1
U. S. Privacy and Security Laws
DELVACCA INAUGURAL INHOUSE COUNSEL CONFERENCE
April 1, 2009
Diana S. Hare, Associate General Counsel
Drexel University College of Medicine, [email protected]
2
U.S. Privacy and Security Laws
Contents:
I. Disclaimer
II. Audience Participation
III. What’s Protected?
IV. Sources of Privacy & Security Obligations
- Trends
V. What’s Loss, Liability, Breach?
- Sanctions/Liability
VI. Lessons Learned
VII. Resources
3
I. DISCLAIMER
This presentation does not include every privacy and security law and regulation in the United States. Its purpose is to provide context, key principles and trends.
Thank you!
4
II. Audience Participation
• Who knows they are covered by the FTC Guidelines on protecting consumer information collected online?
• Who knows they are covered by HIPAA because they have an employer-sponsored health plan?
• Who knows they are covered by the Red Flags Rule? (And who knows what it is?)
5
II. Audience Participation
• Who knows they are covered by state data breach notification acts other than Pennsylvania? By the new federal data breach notification act?
• Who has not had employees or consultants lose the company’s customers’ personally identifying information, or access such data beyond their scope of authorization?
6
III. What’s Protected?
• Identity
– Individually Identifiable Information
– Personal Information
– Education Record
– Name, social security number (cf. redacted to last 4), credit card number
– HIPAA has 18 Identifiers – down to stripping the Zip Code
7
III. What’s Protected?
• Sensitive Information about a Person
– Drug and alcohol treatment
– HIV Status
– Genetic screening
– Children 13 or younger
– Privileged communications
8
III. What’s Protected?
• Data “CIA” =
– Confidentiality
– Integrity
– Availability
• Collection, Use and Disclosure
• Informed Consent
9
IV. Sources of Privacy & Security Obligations
General Sources
• U.S. Constitution – 4th Amendment; 14th Amendment; U.S. v. Griswold
• Torts – Intrusion upon Seclusion; Invasion of Privacy
• Privileges – Judicial Codes
– Accountant
– Psychologist – 42 PA C.S.A. § 5944
– Sexual Abuse Victim Counseling – 42 PA C.S.A. § 5945.1
– Attorney
– Physician
10
IV. Sources of Privacy & Security Obligations
Federal Laws and Regulations and Guidance:
• U.S. Constitution – see above
• Federal Privacy Act of 1974 – 5 U.S.C. § 552a
• FTC Consumer Online Privacy Principles 1998; Online Behavioral Advertising Principles 2009
• FTC COPPA – Children’s Online Privacy Protection Rule – 16 C.F.R. 312
11
IV. Sources of Privacy & Security Obligations
• HIPAA – Health Insurance Portability and Accountability Act of 1996 and Privacy and Security Rules, 45 CFR §§ 160, 162 and 164, as Amended by HITECH Act (see below)
• GLB – Gramm-Leach Bliley Act (Financial Modernization Act of 1999) 15 U.S.C. §6801 et seq. and Financial Privacy Rule 16 C.F.R. 313 and Financial Safeguards Rule 16 C.F.R. 314
• Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99)
12
IV. Sources of Privacy & Security Obligations
• FCRA – Fair Credit Reporting Act (15 U.S.C. 1681 et seq.); amended by FACT Act – Fair and Accurate Credit Transactions Act of 2003
– Section 114 – Identity Theft Prevention – Red Flags Rules – 16 C.F.R. 681
– Section 116 – Proper Disposal of Consumer Information – Disposal of Consumer Report Information and Records - 16 C.F.R. 682
13
IV. Sources of Privacy & Security Obligations
• FDA – Research Data – Electronic Records and Signatures – “Part 11” – 21 C.F.R. 11
14
IV. Sources of Privacy & Security Obligations
• ARRA – American Recovery and Reinvestment Act of 2009 (“Stimulus Bill”) February 17, 2009 (www.whitehouse.gov; http://frwebgate.access.gpo.gov/)
– HITECH Act – Health Information Technology for Economic and Clinical Health Act – Division A, Title XIII of ARRA
• Subtitle D – Privacy – §§ 13400-13424 – Amends HIPAA, substantially increases penalties (now) and new Federal Data Breach Notification as to Protected Health Information
15
IV. Sources of Privacy & Security Obligations
State Laws:
• More stringent state laws on protected health information supersede HIPAA – e.g.
– PA Confidentiality of HIV-Related Information Act (“Act 148”) 35 P.S. § 7601 et seq.
• Limit use of Social Security Numbers, e.g.
– PA Social Security Number Privacy Act – 71 P.S. § 2601 et seq.
16
IV. Sources of Privacy & Security Obligations
• Data Breach Notification Acts –
– California and Massachusetts lead the trends
– PA – Breach of Personal Information Notification Act – 73 P.S. § 2301
– NJ – New Jersey Identity Theft Prevention Act – N.J.S.A. § 56:11-44 et seq. and new draft rules with comment period closed 2/13/09
– DEL – Computer Security Breaches – Title 6, Chapter 12B
17
IV. Sources of Privacy & Security Obligations
• Torts – see above
• Privileges – Judicial Codes (see above)
19
IV. Sources of Privacy & Security Obligations
Key obligations shared:
• Risk assessment
• Administrative, Physical and Technical Safeguards
• Policies and Procedures
• Training
• Sanctions
20
- Trends in Privacy and Security Laws
Trends in Laws:
• Mandatory encryption
• Mandatory and prompt reporting of data breaches
• Increased penalties; enforcement
• Increased third party vendor oversight, liability
• Board level responsibility (e.g. Red Flags Rule)
22
V. What’s Loss, Liability, Breach?
• Unauthorized Access
• Loss that reasonably could lead to theft
23
- Sanctions/Liability for Violations: Examples
Laws:
Section 5 of the FTC Act - unfair or deceptive acts
States – “Baby FTC Acts”
HIPAA HITECH Act
24
- Sanctions/Liability for Violations: Enforcement Actions; Lawsuits:
– Providence Health – unencrypted tapes – OCR/CMS/HIPAA sanction; 1st monetary penalty ($100K)
– Treatment Assocs of Victoria – TX AG – charge – unlawfully dumping client records in publicly accessible garbage; TX Identity Theft Act and Baby FTC Act
– Heartland Payment Systems, N.J. – (payment card processor); hacker; PCI standards; Class Action – on behalf of affected financial institutions
25
- Sanctions/Liability for Violations: Enforcement Actions; Lawsuits:
– CVS – dumped prescription labels in dumpster. OCR and FTC joint enforcement: HIPAA Privacy Rule and FTC Act; $2.25 million; FTC 20 year monitoring.
– Premier Capital Lending – GLB Privacy and Security Rules; customer data. Mortgage broker gave access that was used improperly.
– Mortgage Broker Gregory Navone – consumer info into unsecured dumpster; FCRA Disposal Rule violation charged with failure to implement training and exercise oversight of service providers.
26
VI. Privacy & Security – Lessons Learned
• Access is key; audit logs
• Audit/Assessment of Risks
• Effective Policies and Procedures
• Sanction employees
• Train employees
• It is internal employees and consultants with authorized access
27
VI. Privacy & Security – Lessons Learned
• Vendor management/Due diligence – not just contractual language required by HIPAA, GLB, Red Flag Rules, etc.
• Encryption
• Data Breach – Prepare
• Incident Reporting Team/Committee
• Mandatory Reporting
• Insurance
28
VII. Privacy & Security - Resources
• Data breach remedial products:
– Credit monitoring products – negotiate contract (Experian)
– Debix
– Insurance coverage purchased (Data breach for one company cost $65K in postage alone!)
29
VII. Privacy & Security - Resources
• FTC.gov
• OCR Listserv (Office of Civil Rights – DHHS)
• CMS – HIPAA Security Rule
• NIST – National Institute of Standards and Technology, www.nist.gov; Computer Security Resource Center (http://csrc.nist.gov); (Draft) Guide to Protecting Confidentiality of Personally Identifiable Information – 1/13/09
• IAPP www.privacyassociation.org
30
U.S. Privacy & Security Laws
Questions?
Diana S. Hare, Associate General Counsel
Drexel University College of Medicine, 215.255.7842