What Does Privacy Law and Data Security Have to Do With Nonprofits? Theodore P. Augustinos Partner Hartford, Connecticut Andrew M. Grumet Partner New York,


What Does Privacy Law and Data Security Have to Do With Nonprofits?
Theodore P. Augustinos, Partner, Hartford, Connecticut
Andrew M. Grumet, Partner, New York, New York
David S. Szabo, Partner, Boston, Massachusetts
November 9, 2010

2 Agenda
- The Significance of Privacy Data Breach Issues
- Nonprofits as Users of Protected Information
- What Constitutes a Breach
- HIPAA and Fundraising
- Breach Prevention
- Breach Response
- Enforcement and Exposure Issues

3 Data Breaches Are Everywhere: Some Nightmare Statistics of 2009
- 222 million records were reported to have been potentially compromised in 2009
- As of August 2010, there were 404 reported breaches, putting 2010 on track to substantially exceed 2009’s 498 reported breaches
- Average total cost of a data breach per company in 2009 was more than $6.75 million (with a range of $750,000 to $31 million in one study)
- Average cost per record compromised was $204 in 2009
  - $144 of that pertains to indirect costs such as customer departures (lost business)

4 Data Breaches Are Everywhere: Some Nightmare Statistics of 2009 (continued)
- 48% caused by insiders; 11% implicated business partners
- 85% of attacks on data were not considered highly difficult
- Over 90% of breaches were avoidable through simple to moderate security controls

5 Some Healthcare Industry Statistics
- 3% of 2009 reported breaches are from the healthcare industry, but sources vary up to 13%
- One source reports that already in 2010 almost 12.7% of breaches and 26.4% of records breached are from the healthcare industry (131 breaches, 1.7 million records) as of Sept. 7, 2010 #
- The Department of Health and Human Services reported that it received 773 complaints in its HIPAA privacy enforcement program in April 2010, and 651 complaints in July, for a total of 53,789 since enforcement began in April 2003 †
° Ponemon Institute, 2009 Annual Study: Cost of a Data Breach

6 Some Healthcare Industry Statistics (continued)
- Of the 4.7 million patient records breached, Business Associates accounted for 30% †
- The healthcare industry has one of the highest rates of customer turnover resulting from a data breach °
- Paper records are still the most frequent source of breaches, but theft of laptops and other portable electronic devices is more damaging °
° Ponemon Institute, 2009 Annual Study: Cost of a Data Breach

7 Nonprofits as Users of Protected Information
Types of Information
- Personal Information
  - Includes information collected in the course of receiving contributions (e.g., checks, wiring instructions, grant agreements, pledge cards), collection of membership dues, and payments from program services and special events; may also include information gathered by planned giving and major gift officers during donor cultivation meetings
  - Also includes personal information collected about employees and volunteers

8 Nonprofits as Users of Protected Information (continued)
- Protected Health Information
  - Includes medical records, billing information, and insurance information held by a Covered Entity or a Business Associate, but not information held by an employer in its capacity as an employer, and not information protected by FERPA
- Other Confidential Information
  - Educational Records (FERPA)
  - Trade secrets and other commercially valuable information

9 Nonprofits as Users of Protected Information (continued)
- Which Rules Apply to Your Organization?
  - Changes in your operations or customers may change your legal status, e.g. you could become a covered entity or a business associate if you start providing services to employer-sponsored health plans
  - Rules and standards are in transition
- Recipients of Donations
- Sellers of Goods and Services
- Educational Institutions
- Health Nonprofits
- Other
- Employers

10 What Constitutes a Data Breach? Definitions of PI and PHI
- The Current Focus: Personal Information that can be used for Identity Theft
- Generally, first and last name, or first initial and last name, plus one or more of the following:
  - Social Security Number
  - Driver’s License or Government Issued ID
  - Financial Account Number, or Credit or Debit Card Number, with or without any required security code, access code, PIN or password, that would permit access to a financial account
  - Some states include health and medical information
- Basically, personally identifiable financial and health information of individuals
- Electronic or Paper, depending on the jurisdiction, but electronic under FTC and most state rules

11 What Constitutes a Data Breach? Definitions of PI and PHI (continued)
- Protected Health Information
  - Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and: (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) that identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual

12 What Constitutes a Data Breach? General Definitions
- Federal - HIPAA
  - “Breach” means the unauthorized acquisition, access, use or disclosure of PHI that compromises the security or privacy of the PHI and poses a significant risk of financial, reputational, or other harm to the individual. Not all violations of either the Privacy Rule or the Security Rule constitute breaches of PHI

13 What Constitutes a Data Breach? General Definitions (continued)
- States
  - Massachusetts
    - Unauthorized acquisition or unauthorized use of unencrypted data, or of encrypted data together with the encryption key, that is capable of compromising the security, confidentiality or integrity of PI and that creates a substantial risk of ID theft or fraud
  - Some states have a harm or likelihood-of-harm standard; others do not
- Contractual

14 What Constitutes a Data Breach?
- How do Breaches Occur?
  - Causes: Carelessness, Maliciousness and Other Incidents
- Some types of breaches:
  - Paper records improperly disposed of
  - Stolen or lost laptops
  - Lost backup tapes
  - Stolen hard drives
  - Fired employees using passwords that weren’t cancelled
  - Improperly mailed/faxed patient records
  - Illegal sale of patient information (e.g. insurance IDs)
- Insiders, outsiders, third party providers (vendors and Business Associates)

15 HIPAA and Fundraising Current Rule
- Current Privacy Rule permits limited uses and disclosures of PHI to support fundraising by a covered entity without an Authorization
  - Demographic information
  - Dates of health care services provided
- Individuals can opt out, and the CE must make “reasonable efforts” to honor that request
- Individual must be put on notice through the Notice of Privacy Practices

16 HIPAA and Fundraising Current Rule (continued)
- Other potentially useful information cannot be used or disclosed without an Authorization:
  - Physician name
  - Department or Service (e.g. cardiology unit)
  - Outcomes Information
- Result: Solicitations not well-targeted

17 HIPAA and Fundraising Proposed Rule
- Proposal to update based on HITECH changes
- HITECH requires a “clear and conspicuous” notice of the right to opt out of receiving further fundraising communications
- Rule would require that each communication include notice of the opt out right
- Opt out must not involve “undue burden or more than nominal costs”
- CE cannot condition treatment or payment on the opt out
- Clear ban on further fundraising communication after opt out is exercised

18 HIPAA and Fundraising Requests for Comment
- OCR has solicited comment on whether the rule should permit more information, such as departmental information, to be used for fundraising
- OCR also has solicited comment on how the opt out right should be implemented

19 Breach Prevention An Ounce of Prevention
- Information Security
- Assemble the Right Team
  - Legal
  - IT
  - Personnel
  - Operations
  - Administration
- Identify Applicable Requirements
  - States, like Massachusetts
  - Federal
    - HIPAA and HITECH
- Develop, upgrade and implement written Policies and Procedures
- Implement appropriate Technology

20 Breach Prevention An Ounce of Prevention (continued)
- Review Contractual Obligations
  - BA Agreements
  - PCI-DSS
  - PayPal and other Online Donations
- Identify existing Safeguards
  - Policies and Procedures
  - Review and Document Unwritten Practices and Capabilities
- Identify and Satisfy applicable requirements
- Train, Monitor, Report and Update
- Security Risk Assessment

21 Breach Prevention An Ounce of Prevention (continued)
- Gap Analysis and Remediation
- Third party validation:
  - Penetration testing
  - Security Audit
- Adherence to Industry Standards (how to determine if your safeguards were “reasonable and appropriate”)

22 Breach Response Customer/Client Retention
How a Company Responds to a Data Breach Can Significantly Affect Customer/Client Retention
- According to a recent study:
  - 83% of consumers surveyed reported receiving a data breach notification during the prior 24 months
  - 63% said the notification offered them no direction on steps to take to protect themselves, and as a result:
    - 31% terminated their relationship
    - 57% said they lost their trust and confidence
Source: Consumers’ Report Card on Data Breach Notification, April 15, 2008, conducted by Ponemon Institute and sponsored by ID Experts

23 Breach Response Customer/Client Retention (continued)
- Lawsuits based on breaches often include causes of action based on allegations of:
  - Failure to timely and properly notify affected individuals
  - Result and damages
Source: Consumers’ Report Card on Data Breach Notification, April 15, 2008, conducted by Ponemon Institute and sponsored by ID Experts

24 Breach Response Key Steps
- Plan in advance
- Assemble the Right Team
  - Legal
  - IT
  - Operations
  - Customer Relations
  - Government Relations
  - Public Relations
  - Forensics - Do you hire an outside expert?

25 Breach Response Key Steps (continued)
- Develop and Disseminate Breach Response Protocol
  - Immediate Identification and Escalation
  - Containment
  - Assessment
  - Forensics
  - Analysis
  - Communication
- When a Potential Breach Incident Occurs, Follow the Protocol
- Post-Mortem Review

26 Breach Response HIPAA Breach Notification
- Breach notification to Individuals is required by Section of HITECH in the event of a data breach of “unsecured” PHI
- Notice is not needed if the data is Unusable, Unreadable or Indecipherable (i.e. “secured PHI”)
- Notice is not needed if the data is not PHI
- Notice is not needed for Limited Data Sets (as defined by HIPAA) that have had birth dates and zip codes removed

27 Breach Response Discovery of a Breach - HIPAA
- A breach is deemed discovered by a covered entity or business associate on the first day the breach is known to the covered entity
- The breach is treated as “known” as of the first day that the covered entity would have known of the breach had it exercised “reasonable diligence”
- Reasonable diligence is the “business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances”
Ignorance is not bliss!

28 Breach Response Timing of Notice
- HIPAA notice must be given promptly, and not later than 60 days after discovery of the breach
- A CE should give actual notice to the individual
- A BA must notify the CE, which in turn must notify the individual
- Substitute notice is permitted where contact information is not available
- Urgent notice by telephone is permitted, but does not replace the need for written notice

29 Breach Response Timing of Notice (continued)
- State requirements, including Insurance Department bulletins, must be reviewed for short, agency-specific reporting requirements
  - MA – Section 93H: “As soon as practicable and without unreasonable delay”
  - CT – Statute says “without unreasonable delay” but an Insurance Department bulletin requires notice to the Insurance Department no later than 5 days
  - FL – 45 days
  - Other states

30 Breach Response HIPAA - Alert the Media and the Secretary
- Required if the breach impacts 500 or more individuals
- Must use a “Prominent Media Outlet”
  - The media outlet must have appropriate coverage in light of the location of the individuals (citywide, statewide, etc.)
- Immediate notice to the Secretary for large breaches
- Breach log to aggregate events involving fewer than 500 persons, with annual submission to the Secretary
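As an added example that is not part of the presentation, the following Python turns the notification rules on slides 26 through 30 (secured versus unsecured PHI, the 60-day window from discovery, the 500-individual media and Secretary threshold, the BA-to-CE route) and the state deadlines on slide 29 into a small triage helper. The Incident fields, the constructed sample scenarios, and the use of the Massachusetts definition from slide 13 as the trigger for every listed state are assumptions of this example, not rules stated by the presenters.

```python
from dataclasses import dataclass
from datetime import date, timedelta

HIPAA_NOTICE_WINDOW_DAYS = 60       # slide 28: not later than 60 days after discovery
MEDIA_SECRETARY_THRESHOLD = 500     # slide 30: 500 or more individuals
# slide 29: fixed state deadlines in days; MA (Section 93H) sets no fixed number
STATE_DEADLINE_DAYS = {"CT": 5, "FL": 45, "MA": None}
MA_STANDARD = "as soon as practicable and without unreasonable delay"


@dataclass
class Incident:                     # assumed field set for this example
    discovered: date                # first day known, or should have been known (slide 27)
    individuals: int                # number of affected individuals
    is_phi: bool                    # does the data set contain PHI at all?
    encrypted: bool                 # rendered unusable, unreadable or indecipherable
    key_compromised: bool = False   # encrypted data plus its key is not "secured"
    limited_data_set: bool = False  # HIPAA limited data set, birth dates and zips removed
    held_by_ba: bool = False        # discovered by a Business Associate, not the CE
    states: tuple = ()              # states whose residents are affected


def is_unsecured_phi(inc: Incident) -> bool:
    """Slide 26: HIPAA notice is triggered only by a breach of 'unsecured' PHI."""
    if not inc.is_phi or inc.limited_data_set:
        return False
    return not inc.encrypted or inc.key_compromised


def state_notice_triggered(inc: Incident) -> bool:
    """Slide 13 (MA definition): unencrypted data, or encrypted data with its key.
    Assumption: the same test is applied to every state listed on slide 29."""
    return not inc.encrypted or inc.key_compromised


def notification_obligations(inc: Incident) -> dict:
    """Combine the federal (slides 26-30) and state (slide 29) timing rules."""
    v = {"notify_individuals": False, "individual_deadline": None, "route": None,
         "media_and_secretary": False, "breach_log": False, "state_deadlines": {}}
    if is_unsecured_phi(inc):
        v["notify_individuals"] = True
        v["individual_deadline"] = inc.discovered + timedelta(days=HIPAA_NOTICE_WINDOW_DAYS)
        # slide 28: a BA notifies the CE, which in turn notifies the individual
        v["route"] = "BA -> CE -> individual" if inc.held_by_ba else "CE -> individual"
        large = inc.individuals >= MEDIA_SECRETARY_THRESHOLD
        v["media_and_secretary"] = large   # prominent media outlet + immediate notice to the Secretary
        v["breach_log"] = not large        # log events under 500, submit to the Secretary annually
    if state_notice_triggered(inc):
        for st in inc.states:
            if st not in STATE_DEADLINE_DAYS:
                v["state_deadlines"][st] = "review statute and agency bulletins"
            elif STATE_DEADLINE_DAYS[st] is None:
                v["state_deadlines"][st] = MA_STANDARD
            else:
                v["state_deadlines"][st] = inc.discovered + timedelta(days=STATE_DEADLINE_DAYS[st])
    return v


def sample_incidents() -> dict:
    """Constructed scenarios (not real events), dated on the day of this presentation."""
    day = date(2010, 11, 9)
    return {
        "lost_laptop": Incident(day, 1200, is_phi=True, encrypted=False, states=("CT", "MA")),
        "misfaxed_records": Incident(day, 40, is_phi=True, encrypted=False, held_by_ba=True, states=("FL",)),
        "encrypted_tape": Incident(day, 5000, is_phi=True, encrypted=True, states=("MA",)),
    }
```

Calling `notification_obligations(sample_incidents()["lost_laptop"])` shows the full set of duties for a large unencrypted loss; the encrypted tape scenario shows how the "secured PHI" exception and the key-compromise test switch them off.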

31 Enforcement Triggers
- Large breaches will be reported in the media
  - See or
- Enforcement may accompany
  - Identity theft prosecutions
  - Investigations under the Computer Fraud and Abuse Act
  - False Claims Investigations
  - Any breach incident

32 Enormous Exposures for Data Breach
- Potential First Party Costs
  - Forensic costs
    - Determining what happened and how to stop/prevent recurrence
  - Professional advice on requirements triggered and their content
  - Notification costs
    - Content, printing, mailing
    - Call centers and other follow-up
  - Mitigation costs
    - Credit monitoring, etc.
  - Reputational Harm/Lost business

33 Enormous Exposures for Data Breach (continued)
- HIPAA imposes civil monetary penalties for violations of the Security Rule, with a sliding scale based on intent and the number of standards violated
- Criminal penalties for intentional misuse of protected health information
- Violations of the Massachusetts data security rule (and other state requirements) may implicate civil penalties and damages under the state consumer protection law

34 Enormous Exposures for Data Breach (continued)
- Potential Third Party Claims
  - By consumers subject to identity theft and other data losses
    - Fear of unauthorized use/identity theft without actual improper use is generally insufficient
  - By others with resulting losses
    - Banks, credit unions and other issuers of payment cards that pay for fraudulent transactions and card replacements – claims being made, some dismissed
    - Insurers of those who pay
    - Other merchants, etc. affected by card cancellations and fraudulent transactions

35 Mitigating Exposures Prevention Recap
- Compliance
  - Statutes, regulations and industry standards directed at data protection
- Limiting Access and Retention
  - What is necessary
  - Who has access
  - Duration of retention

36 Mitigating Exposures Prevention Recap (continued)
- Studies report that over 90% of breaches were preventable with minimum to moderate security
- Vendor/service providers – ensuring data security procedures are in place
- Buy-in at the highest levels
- Training/Awareness
- Common sense precautions
- Recognize, identify and protect against your own exposure to data breach

37 Conclusion
- Data security is an area requiring the attention of all employers, financial services firms, and healthcare providers, and anyone else who obtains or maintains personal financial or health information
- Compliance and Prevention are on-going efforts
- The costs of not complying with regulatory requirements include legal, regulatory, contractual and reputational risks
- Data breaches are a growing exposure with increasing costs

EAPD Contacts
Theodore P. Augustinos, 20 Church Street, Hartford, CT
Andrew M. Grumet, 750 Lexington Avenue, New York, NY
David S. Szabo, 111 Huntington Avenue, Boston, MA