
U. S. Privacy and Security Laws

DELVACCA INAUGURAL INHOUSE COUNSEL CONFERENCE

April 1, 2009

Diana S. Hare
Associate General Counsel
Drexel University College of Medicine
[email protected]

U.S. Privacy and Security Laws

Contents:
I. DISCLAIMER
II. Audience Participation
III. What’s Protected?
IV. Sources of Privacy & Security Obligations
- Trends
V. What’s Loss, Liability, Breach?
- Sanctions/Liability
VI. Lessons Learned
VII. Resources


I. DISCLAIMER

This presentation does not include every privacy and security law and regulation in the United States. Its purpose is to provide context, key principles and trends.

Thank you!

II. Audience Participation

• Who knows they are covered by the FTC Guidelines on protecting consumer information collected online?

• Who knows they are covered by HIPAA because they have an employer-sponsored health plan?

• Who knows they are covered by the Red Flags Rule? (And who knows what it is?)

• Who knows they are covered by state data breach notification acts other than Pennsylvania? By the new federal data breach notification act?

• Who has not had employees or consultants lose the company’s customers’ personally identifying information, or access such data beyond their scope of authorization?

III. What’s Protected?

• Identity
– Individually Identifiable Information
– Personal Information
– Education Record
– Name, social security number (cf. redacted to last 4), credit card number
– HIPAA has 18 Identifiers – down to stripping the Zip Code

• Sensitive Information about a Person
– Drug and alcohol treatment
– HIV Status
– Genetic screening
– Children 13 or younger
– Privileged communications

• Data “CIA” =
– Confidentiality
– Integrity
– Availability

• Collection, Use and Disclosure

• Informed Consent

IV. Sources of Privacy & Security Obligations

General Sources
• U.S. Constitution – 4th Amendment; 14th Amendment; U.S. v. Griswold
• Torts – Intrusion upon Seclusion; Invasion of Privacy
• Privileges – Judicial Codes
– Accountant
– Psychologist – 42 PA C.S.A. § 5944
– Sexual Abuse Victim Counseling – 42 PA C.S.A. § 5945.1
– Attorney
– Physician

Federal Laws and Regulations and Guidance:

• U.S. Constitution – see above
• Federal Privacy Act of 1974 – 5 U.S.C. §552a
• FTC Consumer Online Privacy Principles 1998; Online Behavioral Advertising Principles 2009
• FTC COPPA – Children’s Online Privacy Protection Rule – 16 C.F.R. 312


• HIPAA – Health Insurance Portability and Accountability Act of 1996 and Privacy and Security Rules, 45 CFR §§ 160, 162 and 164, as Amended by HITECH Act (see below)

• GLB – Gramm-Leach Bliley Act (Financial Modernization Act of 1999) 15 U.S.C. §6801 et seq. and Financial Privacy Rule 16 C.F.R. 313 and Financial Safeguards Rule 16 C.F.R. 314

• Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99)


• FCRA – Fair Credit Reporting Act (15 U.S.C. 1681 et seq.); amended by FACT Act – Fair and Accurate Credit Transactions Act of 2003

– Section 114 – Identity Theft Prevention – Red Flags Rules – 16 C.F. R. 681

– Section 116 – Proper Disposal of Consumer Information – Disposal of Consumer Report Information and Records - 16 C.F.R. 682


• FDA – Research Data – Electronic Records and Signatures – “Part 11” – 21 C.F.R. 11


• ARRA – American Recovery and Reinvestment Act of 2009 (“Stimulus Bill”) February 17, 2009 (www.whitehouse.gov → http://frwebgate.access.gpo.gov/)
– HITECH Act – Health Information Technology for Economic and Clinical Health Act – Division A, Title XIII of ARRA

• Subtitle D – Privacy – §§13400–13424 – Amends HIPAA, substantially increases penalties (now) and new Federal Data Breach Notification as to Protected Health Information

State Laws:

• More stringent state laws on protected health information supersede HIPAA – e.g.
– PA Confidentiality of HIV-Related Information Act (“Act 148”) 35 P.S. §7601 et seq.

• Limit use of Social Security Numbers, e.g.
– PA Social Security Number Privacy Act – 71 P.S. § 2601 et seq.


• Data Breach Notification Acts –

– California and Massachusetts lead the trends

– PA – Breach of Personal Information Notification Act – 73 P.S. § 2301

– NJ – New Jersey Identity Theft Prevention Act – N.J.S.A. § 56:11-44 et seq. and new draft rules with comment period closed 2/13/09

– DEL – Computer Security Breaches – Title 6, Chapter 12B

• Torts – see above
• Privileges – Judicial Codes (see above)


Industry Standards –

PCI – Payment Card Industry

Key obligations shared:
• Risk assessment
• Administrative, Physical and Technical Safeguards
• Policies and Procedures
• Training
• Sanctions

- Trends in Privacy and Security Laws

Trends in Laws:
• Mandatory encryption
• Mandatory and prompt reporting of data breaches
• Increased penalties; enforcement
• Increased third party vendor oversight, liability
• Board level responsibility (e.g. Red Flags Rule)

- Trends in Privacy and Security

• Data breaches

• Increased Identity Theft

• Class Actions


V. What’s Loss, Liability, Breach?

• Unauthorized Access

• Loss that reasonably could lead to theft

- Sanctions/Liability for Violations: Examples

Laws:

Section 5 of the FTC Act - unfair or deceptive acts

States – “Baby FTC Acts”

HIPAA HITECH Act

- Sanctions/Liability for Violations: Enforcement Actions; Lawsuits:

– Providence Health – unencrypted tapes – OCR/CMS/HIPAA sanction; 1st monetary penalty ($100K)

– Treatment Assocs of Victoria – TX AG – charge – unlawfully dumping client records in publicly accessible garbage; TX Identity Theft Act and Baby FTC Act

– Heartland Payment Systems, N.J. – (payment card processor); hacker; PCI standards; Class Action – on behalf of affected financial institutions


– CVS – dumped prescription labels in dumpster. OCR and FTC joint enforcement: HIPAA Privacy Rule and FTC Act; $2.25 million; FTC 20 year monitoring.

– Premier Capital Lending – GLB Privacy and Security Rules; customer data. Mortgage broker gave access that was used improperly.

– Mortgage Broker Gregory Navone – consumer info into unsecured dumpster; FCRA Disposal Rule violation charged with failure to implement training & exercise oversight of service providers.

VI. Privacy & Security – Lessons Learned

• Access is key; audit logs
• Audit/Assessment of Risks
• Effective Policies and Procedures
• Sanction employees
• Train employees
• It is internal employees and consultants with authorized access


• Vendor management/Due diligence – not just contractual language required by HIPAA, GLB, Red Flag Rules, etc.

• Encryption

• Data Breach – Prepare

• Incident Reporting Team/Committee

• Mandatory Reporting

• Insurance

VII. Privacy & Security - Resources

• Data breach remedial products:
– Credit monitoring products – negotiate contract (Experian)
– Debix
– Insurance coverage purchased (Data breach for one company cost $65K in postage alone!)

• FTC.gov
• OCR Listserv (Office of Civil Rights – DHHS)
• CMS – HIPAA Security Rule
• NIST - National Institute of Standards and Technology www.nist.gov; Computer Security Resource Center (http://csrc.nist.gov); (Draft) Guide to Protecting Confidentiality of Personally Identifiable Information - 1/13/09
• IAPP www.privacyassociation.org

U.S. Privacy & Security Laws

Questions?

Diana S. Hare
Associate General Counsel
Drexel University College of Medicine
215.255.7842
[email protected]