Trends in Laws - Association of Corporate Counsel

U.S. Privacy and Security Laws
DELVACCA INAUGURAL INHOUSE COUNSEL CONFERENCE
April 1, 2009
Diana S. Hare
Associate General Counsel
Drexel University College of Medicine
Diana.Hare@drexelmed.edu
U.S. Privacy and Security Laws
Contents:
I. DISCLAIMER
II. Audience Participation
III. What’s Protected?
IV. Sources of Privacy & Security Obligations
- Trends
V. What’s Loss, Liability, Breach?
- Sanctions/Liability
VI. Lessons Learned
VII. Resources
I. DISCLAIMER
This presentation does not include every
privacy and security law and regulation in
the United States. Its purpose is to
provide context, key principles and trends.
Thank you!
II. Audience Participation
• Who knows they are covered by the FTC
Guidelines on protecting consumer information
collected online?
• Who knows they are covered by HIPAA because
they have an employer-sponsored health plan?
• Who knows they are covered by the Red Flags
Rule? (And who knows what it is?)
II. Audience Participation
• Who knows they are covered by state data
breach notification acts other than
Pennsylvania? By the new federal data breach
notification act?
• Who has not had employees or consultants lose
the company’s customers’ personally identifying
information, or access such data beyond their
scope of authorization?
III. What’s Protected?
• Identity
– Individually Identifiable Information
– Personal Information
– Education Record
– Name, social security number (cf. redacted to
last 4), credit card number
– HIPAA has 18 Identifiers – down to stripping
the Zip Code
III. What’s Protected?
• Sensitive Information about a Person
– Drug and alcohol treatment
– HIV status
– Genetic screening
– Children 13 or younger
– Privileged communications
III. What’s Protected?
• Data “CIA” =
– Confidentiality
– Integrity
– Availability
• Collection, Use and Disclosure
• Informed Consent
IV. Sources of Privacy & Security Obligations
General Sources
• U.S. Constitution – 4th Amendment; 14th Amendment;
U.S. v. Griswold
• Torts – Intrusion upon Seclusion; Invasion of Privacy
• Privileges – Judicial Codes
– Accountant
– Psychologist – 42 PA C.S.A. § 5944
– Sexual Abuse Victim Counseling – 42 PA C.S.A. §
5945.1
– Attorney
– Physician
IV. Sources of Privacy & Security Obligations
Federal Laws and Regulations and Guidance:
• U.S. Constitution –see above
• Federal Privacy Act of 1974 – 5 U.S.C. §552a
• FTC Consumer Online Privacy Principles 1998; Online
Behavioral Advertising Principles 2009
• FTC COPPA – Children’s Online Privacy Protection Rule
– 16 C.F.R. 312
IV. Sources of Privacy & Security Obligations
• HIPAA – Health Insurance Portability and Accountability
Act of 1996 and Privacy and Security Rules, 45 CFR §§
160, 162 and 164, as Amended by HITECH Act (see
below)
• GLB – Gramm-Leach Bliley Act (Financial Modernization
Act of 1999) 15 U.S.C. §6801 et seq. and Financial
Privacy Rule 16 C.F.R. 313 and Financial Safeguards
Rule 16 C.F.R. 314
• Family Educational Rights and Privacy Act (FERPA) (20
U.S.C. § 1232g; 34 CFR Part 99)
IV. Sources of Privacy & Security Obligations
• FCRA – Fair Credit Reporting Act (15 U.S.C. 1681 et
seq.); amended by FACT Act – Fair and Accurate Credit
Transactions Act of 2003
– Section 114 – Identity Theft Prevention – Red Flags
Rules – 16 C.F.R. 681
– Section 116 – Proper Disposal of Consumer
Information – Disposal of Consumer Report
Information and Records - 16 C.F.R. 682
IV. Sources of Privacy & Security Obligations
• FDA – Research Data – Electronic Records and
Signatures – “Part 11” – 21 C.F.R. 11
IV. Sources of Privacy & Security Obligations
• ARRA – American Recovery and Reinvestment Act of
2009 (“Stimulus Bill”) February 17, 2009
(www.whitehouse.gov; http://frwebgate.access.gpo.gov/)
– HITECH Act – Health Information Technology for
Economic and Clinical Health Act – Division A, Title
XIII of ARRA
• Subtitle D – Privacy – §§ 13400–13424 – Amends
HIPAA, substantially increases penalties (now) and adds
new Federal Data Breach Notification as to
Protected Health Information
IV. Sources of Privacy & Security Obligations
State Laws:
• More stringent state laws on protected health information
supersede HIPAA – e.g.
– PA Confidentiality of HIV-Related Information Act (“Act 148”) 35
P.S. § 7601 et seq.
• Limit use of Social Security Numbers, e.g.
– PA Social Security Number Privacy Act – 71 P.S. § 2601 et seq.
IV. Sources of Privacy & Security Obligations
• Data Breach Notification Acts –
– California and Massachusetts lead the trends
– PA – Breach of Personal Information Notification Act – 73 P.S. §
2301
– NJ – New Jersey Identity Theft Prevention Act – N.J.S.A. §
56:11-44 et seq. and new draft rules with comment period
closed 2/13/09
– DEL – Computer Security Breaches – Title 6, Chapter 12B
IV. Sources of Privacy & Security Obligations
• Torts – see above
• Privileges – Judicial Codes (see above)
IV. Sources of Privacy & Security Obligations
Industry Standards –
PCI – Payment Card Industry
IV. Sources of Privacy & Security Obligations
Key obligations shared:
• Risk assessment
• Administrative, Physical and Technical
Safeguards
• Policies and Procedures
• Training
• Sanctions
- Trends in Privacy and Security Laws
Trends in Laws:
• Mandatory encryption
• Mandatory and prompt reporting of data breaches
• Increased penalties; enforcement
• Increased third party vendor oversight, liability
• Board level responsibility (e.g. Red Flags Rule)
- Trends in Privacy and Security
• Data breaches
• Increased Identity Theft
• Class Actions
V. What’s Loss, Liability, Breach?
• Unauthorized Access
• Loss that reasonably could lead to theft
- Sanctions/Liability for Violations:
Examples
Laws:
• Section 5 of the FTC Act – unfair or deceptive acts
• States – “Baby FTC Acts”
• HIPAA → HITECH Act
- Sanctions/Liability for Violations:
Enforcement Actions; Lawsuits:
– Providence Health – unencrypted tapes –
OCR/CMS/HIPAA sanction; 1st monetary penalty
($100K)
– Treatment Assocs of Victoria – TX AG – charged with
unlawfully dumping client records in publicly
accessible garbage; TX Identity Theft Act and Baby
FTC Act
– Heartland Payment Systems, N.J. – (payment card
processor); hacker; PCI standards; Class Action – on
behalf of affected financial institutions
- Sanctions/Liability for Violations:
Enforcement Actions; Lawsuits:
– CVS – dumped prescription labels in dumpster. OCR
and FTC JT enforcement: HIPAA Privacy Rule and
FTC Act; $2.25 million; FTC 20 year monitoring.
– Premier Capital Lending – GLB Privacy and Security
Rules; customer data. Mortgage broker gave access
that was used improperly.
– Mortgage Broker Gregory Navone – consumer info
into unsecured dumpster; FCRA Disposal Rule
violation; charged with failure to implement training and
exercise oversight of service providers.
VI. Privacy & Security – Lessons Learned
• Access is key; audit logs
• Audit/Assessment of Risks
• Effective Policies and Procedures
• Sanction employees
• Train employees
• It is internal employees and consultants with authorized
access
VI. Privacy & Security – Lessons Learned
• Vendor management/Due diligence – not just contractual language
required by HIPAA, GLB, Red Flag Rules, etc.
• Encryption
• Data Breach – Prepare
• Incident Reporting Team/Committee
• Mandatory Reporting
• Insurance
VII. Privacy & Security - Resources
• Data breach remedial products:
– Credit monitoring products – negotiate
contract (Experian)
– Debix
– Insurance coverage purchased (Data breach
for one company cost $65K in postage alone!)
VII. Privacy & Security - Resources
• FTC.gov
• OCR Listserv (Office of Civil Rights – DHHS)
• CMS – HIPAA Security Rule
• NIST – National Institute of Standards and Technology
www.nist.gov; Computer Security Resource Center
(http://csrc.nist.gov); (Draft) Guide to Protecting
Confidentiality of Personally Identifiable Information 1/13/09
• IAPP www.privacyassociation.org
U.S. Privacy & Security Laws
Questions?
Diana S. Hare
Associate General Counsel
Drexel University College of Medicine
215.255.7842
Diana.Hare@drexelmed.edu