Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006
Sara Juster, JD, Vice President/Corporate Compliance Officer, Nebraska Methodist Health System
Sheila Wrobel, JD, MBA, UNMC Compliance Officer/Privacy Officer
Chris Kerbawy, Creighton University Legal Intern
How does the Act apply to the health care industry?
The “Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006” is contained in the first 7 sections of LB 876, a bill relating to banking and finance.
Signed and effective April 6, 2006.
The Act applies to all individuals and commercial entities. “Commercial entity” includes any “legal entity, whether for profit or not for profit.”
Purpose of the Act
Requires prompt investigation and notification to Nebraska residents of breaches of computer security resulting, or likely to result, in the unauthorized use of personal information.
Focus is on computerized information security breaches and not other types of incidents.
Definitions
Breach of the Security of the System:
– Unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information.
Personal Information:
– A Nebraska resident’s first name or first initial and last name in combination with any of:
– Social Security Number;
– Driver’s license number or State ID card number;
– Account number or credit or debit card number, along with access codes/passwords;
– Unique electronic identification or routing code, along with access codes/passwords; or
– Unique biometric data, such as fingerprint or voiceprint.
Substance of the law
Contained in Section 3. Defines what covered entities must do in the event of a breach. Contains two different sets of requirements for two different targeted entities.
Section 3: Two parts
Part 1 – Entities which own or license computerized data containing personal information.
Part 2 – Entities which maintain, but do not own or license, computerized data containing personal information.
Section 3, Part 1
In the event of a breach, entities that own or license data have two specific duties:
1) Conduct a reasonable and prompt investigation to determine the likelihood that personal information has been or will be used for an unauthorized purpose.
2) If the investigation determines that use of personal information has occurred or is reasonably likely to occur, the entity must give notice to all affected Nebraska residents as soon as possible, with due consideration for law enforcement and the entity’s internal needs of investigation and restoring system integrity.
Section 3, Part 2
In the event of a breach, entities that maintain, but do not own or license, data have a general duty:
– When they become aware of a breach where use of personal information has occurred or is likely to occur, they must give notice to the owner or licensee of the personal information and cooperate with the owner or licensee.
– Cooperation includes sharing information relevant to the breach, but not proprietary information.
Section 3, Part 2 (cont’d)
Part 2 differs from Part 1:
– No requirement for the entity to investigate or to notify affected Nebraska residents.
– The entity must make an initial determination regarding the likelihood of unauthorized use.
– The entity must notify the owner or licensee and cooperate in their investigation.
Notice Guidelines
Contained in Section 2. Notice can be:
– in writing;
– by telephone;
– electronic; or
– by substitute notice in certain circumstances.
Substitute notice – First circumstance
A) Allowed when:
– Notice would cost over $75,000,
– Notice would affect over 100,000 Nebraska residents, or
– The entity has insufficient contact information to provide notice.
Three requirements (must do all 3):
1) Send e-mail when addresses are available;
2) Post notice on the entity’s web site, if one is maintained; and
3) Provide notice to major statewide media outlets.
Substitute notice – Second circumstance
B) Allowed when:
– The entity has fewer than 10 employees, and
– Notice would cost more than $10,000.
Four requirements (must do all 4):
1) Send e-mail when addresses are available;
2) Buy advertisements in local newspapers at least 1/4 page in size, once a week for three consecutive weeks;
3) Post notice on the entity’s web site, if one is maintained; and
4) Provide notice to major statewide media outlets operating in the local area.
Exceptions to Notice Requirement
Contained in Section 4. Certain entities are deemed in compliance with Section 3 as long as they follow their own procedures:
– Entities with existing notice procedures that are consistent with the timing requirements of the Act.
– Regulated entities with breach procedures prescribed by regulation.
Enforcement
Contained in Section 6. “The Attorney General may issue subpoenas and seek and recover direct economic damages for each affected Nebraska resident injured by a violation of the Act.”
Recommendations
– Revise the Security Incident Response policy to include the Act’s consumer notification requirements (investigation, notice to affected residents, and notice to data owners/licensees where the entity only maintains the data).
– Centralize notification responsibility to ensure compliance with the law and to effectively manage the associated risk and potential litigation issues.
Questions?