H&H Chronicle of Data Protection : Privacy Lawyers & Attorneys : Hogan & Hartson Law Firm : Data Security, E-Commerce & Technology

The recent effective data for enforcement of the new HIPAA/HITECH data-security breach notification law, and continued passage of and amendments to state notification laws, make compliance with data-security breach notification requirements more challenging than ever.

The H&H Chronicle of Data Protection thought it would be useful to provide this Short Guide to Responding to Data Security Breaches as a refresher for some and as a wake-up call for others.

Companies collect, maintain, use, and exchange vast amounts of personal data on employees, consumers and others. Unwanted release or exposure of personal information can violate privacy, lead to identity theft, and result in adverse publicity. Lawmakers, regulators, and advocates are increasingly focused on data security and breaches of it. Data security is becoming a risk-management priority at companies.

Still, breaches happen, even with the most careful precautions.

Effective handling of a data-security breach and legal compliance are achieved best with advanced planning to ensure that an business's response is effective, efficient, and timely. Business responses will be facilitated if the business already knows which laws and contracts apply to its data and what its duties will be if its information is improperly disclosed or accessed.

Fundamentally, businesses should have a detailed written data security breach response plan that has been shared with those who will implement the response, because responding to a data security breach “on the fly” creates the potential for liability-creating mistakes.

What law applies to a data-security breach?

As most businesses know by now, starting in California in 2003, the law began to impose an obligation on those who hold data on persons to provide notice if there is a breach of its security. Forty-five states, Washington, DC, the Virgin Islands, and Puerto Rico have such laws currently, and federal rules govern disclosure of health-related personal information.

The Department of Health and Human Services (“HHS”) and the Federal Trade Commission (“FTC”) each has issued data breach notification rules. See this previous blog entry for details. The rules implement provisions of the American Recovery and Reinvestment Act of 2009 (“ARRA”) and are aimed at providing increased protection of individuals’ health information. Enforcement of the HHS and FTC breach notification rules began last month, as described here.

The Federal Trade Commission, state attorneys general, and private plaintiffs have pursued companies that have experienced data-security breaches. Such investigations typically have focused not only on whether notice protocols were followed, but also on underlying data security. Under HITECH, the Department of Health and Human Services has enhanced power to investigate and enforce against data security deficiencies.

What actions should the business take promptly after a breach?

• Email This
• Print

The Federal Communications Commission released its long-awaited National Broadband Plan today, providing an aggressive roadmap for advancing affordable broadband deployment and adoption; stimulating economic growth; and boosting the nation's capabilities in education, healthcare, homeland security, and other areas.  The Plan also appears to confirm that the FCC is looking to take an expanded role in privacy-related consumer protection issues.

In the Plan, the FCC discusses a number of broadband privacy and data security issues focused on the protection of and consumer control over personal information.  For example, the FCC states 

 

[t]he collection, aggregation and analysis of personal information are common threads among, and enablers of, many application-related innovations...

and the Plan notes the value of services such as customized suggestions for movie rentals or books and more targeted and relevant advertising.  It cautions, however

many users are increasingly concerned about their lack of control over sensitive personal data.

The FCC then remarks:  

Innovation will suffer if a lack of trust exists between users and the entities with which they interact over the Internet.  Policies therefore must reflect consumers’ desire to protect sensitive data and to control dissemination and use of what has become essentially their “digital identity.”  Ensuring customer control of personal data and digital profiles can help address privacy concerns and foster innovation.

The FCC also makes several broadband privacy and data security recommendations in the Plan, including:

• Encouraging Congress and the Federal Trade Commission (as well as the FCC) to clarify the relationship between users and their online profiles, including disclosure and consent requirements and data collection, sharing, storage, safeguarding, and accountability responsibilities;

• Suggesting that Congress consider helping spur the development of trusted "identity providers" that can help consumers maximize the privacy and security of their data;

• Having the FTC and FCC jointly develop principles to require that customers provide informed consent before broadband service providers share certain information with third parties (including account and usage information and other personally identifiable information); and

• Prompting the federal government to put additional resources into combating identity theft and fraud and enhancing consumer online security.

In addition, the Plan includes several privacy and data security recommendations in the smart grid and cybersecurity areas, including a recommendation that states require utilities to "provide consumers access to, and control of, their own digital energy information, including real-time information from smart meters and historical consumption, price and bill data over the Internet."  If states fail to do so within 18 months, the Plan recommends that Congress consider national legislation.

• Email This
• Print
• Trackbacks

Today as the HHS Office of Civil Rights begins to enforce the federal health data breach notification rule, the agency publicly posted the list of reported breaches affecting 500 or more individuals. The list is available on the  HHS’ website and includes the following information:

• the entity’s name
• state
• approximate number of affected individuals
• date of breach
• type of breach (e.g. theft, misdirected e-mail)
• location of information at time of breach (e.g. desktop computer, laptop, paper, mailing).

• Email This
• Print

Enforcement of the Department of Health and Human Services’ (“HHS’”) and the Federal Trade Commission’s (“FTC’s”) Breach Notification rules begin today. Both agencies initially exercised their enforcement discretion and delayed enforcement until February 22, 2010, to provide entities subject to the rules with time to implement compliance processes and procedures.

HHS’ interim final rule on breach notifications, issued on August 24, 2009, requires entities covered by HIPAA and their business associates to provide notification following discovery of a breach of security involving an individual’s unsecured protected health information.  Under the rule, covered entities are also required to notify the HHS Secretary. For breaches affecting fewer than 500 individuals that occurred during calendar year 2009 and after the September effective date of the HHS breach rule, notification to the Secretary must be submitted by March 1, 2010. 

The FTC breach rule, issued on August 17, 2009, applies to vendors of personal health records, PHR-related entities and third-party service providers. 

• Email This
• Print

The Federal Communications Commission released a Public Notice this week seeking further comment on numerous privacy issues as part of its National Broadband Plan proceeding.  Based on questions raised in a recent Center for Democracy & Technology filing, some of the broad issues that the Notice seeks comment on include:

• Consumer expectations of privacy, and how to meet those expectations as new technologies are deployed;
• Building Privacy by Design;
• Concerns surrounding the collection, use, and storage of transactional data; and
• The regulation of third-party applications.

The FCC, which is working to complete the Plan and submit it to Congress by March 17, has thus far not focused extensively on how to protect consumer privacy and personal information in the broadband ecosystem.  This Notice, however, indicates that the FCC may be planning to highlight a number of privacy-related consumer protection issues in the Plan.  Moreover, depending in part on the comments received in response to the Notice, it could also open the door to future privacy and data protection proceedings at the FCC.

Comments are due on January 22, 2010, just over a week after the Commission issued the Notice.

• Email This
• Print
• Trackbacks

In the first HIPAA action filed by a state attorney general, Connecticut Attorney General Richard Blumenthal filed a lawsuit yesterday against Health Net of Connecticut for failing to secure private medical and financial information concerning 446,000 of its Connecticut enrollees, and for subsequently neglecting to promptly notify affected individuals. Blumenthal is also seeking a court order to prevent Health Net from continued violations by requiring the company to encrypt any protected health information (“PHI”) contained on portable electronic devices. The lawsuit is the first action by a state attorney general to enforce HIPAA since the Health Information Technology for Economic and Clinical Health Act (“HITECH”) provided state attorneys general with the power to initiate civil actions on behalf of state residents for violations of HIPAA.

In May 2009, Health Net discovered that a portable computer disk drive containing social security numbers, health claim forms and bank account numbers for approximately 446,000 Connecticut enrollees was missing. According to Blumenthal, Health Net subsequently failed to promptly notify appropriate authorities and consumers of the incident. Blumenthal further alleges that Health Net failed to comply with its own policies and federal law regarding the protection of personal information, and failed to effectively train and supervise its workforce on the proper policies for maintaining, using, and disclosing PHI.

• Email This
• Print

In a move that likely will result in a significant increase in civil penalties that can be assessed in the UK for data security breaches, this month the UK Ministry of Justice began consultation on the introduction of a maximum civil monetary penalty for serious breaches of the Data Protection Act 1998 (DPA), entitled ‘Civil Monetary Penalties: Setting the maximum penalty’.

The prospect of a maximum financial penalty was introduced into the DPA in 2008 by the Criminal Justice and Immigration Act 2008, but has yet to be implemented. After the consultation closes on 21 December 2009 it is likely to become law in April 2010.

• Email This
• Print

The American Institute of Certified Public Accountants (AICPA) on Tuesday filed a lawsuit against the Federal Trade Commission (FTC) challenging the applicability of the agency's Red Flags Rule to Certified Public Accountants.  This comes on the heels of district court ruling in a lawsuit brought by the American Bar Association (ABA) reported here that the regulations do not apply to lawyers.

 We do not believe that there is any reasonably foreseeable risk of identity theft when CPA clients are billed for services rendered,” said  AICPA President and CEO Barry Melancon. “As trusted advisors, CPAs are personally acquainted with their clients and already adhere to strict privacy requirements governing identifying information.

The accountants' lawsuit  alleges primarily that the FTC lacks authority to regulate CPAs just as it lacks authority to regulate lawyers, both of whom are regulated by state authorities.  In addition, the lawsuit claims that the FTC failed to explain how the manner in which public accountants bill their clients in the normal course of business constitutes an "extension of credit" under the rule and that it failed to identify any legally supportable basis for applying the rule to accountants.   The FTC specifically referred to accountants as potentially covered entities in its FAQs concerning the rule published over the Summer.  In promulgating the rule, the AICPA alleges that the FTC never identified CPAs as potentially covered entities.

The Red Flags rule has been the source of significant controversy which,  in addition to the lawsuit by the American Bar Association, has resulted in repeated extensions of the FTC enforcement date.  Currently, the FTC is set to enorce the rule on June 1, 2010.

• Email This
• Print

Under the Data Protection Act 1998 (“DPA”), it is an offense to knowingly or recklessly obtain or disclose personal data, or the information contained in personal data, without the consent of the data controller.  Section 55 of the DPA details the offenses and any exclusions, or defenses, which may apply.  It also sets out the procedure for monetary penalties to be imposed.  Under the current law, the maximum penalty for those found guilty of offenses such as selling personal data is a £5,000 fine in the Magistrates Court and an unlimited fine in the Crown Court.  However, cases leading to substantial fines are rare.

The Ministry of Justice (which oversees the Information Commissioner’s Office) has recently announced a consultation exercise to decide whether to introduce tougher penalties for breaches of section 55, DPA, which could lead to the introduction of custodial sentences for those convicted.  Although provision was made to introduce prison sentences through the Criminal Justice and Immigration Act 2008, this has yet to be implemented and is subject to the consultation exercise, which is expected to close on 7 January 2010.

If adopted as law, the maximum penalty for the knowing or reckless misuse of personal data would be a prison sentence of up to 12 months (if heard in the Magistrates Court) or up to 2 years (if heard in the Crown Court).  This is an important development for the ICO, which has fairly limited powers of enforcement, and is arguably a necessary response to the increasingly serious breaches of the DPA involving the misuse of personal data.
 

• Email This
• Print

“Do time and effort alone, spent in a reasonable effort to avert reasonably foreseeable harm, constitute a cognizable injury under Maine common law?”

That is the question a federal district judge in Maine has put to the Maine Supreme Court in the data security breach litigation involiving Hannaford Brothers.  In a ruling  dated October 5, 2009, Judge D. Brock Hornby, who earlier this year had dismissed almost all of the claims in the consolidated class action for lack of "economic loss", reversed himself and sent to the Maine Supreme Court an issue that has the potential for opening the floodgates of litigation.   Plaintiffs  so far have been unsuccessful in pursing civil actions following data security breaches where they have not suffered real economic damages.

As Judge Hornby himself observed in his decision,

 “if the Maine Law Court’s answer to the certified question on the cognizable harm issue favors the plaintiffs, the plaintiffs will have both a negligence claim and an implied contract claim.”  

Such a development could have a profound impact on the vulnerability of companies experiencing data security breaches to civil claims, something they so far largely have avoided.  Thus, added to the existing costs of a data security breach (notification costs, credit monitoring costs, regulatory investigation costs, damage to reputation costs, etc.), there may soon be "time and effort" compensation costs.  As menioned in an earlier post concerning Maine's law tp protect kids from predatory marketing, which effectively is on hold, when the State of Maine enjoyed a reputation as a bellwether for presidential elections, this expression was in common parlance:

As Maine goes, so goes the nation?

It appears that while the State of Maine no longer has much impact on presidential elections, it could well have an impact on data security breach law.

• Email This
• Print

It sounds like an ‘April fool,’ but the story this week that people can sign up to a new internet game where they spot crimes on CCTV cameras posted in Britain and earn points for doing so might actually be true.  Both the Daily Mail and the Guardian’s online news pages featured stories about this bizarre game, which may be launched in November 2009 following a trial in Stratford-upon-Avon.

Customers have the opportunity to sign up to the service and have their CCTV monitored by the public in return for a fee.  Footage from the camera would be streamed on to a website to be used in the game.  Shopkeepers are an obvious target market for the service, but the police, local authorities and home owners may also be encouraged to sign up.

According to press releases, the service provider ‘Internet Eyes,’ offers users (players of the game) the chance to “earn reward money, have a chance at reducing crime, potentially become a hero and save lives.”  Users would compete to earn up to £1,000 per month, collecting points for viewing live CCTV footage and pressing a button whenever they see any suspicious activity.  If and when a crime is suspected, these alerts will be sent, by SMS, to the customer, in real-time, allowing them to take immediate action, or no action, as they wish.  Apparently it is possible to lose points for a false alarm and a ‘3 strikes and you’re out’ rule will apply.

The website also promises to feature a so-called ‘rogue’s gallery’ of ‘criminals,’ with details of their offenses and details of the user responsible for spotting them.

Internet Eyes says its service aims to reduce crime, but civil liberties campaigners and the assistant information commissioner have their doubts about the legality of the idea itself.  Disclosing images of identifiable individuals on the internet for entertainment raises serious issues under the Data Protection Act and the Human Rights Act.  The Guardian reports that the ICO will be ‘talking to’ Internet Eyes shortly.  Watch this space!

• Email This
• Print

The Department of Health & Human Services (“HHS”) published an electronic notification form for covered entities to submit notice of a breach of security to the Secretary. The electronic form, available on HHS’ website, is for notification of breaches affecting 500 or more individuals and for breaches affecting fewer than 500 individuals.

The on-line form includes all of the elements required by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act and the related HHS breach regulations. The form also requires covered entities to include contact information for a business associate (where the breach occurred at or by the business associate), the type of breach, the location of the breach, safeguards in place prior to the breach, and the date(s) individual notifications were provided.

If a covered entity discovers additional information related to a breach after submitting notification to the Secretary, the covered entity may submit an updated notification form using the on-line form.

• Email This
• Print

It appears that Rocky Mountain Bank v. Google (ND CA), a dispute over the disclosure of a Gmail users' account, has been settled according to this newspaper report. When an employee of the bank sent a file containing names, addresses, tax ID numbers and loan information on more than 1,000 customers to a Gmail account by mistake, the Bank sued Google to get the transmittal back and to confirm that the information sent was not inappropriately accessed. The bank obtained a court order preventing Google or its unknown Gmail account holder from accessing the file, which froze e-mail access for the unknown user. This order created some controversy, as reflected here.

One of the purposes of the lawsuit was to determine whether data security breach notification obligations had been triggered. The bank sought to seal the entire record of the case but the district court refused to seal the proceedings regarding the Gmail account. A copy of the District Court's decision is here. Sealing the record was something the plaintiff bank wanted in order to avoid prematurely (and prehaps unnecessarily) announcing a data security breach. Indeed, a major goal of the lawsuit was to seek information that would allow the Bank to avoid announcing a data security breach, but that goal was undermined by the court's refusal to seal the fact of the lawsuit (although parts of the record itself were sealed).

For many companies who misdirect e-mails containing PII, it has been a given that the misdirection alone constitutes a "breach" requiring notification to the person whose PII was in the e-mail. This case suggests that even where e-mail is misdirected, if the facts reveal that the unauthorized recipient never opened the e-mail, or for other reasons did not access the information under the definitions in the breach laws, then notice may not be required.

• Email This
• Print

Recently-enacted amendments to the Montana and North Carolina data breach notifications go into effect today, October 1, 2009.

• North Carolina. The amendment to North Carolina’s statute increases the state’s notification requirements for smaller breaches. Under the amended law, businesses and public agencies are required to notify the state attorney general every time a resident is notified. Prior to the amendment, notification to the state attorney general was only necessary if the breach affected more than 1,000 state residents. In addition, the amendment expands the contents of any notice to residents. 
•  Montana.   The amendment to Montana’s data breach statute expands the state’s private sector data breach notification statute to cover public-sector entities. State agencies that maintain computerized data containing personal information in a data system must make “reasonable efforts” to notify any person whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person. In addition, the modified law requires state agencies to develop procedures to protect social security numbers.   

The amendments to the Montana and North Carolina laws exemplify the growing number of states strengthening their data breach notification laws.   It is likely that additional states will join the trend, so compliance will require monitoring amendments.

• Email This
• Print

The health breach notification rule issued by the Federal Trade Commission (“FTC”) went into effect on Thursday, September 24, 2009.

The FTC final rule, issued on August 17, 2009, applies to vendors of personal health records (“PHR vendors”), PHR-related entities and third-party service providers. HIPAA covered entities and business associates (when engaging in business associate activities) are excluded from the definition of PHR vendor and PHR-related entities and instead are subject to a separate breach notification rule issued by the Department of Health and Human Services. The FTC Rule requires PHR vendors and PHR-related entities to notify consumers following discovery of a breach involving unsecured identifiable health information that is in a personal health record. The Rule also specifies timing, method and content of notification requirements. Of particular importance, for all breaches involving 500 or more consumers, the Rule requires notice to the FTC within 10 business days of discovery of the breach. Notice of smaller breaches can be provided to the agency on an annual basis.

While the Rule is now in effect, the FTC has announced it will delay enforcement of its rule until February 22, 2010 in order to give entities time to come into compliance.

• Email This
• Print

 On July 22, 2009, Sen. Patrick Leahy (D-VT) reintroduced S. 1490, the Personal Data Privacy and Security Act (“PDPSA”), which has been referred to the Senate Judiciary Committee.   The reintroduced PDPSA is substantially similar to the prior version reported out by the Judiciary Committee in 2007, which was co-sponsored by then-Sen. Barack Obama.  Among the provisions of the proposed law are a mandated adoption and maintenance of a comprehensive information security program, a national data breach notification law, and regulation of data broker services.  Further, while the bill as currently drafted reflects many commonly accepted principles of data privacy and security underlying existing federal and state laws, it deviates from current laws and standards regarding data security and breach notification on several noteworthy points.  Although passage of this legislation during the current session of Congress is far from certain, the existing PDPSA draft may foreshadow future legislative and regulatory trends. 

• Email This
• Print

The breach notification rule issued by the Department of Health and Human Services (“HHS”) goes into effect on Wednesday, September 23, 2009. 

HHS’ interim final rule on breach notifications, issued on August 24, 2009, requires entities covered by HIPAA to notify individuals, the HHS Secretary, and, in limited circumstances, the media following discovery of a breach of security involving an individual’s protected health information (“PHI”). Covered entities do not need to provide breach notification if the PHI was secured through methodologies and technologies specified by HHS in recent Guidance.  Notice also is not required if the breach does not pose a significant risk of financial, reputational or other harm to the individuals whose information was breached or in limited other exceptions for internal disclosures or involving limited health information. 

While HIPAA covered entities are expected to comply with this rule effective September 23, HHS has stated that it will not impose sanctions for failure to provide breach notifications until February 22, 2010 in order to give covered entities time to come into compliance. HHS is accepting comments on the provisions of the rule until October 23, 2009.

• Email This
• Print

Data security breaches remain a major risk for any company or entity that handles personal information.  The costs of a breach and harm to reputation can be significant.

At the IAPP Privacy Academy in Boston on September 18, I moderated a session on dealing with the aftermath of a data breach.  I was fortunate to have an expert panel -- Chris Cwalina, Vice President, Associate General Counsel, Intersections Inc. and Carol DiBarriste, SVP Privacy, Security, Compliance and Government Affairs, LexisNexis Group. You can view a copy of our Powerpoint presentation.

There is useful information in the slide deck including information on the current legislative landscape -- note the analysis of currently-pending HR 2221 and a review of recent state laws, as well as some points on the variations in the requirements of breach notification laws. 

Fundamentally, you will find helpful tips on what to do in the aftermath of a breach, and how to take steps in advance of a breach to minimize the risks.

The session in Boston concluded with a recommendation that companies conduct an assessment of how they are collecting, using, sharing, storing, securing, and disposing of personal data -- for only by understanding how data is handled can the risk of a breach (and its expensive effects) truly be avoided.  Hogan & Hartson regularly conducts such risk management assessments for our clients, which often results in recommendations on how to close the "gaps" -- how to improve policies, practices, training and auditing.

• Email This
• Print

The August 17, 2009 revisions of the Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts (“Massachusetts Standards”) were accompanied by reassurances that the changes were designed to create a more flexible regulatory framework that would ease the burdens on business while protecting the public interests. However, the revisions also include more detailed provisions dealing with sharing of personal information with third party service providers.  Third party service provider relationships can be a substantial source of risk to the confidentiality, integrity, and availability of sensitive information.  Risk factors include the security practices of third parties within their own facilities as well as the seemingly simple process of transferring sensitive information to a service provider. 

The Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) has addressed these risks by requiring businesses subject to the Massachusetts Standards to take “reasonable steps to select and retain third party service providers that are capable of providing appropriate security measures” consistent with the regulations and contractually obligating those service providers to do so.  There are several particularly noteworthy implications of these requirements.

Expansive Definition of Service Provider

The revised Massachusetts Standards define a “service provider” as: “any person that receives, maintains, processes, or otherwise is permitted access to personal information through its provision of service directly to a person that is subject to this regulation …” explicitly excluding the U.S. Postal Service. Accordingly, almost any vendors, suppliers, consultants, contractors, and advisors with which a business shares the personal information of Massachusetts residents appear to fall within this definition. Going forward, businesses subject to the Massachusetts Standards should carefully examine all of their third party relationships to identify all scenarios where the third party service provider requirements are applicable.  

Data Security Due Diligence

While it has been an advisable practice for some time now, the express reference to selecting third party service providers that are capable of providing appropriate security raises analysis of data security practices during due diligence to the level of a legal obligation. The Commonwealth is unlikely to be sympathetic to claims that an entity was in compliance with the Massachusetts Standards without meaningful evidence of pre-closing investigation into the data security practices of its service providers.

Monitoring Third Party Service Provider Data Security Practices

The August 17th revisions removed the prior obligation to ensure that third party service providers are applying security measures consistent with the regulations. Nonetheless, the new language contains the admonition to “retain” third party service providers capable of providing such security. Hence, OCABR maintains some authority to require monitoring of the data security performance of third party service providers. Consequently, guaranteeing the right to audit the data security measures taken by third party service providers remains a strongly advised policy. 

Limited Grandfather Clause

Finally, the August 17th revisions include a grandfather clause apparently designed to exempt third party service contracts entered into before a particular date. Due to a likely drafting error, the grandfather clause contains conflicting dates (March 1, 2010 and March 1, 2012) for the exemption. This confusion is likely to be resolved after the current public comment period. While a reasonable reading of the current language could lead one to conclude that contractual obligations are not necessary for any contract entered into before March 1, 2010, the use of contract to protect the interests of businesses subject to the Massachusetts Standards remains a very attractive option, even for agreements currently in existence. 

The grandfather clause provides no indication that it exempts presently existing third party relationships from the “selection and retention” requirements discussed above. Contractual restrictions are among the more readily practicable methods of implementing the requirement to select and retain service providers capable of providing appropriate security. Therefore, ensuring that relevant contractual obligations are in place is in the interests of all businesses subject to the Massachusetts Standards.

• Email This
• Print

UPS Ltd has joined the ever-increasing number of companies featuring in the ‘Enforcement’ section of the UK Information Commissioner’s website, for failing to ensure the adequate security of personal data, which was held on an unencrypted laptop.

Security is one of the key data protection principles set out in Schedule 1, Part 1, of the Data Protection Act 1998 (the “DPA”) and although organizations are familiar with the principle, the basic elements of protecting data can still be overlooked. As a reminder, the DPA requires all ‘data controllers’ (such as UPS Ltd in this case) to comply with the eight data protection principles. The seventh principle deals with the security of personal data and provides that data controllers must take “appropriate technical and organizational measures against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”. This means, for example, using password protection and encryption on portable hardware, such as laptops and memory devices. Of course, such measures are only effective if everyone knows about them and uses them appropriately.

This recent decision involved the loss of personal data when a UPS employee’s laptop was stolen, whilst on business abroad last year. The laptop was unencrypted and was never recovered.

Unfortunately (but as is often the case) it held personal data belonging to some 9,150 UK-based employees. Worse still, the data was payroll-related and so contained information relating to employees’ names, dates of birth, National Insurance numbers, salary and bank details.
Whilst there is no legal requirement to inform the Information Commissioner’s Office (ICO) of a DPA breach, UPS Ltd’s lawyers made the notification for their client, presumably recognizing the harm that could result from the loss of such data, for the employees themselves and also for the company’s reputation.

• Email This
• Print

With the compliance date for the federal health data breach notifications in the HITECH Act looming, more states are amending their data breach notification statutes to cover health information. The possible trend is evident in the newly-enacted laws of three states – Missouri, New Hampshire and Texas – all of which have been enacted since June 2009. 

• Missouri – Within the key definition of “Personal Information,” Missouri’s new data breach notification law includes both “medical information” and “health insurance information,” which if disclosed in combination with an individual’s name, may trigger notification rights. 
• New Hampshire– In a separate provision from its general data breach notification law, disclosure of HIPAA protected health information by health care providers and business associates may trigger notice requirements even if the disclosure is permitted under federal law or does not create a risk of harm.
• Texas – Expanding its existing data breach notification statute, Texas specifically amended the definition of “sensitive personal information” to include types of health information not previously covered.

These states join California, Arkansas and Puerto Rico as the only jurisdictions to protect health data under their data breach notification statutes. Still, compliance with these statutes may be costly and burdensome.  Businesses must carefully monitor access, acquisition and disclosure of health and medical information in addition to other types of sensitive information – social security number numbers, financial account numbers, etc. – routinely protected under these statutes. Definitions of health and medical information vary, but can be quite broad to cover, among other things, information relating to:

• physical or mental health or conditions and medical histories; 
•  provision of health care;
•  treatment and diagnosis; 
•  payments for health care; and 
•  insurance policy numbers and subscriber IDs.

Although the interaction of these state laws with the federal data breach notification regulations under the HITECH Act is unsettled, state laws must continue to be monitored and analyzed closely, especially if the number of states protecting health information continues to grow and their notification obligations are consistent with, but extend beyond, the federal requirements.

• Email This
• Print

On August 17, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) issued a second set of revisions to the Standards for the Protection of Personal Information of Residents of the Commonwealth (“Massachusetts Standards”), 201 CMR 17.00. In support of the revisions, the OCABR also issued Frequently Asked Questions (“FAQs”) to clarify the regulators’ views on issues that may not have been entirely clear in the text of the rules. The revisions are intended to increase the flexibility of the regulations in a manner that will reduce burdens on entities subject to the Massachusetts Standards, particularly small and mid-sized businesses. 

Notable among the revisions are the attempts by the OCABR to: (1) introduce a more risk-based approach to the comprehensive information security programs required by the Massachusetts Standards; (2) implement a “technical feasibility” test for required technological controls; and (3) adopt a technology neutral approach to data encryption. While these initiatives should assuage some of the concerns previously expressed by the private sector, the ultimate practical impact remains in doubt.

• Email This
• Print