U. S. Privacy and Security Laws

DELVACCA INAUGURAL INHOUSE COUNSEL CONFERENCE

April 1, 2009

Diana S. Hare

Associate General Counsel

Drexel University College of Medicine

[email protected]

U.S. Privacy and Security Laws

Contents:

I. DISCLAIMER
II. Audience Participation
III. What’s Protected?
IV. Sources of Privacy & Security Obligations
    - Trends
V. What’s Loss, Liability, Breach?
    - Sanctions/Liability
VI. Lessons Learned
VII. Resources

I. DISCLAIMER

This presentation does not include every privacy and security law and regulation in the United States. Its purpose is to provide context, key principles and trends.

Thank you!

II. Audience Participation
  • Who knows they are covered by the FTC Guidelines on protecting consumer information collected online?
  • Who knows they are covered by HIPAA because they have an employer-sponsored health plan?
  • Who knows they are covered by the Red Flags Rule? (And who knows what it is?)
II. Audience Participation
  • Who knows they are covered by state data breach notification acts other than Pennsylvania? By the new federal data breach notification act?
  • Who has not had employees or consultants lose the company’s customers’ personally identifying information, or access such data beyond their scope of authorization?
III. What’s Protected?
  • Identity
    • Individually Identifiable Information
    • Personal Information
    • Education Record
    • Name, social security number (commonly redacted to the last 4 digits), credit card number
    • HIPAA’s de-identification safe harbor lists 18 identifiers, down to geographic data as fine as the ZIP code
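As an added example that is not part of the presentation, the following Python shows the two redaction conventions this slide mentions: keeping only the last four digits of a Social Security number or payment card number, and reducing a ZIP code to its three-digit prefix under the HIPAA de-identification safe harbor. The regexes, the sample strings and the restricted-prefix list are assumptions of the example (the prefix list is the one HHS published from the 2000 census; confirm it against current guidance before relying on it).

```python
"""Added example (not from the presentation): masking the identifiers the
slide names.  SSN and card number keep only the last four digits; a ZIP code
is reduced per the HIPAA de-identification safe harbor.  Regexes and the
restricted-prefix list are assumptions of this example."""
import re

# Three-digit ZIP prefixes whose area held fewer than 20,000 people in the
# 2000 census (as published by HHS).  Safe harbor requires these to be 000.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-19 digits, optionally separated by single spaces or hyphens.  Because
# separators are allowed, an SSN immediately followed by a phone number could
# also match; the Luhn check below is what keeps such runs from being masked.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
ZIP_RE = re.compile(r"\b(\d{5})(?:-\d{4})?\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: the check digit is not doubled, every second digit
    to its left is doubled (subtracting 9 when the double exceeds 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_ssn(text: str) -> str:
    """123-45-6789 -> ***-**-6789"""
    return SSN_RE.sub(lambda m: "***-**-" + m.group(3), text)


def mask_card(text: str) -> str:
    """Mask only digit runs that pass Luhn; keep the last four digits."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)              # not a card number; leave it
        return "*" * (len(digits) - 4) + digits[-4:]
    return CARD_RE.sub(repl, text)


def safe_harbor_zip(zip5: str) -> str:
    """Keep the first three digits, or 000 for a restricted prefix."""
    zip3 = zip5[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def mask_zip(text: str) -> str:
    """Five-digit ZIP (with optional +4) -> three-digit safe harbor form."""
    return ZIP_RE.sub(lambda m: safe_harbor_zip(m.group(1)), text)


def redact(text: str) -> str:
    """Card masking runs first so its longer pattern sees the original
    digits; after that no five-digit run is left inside a masked card."""
    return mask_zip(mask_ssn(mask_card(text)))


if __name__ == "__main__":
    sample = ("Jane Doe, SSN 123-45-6789, card 4111-1111-1111-1111, "
              "ZIP 03601; ref 1234 5678 9012 3456")   # constructed input
    print(redact(sample))
```

The Luhn gate matters: without it the card pattern would also mask any 13-to-19-digit run such as an internal reference number, and the "ref 1234 5678 9012 3456" string in the sample, which fails the checksum, is left alone. The ZIP rule is the crude part of the example: any bare five-digit number is treated as a ZIP, which is acceptable for an address field but not for free text.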
III. What’s Protected?
  • Sensitive Information about a Person
    • Drug and alcohol treatment
    • HIV status
    • Genetic screening
    • Children under 13 (COPPA)
    • Privileged communications

III. What’s Protected?
  • Data “CIA” =
    • Confidentiality
    • Integrity
    • Availability
  • Collection, Use and Disclosure
  • Informed Consent
IV. Sources of Privacy & Security Obligations

General Sources

  • U.S. Constitution – 4th Amendment; 14th Amendment; Griswold v. Connecticut
  • Torts – Intrusion upon Seclusion; Invasion of Privacy
  • Privileges – Judicial Codes
    • Accountant
    • Psychologist – 42 PA C.S.A. § 5944
    • Sexual Abuse Victim Counseling – 42 PA C.S.A. § 5945.1
    • Attorney
    • Physician
IV. Sources of Privacy & Security Obligations

Federal Laws and Regulations and Guidance:

  • U.S. Constitution –see above
  • Federal Privacy Act of 1974 – 5 U.S.C. §552a
  • FTC Consumer Online Privacy Principles 1998; Online Behavioral Advertising Principles 2009
  • FTC COPPA – Children’s Online Privacy Protection Rule – 16 C.F.R. 312
IV. Sources of Privacy & Security Obligations
  • HIPAA – Health Insurance Portability and Accountability Act of 1996 and Privacy and Security Rules, 45 CFR §§ 160, 162 and 164, as Amended by HITECH Act (see below)
  • GLB – Gramm-Leach-Bliley Act (Financial Modernization Act of 1999) 15 U.S.C. § 6801 et seq.; Financial Privacy Rule 16 C.F.R. 313 and Safeguards Rule 16 C.F.R. 314
  • Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99)
IV. Sources of Privacy & Security Obligations
  • FCRA – Fair Credit Reporting Act (15 U.S.C. 1681 et seq.); amended by FACT Act – Fair and Accurate Credit Transactions Act of 2003
    • Section 114 – Identity Theft Prevention – Red Flags Rules – 16 C.F.R. 681
    • Section 116 – Proper Disposal of Consumer Information – Disposal of Consumer Report Information and Records - 16 C.F.R. 682
IV. Sources of Privacy & Security Obligations
  • FDA – Research Data – Electronic Records and Signatures – “Part 11” – 21 C.F.R. 11
IV. Sources of Privacy & Security Obligations
  • ARRA – American Recovery and Reinvestment Act of 2009 (“Stimulus Bill”), signed February 17, 2009 (text via www.whitehouse.gov and http://frwebgate.access.gpo.gov/)
    • HITECH Act – Health Information Technology for Economic and Clinical Health Act – Division A, Title XIII of ARRA
      • Subtitle D – Privacy – §§ 13400–13424 – amends HIPAA, substantially increases penalties (effective on enactment) and adds a federal breach notification requirement for Protected Health Information
IV. Sources of Privacy & Security Obligations

State Laws:

  • More stringent state laws on protected health information are not preempted by HIPAA and continue to apply – e.g.
    • PA Confidentiality of HIV-Related Information Act (“Act 148”) 35 P.S §7601 et seq.
  • Limit use of Social Security Numbers, e.g.
    • PA Social Security Number Privacy Act – 71 P.S. § 2601 et seq.
IV. Sources of Privacy & Security Obligations
  • Data Breach Notification Acts –
    • California and Massachusetts lead the trends
    • PA – Breach of Personal Information Notification Act – 73 P.S. § 2301
    • NJ – New Jersey Identity Theft Prevention Act – N.J.S.A. § 56:11- 44 et seq. and new draft rules with comment period closed 2/13/09
    • DEL – Computer Security Breaches – Title 6, Chapter 12B
IV. Sources of Privacy & Security Obligations
  • Torts – see above
  • Privileges – Judicial Codes (see above)
IV. Sources of Privacy & Security Obligations

Industry Standards:

  • PCI DSS – Payment Card Industry Data Security Standard

IV. Sources of Privacy & Security Obligations

Key obligations shared:

  • Risk assessment
  • Administrative, Physical and Technical Safeguards
  • Policies and Procedures
  • Training
  • Sanctions
- Trends in Privacy and Security Laws

Trends in Laws:

  • Mandatory encryption
  • Mandatory and prompt reporting of data breaches
  • Increased penalties; enforcement
  • Increased third party vendor oversight, liability
  • Board level responsibility (e.g. Red Flags Rule)
- Trends in Privacy and Security
  • Data breaches
  • Increased Identity Theft
  • Class Actions
V. What’s Loss, Liability, Breach?
  • Unauthorized Access
  • Loss that reasonably could lead to theft
- Sanctions/Liability for Violations: Examples

Laws:

  • Section 5 of the FTC Act – unfair or deceptive acts or practices
  • States – “Baby FTC Acts”
  • HIPAA, as amended by the HITECH Act

- Sanctions/Liability for Violations: Enforcement Actions; Lawsuits
  • Providence Health – unencrypted backup tapes – OCR/CMS HIPAA sanction; first monetary settlement ($100K)
  • Treatment Associates of Victoria – TX AG charge – unlawfully dumping client records in publicly accessible garbage; TX Identity Theft Act and Baby FTC Act
  • Heartland Payment Systems, N.J. (payment card processor) – hacker; PCI standards; class action on behalf of affected financial institutions
- Sanctions/Liability for Violations: Enforcement Actions; Lawsuits (cont.)
  • CVS – dumped prescription labels in a dumpster. OCR and FTC joint enforcement: HIPAA Privacy Rule and FTC Act; $2.25 million; FTC 20-year monitoring.
  • Premier Capital Lending – GLB Privacy and Safeguards Rules; customer data. Mortgage broker gave a third party access that was used improperly.
  • Mortgage broker Gregory Navone – consumer information in an unsecured dumpster; FCRA Disposal Rule violation, charged with failure to implement training and to exercise oversight of service providers.
VI. Privacy & Security – Lessons Learned
  • Access is key; audit logs
  • Audit/Assessment of Risks
  • Effective Policies and Procedures
  • Sanction employees
  • Train employees
  • Most incidents involve internal employees and consultants who already have authorized access
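The audit-log point above, as an added example that is not from the presentation: a small review script that reads an application access log and flags the two insider patterns the deck describes, reads of records outside the user’s authorized unit and an unusual number of distinct records read by one user in a day. The log format, the scope table, the threshold and the log lines are all constructed for the example.

```python
"""Added example (not from the presentation): reviewing an access audit log
for insiders with valid credentials who read records outside their
authorized scope, or far more records than their role needs.  The log
format, the scope table and the log lines are constructed assumptions."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample export: one line per record read.
AUDIT_LOG = """\
ts,user,record_id,record_unit
2009-03-02T09:01:10,nurse01,P1001,cardiology
2009-03-02T09:04:55,nurse01,P1002,cardiology
2009-03-02T09:30:00,nurse01,P2001,oncology
2009-03-02T10:00:00,billing07,P1001,cardiology
2009-03-02T10:00:05,billing07,P2001,oncology
2009-03-02T11:00:00,temp99,P1003,cardiology
2009-03-02T22:10:00,consult22,P2001,oncology
2009-03-02T22:10:30,consult22,P2002,oncology
2009-03-02T22:11:00,consult22,P2003,oncology
2009-03-02T22:11:30,consult22,P2004,oncology
2009-03-02T22:12:00,consult22,P2005,oncology
2009-03-02T22:12:30,consult22,P2006,oncology
"""

# Assumed authorization table: the units each user may read.  A user missing
# from it (e.g. a departed consultant whose account still works) has no
# scope, so every read by that account is flagged.
SCOPES = {
    "nurse01": {"cardiology"},
    "billing07": {"cardiology", "oncology"},
    "consult22": {"oncology"},
}

VOLUME_THRESHOLD = 5   # distinct records per user per day; tune per role


def parse_log(text):
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["ts"])
        rows.append(row)
    return rows


def out_of_scope(rows, scopes):
    """Rule 1: each read of a unit the user is not authorized for."""
    return [
        (r["user"], r["record_id"], r["record_unit"])
        for r in rows
        if r["record_unit"] not in scopes.get(r["user"], set())
    ]


def high_volume(rows, threshold):
    """Rule 2: users who read more distinct records in one day than the
    threshold.  Distinct records, not raw reads, so re-opening the same
    chart several times is not counted as browsing."""
    per_day = defaultdict(set)
    for r in rows:
        per_day[(r["user"], r["ts"].date().isoformat())].add(r["record_id"])
    return {key: len(ids) for key, ids in per_day.items() if len(ids) > threshold}


def review(text=AUDIT_LOG, scopes=SCOPES, threshold=VOLUME_THRESHOLD):
    rows = parse_log(text)
    return {
        "out_of_scope": out_of_scope(rows, scopes),
        "high_volume": high_volume(rows, threshold),
    }


if __name__ == "__main__":
    for rule, hits in review().items():
        print(rule, hits)
```

Two design points carry over to real deployments: the scope table has to come from the same authority that grants access (HR or the identity system), otherwise the review only restates what the application already allowed; and the volume threshold is a per-role number, since a triage nurse legitimately opens many charts a shift while a billing consultant reading fifty oncology records at 22:00 is the pattern the enforcement cases above describe.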
VI. Privacy & Security – Lessons Learned
  • Vendor management/Due diligence – not just the contractual language required by HIPAA, GLB, the Red Flags Rule, etc.
  • Encryption
  • Data Breach – Prepare
  • Incident Reporting Team/Committee
  • Mandatory Reporting
  • Insurance
VII. Privacy & Security - Resources
  • Data breach remedial products:
    • Credit monitoring products – negotiate contract (Experian)
    • Debix
    • Insurance coverage purchased (Data breach for one company cost $65K in postage alone!)
VII. Privacy & Security - Resources
  • FTC.gov
  • OCR Listserv (Office for Civil Rights – DHHS)
  • CMS – HIPAA Security Rule
  • NIST – National Institute of Standards and Technology (www.nist.gov); Computer Security Resource Center (http://csrc.nist.gov); (Draft) Guide to Protecting the Confidentiality of Personally Identifiable Information, 1/13/09
  • IAPP www.privacyassociation.org
U.S. Privacy & Security Laws

Questions?

Diana S. Hare

Associate General Counsel

Drexel University College of Medicine

215.255.7842

[email protected]
