Winds of change are driving significant new considerations for all organizations that handle personally identifiable information (PII) and protected health information (PHI).
At CSR, we know how easy it is for an organization to lose data that must be protected. All it takes is a lost laptop, smartphone or USB drive with sensitive data, just some of the dangers surrounding portable technology. Malware attacks also result in breaches, which CSR, as privacy professionals, reports to authorities on behalf of clients of the CSR Breach Reporting ToolKit™ solution.
One of our end users, a tattoo parlor, is a documented case study. A saddlebag containing credit card receipts and protected health information (PHI) fell off a motorcycle on a trip to the bank. Clearly, losing personally identifiable information (PII) or PHI can happen all too easily to any business.
Identity theft is the #1 complaint of consumers contacting the FTC.
All organizations must develop a process to identify sensitive data, and put in place policies, procedures and training to protect it. Courts, legislators and regulators are addressing data privacy with the goal of tightening rules in favor of the rights of the impacted individual. Here is a look at just three developments that will impact organizational privacy issues. The first two affect all organizations that handle PII, and the third affects health care providers and their business associates.
Recent court actions:
If recent U.S. court rulings are any indication, we may see increased penalties for organizations that lose the personal data of their customers and employees.
State legislation regarding protection of PII:
States are passing data protection legislation requiring organizations to be proactive in protecting PII. Currently, at least seven states have legislated that organizations handling personally identifiable information must safeguard PII. Massachusetts and Oregon legislation provide detailed guidance.
HIPAA/HITECH Final Rule:
The recent HIPAA/HITECH rules increase the noncompliance penalties for covered entities (health care providers), business associates and subcontractors.
Consumers’ Right to Reasonable Expectation that Personal Data is Safeguarded
Courts may ultimately recognize that an individual consumer has a reasonable expectation that PII should be protected and that a data breach violates that expectation.
Until recently, consumers who have had their data compromised have met with very little success in the courtroom. The Anderson v. Hannaford Bros. Co. case, in which millions of consumers’ payment card records were compromised and which led to more than 1,800 known cases of fraud, could be considered groundbreaking in this area. The court allowed the consumer plaintiffs to recover the costs of reasonable efforts to mitigate the harm, such as the cost of credit monitoring.
However, the most successful cases to date involve a consumer plaintiff who suffered actual identity theft which led to fraudulent charges or some other demonstrated financial harm.
The federal courts are currently split on how to define when a private action involving data loss has “standing,” or merit. Here are three examples where harm and standing were found by federal courts:
In Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), the court found that an injury had occurred when a laptop containing personal information was stolen. The Ninth Circuit concluded that the risk of future harm following a data breach was sufficient to confer standing. The court weighed heavily the evidence that at least one attempt had been made to steal a consumer’s identity as a result of the breach. The court concluded that the consumer plaintiff’s “generalized anxiety and stress” as a result of the breach was sufficient to confer standing.
In Pisciotta v. Old National Bancorp, 499 F.3d 629 (7th Cir. 2007), the court held that an injury had occurred when a sophisticated hacker perpetrated a data breach. The court concluded that the risk of future harm was sufficient to confer standing. In the case, the consumer plaintiffs sought compensation for credit monitoring services obtained in response to a breach. The court considered evidence that there was a sophisticated and malicious hacker attack when concluding, “the injury-in-fact requirement can be satisfied by a threat of future harm.”
In Lambert v. Hartman, a consumer plaintiff’s personal information was published on a public website. The Sixth Circuit found that standing existed where the plaintiff could “prove that she continues to face an increased risk of identity theft, and she could show that monitoring suspicious activity on her credit report would not only combat that future risk, but would also help to redress the past financial injury that she has suffered.”
The Supreme Court has yet to hear a case from the lower courts regarding what constitutes standing when PII is compromised.
New State Data Protection Laws
Over time, we’ve seen states take legislative action to ensure that consumers and state attorneys general are informed of data loss. Currently, 46 states, 3 territories and the District of Columbia have enacted data breach laws requiring action after a breach has been detected.
The developing trend is for states to legislate that organizations must have policies and procedures, training and accountability for the personal data they handle prior to data loss. This is familiar to health care providers and their business associates who are already aware of the need to appropriately safeguard protected health information in accordance with HIPAA/HITECH. Currently, at least seven states have data protection laws including Oregon, California and Massachusetts. These three states are often the first to legislate and are emulated by others. Chances are that more states will follow suit. Therefore, all organizations handling personal data should incorporate methods to address these protections into their processes.
Following are some requirements from the Massachusetts law:
Requirement for a comprehensive information security program
Designating a responsible party to control and monitor PII
Providing ongoing training of employees
Completing a PII risk assessment
Restricting access to sensitive data
Regular monitoring of the program
Reviewing the scope of the program annually for modification
Documentation and reporting of data loss incidents
HIPAA/HITECH Final Rule Increases Noncompliance Penalties
The recent strengthening of HIPAA/HITECH rules, effective March 26, 2013, reinforces data protection requirements. Here are seven of the more important provisions that increase the penalties, tighten up restrictions, increase individual rights and the complexity of compliance:
The Department of Health and Human Services established in the Final Rule additional requirements for business associate agreements (BAAs). Business Associates must:
Comply, where applicable, with the Security Rule with regard to electronic PHI
Report breaches of unsecured PHI to the covered entity
Ensure that any subcontractors of the business associate that create, receive, maintain or transmit PHI on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to the information, and
If a business associate carries out a covered entity’s obligation under the HIPAA Privacy Rules, the business associate must comply with the requirements of the HIPAA Privacy Rule that apply to the covered entity.
In addition to the Business Associate requirements, the Final Rule also:
Increases the civil financial penalty structure provided by the HITECH Act. Fines now go up to $1.5M per violation.
Replaces the breach notification rule’s “harm” threshold with a more objective standard. (Now, data simply needs to be “compromised,” generally without harm having to be shown.)
Strengthens the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibits the sale of protected health information without individual authorization.
Expands individuals’ rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out-of-pocket in full.
Requires modifications to, and redistribution of, a covered entity’s notice of privacy practices.
Modifies the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others.
These are just highlights of the Final Rule. Each business entity must evaluate all applicable legislation, regulations and court activities that will affect how it manages these issues.
Entities looking for guidance can get a free copy of CSR’s “Best Practices for Managing PII,” which provides several steps organizations can take to secure data that must be protected.
Mark Brady, CIPP/US, CIPP/G, PMP – Director of Compliance
Mark Brady’s role at CSR (Compliance Solutions and Resources) is to provide a strategic regulatory perspective for product development and consulting engagements. Mark has a broad background in data security legislation and compliance.