CSI 2008, Legal Developments In Security and Privacy Law

Annual CSI Privacy and Security Legal Update

    1. Developments in Security & Privacy Law (Fall 2008)
    2. Agenda
       - Overview of key security and privacy legal developments from November 2007 until November 2008, including:
         - New and Proposed Federal Legislation
         - New and Proposed Federal Agency Rules and Guidelines
         - New and Proposed State Legislative Activities
         - Agency Enforcement Actions
         - Private and Security Litigation
    3. Universe of Legal Requirements
       - Federal
         - GLBA
         - FTCA
         - SOX
         - FCRA/FACTA
         - HIPAA
         - FISMA
         - FERPA
         - 21 C.F.R. Part 11 (FDA Regulations)
       - State
         - Notice of Security Breach
         - Other State Laws
       - International
         - EU Data Protection Directive
           - Member Country Legislation
           - Binding Corporate Rules, etc.
           - US Safe Harbor
         - Canada PIPEDA
         - Others (e.g., Japan, Australia)
       - Private Contractual Requirements
         - PCI DSS
         - Business Associate Agreements
         - Service Provider Agreements
    4. New and Proposed Federal Legislation
    5. New: Former Vice President Protection Act of 2008 / Identity Theft Enforcement and Restitution Act of 2008 (H.R. 5938)
       - Signed by President Bush on Sept. 26, 2008
       - Key Provisions
         - eliminates the jurisdictional requirement that a computer's information must be stolen through an interstate or foreign communication in order to federally prosecute the crime
         - makes it a crime to threaten to obtain or release information from a computer for extortion purposes
         - extends the jurisdiction of federal computer fraud statutes to cover small businesses and corporations, and makes it a felony to employ "spyware" or "keyloggers" resulting in damage to 10 or more computers, regardless of the aggregate amount of damage caused (removes the $5,000 threshold)
         - expands remedies for identity theft victims by allowing them to seek restitution
           - Helpful to identity theft victims who do not incur direct monetary losses from identity theft but often expend considerable uncompensated time and effort to address fraudulent credit card charges
    6. New: Credit and Debit Card Receipt Clarification Act of 2007
       - Signed by President Bush on June 3, 2008
         - amends the 2003 Fair and Accurate Credit Transactions Act, 15 U.S.C. § 1681c(g), which itself amended the Fair Credit Reporting Act
         - bars plaintiffs from suing merchants based on a claimed willful violation of the FACT Act if merchants truncated customer payment card numbers on electronic receipts to five or fewer digits (which complies with the FACT Act) but printed card expiration dates on the receipts (which is prohibited under the FACT Act)
    7. Other New Laws
       - Consolidated Security, Disaster Assistance, and Continuing Appropriations Act (H.R. 2638)
         - provides, among other things, $100 million to continue E-Verify in fiscal year 2009
    8. What is Happening with the Federal Notice of Breach Law?
       - There have been 14 bills introduced in the 110th Congress
         - 9 of them would require businesses to notify individuals if their personal information is breached, and contain a provision to preempt the existing body of state breach notice laws
         - 2 bills would require notice only for the breach of health information protected under HIPAA
         - 3 bills would require only federal agencies to provide breach notice to individuals
       - The House and Senate are to return Nov. 17 for a lame duck session. But given the press of other business, it is unlikely that the 110th Congress will clear any of the breach notice bills before closing in January 2009
    9. Senate Bills
       - S. 239, Feinstein: Passed Judiciary May 3, 2007
         - 5/31/07, Placed on Senate Legislative Calendar under General Orders. Calendar No. 180
       - S. 495, Leahy and Specter: Passed Judiciary May 3, 2007
         - 5/23/07, Placed on Senate Legislative Calendar under General Orders. Calendar No. 168
       - S. 1178, Stevens and Inouye: Passed Commerce April 24, 2007
         - 12/5/07, Placed on Senate Legislative Calendar under General Orders. Calendar No. 520
       - S. 1202, Sessions: Failed in Judiciary May 3, 2007
       - S. 1260, Carper and Bennett: Introduced May 1, 2007
         - 5/1/07, Referred to Senate committee. Status: Read twice and referred to the Committee on Banking, Housing, and Urban Affairs
       - S. 1558 [Federal Agencies Only], Coleman: Introduced June 6, 2007; referred to Homeland Security
    10. House Bills
       - H.R. 836, Smith: Introduced Feb. 6, 2007; referred to Judiciary
       - H.R. 958, Rush and Stearns: Introduced Feb. 8, 2007; referred to Commerce
       - H.R. 1685, Price: Introduced March 26, 2007; referred jointly to Financial Services and Government Reform
       - H.R. 2124 [Federal Agencies Only], Davis, Tom: Introduced May 3, 2007; referred to Government Reform
       - H.R. 3800 [Health Information Only], Rogers and Eshoo: Introduced Oct. 10, 2007; referred to Energy and Commerce
       - H.R. 4175, Conyers and Smith: Introduced Nov. 14, 2007; referred to Judiciary
       - H.R. 4791 [Federal Agencies Only], Clay: Passed House in June; received in the Senate, read twice and referred to the Committee on Homeland Security and Governmental Affairs
       - H.R. 6357 [Health Information Only], Dingell: Passed House Energy and Commerce Health Subcommittee June 26; referred to House Committee on Ways and Means; granted an extension for further consideration ending no later than June 3, 2009
    11. Key Health Information Technology Bill
       - Wired for Health Care Quality Act (S. 1693), introduced by Kennedy (D-MA), Enzi (R-WY), Clinton (D-NY) and Hatch (R-UT):
         - June 2007: Approved by the Health, Education, Labor and Pensions (HELP) Committee
         - May 2008: Appeared to be headed to the floor after Senate Judiciary Committee Chairman Patrick Leahy (D-VT) and HELP committee leaders reached agreement on new privacy provisions to be included in the bill
         - October 1, 2008: Kennedy filed a report on the bill, but the bill was not put up for a vote
       - Passage by the 110th Congress not likely
    12. HIT Bills before Congress, House
       - H.R. 6357
       - H.R. 2991
       - H.R. 6179
       - H.R. 6898
       - The House Energy and Commerce Committee approved the bill July 23; the House Ways and Means Committee retained jurisdiction over the bill and as of Oct. 2 had not acted on it
       - Breach Notification: exempts good-faith disclosures or encrypted information
       - Continues HIPAA Security
    13. Proposed FISMA Act of 2008
       - Introduced Sept. 11 by Sens. Thomas Carper (D-DE) and Norm Coleman (R-MN), Committee Chairman Joseph Lieberman (I-CT), and Ranking Minority Member Susan Collins (R-ME)
       - The legislation was approved Sept. 23 by the Senate Committee on Homeland Security and Governmental Affairs, without amendment, on a voice vote
    14. Proposed FISMA Act of 2008
       - Amends FISMA 2002
       - S. 3474, if passed, would:
         - turn the current FISMA requirement for an annual compliance "evaluation" into a mandatory yearly "audit" of data security practices at each agency
         - require that an audit include "a conclusion as to whether the agency's information security controls are effective, including an identification of any significant deficiencies in the controls"
    15. Proposed FISMA Act of 2008 (cont'd)
         - require agencies to hire a CISO, create a Chief Information Security Office, and create an interagency Chief Information Security Officer Council to provide data security best practices guidance
         - require agencies to continuously monitor their information networks for malicious activity
         - require DHS to provide annual reports to Congress on the cybersecurity operational evaluations and testing protocols employed by each federal agency
    16. Proposed FISMA Act of 2008: Contractor Requirements
         - Would require that, within 180 days of enactment, OMB, in consultation with NIST, propose information security regulations governing contracts
         - Contracts to include:
           - task and/or delivery orders issued pursuant to contracts
           - contracts between the federal government and any individual, corporation, partnership, organization, or other entity that interfaces with an information system of an agency or collects, stores, operates, or maintains information on behalf of the agency
    17. Proposed FISMA Act of 2008: Contractor Requirements
       - Increase Oversight of Contractor Systems
       - Improve Inventory of Contractor-Run Systems
       - Contractually Impose Compliance
    18. House Bill to Amend FISMA
       - H.R. 4791 would require OMB to establish rules requiring that contracts with all outside companies used by the government that maintain PII abide by the minimum network configuration, mobile device, and other data security rules
         - Status: 6/4/2008, Referred to Senate committee. Status: Received in the Senate, read twice and referred to the Committee on Homeland Security and Governmental Affairs
    19. Federal Trade Commission Reauthorization Act of 2008 (S. 2831)
       - would allow the FTC:
         - for the first time, to seek civil penalties against companies for violations of any of the laws it enforces, including Section 5 of the FTC Act
         - to file enforcement lawsuits in federal court, including Section 5 cases, on its own rather than asking the Justice Department to file such suits on behalf of the FTC
         - to conduct rulemaking procedures through Section 553 of the Administrative Procedures Act
       - Latest Major Action: 4/8/2008, Referred to Senate committee. Status: Read twice and referred to the Committee on Commerce, Science, and Transportation
    20. Other Pending Legislation
       - Federal Spyware Law
         - S. 1625, Federal Anti-spyware Law
           - Would preempt state spyware laws
           - 6/11/2008, Senate committee/subcommittee actions. Status: Committee on Commerce, Science, and Transportation. Hearings held
    21. Proposed or New Federal Agency Rules and Guidelines: Security, Privacy, Identity Theft
    22. Proposed Amendments to Regulation S-P
       - GLBA/FACTA
       - Applies to brokers, dealers, registered investment advisers, investment companies and transfer agents
       - Broadens Safeguards
       - Disposal Rule
       - Notice of Breach Rule
       - Contains new exception to opt-out of information sharing
       - 73 Fed. Reg. 13692 (March 13, 2008)
    23. FACT Act Red Flags Regulations
       - On October 31, 2007, a joint final rule* was released implementing sections 114 and 315 of the FACT Act (FACTA)
       - The rule, referred to as the "Red Flag Rule," establishes interagency regulations requiring "financial institutions and creditors" to implement an identity theft prevention program:
         - written identity theft prevention programs;
         - describes the factors that financial institutions and creditors should address in their programs' policies and procedures
       - The rules became effective Jan. 1, and covered entities were given until Nov. 1 to comply, but enforcement has been delayed until May 2009 for entities subject to the FTC rules
    24. FTC Enforcement Delay
       - Some industries were uncertain whether they needed to comply with the Red Flag Rules, as they did not know they fell under the definition of "creditor" or "financial institution"
         - Under the rules, a financial institution is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a "transaction account" belonging to a consumer, such as a checking account, savings deposit subject to automatic transfers, or share draft account
         - Under the rules, a creditor includes any entity that "regularly extends, renews, or continues credit"
       - The FTC has authority over enforcement of the rule for most entities that fall under the "creditor" prong of the rule
       - Affects many businesses that set up accounts and permit payments over time:
         - Hospitals
         - Finance Companies
         - Automobile Dealers
         - Mortgage Brokers
         - Utility Companies
         - Telecommunications firms
    25. ID Theft Prevention Program
       - Requires reasonable policies and procedures to:
         - identify relevant patterns, practices, and specific forms of activity that are "red flags" signaling possible identity theft, and incorporate those red flags into the program;
         - detect red flags that have been incorporated into the program;
         - respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
         - ensure the program is updated periodically to reflect changes in risks from identity theft
       *Red flags are sets of conditions that could point to ID theft, such as an atypical spending pattern, or receipt of a change of address notice followed immediately by multiple credit and/or debit card requests.
    26. State Legislative Action: When Congress Doesn't Act, States Fill in the Gaps
    27. 44 States Have Enacted State Notice of Breach Laws
       - All require businesses and/or government to notify state residents if their computerized personal information is compromised in a data breach incident
       - Compliance obligations can differ significantly
         - Inconsistent provisions
         - Requires research of key
       - The following have not:
         - Alabama
         - Kentucky
         - Missouri
         - Mississippi
         - New Mexico
         - South Dakota
       - PLUS:
         - District of Columbia (B16-810, D.C. Code § 28-3851)
         - Puerto Rico (Law 111 and Regulation 7207)
    28. Inconsistent State Breach Notice Laws
       - Personal Information: At a minimum, define "personal information" as a name in combination with a Social Security number, driver's license or state identification number, or financial account or debit card number plus an access code, the breach of which triggers the need to notify consumers
         - Some include passports or other forms of federal identification
       - Breach: Most apply only to breaches of unencrypted electronic personal information, and require written notification after a breach is discovered
         - Some also require notice if the encryption key is breached along with the encrypted data
       - Notification: Most require notification if there has been, or there is a reasonable basis to believe that, unauthorized access that compromises electronic personal information has occurred
       - Risk of Harm: In some states, entities need not notify individuals of a breach if an investigation by the covered entity (sometimes in conjunction with law enforcement) finds no significant possibility that the breached data will be misused to do harm to the individual
    29. Inconsistent State Breach Laws (cont'd)
       - Enforcement Authority: Most give the state's Attorney General enforcement authority
         - A few provide a private cause of action
       - Law Enforcement Delay: Most allow for a delay in notification if a disclosure would compromise a law enforcement investigation, except Illinois
       - Substitute Notice: Most allow substitute notice to affected individuals via announcements in statewide media and on a Web site if more than 500,000 people are affected or the cost of notification would exceed $250,000; RI, DE, NE and OH set lower thresholds
       - Safe Harbor: Some provide a "safe harbor" for covered entities that maintain internal data security policies that include breach notification provisions consistent with state law or federal law such as HIPAA and GLBA (e.g., OH, MD)
       - Security and Privacy Programs: Some require implementation of safeguards to protect information security and privacy (e.g., MD)
       - Disposal: Some require proper disposal of PI (e.g., MD, MA, OR)
    30. 2007 "SB 1386" Amendment
       - Includes medical and health information in the definition of "personal information"
         - Such information can include medical history, diagnosis, policy number, subscriber number, an application, claims history, and appeals history
       - Expands the state's Confidentiality of Medical Information Act to include in its scope businesses that handle or maintain medical information even if the business is not primarily engaged in maintaining medical records
       - Expands the scope of information required in breach notices to consumers, which now must include:
         - who had the data;
         - when the breach occurred (date or estimated date);
         - a description of the categories of information involved; and
         - toll-free numbers to contact the responsible entity and the credit bureaus
    31. Emerging State Data Security Laws
       - 10 States (AR, CA, CT, MD, MA, NV, RI, OR, TX, and UT) have laws requiring businesses to protect the "security and confidentiality" of personal information about residents
         - Massachusetts 201 CMR 17.00 specifies:
           - Implement a risk-based "comprehensive, written information security program" in accordance with a detailed list of requirements; and
           - Encrypt all personal information stored on laptops or other portable devices, all records and files transmitted over public networks "to the extent technically feasible," and all data transmitted wirelessly
       - NOTE: Compliance Deadline Moved:
         - From 1/1/09 to 5/1/09
           - General compliance
           - Ensuring, and contractually binding, third-party service providers to provide adequate safeguards
           - Ensuring encryption of laptops
         - From 1/1/09 to 1/1/10
           - Ensuring encryption of other portable devices
           - Obtaining written certification from third-party providers
    32. Massachusetts Compliance Program Elements
       - Assign Responsibility: Designate one or more employees to maintain the security program;
       - Identify Information Assets: Identify the corporate information assets that need to be protected, including records containing personal information and computing systems and storage media (such as laptops and portable devices) used to store such personal information;
       - Conduct Risk Assessment: Conduct a risk assessment to identify and assess internal and external risks to the security, confidentiality, and/or integrity of its information assets, and evaluate the effectiveness of the current safeguards for minimizing such risks;
       - Implement Security Controls: Select and implement appropriate physical, administrative, and technical security controls to minimize the risks identified in its risk assessment, including security controls within certain identified "categories";
       - Monitor Effectiveness: Regularly monitor and test the security controls it has implemented to ensure that the security program is operating in a manner reasonably calculated to protect the personal information, and upgrade the security controls as necessary to limit risks;
       - Regularly Review Program: Review and adjust the security program at least annually, including (i) whenever there is a material change in business practices that could affect personal information, and (ii) following any incident involving a breach of security; and
       - Address Third Party Issues: Carefully select, retain and supervise contractors and third party service providers that have access to the company's personal information by (i) taking reasonable steps to verify that they are capable of maintaining safeguards for the personal information; (ii) contractually requiring them to maintain such safeguards and to provide appropriate assurances; and (iii) monitoring their compliance with those commitments.
    33. Massachusetts Safeguards
       Note: Massachusetts also has data destruction requirements (Mass. Gen. Law 93I).
       - Administrative
         - Limit the amount of personal information (PI) collected, retention periods, and the persons who are allowed to access it
         - Implement policies and procedures regarding:
           - employee access to, and transport of, records outside of business premises;
           - disciplinary measures for violations of the security program; and
           - preventing terminated employees from accessing records
         - Provide security education and training for employees
       - Technical
         - Secure user authentication protocols
         - Secure access, providing access only to those who require the information to perform their job duties; assign unique IDs and passwords to each person
         - Encrypt records containing PI that are transmitted over the Internet, transmitted wirelessly, or stored on laptops or other portable devices
         - Monitor systems for unauthorized access or use
         - Keep current firewall protection, operating system security patches for systems connected to the Internet, and malware/virus software
       - Physical
         - Implement reasonable restrictions on physical access to records
         - Store records containing PI and data in locked facilities, storage areas or containers
    34. Spyware: State Laws
       State statutes specifically targeting spyware and adware:
       - Alaska
       - Arizona
       - Arkansas
       - California
       - Georgia
       - Hawaii (Limited Provisions)
       - Indiana
       - Iowa
       - Louisiana
       - Nevada
       - New Hampshire
       - Rhode Island
       - Texas
       - Utah
       - Virginia
       - Washington
         - Amended in 2008 (HB 2879)
    35. New 2008 State Spyware Efforts
       - Alabama (SB 145) (Failed)
       - Florida (SB 1658), Intro. 2/7/08 (Failed)
       - Hawaii (HB 2033) (Criminalization) (Failed)
       - Illinois (SB 1199, SB 1495) (No Action; Alive, Session Ends Early '09)
       - Maine (LD 1029) (Failed)
       - Massachusetts (SB 259, HD 350) (No Action; Alive, Session Ends 12/31/08)
       - Michigan (SB 145) (No Action; Alive, Session Ends Early '09)
       - Mississippi (SB 2412) (Failed)
       - Missouri (HB 2203) (Failed)
       - New York (AB 6531 / SB 1459, SB 3655, SB 4948) (No Action; Alive, Session Ends Early '09)
       - Pennsylvania (HB 755, S.B. 711) (No Action; Alive, Session Ends 11/30/08)
       - Washington (HB 2879), Intro. 1/17/08 (Passed)
         - adds a host of computer-related spyware provisions to Washington's current spyware law, and changes the burden of proof for existing provisions
       - West Virginia (HB 4053), Intro. 1/16/08 (Failed)
    36. State Social Security Laws
       - Over the last three years the number of states with some sort of SSN restriction law has grown from 8 to 39
       - The Social Security laws vary widely from state to state. Some common prohibitions on SSN uses are as follows:
         - public posting of SSN information;
         - use of SSNs on registration and service cards;
         - requiring SSNs for access to Web sites;
         - transmitting SSN data over the Internet;
         - sending mail with visible SSNs;
         - putting SSNs on faxes;
         - using SSNs as an employee ID number;
         - using SSNs as customer account numbers;
         - printing SSNs on pay stubs; and
         - selling SSNs.
    37. Agency Enforcement Actions and Private Litigation
    38. HIPAA Security Enforcement
       - 364 Cases Total
         - 84 Open
         - 280 Closed
    39. CMS Security Audits
       - 2008: CMS announces contract with PwC to conduct security audits (compliance reviews)
       - Target: Covered entities for which CMS has received a complaint
       - Purpose: To evaluate Security Rule compliance / corrective action plans following a complaint
    40. CMS PwC Compliance Reviews
       - Started in January 2008; plan to complete 14 by end of the year
       - Target organization given one month warning
       - Results to be published in confidential form
       - Looking at a wide range of areas including remote access, devices, and policies and procedures
    41. CMS Guidance
       - Interview and Document Request for HIPAA Security Onsite Investigations and Compliance Reviews
         - Lists personnel who may be interviewed
         - Areas of inquiry
         - Documents and other information that may be requested
    42. Providence Health Systems
       - Violations between 09/2005 and 03/2006
         - Backup tapes, optical disks, and laptops containing unencrypted EPHI were removed from Providence premises and left unattended
         - Media and laptops were stolen, resulting in a possible compromise of the records of 360,000 patients
    43. Resolution Agreement
       - Payment of $100,000
       - Implementation of a detailed corrective action plan
    44. Corrective Action Plan
       - Policies and procedures revision/distribution
       - Training workforce members
       - Monitoring through periodic audits and site visits
       - Compliance reports to be submitted to HHS for 3 years
    45. HHS Office of Inspector General (OIG)
       - HHS OIG is responsible for reviews of CMS' oversight, implementation and enforcement of the HIPAA Security Rule
         - Cedars-Sinai Medical Center, Los Angeles, CA (2008)
         - Piedmont Hospital, Atlanta, GA (2007)
       - 2009 OIG Work Plan: these reviews will continue
    46. OIG Audit of CMS' HIPAA Enforcement
       - OIG found that CMS had taken limited actions to ensure that covered entities adequately implemented the HIPAA Security Rule
         - Has a sufficient method to track complaints
         - Has no effective mechanism to ensure that covered entities were complying with the HIPAA Security Rule or that EPHI was being adequately protected
       - CMS agreed with OIG's recommendation to establish specific policies and procedures for conducting compliance reviews of covered entities
       - Audit was released on 10/27/08: http://oig.hhs.gov/oas/reports/region4/40705064.asp
    47. FTC Security Enforcement
       - Deceptive Trade Practices: based on the notice of privacy practices and official statements regarding how an organization safeguards sensitive information (e.g., In re Guidance Software Inc.)
       - Unfair Trade Practices: practices that "threaten data security" are unfair practices (e.g., In re BJ's Wholesale Club)
       - GLBA Safeguards: violations of the Safeguards Rule (e.g., In re Superior Mortgage Corp.)
    48. Enforcement/Consent Orders - FTCA
       Total of 18 cases, including:
       - In re Reed Elsevier Inc., FTC, File No. 052 3094 (3/27/08)
       - In re TJX Cos. Inc., FTC, File No. 072 3055 (3/27/08)
       - United States v. ValueClick Inc., C.D. Cal., No. CV08-01711 (3/17/08)
       - Life is good Inc., FTC, File No. 072-3046 (1/17/08)
       - In re Guidance Software Inc., FTC, File No. 062 3057 (11/16/06)
       - United States v. ChoicePoint, 106-cv-0198 (N.D. Ga., 2/15/06)
       - In re CardSystems Solutions Inc., FTC, File No. 052 3148 (9/5/06)
    49. FTC Enforcement - GLBA Safeguards
       - In re Goal Fin. LLC, FTC, No. 072-3013 (2/19/08)
       - United States v. American United Mortgage Co., No. 07C 7064 (N.D. Ill., 12/17/07) (Disposal Rule)
       - In re Nations Title Agency Inc., FTC, No. 052 3117 (5/10/06)
       - In re Superior Mortgage Corp., FTC, File No. 052 3136 (9/28/05)
       - In the Matter of Nationwide Mortgage Group, Inc., and John D. Eubank, FTC File No. 042-3104 (4/15/05)
       - In re Sunbelt Lending Services, FTC, File No. 042-3153 (11/16/04)
    50. 50. Consent Orders and Security <ul><li>Security Program Elements: </li></ul><ul><ul><li>designate an employee or employees to coordinate the information security program; </li></ul></ul><ul><ul><li>identify internal and external risks to the security and confidentiality of personal information and assess the safeguards already in place; </li></ul></ul><ul><ul><li>design and implement safeguards to control the risks identified in the risk assessment and monitor their effectiveness; </li></ul></ul><ul><ul><li>develop reasonable steps to select and oversee service providers that handle the personal information they receive from the companies; and </li></ul></ul><ul><ul><li>evaluate and adjust their information security programs to reflect the results of monitoring, any material changes to their operations, or other circumstances that may impact the effectiveness of their security programs </li></ul></ul>Implement administrative, technical, and physical safeguards appropriate to the size, the nature of the company’s activities, and the sensitivity of the personal information collected by each organization. <ul><li>Biennial outside assessment of security programs basis for 20 years. </li></ul><ul><ul><li>Auditors certification that the companies' security programs meet or exceed the requirements of the consent orders and are operating with sufficient effectiveness to provide reasonable assurance that the security of consumers' PI is being protected. </li></ul></ul>
    51. 51. SEC Enforcement of Regulation S-P <ul><li>In re LPL Fin. Corp., SEC Admin. Proc. File No. 3-13181 (9/11/08)</li></ul><ul><ul><li>The SEC sanctioned broker-dealer LPL Financial Corp. for willfully failing to safeguard customer information, which allowed hackers to gain access to the company’s customer accounts. </li></ul></ul><ul><li>Penalties </li></ul><ul><ul><li>$275,000 penalty and an order to cease and desist from future violations of the Safeguards Rule of Regulation S-P. </li></ul></ul><ul><ul><li>Undertake remedial actions, including implementing policies and procedures for training its employees and registered representatives on safeguarding customer records and information. </li></ul></ul><ul><ul><li>Hire a consultant to review its information security program. </li></ul></ul>
    52. 52. U.S. InfoSec Litigation <ul><li>TJX Class Actions (discussed next)</li></ul><ul><li>Guin v. Brazos Higher Educ. Serv. Corp. Inc., No. 05-668 (D. Minn. Feb. 2, 2006)</li></ul><ul><li>Key v. DSW Inc., 454 F. Supp. 2d 684 (D. Ohio 2006)</li></ul><ul><li>Bell v. Acxiom Corp., No. 4:06CV00458-WRW (E.D. Ark. Oct. 3, 2006)</li></ul><ul><li>Stollenwerk v. Tri-West Healthcare Alliance, No. Civ. 03-0185 (D. Ariz. Sept. 6, 2005)</li></ul><ul><li>Forbes v. Wells Fargo Bank, No. 05-2409 (DSD/RLE) (D. Minn. Mar. 16, 2006)</li></ul>“No court has considered the risk [of ID theft] itself to be damage.” The analysis changes where plaintiffs can show actual damages.
    53. 53. TJX Companies Breach <ul><li>On Jan. 17, 2007, TJX Companies Inc., including TJ Maxx, Marshalls and HomeGoods, announced that the portion of its computer network that handles customer transactions had been broken into by unauthorized individuals and that at least 46.2 million credit and debit cards may have been compromised. </li></ul><ul><ul><li>This resulted in litigation, investigations, and consideration of new laws to protect banks in California, Connecticut, Illinois, Massachusetts, Minnesota, New Jersey and Texas. Only the Minnesota law was actually enacted. </li></ul></ul><ul><ul><li>Settlements have reduced what once were as many as 18 separate putative bank and consumer class action lawsuits against the company. </li></ul></ul><ul><li>September 2007 - Consumer settlement includes $7 million to reimburse customers for credit monitoring and other identity theft mitigation measures they undertook, plus a company-wide one-day sale. </li></ul><ul><li>November 2007 - Settlement with Visa (and issuing banks): $40.9 million. </li></ul><ul><li>December 2007 - TJX settled for $40 million with banking associations and all but one individual bank that had filed class actions seeking reimbursement of their breach-related costs, such as reissuing compromised cards and covering fraudulent purchases. </li></ul><ul><li>April 2008 - Settlement with MasterCard (and issuing banks): $34 million. </li></ul>
    54. 54. New Security Breach Cases <ul><li>Hannaford Bros. Co. supermarket chain and its parent corporation Delhaize America Inc. </li></ul><ul><ul><li>Over 12 separate class actions in Florida, Maine, New Hampshire and New York </li></ul></ul><ul><li>Schaffer v. Davidson, D. Mont., No. 2:08-cv-00019-SEH, complaint filed 3/27/08 </li></ul><ul><ul><li>Breach of 226,000 clients’ PI </li></ul></ul>
    55. 55. Thank You! M. Peter Adler Attorney at Law 202.220.1278 Direct Fax: 800.684.2749 [email_address] Hamilton Square 600 Fourteenth Street, N.W. Washington DC 20005-2004 202.220.1200 Fax: 202.220.1665 www.pepperlaw.com