Thursday, January 28, 2010

Interesting perspective on Data Privacy Day and data privacy in general

Declan McCullagh is always a good read -

It's been 10 years: Why won't people pay for privacy? Politics and Law - CNET News

Data Privacy Day -- Tip #4 -- Transactional Best Practices for Lawyers

Written by Michael Arnold and Jennifer Rubin

Even though lawyers working on both sides of an M&A transaction during the due diligence phase might immerse themselves in a “confidentiality bubble”, they still must be careful not to disclose or access confidential employee information in the course of that transaction. Attorneys evaluating potential transactions might be tempted to access information regarding target employees, such as personnel files, compensation information, and information concerning performance evaluation and other historical employment information. Transactional attorneys are often surprised to learn that dissemination of some of this information, even among those subject to a confidentiality agreement, may violate an employee’s privacy rights and even violate the law.

Some states preclude employers from disclosing employee personnel information or from revealing information regarding employee compensation altogether, while other states require a waiver from the employee as a condition to dissemination to any third parties. Federal and many state laws make it illegal for companies to disclose employee medical records without authorization, and this is particularly a concern where those records include personal health information and may implicate newly-expanded HIPAA regulations. Personnel files of employees who are Massachusetts residents will contain "personal information" that can only be transmitted in compliance with the Massachusetts regulations. In the cross-border M&A context, "personal data" of employees can only be transferred to the U.S. (or to U.S. persons) in compliance with applicable data protection laws in their country of residence/employment -- and in most cases can only be transferred with the employee's consent. Even documents in a digital "data room" that can be accessed from the U.S. may fall afoul of data protection laws in other countries.

Companies must ensure that they have the proper mechanisms in place to minimize the exposure of personnel information during a contemplated transaction, including having a good understanding as to what legally may and may not be provided to potential acquirers, and securing any necessary waivers from employees prior to turning that information over in the due diligence process.

And finally, storage and disposal of due diligence files containing personal information or protected health information must be handled in accordance with applicable state and federal laws. If you don't keep it, you can't lose it!

Data Privacy Day - Tip #3 - The weakest link??

My lunchtime speaking engagement was at the International Association of Privacy Professionals' Boston KnowledgeNet. I had the pleasure to share the panel with Mike Spinney from SixWeight (www.sixweight.com) and identity theft guru Robert Siciliano. We had a spirited discussion about privacy training and awareness. You can access their blogs in the panel to the right.

Our conclusion -- People are one of the weakest links in information security: employee negligence or wrongdoing is among the most common causes of security breaches.

Implement and train employees to follow formal information security policies that protect the private information of employees and customers.

Limit the number of people who have access to and/or handle confidential documents. Be careful when hiring new employees and perform full reference checks and, where warranted, ask new hires to sign confidentiality agreements.

Privacy awareness is as important as training and it should be continuing education.

Happy Data Privacy Day! Post #3 - Cable/Online Behavioral Advertising Issues

Earlier this week, Mintz Levin’s Chris Harvie, a Member in the Communications section, spoke at the PLI Broadband and Cable Industry Law Seminar in New York City. Chris provided an overview of the cable privacy provisions found in Title VI of the Communications Act and discussed the restrictions and obligations that apply to the collection and use of personally identifiable information (PII) by cable operators. He also gave an overview of noteworthy Federal cases that provide guidance on the nature and scope of the Cable Act’s restrictions on the collection and use of PII.

The panel also featured Gerard J. Lewis, Jr., Vice President and Deputy General Counsel and Chief Privacy Officer at Comcast Cable Communications, LLC and David Sohn, Senior Policy Counsel, Center for Democracy and Technology. Mr. Lewis provided an overview of the latest policy developments at the FTC and FCC with respect to behavioral advertising, noting the growing concern expressed by privacy advocates that the “notice and consent” model for consumer privacy protection may not suffice in the online world. Mr. Sohn provided a privacy advocate’s perspective on the debate, and expressed support for the establishment of fair information practices that would govern how and when Internet users’ clickstream data can be used in connection with online behavioral advertising.

The discussions at the PLI seminar are especially relevant in light of the FTC's second privacy roundtable addressing online behavioral advertising issues, which is being held today. Both FTC Chairman Jon Leibowitz and Consumer Protection Director David Vladeck have expressed doubts about the adequacy of the notice and consent model, suggesting that we may be moving to a “post-disclosure” era. We'll be blogging about today's FTC Privacy Roundtable at a later date.

Data Privacy Day Tip #2 - HITECH Act

Written by Dianne Bourque

Effective February 17, 2010, significant new compliance obligations will be imposed on business associates through the HITECH provisions of the American Recovery and Reinvestment Act of 2009 ("ARRA"). Business associates (or organizations that use or disclose protected health information on behalf of covered entities subject to HIPAA) will be directly liable for compliance with certain provisions of the HIPAA Privacy Rule and the HIPAA Security Standards, and may be audited by the Department of Health and Human Services ("HHS"). They will also be subject to increased civil and criminal penalties for non-compliance.

DATA PRIVACY DAY REMINDER: Time to update business associate agreements to reflect HITECH's new breach-notice provisions and other requirements. Business associates must also--at a minimum--(i) undertake and complete a security risk assessment, (ii) prepare and adopt written security policies and procedures, and (iii) conduct workforce training in their policies and procedures.

Link to blog post for more information:
Privacy and Security Information - Privacy MATTERS: Federal Breach Notification Rules -- NEXT WEEK. Are you ready?

Happy Data Privacy Day! Tip #1

Today is worldwide Data Privacy Day. What is your company doing to promote data privacy and security in your enterprise? I'll be participating in a KnowledgeNet in Boston, sponsored by the International Association of Privacy Professionals. The discussion topic is Privacy Awareness and Training.

And don’t forget, the March 1 deadline for compliance with the sweeping Massachusetts data security regulations is fast approaching. Click here for complete information and FAQs. We'll be posting additional tips through the day in honor of Data Privacy Day 2010.

Friday, January 15, 2010

Connecticut Attorney General Brings Charges Against Health Net for HIPAA Violations

Written by Dianne Bourque

On January 13, Connecticut Attorney General Richard Blumenthal filed charges against Health Net of Connecticut, Inc., for violating federal privacy law. Blumenthal is the first state attorney general to file such a suit using HIPAA enforcement authority granted to states under the HITECH provisions of the American Recovery and Reinvestment Act of 2009.

The lawsuit was prompted by Health Net’s loss of a portable disk drive from a Connecticut office. The unencrypted drive contained health and other personal information for approximately 1.5 million current and former Health Net members. Almost one-half million of the affected members were Connecticut residents.

In a statement, Health Net said that it would cooperate with the Attorney General and that there is no evidence that any of the lost data had been misused.

Monday, January 11, 2010

New Settlement Agreement in Heartland Breach

And the cash register continues to ring with respect to the Heartland Payment Systems Inc. breach.

Heartland disclosed last week in a filing with the Securities and Exchange Commission that it has agreed to pay a maximum of $60 million to Visa Inc. and Visa card-issuing banks to settle claims arising out of the massive payment card data breach last January.

The proposed settlement is conditioned on 80% of eligible banks accepting the settlement offers. Under the agreement, some $59.2 million of the maximum settlement amount would be available to pay Visa card-issuing banks for their costs associated with the data breach. An additional $780,000 would be used to clear fines related to the breach collected by Visa from banks. According to the agreement, settlement offers will go out to eligible Visa-issuing banks next week and must be accepted by January 29.

More information: The full text of the Settlement Agreement

Friday, January 8, 2010

Security Bits and Bytes

A few items to wrap up/review privacy and security issues in 2009 and open up 2010:

Gonzalez Pleads Guilty in December 2009 - but this piece from Retail Research Systems explains why retailers should not be sanguine about data security: Privacy Risks for 2010

RFID in 2010: The New Hampshire House of Representatives voted this week to prohibit the implantation of tracking devices in humans without their written consent. The bill also includes a provision banning the use of radio frequency identification (RFID) tags to track consumers, and would require consumer notice for any goods implanted with an RFID tag. Furthermore, the bill would prohibit cloning of RFID-enabled debit and credit cards. The RFID 24-7 Newsletter highlights some additional trends to watch in 2010.

After Heartland - Is "Mere Compliance" with Standards Enough? An interesting article in Computerworld reports that nearly a year following the disclosure of a Heartland Payment Systems data breach affecting 130 million credit and debit card holders, the debate over the effectiveness of basic compliance continues to rage.

Federal Trade Commission - New COPPA Safe Harbor Guidelines? The Federal Trade Commission (FTC) this week issued a call for public comment on a set of proposed guidelines to help businesses comply with the Children's Online Privacy Protection Act (COPPA). The proposed guidelines were submitted by iSafe, a nonprofit organization dedicated to promoting a safe online experience for children. If adopted by the FTC, the guidelines--designed to encourage better self regulation among Web sites targeting children under the age of 13, or sites that knowingly collect information from children under the age of 13--would constitute a safe harbor program under COPPA. The public comment period will last 45 days from January 6.

Thursday, January 7, 2010

Maine - New Year, New Legislative Session, New Version of the Marketing to 'Tweens Law

As promised last year, the Maine legislative session opened this week with the introduction of a new predatory marketing bill--LD 1677. This bill would repeal the beleaguered LD 1883, which was signed into law last year but faced major opposition from industry groups, leading Maine's attorney general to promise not to enforce the law. The new bill applies to online information only and is limited to pharmaceutical marketing. It gives the attorney general the power to adopt rules to determine its scope. Violation of the law would be considered an unfair trade practice.

New Maine Legislation

Privacy and Security Information - Privacy MATTERS: Lawsuit Filed to Block New Maine Marketing Law

Wednesday, January 6, 2010

Happy 2010 - Data Breach du Jour

We are just barely into the new year, and there is already a rather large data breach to report.

Officials at Eastern Washington University (EWU) are notifying up to 130,000 current and former students that their personal information may have been exposed in a security breach, reports the Seattle Times. The data involved includes names, Social Security numbers and dates of birth for students going back to the year 1987. Information technology staff discovered the breach during a network assessment.

The takeaway here: A good New Year's resolution should be to conduct a network assessment of your own enterprise during Q1 and if you do not have a records retention policy in place ---> get one. Keeping personal information for more than 20 years is a data breach waiting to happen.

Link: Local News | Hacker may have accessed EWU student information | Seattle Times Newspaper

Monday, January 4, 2010

New Regulations Propose a Definition of 'Meaningful Use'

Written by Dianne

On December 30, 2009, the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC) issued interim final rules necessary to implement electronic health record (EHR) incentive programs enacted under the American Recovery and Reinvestment Act of 2009. The ONC rule sets initial standards, implementation specifications, and certification criteria for EHR technology. The CMS rule provides a long-awaited definition of the concept of “meaningful use” of EHR technology. Both regulations are open to public comment.

The ONC Rule

The ONC rule calls for the industry to standardize the way in which EHR information is exchanged between organizations, and sets forth criteria required for an EHR technology to be certified. These standards will support meaningful use and data exchange among providers, who must use certified EHR technology to qualify for Medicare and Medicaid incentives.

The proposed rule relies heavily on existing standards for the interoperability of health information technologies, including those established and/or promoted by Health Level 7, Inc. (HL7), the National Institute of Standards and Technology (NIST), and Integrating the Healthcare Enterprise (IHE). The standards also rely on existing classification and nomenclature systems including SNOMED CT, ICD-9 and 10, X12, LOINC, NCPDP, and RxNorm.

ONC’s interim final rule may be viewed at http://www.federalregister.gov/inspection.aspx#special. There is a 60-day comment period.

The CMS Rule

CMS’ proposed regulation defines and specifies how to demonstrate 'meaningful use' of EHR technology, which is a prerequisite for receiving incentive payments. The rule also outlines proposed payment methodologies for the Medicare and Medicaid EHR incentive programs.

The proposed criteria for meaningful use focus on electronically capturing health information in a coded format, using that information to track key clinical conditions, communicating that information for care coordination purposes, and initiating the reporting of clinical quality measures and public health information.

The criteria are based on a series of specific objectives, each of which is tied to a proposed measure that all eligible professionals and hospitals must meet in order to demonstrate that they are meaningful users of certified EHR technology. For Stage 1, which begins in 2011, CMS proposes 25 objectives/measures for eligible professionals and 23 objectives/measures for eligible hospitals that must be met to be deemed a meaningful EHR user.

CMS’ proposed rule may be viewed at http://www.cms.hhs.gov/Recovery/11_HealthIT.asp. There is a 60-day comment period.

Happy New Year - New Health Care Reform Issues

Now that it is 2010, we will be getting back up to speed with our blog postings, bringing you the latest in the world of privacy and security information.

The world of health care reform also has significant impact on all of us, and my colleagues here at Mintz published an important advisory right at the stroke of midnight -- Health Care Reform Advisory: Assessing the Impact of Federal Health Care Reform on Employers and Group Health Plans