U.S. Privacy and Security Laws
DELVACCA INAUGURAL IN-HOUSE COUNSEL CONFERENCE
April 1, 2009
Diana S. Hare, Associate General Counsel, Drexel University College of Medicine
Diana.Hare@drexelmed.edu

U.S. Privacy and Security Laws – Contents:
I. Disclaimer
II. Audience Participation
III. What’s Protected?
IV. Sources of Privacy & Security Obligations – Trends
V. What’s Loss, Liability, Breach? – Sanctions/Liability
VI. Lessons Learned
VII. Resources

I. DISCLAIMER
This presentation does not include every privacy and security law and regulation in the United States. Its purpose is to provide context, key principles and trends. Thank you!

II. Audience Participation
• Who knows they are covered by the FTC Guidelines on protecting consumer information collected online?
• Who knows they are covered by HIPAA because they have an employer-sponsored health plan?
• Who knows they are covered by the Red Flags Rule? (And who knows what it is?)

II. Audience Participation
• Who knows they are covered by state data breach notification acts other than Pennsylvania’s? By the new federal data breach notification act?
• Who has not had employees or consultants lose the company’s customers’ personally identifying information, or access such data beyond their scope of authorization?

III. What’s Protected?
• Identity
– Individually Identifiable Information
– Personal Information
– Education Record
– Name, social security number (cf. redacted to last 4), credit card number
– HIPAA has 18 Identifiers – down to stripping the Zip Code

III. What’s Protected?
• Sensitive Information about a Person
– Drug and alcohol treatment
– HIV status
– Genetic screening
– Children 13 or younger
– Privileged communications

III. What’s Protected?
• Data “CIA” =
– Confidentiality
– Integrity
– Availability
• Collection, Use and Disclosure
• Informed Consent

IV. Sources of Privacy & Security Obligations
General Sources
• U.S. Constitution – 4th Amendment; 14th Amendment; U.S. v. Griswold
• Torts – Intrusion upon Seclusion; Invasion of Privacy
• Privileges – Judicial Codes
– Accountant
– Psychologist – 42 PA C.S.A. § 5944
– Sexual Abuse Victim Counseling – 42 PA C.S.A. § 5945.1
– Attorney
– Physician

IV. Sources of Privacy & Security Obligations
Federal Laws and Regulations and Guidance:
• U.S. Constitution – see above
• Federal Privacy Act of 1974 – 5 U.S.C. § 552a
• FTC Consumer Online Privacy Principles 1998; Online Behavioral Advertising Principles 2009
• FTC COPPA – Children’s Online Privacy Protection Rule – 16 C.F.R. 312

IV. Sources of Privacy & Security Obligations
• HIPAA – Health Insurance Portability and Accountability Act of 1996 and Privacy and Security Rules, 45 C.F.R. §§ 160, 162 and 164, as amended by the HITECH Act (see below)
• GLB – Gramm-Leach-Bliley Act (Financial Modernization Act of 1999), 15 U.S.C. § 6801 et seq., and Financial Privacy Rule 16 C.F.R. 313 and Financial Safeguards Rule 16 C.F.R. 314
• Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 C.F.R. Part 99)

IV. Sources of Privacy & Security Obligations
• FCRA – Fair Credit Reporting Act (15 U.S.C. 1681 et seq.); amended by FACT Act – Fair and Accurate Credit Transactions Act of 2003
– Section 114 – Identity Theft Prevention – Red Flags Rules – 16 C.F.R. 681
– Section 116 – Proper Disposal of Consumer Information – Disposal of Consumer Report Information and Records – 16 C.F.R. 682

IV. Sources of Privacy & Security Obligations
• FDA – Research Data – Electronic Records and Signatures – “Part 11” – 21 C.F.R. 11

IV. Sources of Privacy & Security Obligations
• ARRA – American Recovery and Reinvestment Act of 2009 (“Stimulus Bill”), February 17, 2009 (www.whitehouse.gov > http://frwebgate.access.gpo.gov/)
– HITECH Act – Health Information Technology for Economic and Clinical Health Act – Division A, Title XIII of ARRA
• Subtitle D – Privacy – §§ 13400–13424
– Amends HIPAA, substantially increases penalties (now) and adds new Federal Data Breach Notification as to Protected Health Information

IV. Sources of Privacy & Security Obligations
State Laws:
• More stringent state laws on protected health information supersede HIPAA – e.g.
– PA Confidentiality of HIV-Related Information Act (“Act 148”), 35 P.S. § 7601 et seq.
• Limit use of Social Security Numbers, e.g.
– PA Social Security Number Privacy Act – 71 P.S. § 2601 et seq.

IV. Sources of Privacy & Security Obligations
• Data Breach Notification Acts
– California and Massachusetts lead the trends
– PA – Breach of Personal Information Notification Act – 73 P.S. § 2301
– NJ – New Jersey Identity Theft Prevention Act – N.J.S.A. § 56:11-44 et seq. and new draft rules with comment period closed 2/13/09
– DEL – Computer Security Breaches – Title 6, Chapter 12B

IV. Sources of Privacy & Security Obligations
• Torts – see above
• Privileges – Judicial Codes (see above)

IV. Sources of Privacy & Security Obligations
Industry Standards
– PCI – Payment Card Industry

IV. Sources of Privacy & Security Obligations
Key obligations shared:
• Risk assessment
• Administrative, Physical and Technical Safeguards
• Policies and Procedures
• Training
• Sanctions

– Trends in Privacy and Security Laws
Trends in Laws:
• Mandatory encryption
• Mandatory and prompt reporting of data breaches
• Increased penalties; enforcement
• Increased third-party vendor oversight, liability
• Board-level responsibility (e.g. Red Flags Rule)

– Trends in Privacy and Security
• Data breaches
• Increased Identity Theft
• Class Actions

V. What’s Loss, Liability, Breach?
• Unauthorized Access
• Loss that reasonably could lead to theft

– Sanctions/Liability for Violations: Examples
Laws:
• Section 5 of the FTC Act – unfair or deceptive acts
• States – “Baby FTC Acts”
• HIPAA
• HITECH Act

– Sanctions/Liability for Violations: Enforcement Actions; Lawsuits:
– Providence Health – unencrypted tapes – OCR/CMS/HIPAA sanction; 1st monetary penalty ($100K)
– Treatment Assocs of Victoria – TX AG – charge of unlawfully dumping client records in publicly accessible garbage; TX Identity Theft Act and Baby FTC Act
– Heartland Payment Systems, N.J. – (payment card processor); hacker; PCI standards; Class Action – on behalf of affected financial institutions

– Sanctions/Liability for Violations: Enforcement Actions; Lawsuits:
– CVS – dumped prescription labels in dumpster. OCR and FTC joint enforcement: HIPAA Privacy Rule and FTC Act; $2.25 million; FTC 20-year monitoring.
– Premier Capital Lending – GLB Privacy and Security Rules; customer data. Mortgage broker gave access that was used improperly.
– Mortgage Broker Gregory Navone – consumer info into unsecured dumpster; FCRA Disposal Rule violation; charged with failure to implement training & exercise oversight of service providers.

VI. Privacy & Security – Lessons Learned
• Access is key; audit logs
• Audit/Assessment of Risks
• Effective Policies and Procedures
• Sanction employees
• Train employees
• It is internal employees and consultants with authorized access

VI. Privacy & Security – Lessons Learned
• Vendor management/Due diligence – not just the contractual language required by HIPAA, GLB, Red Flags Rules, etc.
• Encryption
• Data Breach – Prepare
• Incident Reporting Team/Committee
• Mandatory Reporting
• Insurance

VII. Privacy & Security – Resources
• Data breach remedial products:
– Credit monitoring products – negotiate contract (Experian)
– Debix
– Insurance coverage purchased (Data breach for one company cost $65K in postage alone!)

VII. Privacy & Security – Resources
• FTC.gov
• OCR Listserv (Office of Civil Rights – DHHS)
• CMS – HIPAA Security Rule
• NIST – National Institute of Standards and Technology, www.nist.gov; Computer Security Resource Center (http://csrc.nist.gov); (Draft) Guide to Protecting Confidentiality of Personally Identifiable Information, 1/13/09
• IAPP – www.privacyassociation.org

U.S. Privacy & Security Laws – Questions?
Diana S. Hare
Associate General Counsel
Drexel University College of Medicine
215.255.7842
Diana.Hare@drexelmed.edu