
2009 Privacy Initiatives


Presentation Transcript


  1. 2009 Privacy Initiatives Susan Blair, MSJ, MBA, CIPP, CCEP, CIA Chief Privacy Officer, University of Florida

  2. Privacy Officers in a Nutshell DO PLAN WATCH

  3. Little Time to LOL ….. COPPA, FACTA, GLBA, CFAA, DPPA, HIPAA, ADA, ITADA, The Privacy Act, FERPA, TCFAPA, ECPA, CPNI, PCI DSS, Red Flags

  4. Definitions: Complaint v. Incident • Privacy Complaint: An allegation by an individual that an organization is not complying with the requirements of the federal privacy and/or security regulations or the organization’s own policies and procedures related to the privacy / security of personal information. • Privacy Incident: A known or suspected action, inconsistent with the organization’s privacy policies and procedures, or an adverse event, related to restricted or sensitive information.

  5. Incidents by Type – 2003-2008

  6. Incidents by Area – 2003-2008

  7. 2008 Privacy Violation by Type • PHI: 3,440 • PHI/PII: 335,353 • PII: 825 • Student Record: 4,955 • PII/Student Record: 13,516 • Financial: 2 • Human Resources: 32

  8. Significant 2008 Privacy Violations and Incidents by Area (Number of Violations / Incidents) • College of Dentistry: 334,238# / 7 • College of Medicine: 3,501 / 91 • Academic Technology-CLAS: 11,562 / 2 • College of Engineering: 4,423 / 3 • Reitz Union: 612 / 1 • IFAS: 271 / 2 • College of Education: 145 / 1 • # 334,234 were both PHI and PII violations

  9. 2009 Legislative Mandates Genetic Information Nondiscrimination Act Red Flag Rules American Reinvestment and Recovery Act (ARRA) Health Information Technology for Economic and Clinical Health Act (HITECH)

  10. Genetic Information Nondiscrimination Act • Results of genetic tests for individuals or family members that provides any data about medical history; includes predictive testing • Mandates modification of HIPAA’s Privacy Rule so that genetic information is treated as protected health information; became effective May 21, 2009 • Confidentiality safeguards required for collection, maintenance, and storage; also limits disclosure of genetic information.

  11. FTC’s Red Flag Rules • FTC Red Flag Rules became effective May 1, 2009, but were delayed to August 1, 2009 • Written ID Theft Prevention Program for any ‘covered account’ for individuals or households, i.e., for an organization that is: • regularly extending, renewing, or continuing credit; • regularly arranging for such credit; • acting as an assignee of an original creditor

  12. Red Flags’ Hybrid Checklist • Inventory and Risk Assessment of Accounts • Board of Trustees Review and Approval of Written Policies and Procedures • Red Flags Training • Departmental Procedures & Training • Compliance Audits • Cross-reference to Critical Incident and Breach Notification Plan and SSN Monitoring • Add or revise contract language to require contractors to establish a written identity theft program or to mirror the University’s Red Flags Program • Audit compliance at least annually.

  13. ARRA: Effective February 2009 • Restrictions on Disclosures: disclosures prohibited with limited exceptions (as required by law) • Enforcement by State Attorney General • Civil case (violation) of interest to state residents • Damages and court fees to be awarded • Federal court venue • Effective for violations that occurred after enactment • Tiered Civil Monetary Penalties Collected • Employees or individuals can be found liable under HIPAA.

  14. ARRA: Effective February 2009 • Civil Monetary Penalty Tiers (Minimum per Violation / Annual Maximum):
  • Tier A, “Did not know”: $100 / $25,000
  • Tier B, “Reasonable cause”: $1,000 / $100,000
  • Tier C, “Willful neglect”: $10,000 / $250,000
  • Tier D, “Uncorrected violation”: $50,000 / $1,500,000

  15. ARRA: Provisions Changes Due • August 2009: Breach notification provisions and PHI breach notification • February 2010: Business Associates and Marketing • August 2010: Minimum Necessary and Prohibition on sale of electronic health records/PHRs • January 2011: Accounting for Disclosures • February 2011: Enforcement for ‘willful neglect’

  16. “HITECH” Enhances HIPAA • Section 13402 requires HIPAA covered entities to notify affected individuals of a breach of “unsecured protected health information” • “Not secured through the use of a technology or methodology specified by the Secretary of HHS through guidance” • April 17th HHS Guidance recommends either encryption or destruction.

  17. HITECH Guidance • Encryption according to National Institute of Standards and Technology (“NIST”) or Federal Information Processing Standards (“FIPS”): • “Data at rest” – NIST 800-111, Guide to Storage Encryption Technologies for End User Devices • “Data in motion” – FIPS 140-2, including • NIST 800-52, Guidelines for the Selection and Use of Transport Layer Security Implementations • NIST 800-77, Guide to IPsec VPNs • NIST 800-113, Guide to SSL VPNs

  18. HITECH Guidance • Destruction: • Paper, film, or other hard copy media must be shredded or destroyed to the extent that the PHI cannot be read or reconstructed. • Electronic media must be cleared, purged or destroyed such that the PHI cannot be retrieved, and such destruction must be consistent with NIST 800-88, Guidelines for Media Sanitization.

  19. HITECH Breach Notification • Notification: Sets thresholds for triggering breach notification requirements as well as parameters for the method, content, and timing of the notification. For example, • Must provide notice to consumers and FTC within 60 days of discovery; • Notice must include mitigation details; and • If 10 or more individuals cannot be reached, must post conspicuously for six months on homepage of website; or, provided to print and broadcast media outlets in areas affected by breach. • Applies to breaches discovered on or after September 18, 2009.

  20. Academic Data Breaches (Minnesota Privacy Consultants) • Over 50 colleges and universities have experienced multiple reported privacy incidents since 2001. At a state level, California is home to seven twice-breached universities, while Ohio follows at four schools. • At least four universities have experienced five or more publicized privacy incidents. • Purdue University (7) • Ohio University (5) • University of Florida (5) • University of Iowa (5)

  21. Privacy Breaches Sampling, January – December 2008 • University of Minnesota: 3,100 • Long Island University: 30,000 • Middle Tenn. State: 1,500 • Texas A&M: 3,000 • Harvard University: 6,600 • Binghamton University: 300 • University of Miami: 2,100,000 • University of Florida: 11,300 • University of Utah: 2,200,000 • University of Florida: 344,448 • Oklahoma St. University: 70,000 • UC San Francisco: 3,569 • Stanford University: 72,000 • University of Georgia: 4,250 • University of Akron: 800 • University of Florida: 101 • Ohio University: 492 • Tennessee Tech: 990 • University of Texas: 2,500 • University of Maryland: 23,000 • Penn State: 677 • Georgetown University: 38,000 • University of Florida: 1,900

  22. Top Reasons for University Breaches • Data-rich information systems creating a natural target. • Outdated and non-enforced data security safeguards. • Sophisticated intruders with potential criminal intent. • Careless or inattentive data systems management. • Negligent hiring practices or employee misuse of data. • Demonstrated opportunities for repeat access. • Business partners or research sponsors who fail to protect information.

  23. Watch for “Seminal” Court Cases • Seminal means “Highly original and influencing the development of future events”. • When does a Privacy Breach cause harm? • Identity theft and financial fraud • Offensive publication of illicitly acquired PII • Limited economic opportunities, e.g., for a job applicant • Canada, Australia, New Zealand are codifying that privacy-security breaches can cause harm.

  24. Cause for Caution • Federal Precedent: Ninth Circuit Court (Stollenwerk) opined that ‘harm’ was not necessary for class action lawsuits resulting from data breach. • Partnering of Federal Agencies: FTC joined OCR to pursue claims against CVS with settlement costs of $2.25 million. Also, FTC can levy penalties where identity theft results. • States’ Action: ARRA permits states’ AG to sue for damages on behalf of residents.

  25. In Summary: Nowhere to Hide • Increased Governmental Regulations, especially for identity theft and healthcare operations • Emerging Technology Risks and Expanding Data Security Obligations • Probable Civil Case Law Developments as well as Enhanced Enforcement, especially from state AGs. • Continuing infrastructure and resource challenges

  26. Contact Information UF Privacy Office • http://privacy.ufl.edu • 352-273-5094 • Toll-free Hotline: 866-876-4472
