Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 Sara Juster, JD Vice President/Corporate Compliance Officer Nebraska Methodist Health System Sheila Wrobel, JD, MBA UNMC Compliance Officer/Privacy Officer Chris Kerbawy Creighton University Legal Intern


Page 1

Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006

Sara Juster, JD, Vice President/Corporate Compliance Officer, Nebraska Methodist Health System

Sheila Wrobel, JD, MBA, UNMC Compliance Officer/Privacy Officer

Chris Kerbawy, Creighton University Legal Intern

Page 2

How does the Act apply to the health care industry?

The “Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006” is contained in the first 7 sections of LB 876, a bill relating to banking & finance.

Signed and effective April 6, 2006. The Act applies to all individuals and commercial entities. “Commercial entity” includes any “legal entity, whether for profit or not for profit.”

Page 3

Purpose of the Act

Requires prompt investigation and notification to Nebraska residents of breaches of computer security resulting, or likely to result, in the unauthorized use of personal information.

Focus is on computerized information security breaches and not other types of incidents.

Page 4

Definitions

Breach of the Security of the System:

– Unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information.

Personal Information:

– A Nebraska resident’s first name or first initial and last name in combination with any of the following:

- Social Security Number;

- Driver’s license number or State ID card number;

- Account number or credit or debit card number, along with access codes/passwords;

- Unique electronic identification or routing code, along with access codes/passwords; or

- Unique biometric data, such as a fingerprint or voiceprint.

Page 5

Substance of the law

Contained in Section 3. Defines what covered entities must do in the event of a breach. Contains two different sets of requirements for two different targeted entities.

Page 6

Section 3: Two parts

Part 1 – Entities which own or license computerized data containing personal information.

Part 2 – Entities which maintain, but do not own or license, computerized data containing personal information.

Page 7

Section 3, Part 1

In the event of a breach, entities that own or license data have two specific duties:

1) Conduct a reasonable and prompt investigation to determine the likelihood that personal information has been or will be used for an unauthorized purpose.

2) If the investigation determines that use of personal information has occurred or is reasonably likely to occur, the entity must give notice to all affected Nebraska residents as soon as possible, with due consideration for law enforcement and the entity’s internal needs of investigation and restoring system integrity.

Page 8

Section 3, Part 2

In the event of a breach, entities that maintain, but do not own or license, data have a general duty:

– When they become aware of a breach where use of personal information has occurred or is likely to occur, they must give notice to the owner or licensee of the personal information and cooperate with the owner or licensee.

(Cooperation includes sharing information relevant to the breach, not including proprietary information.)

Page 9

Section 3, Part 2 (cont’d)

Part 2 differs from Part 1:

– No requirement for the entity to investigate or notify affected Nebraska residents.

– The entity must make an initial determination regarding the likelihood of unauthorized use.

– The entity must notify the owner or licensee and cooperate in their investigation.

Page 10

Notice Guidelines

Contained in Section 2. Notice can be:

– in writing;

– by telephone;

– electronic; or

– by substitute notice in certain circumstances.

Page 11

Substitute notice – first circumstance

A) Allowed when:

- Notice would cost over $75,000.00,

- Notice would affect over 100,000 Nebraska residents, or

- The entity has insufficient contact information to provide notice.

Three requirements (must do all 3):

1) Send e-mail when addresses available;

2) Post notice on the entity’s web-site if one is maintained; and

3) Provide notice to major state-wide media outlets.

Page 12

Substitute notice – second circumstance

B) Allowed when:

- The entity has fewer than 10 employees, and

- Notice would cost more than $10,000.00.

Four requirements (must do all 4):

1) Send e-mail when addresses available;

2) Buy advertisements in local newspapers at least 1/4 page in size once a week for three consecutive weeks;

3) Post notice on the entity’s web-site if one is maintained; and

4) Provide notice to major statewide media outlets operating in the local area.

Page 13

Exceptions to Notice Requirement

Contained in Section 4. Certain entities are in compliance with Section 3 as long as they follow their own procedures:

– Entities with existing notice procedures that are consistent with the timing requirements of the Act.

– Regulated entities with breach procedures prescribed by regulation.

Page 14

Enforcement

Contained in Section 6. “The Attorney General may issue subpoenas and seek and recover direct economic damages for each affected Nebraska resident injured by a violation of the Act.”

Page 15

Recommendations

Revise Security Incident Response policy to include consumer notification requirements.

Centralize notification responsibility to ensure compliance with the law and effectively manage associated risk & potential litigation issues.

Page 16

Questions???