Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006

1. Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006  Sara Juster, JD Vice President/Corporate Compliance Officer Nebraska Methodist Health System Sheila Wrobel, JD, MBA UNMC Compliance Officer/Privacy Officer Chris Kerbawy Creighton University Legal Intern

2. How does the Act apply to the health care industry? • The “Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006” is contained in the first 7 sections of LB 876, a bill relating to banking & finance. • Signed and effective April 6, 2006. • The Act applies to all individuals and commercial entities. • “Commercial entity” includes any “legal entity, whether for profit or not for profit.”

3. Purpose of the Act • Requires prompt investigation and notification to Nebraska residents of breaches of computer security resulting, or likely to result, in the unauthorized use of personal information. • Focus is on computerized information security breaches and not other types of incidents.

4. Definitions • Breach of the Security of the System: • Unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information. • Personal Information: • Nebraska resident’s first name or first initial and last name in combination with: • Social Security Number; • Driver’s license number or State ID card number; • Account number or credit or debit card number, along with access codes/passwords; • Unique electronic identification or routing code, along with access codes/passwords; or • Unique biometric data, such as fingerprint, voiceprint.

5. Substance of the law • Contained in Section 3. • Defines what covered entities must do in the event of a breach. • Contains two different sets of requirements for two different targeted entities.

6. Section 3: Two parts • Part 1 • Entities which own or license computerized data containing personal information. • Part 2 • Entities which maintain, but do not own or license, computerized data containing personal information.

7. Section 3, Part 1 • In the event of breach, entities that own or license data have two specific duties: 1) Conduct a reasonable and prompt investigation to determine the likelihood that personal information has been or will be used for an unauthorized purpose. 2) If the investigation determines use of personal information has occurred or is reasonably likely to occur, the entity must give notice to all affected Nebraska residents as soon as possible, with due consideration for law enforcement and the entity’s internal needs of investigation and restoring system integrity.

8. Section 3, Part 2 • In the event of breach, entities that maintain, but do not own or license, data have a general duty: • When they become aware of a breach where use of personal informationhas occurred or is likely to occur, they must give notice to the owner or licensee of the personal information and cooperate with the owner or licensee. (Cooperation includes sharing information relevant to the breach, not including proprietary information.)

9. Section 3, Part 2 (cont’d) • Part 2 differs from Part 1: • No requirement for the entity to investigate or notify affected Nebraska residents. • The entity must make a initial determination regarding the likelihood of unauthorized use. • The entity must notify the owner or licensee and cooperate in their investigation.

10. Notice Guidelines • Contained in section 2. • Notice can be: • in writing; • by telephone; • Electronic; or • by substitute notice in certain circumstances.

11. Substitute notice - First circumstance A) Allowed when: - Notice would cost over $75,000.00, - Would effect over 100,000 Nebraska residents, or - The entity has insufficient contAct information to provide notice. Three requirements (must do all 3): 1) Send e-mail when addresses available; 2) Post notice on the entity’s web-site if one is maintained; and 3) Provide notice to major state-wide media outlets.

12. Substitute notice - Second circumstance B) Allowed when: - The entity has less than 10 employees, and - Notice would cost more than $10,000.00. Four Requirements (must do all): 1) Send E-mail when addresses available; 2) Buy advertisements in local newspapers at least 1/4 page in size once a week for three consecutive weeks; 3) Post notice on the entity’s web-site if one is maintained; and 4) Provide notice to major statewide media outlets operating in the local area.

13. Exceptions to Notice Requirement • Contained in Section 4 • Certain entities are in compliance with section 3 as long as they follow their procedures: • Entities with existing notice procedures that are consistent with the timing requirements of the Act. • Regulated entities with breach procedures proscribed by regulation.

14. Enforcement • Contained in Section 6 • “The Attorney General may issue subpoenas and seek and recover direct economic damages for each affected Nebraska resident injured by a violation of the Act.”

15. Recommendations • Revise Security Incident Response policy to include consumer notification requirements. • Centralize notification responsibility to ensure compliance with the law and effectively manage associated risk & potential litigation issues.

16. Questions???