Little Time to LOL …
COPPA, FACTA, GLBA, CFAA, DPPA, HIPAA, ADA, ITADA, The Privacy Act, FERPA, TCFAPA, ECPA, CPNI, PCI DSS, Red Flags
Definitions: Complaint v. Incident
- Privacy Complaint: An allegation by an individual that an organization is not complying with the requirements of the federal privacy and/or security regulations or the organization’s own policies and procedures related to the privacy / security of personal information.
- Privacy Incident: A known or suspected action, inconsistent with the organization’s privacy policies and procedures, or an adverse event, related to restricted or sensitive information.
2008 Privacy Violations by Type (number of records)
- PHI: 3,440
- PHI/PII: 335,353
- PII: 825
- Student Record: 4,955
- PII/Student Record: 13,516
- Financial: 2
- Human Resources: 32
Significant 2008 Privacy Violations and Incidents by Area (Number of Violations / Incidents*)
- College of Dentistry: 334,238# / 7
- College of Medicine: 3,501 / 91
- Academic Technology-CLAS: 11,562 / 2
- College of Engineering: 4,423 / 3
- Reitz Union: 612 / 1
- IFAS: 271 / 2
- College of Education: 145 / 1
* Number of Violations / Incidents
# 334,234 were both PHI and PII violations
2009 Legislative Mandates
- Genetic Information Nondiscrimination Act
- Red Flag Rules
- American Reinvestment and Recovery Act (ARRA)
- Health Information Technology for Economic and Clinical Health Act (HITECH)
Genetic Information Nondiscrimination Act
- Covers results of genetic tests for individuals or family members that provide any data about medical history; includes predictive testing.
- Mandates modification of HIPAA’s Privacy Rule so that genetic information is treated as protected health information; became effective May 21, 2009.
- Confidentiality safeguards required for collection, maintenance, and storage; also limits disclosure of genetic information.
FTC’s Red Flag Rules
- FTC Red Flag Rules became effective May 1, 2009, but enforcement was delayed to August 1, 2009.
- Written ID Theft Prevention Program required for any ‘covered account’ for individuals or households, where the organization is a creditor:
  - regularly extending, renewing, or continuing credit;
  - regularly arranging for such credit;
  - acting as an assignee of an original creditor.
Red Flags’ Hybrid Checklist
- Inventory and Risk Assessment of Accounts
- Board of Trustees Review and Approval of Written Policies and Procedures
- Red Flags Training
- Departmental Procedures & Training
- Compliance Audits
- Cross-reference to Critical Incident and Breach Notification Plan and SSN Monitoring
- Add or revise contract language to require contractors to establish a written identity theft program or to mirror the University’s Red Flags Program
- Audit compliance at least annually.
ARRA: Effective February 2009
- Restrictions on Disclosures: disclosures prohibited with limited exceptions (e.g., as required by law)
- Enforcement by State Attorney General
  - Civil case (violation) of interest to state residents
  - Damages and court fees to be awarded
  - Federal court venue
  - Effective for violations that occurred after enactment
- Tiered Civil Monetary Penalties Collected
- Employees or individuals can be found liable under HIPAA.
ARRA: Effective February 2009 (Civil Monetary Penalty Tiers)
Tier | Standard | Minimum per Violation | Annual Maximum
Tier A | “Did not know” | $100 | $25,000
Tier B | “Reasonable cause” | $1,000 | $100,000
Tier C | “Willful neglect” | $10,000 | $250,000
Tier D | “Uncorrected violation” | $50,000 | $1,500,000
ARRA: Provisions Changes Due
- August 2009: Breach notification provisions and PHI breach notification
- February 2010: Business Associates and Marketing
- August 2010: Minimum Necessary and Prohibition on sale of electronic health records/PHRs
- January 2011: Accounting for Disclosures
- February 2011: Enforcement for ‘willful neglect’
“HITECH” Enhances HIPAA
- Section requires HIPAA covered entities to notify affected individuals of a breach of “unsecured protected health information”.
- “Unsecured” means “Not secured through the use of a technology or methodology specified by the Secretary of HHS through guidance”.
- April 17th HHS Guidance recommends either encryption or destruction.
HITECH Guidance: Encryption
Encryption according to National Institute of Standards and Technology (“NIST”) or Federal Information Processing Standards (“FIPS”):
- “Data at rest”: NIST, Guide to Storage Encryption Technologies for End User Devices
- “Data in motion”: FIPS 140-2, including
  - NIST, Guidelines for the Selection and Use of Transport Layer Security Implementations
  - NIST, Guide to IPsec VPNs
  - NIST, Guide to SSL VPNs
HITECH Guidance: Destruction
- Paper, film, or other hard copy media must be shredded or destroyed to the extent that the PHI cannot be read or reconstructed.
- Electronic media must be cleared, purged, or destroyed such that the PHI cannot be retrieved, and such destruction must be consistent with NIST, Guidelines for Media Sanitization.
HITECH Breach Notification
Sets thresholds for triggering breach notification requirements as well as parameters for the method, content, and timing of the notification. For example:
- Must provide notice to consumers and FTC within 60 days of discovery;
- Notice must include mitigation details; and
- If 10 or more individuals cannot be reached, must post conspicuously for six months on homepage of website, or provide notice to print and broadcast media outlets in areas affected by the breach.
Applies to breaches discovered on or after September 18, 2009.
Academic Data Breaches (Minnesota Privacy Consultants)
- Over 50 colleges and universities have experienced multiple reported privacy incidents since
- At a state level, California is home to seven twice-breached universities, while Ohio follows at four schools.
- At least four universities have experienced five or more publicized privacy incidents:
  - Purdue University (7)
  - Ohio University (5)
  - University of Florida (5)
  - University of Iowa (5)
Privacy Breaches Sampling, January – December 2008 (records affected)
- Stanford University: 72,000
- University of Georgia: 4,250
- University of Akron: 800
- University of Florida: 101
- Ohio University: 492
- Tennessee Tech: 990
- University of Texas: 2,500
- University of Maryland: 23,000
- Penn State: 677
- Georgetown University: 38,000
- University of Florida: 1,900
- University of Minnesota: 3,100
- Long Island University: 30,000
- Middle Tenn. State: 1,500
- Texas A&M: 3,000
- Harvard University: 6,600
- Binghamton University: 300
- University of Miami: 2,100,000
- University of Florida: 11,300
- University of Utah: 2,200,000
- University of Florida: 344,448
- Oklahoma St. University: 70,000
- UC San Francisco: 3,569
Top Reasons for University Breaches
- Data-rich information systems creating a natural target.
- Outdated and non-enforced data security safeguards.
- Sophisticated intruders with potential criminal intent.
- Careless or inattentive data systems management.
- Negligent hiring practices or employee misuse of data.
- Demonstrated opportunities for repeat access.
- Business partners or research sponsors who fail to protect information.
Watch for “Seminal” Court Cases
Seminal means “Highly original and influencing the development of future events”.
When does a privacy breach cause harm?
- Identity theft and financial fraud
- Offensive publication of illicitly acquired PII
- Limited economic opportunities, e.g., for a job applicant
Canada, Australia, and New Zealand are codifying that privacy-security breaches can cause harm.
Cause for Caution
- Federal Precedent: the Ninth Circuit Court (Stollenwerk) opined that ‘harm’ was not necessary for class action lawsuits resulting from a data breach.
- Partnering of Federal Agencies: FTC joined OCR to pursue claims against CVS, with settlement costs of $2.25 million. Also, FTC can levy penalties where identity theft results.
- States’ Action: ARRA permits states’ AGs to sue for damages on behalf of residents.
In Summary: Nowhere to Hide
- Increased governmental regulations, especially for identity theft and healthcare operations
- Emerging technology risks and expanding data security obligations
- Probable civil case law developments as well as enhanced enforcement, especially from state AGs
- Continuing infrastructure and resource challenges