports on a quarterly basis for at least two years or credit monitoring for two years (this does not apply if the only personal information at issue is a name associated with a credit or debit card number).

Importantly, the SAFE Data Act preempts all state laws concerning information security requirements and breach notification obligations.

Democrats offered many amendments to the bill, including expanding the definition of personal information and not preempting stronger state notification laws, but they were rejected by the subcommittee.  Representative Henry Waxman (CA), who offered some of the rejected amendments, contends that the bill is filled with "loopholes that sacrifice data security and privacy." 

The SAFE Data Act does not contain any provisions concerning privacy rights or Do Not Track.  We have separately summarized the other pending breach notification bills.

HIPAA Audits ARRA Coming! Is your PHI Secure?

In the growing world of RAC audits, Voluntary Disclosure Protocols, IRS Form 990 disclosures, “Never Events” and HIPAA breach notifications, there is a new kid on the block in the area of federal audit and oversight for health care providers, health plans and their business associates under the health information privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).  During the next 18 months, HIPAA privacy and security audits mandated under the American Recovery and Reinvestment Act of 2009 (“ARRA”) will be conducted by the Office for Civil Rights (“OCR”) through an audit contractor, it was announced on June 10, 2011.  The Department of Health and Human Services (“HHS”) awarded a $9.5 million contract to the KPMG accounting firm to “assist OCR in operating an audit program that effectively implements the statutory requirement to audit covered entity and business associate compliance with the HIPAA privacy and security standards as amended by ARRA.”  KPMG was awarded the contract one day after another contract had been awarded to Booz Allen Hamilton to conduct the “audit candidate identification” intended to identify the universe of covered entities and business associates subject to potential audit under this program.

Under Section 13411 of the Health Information Technology for Economic and Clinical Health Act, a part of ARRA (“HITECH”), HHS, through its Office for Civil Rights, is directed to conduct such audits for purposes of determining compliance with the privacy and security regulations under HIPAA.  Until now, OCR has focused primarily on the investigation of alleged privacy and security violations in response to complaints, and has conducted a limited number of compliance reviews of covered entities, typically in response to publicized incidents.  The new audits will expand OCR’s compliance enforcement activities and will raise the stakes for entities that have failed to appropriately implement HIPAA privacy and security safeguards.


Sony & Epsilon Support National Data Breach Notice Law in Testimony Before House Subcommittee

On June 2, 2011, representatives from Sony Network Entertainment International and Epsilon Data Management, LLC appeared before a House panel to answer questions regarding their responses to recent security breaches.  The hearing of the House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade was called by Subcommittee Chairwoman Mary Bono Mack (R-Calif.) as part of the subcommittee’s comprehensive review of data security for the purpose of assessing the need for comprehensive federal data security and breach notification laws.

Jeanette Fitzgerald, general counsel for Epsilon Data Management, LLC, and Tim Schaaff, president of Sony Network Entertainment International, appeared on behalf of their respective companies.  Their testimony to the subcommittee regarding their companies' breach investigation, response, and disclosure closely tracked the information each company had already provided in written responses to subcommittee inquiry letters.   Fitzgerald and Schaaff both agreed that there was a need for a national uniform standard for notifying individuals whose personal information is affected by a breach that preempted existing state laws.  Indeed, Fitzgerald’s prepared testimony states that: “Epsilon fully supports national legislation that would create a uniform standard for data breach notification. The current patchwork of individual state breach notification laws only serves to create confusion among consumers and businesses, and imposes unnecessary compliance costs.”  Similarly, Schaaff warned in his prepared testimony that any national data breach notice standard should follow a common sense approach that allows companies adequate opportunity to investigate breaches and take remedial measures before making them public.  He said that “issuing vague or speculative statements before you have specific and reliable information” could lead companies to “either confuse and panic people, without giving them useful facts, or … bombard them with so many announcements that they become background noise.”

At the end of the hearing Rep. Bono Mack committed to working with her colleagues to pass comprehensive data security legislation to ensure Americans are protected from cyber crimes.

While Epsilon has not made any public statements regarding the costs it has incurred or anticipates as a result of the breach of its systems, Sony estimates its costs at $171 million for data security remediation, customer services, and legal fees by the March 31, 2012 close of its 2011 fiscal year.  The subcommittee background memorandum, which includes links to communications with Sony and Epsilon, is available here.  Rep. Bono Mack's opening remarks are available here.  You can watch a recording of the hearing here.

Three National Data Breach Notification Legislative Proposals Issued

So far this month, three legislative proposals containing a national data breach notification requirement have been issued.  On May 4, Rep. Bobby L. Rush (D-Ill.) reintroduced the Data Accountability and Trust Act.  On May 11, Rep. Cliff Stearns (R-Fla.) introduced the Data Accountability and Trust Act (DATA) of 2011.  One day later, the White House released a Cybersecurity Legislative Proposal.

The three proposals are built on a framework similar to many of the state breach notification laws.  All three would preempt the breach notification laws in 46 states and the District of Columbia.  Some of the notable similarities and differences include:

(1) the White House's proposal and Rush’s bill more broadly define a security breach to cover unauthorized access to or acquisition of electronic data containing personal information, whereas the definition in Stearns’ bill is limited to “unauthorized acquisition”;

(2) the Rush and Stearns bills both define “personal information” as a person’s name, address, or phone number in combination with a Social Security number, driver’s license number, or financial account or credit card number along with any required security or access code, but the White House uses “sensitive personal information,” which is more broadly defined to include: (a) an individual’s name in combination with two of the following: address, telephone number, mother’s maiden name, or date of birth; (b) non-truncated Social Security number or driver’s license number; (c) unique biometric data (e.g. fingerprint); (d) a unique account identifier (e.g. credit card number); and (e) any combination of a name, account number, or security or access code;

(3) all three contain a risk of harm notice trigger exempting a company from providing notice if it determines that there is no reasonable risk of identity theft, fraud, or unlawful conduct;

(4) all three create a presumption that no reasonable risk of harm exists if the data was encrypted;

(5) the White House's proposal and Rush’s bill require notification to affected individuals not less than 60 days after the breach absent “extraordinary circumstances,” while Stearns’ bill requires notification “without unreasonable delay”;

(6) in addition to presumably requiring faster notification, Stearns’ bill, unlike the White House proposal and Rush bill, does not permit a delay in notification if requested by law enforcement;

(7) all three describe the method and content of the required notice;

(8) all three: (a) authorize the FTC to enforce violations as unfair or deceptive acts or practices; (b) permit state attorneys general to enforce violations through civil actions to recover penalties; and (c) preclude a private right of action by individuals;

(9) the White House proposal limits civil fines to no more than $1,000 per day and a maximum amount of $1,000,000, compared to no more than $11,000 per day and a maximum of $5,000,000 under the bills issued by Rush and Stearns; and

(10) the bills issued by Rush and Stearns both include additional data security requirements for information brokers, including establishing practices to make sure the information they collect is accurate and precluding the use of pretexting to obtain personal information.

Prior attempts to pass national data breach legislation, dating back to 2007, have failed.  In 2009, Rush’s DATA bill was approved by the House but it was never acted on by the Senate.  Momentum towards enacting a national breach notification requirement, however, may be growing following recent high-profile data breaches and the privacy concerns related to smartphones and mobile applications.  In addition to the three pending proposals, Rep. Mary Bono Mack has indicated that she will introduce her own proposal.

Noteworthy Data Privacy and Information Security Events in 2010

The two events that drew the most attention in 2010, both of which occurred at year-end, were reports from the FTC and the Department of Commerce.  Below is a brief summary of those two reports and other issues drawing attention in the past year:

(1) FTC Issues Long-Awaited Consumer Privacy Policy Report

On December 1, the FTC published Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policy Makers.

The FTC’s press release provides a summary of the preliminary report.  The best practices framework recommended in the preliminary report for businesses that collect or use consumer data includes:

  • simplifying choices for consumers, providing consumers with greater transparency, and following the Fair Information Practice Principles;
  • creating a “Do Not Track” mechanism to give consumers a choice to avoid online tracking;
  • extending protection to information collected offline;
  • dispensing with the distinction between PII and non-PII because technology allows data fragments to be pieced together; and
  • a “Privacy by Design” concept for businesses.

The preliminary report did not change the FTC’s continued focus on self-regulation.  The preliminary report also contained an appendix with 64 questions on which it invited comment by January 31, 2011.  A final report will be issued later in 2011 based on the comments.

(2) Department of Commerce Calls for a “Privacy Bill of Rights”

On the heels of the FTC’s preliminary report, the Department of Commerce Internet Policy Task Force released a green paper titled: Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework.  The press release contains a summary.

The Baker Hostetler Data Privacy Monitor covered this green paper here.  The four broad policy recommendations of the task force are:

  • Enhance consumer trust online through recognition of revitalized Fair Information Practice Principles.
  • Encourage the development of voluntary, enforceable privacy codes of conduct in specific industries through collaborative efforts of multi-stakeholder groups, the FTC, and a Privacy Policy Office within the Department of Commerce.
  • Encourage global interoperability.
  • Ensure nationally consistent security breach notification rules.

(3) Behavioral Advertising Opt-Out Icon

As reported by the Baker Hostetler Data Privacy Monitor, a behavioral advertising industry group proposed a Self-Regulatory Program for Online Behavioral Advertising, which features an “Advertising Option Icon” that can be placed near online ads that collect data used to conduct behavioral advertising.  Users who click on the icon will receive a disclosure statement about the data collection and use practices associated with the ad along with the ability to opt-out of being tracked.

(4) Social Media

  • Facebook faced several privacy issues, including an FTC complaint regarding its privacy policy, the online publication of details of 100 million Facebook users, and questions from U.S. Senators.
  • Google apologized for collecting about 600 gigabytes of data snippets captured from e-mails and browsing history from Wi-Fi networks in more than 30 countries.
  • In the first FTC action against a social network service, Twitter settled charges that it deceived consumers and put their privacy at risk by failing to safeguard their personal information.

(5) HHS/HIPAA/HITECH

  • White House Forms New Subcommittee to Review Online Privacy Issues
  • HHS Withdraws Draft Of Final HIPAA Breach Notification Rule

(6) Massachusetts Data Security Regulations

Massachusetts’ aggressive new data security regulations (201 CMR 17.00 et seq.), which became effective on March 1, 2010, contain broad and imposing mandates that go further than any other state law or regulation.  Even companies that have no facilities or personnel in Massachusetts must comply with the strict mandates if they maintain personal information of any Massachusetts resident in connection with providing goods or services.

All businesses covered by the statute must institute a written information security program.  That program must, among other things:

  • Designate an employee to maintain the security program;
  • Identify and evaluate internal and external security risks;
  • Impose disciplinary measures for violations of the program rules;
  • Oversee third-party service providers;
  • Require regular monitoring and updating of the program; and
  • Document responsive actions taken in connection with any breach of security.

For many businesses, the most difficult compliance issues arise from the encryption mandates of 201 CMR 17.04, which require the encryption of: (1) laptops containing personal information that leave the business's premises; (2) personal information transmitted across the Internet or wirelessly; and (3) backup tapes on a prospective basis.

Commerce Department Recommends New Online Privacy Framework

The Commerce Department on Thursday released a green paper, Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework, recommending the consideration of a new framework to address online privacy issues in the U.S.  The goal of the 88-page report, created by the department’s Internet Policy Task Force, is to improve consumer online privacy protection while continuing to foster online business growth.

One of the key recommendations of the report calls for the creation of a set of “Fair Information Privacy Principles”, a sort of privacy Bill of Rights for the online consumer.  These principles would act as a baseline for online data privacy protection, and make usage of online consumer data much more transparent.  The goal would be to establish clearer online data usage limits and enhanced audit requirements, with policy violations enforceable by the Federal Trade Commission.

In addition, the report recommends the creation of a Privacy Policy Office in the Department of Commerce.  The role of the new office would be to, among other tasks, work with the FTC, examine commercial uses of online data, and determine where gaps in privacy protection exist.

The report also recommends the enactment of a federal data security breach notification law.  The report adds, “A comprehensive national approach to commercial data breach would provide clarity to individuals regarding the protection of their information throughout the United States, streamlining industry compliance, and allow businesses to develop a strong nationwide data management strategy.”

The Commerce Department seeks public comment on the report by January 28, 2011, with a white paper on the subject planned for release in 2011.