Monday, September 21, 2009

What to Know About Red Flags, Notification Laws and the Hi Tech Act


Data breaches have hit an all time high and with that have been a dramatic increase in new data security and privacy laws and regulations. Both state and federal regulations have been in place for several years with regards to security and privacy of Personal Identifiable Information (PII) and Protected Health Information (PHI). However, new regulations have popped up at a rapid pace. Just a few years ago there were only a handful of states that had data breach notification laws. Today, 44 states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted data breach privacy laws and federal legislation is well on its way.

Today, more than ever, it is difficult for business owners and chief information officers (CIO) to navigate the ever expanding minefield of data breach privacy laws. Just as we have begun to get comfortable understanding laws like HIPAA, Gramm-Leach-Bliley and the Fair Credit Reporting Act, businesses now have to decipher the Red Flags Rule, Hi Tech Act and a myriad of state notification laws. Following is a list of current regulations that business owners and CIOs should be familiar with, including some key compliance dates.

State Notification Laws

The majority of states (44 as of this writing plus the District of Columbia, Puerto Rico and the Virgin Islands) have enacted data breach notification laws. These laws require businesses to timely notify any customer or patient that may be affected by a data breach. Every state has their own unique requirements as to the format of notification, time frame with which to notify, and content of the notification letter. In many cases, failure to notify pursuant to a particular state's notification law may lead to fines and penalties imposed upon the business owner.

Red Flags Rule

In November 2007, Federal Banking Agencies and the Federal Trade Commission (FTC) created an addition to the Fair Credit Reporting Act called the "Red Flags Rule". The Red Flags Rule applies to "financial institutions" and "creditors" with "covered accounts," as defined by the regulation. The intent was to have affected businesses implement an identity theft prevention program. However, there has been a tremendous amount of controversy over the terms "creditors" and "covered accounts." The law is not perfectly clear as to what these terms mean and has a number of business groups concerned about their requirement to comply with the regulation. For example, it has been debated if a health care provider, such as a physician or dentist, is considered a "creditor" under the rule. A "creditor" is defined as any entity that regularly extends, renews or continues credit or any entity that regularly arranges for the extension, renewal or continuation of credit. Under this description, many businesses may be required to comply with the Red Flags Rule. Recently, the FTC has extended the date for compliance to Aug. 1, 2009.

Massachusetts 201 CMR 17.00 (Standards for the Protection of Personal Information of Residents of the Commonwealth)

In September 2008 the Massachusetts Office of Consumer Affairs & Business Regulation issued a regulation intended to protect the unauthorized disclosure of personal information of Massachusetts residents. The regulation establishes very strict requirements for any "persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts" with regards to ensuring the security and confidentiality of personal information.

What makes this specific state law so important is that it applies to any person or business, whether or not they are domiciled in the state of Massachusetts, that have personal information on even one resident of Massachusetts. This regulation mandates sweeping changes in the development of data security protection. In addition to the expanded data protection requirements, the new law also includes penalties for non-compliance (violators may be subject to a $5,000 civil penalty for each violation of each affected person). Compliance with the new regulation has been postponed until Jan. 1, 2010.

Hi-Tech Act

Part of the 2009 American Recovery and Reinvestment Act, otherwise known as the Stimulus package, the HITECH Act provides incentives for physicians who implement "meaningful use" of an Electronic Health Record system. While the exact criteria are still being defined, such systems must be able to electronically e-Prescribe, exchange information, and submit clinical quality measures. In short, the federal government is making it mandatory for health care providers to disclose and disperse reams of personal data electronically. What this act also does is create a federal notification requirement for the breach of Protected Health Information. So in addition to the 44 state notification requirements, health care professionals will have to comply with a federal mandate to notify patients if their records have been compromised. Since this regulation is still new, it is not known how this will impact health care providers in their expanded requirements to notify patients of potential breaches.

What's Around the Corner?

H.R. 2221, the Data Accountability and Trust Act, recently passed the House subcommittee on Commerce, Trade, and Consumer Protection by a voice vote during a markup session. The bill, which was introduced by House Subcommittee Chair Rep. Bobby Rush, D-Ill., would require businesses to notify affected customers when outside parties gain access to sensitive information due to a security breach. If this act is passed it will create yet another data breach notification law for businesses to comply with and, additional costs imposed upon them in the event of a data breach.

Insurance and Risk Management Solutions

With this rapid expansion of data breach laws, the insurance industry has responded by introducing innovative new insurance products to protect businesses from data security breaches and failure to protect personal information of customers and patients. Cyber liability or security and privacy insurance has been developed by a number of insurance carriers to provide coverage for exposures, such as:

•First Party Coverages — network attack business income and extra expense; cyber extortion; crisis management expenses; and notification costs and credit monitoring expenses.

•Third Party Coverages — network security liability; privacy liability; regulatory defense coverage (including fines and penalties); and Internet and media liability.

The policy forms that exist in the marketplace today are not all alike and there are no standard policy forms. Each policy requires extensive review and analysis in order to determine the coverage needs of each prospective insured.

In addition to the insurance policies provided by insurance carriers, there are also risk management services that are provided via third party vendors. There are a number of third party vendors that offer services, including: network security policy and procedure development; network security exposure analysis; crisis management services; forensic investigation services; credit monitoring services, among other services.

With the number of known data breaches and data breach costs on the rise, the increase in legislation and the availability of insurance and risk management solutions, it is imperative that business owners review and analyze the costs associated with compliance of these new laws and the cost to transfer the risk.

Insurance Journal

2 comments:

  1. What's the deal with H.R. 2221? Exactly who is covered under the definitions that would have to provide notifications if breaches occurred? Isn't this just a nationalization of a patchwork of state regulations?

    ReplyDelete
  2. Data Accountability and Trust Act - Requires the Federal Trade Commission ( FTC) to promulgate regulations requiring each person engaged in interstate commerce that owns or possesses electronic data containing personal information to establish security policies and procedures. Authorizes the FTC to require a standard method or methods for destroying obsolete nonelectronic data. Requires information brokers to submit their security policies to the FTC in conjunction with a security breach notification or on FTC request. Requires the FTC to conduct or require an audit of security practices when information brokers are required to provide notification of such a breach. Authorizes additional audits after a breach. Requires information brokers to: (1) establish procedures to verify the accuracy of information that identifies individuals; (2) provide to individuals whose personal information it maintains a means to review it; (3) place notice on the Internet instructing individuals how to request access to such information; and (4) correct inaccurate information. Directs the FTC to require information brokers to establish measures which facilitate the auditing or retracing of access to, or transmissions of, electronic data containing personal information. Prohibits information brokers from obtaining or disclosing personal information by false pretenses (pretexting). Prescribes procedures for notification to the FTC and affected individuals of information security breaches. Sets forth special notification requirements for breaches: (1) by contractors who maintain or process electronic data containing personal information; (2) involving telecommunications and computer services; and (3) of health information. Preempts state information security laws.

    ReplyDelete