States' penalties can apply to data breach
Risk managers who fret so much about compliance with the Health Insurance Portability and Accountability Act (HIPAA) should worry at least that much about the potential liability from state laws addressing data breaches, say experts on personal data security.
Growing public concern about identity theft has prompted many states to enact laws that obligate businesses to protect personal data about customers, and those laws hit health care providers the hardest because of the vast amount of personal information collected on patients. Failing to protect that information can result in major liability, warns Roz Allen, JD, a partner with the law firm of Holland & Knight in Washington, DC.
Allen specializes in liability stemming from protected health care information. In recent years, legislators have created mandatory data breach notification statutes in 39 states plus the District of Columbia and Puerto Rico, Allen says. Many of those laws are brand new; only 23 states had such statutes in 2006, Allen notes. The actions came in response to growing concerns about identity theft and many highly publicized thefts of data, including stories about stolen or lost laptops that contained financial and health information on thousands of people.
One of the most significant data losses recently reported was made by ChoicePoint, a major data mining company with headquarters in Alpharetta, GA, Allen says. One of the largest data aggregators and resellers in the country, ChoicePoint compiles, stores, and sells information about virtually every U.S. adult. Insufficient safeguards allowed identity thieves to obtain ChoicePoint accounts through the establishment of fake businesses, which they then used to obtain personal information they could use to commit identity theft. The records of 163,000 people were affected, Allen says.
ChoicePoint's failure to properly protect sensitive consumer data culminated on Jan. 26, 2006, in a $15 million settlement with the Federal Trade Commission (FTC) based on violations of the Fair Credit Reporting Act (FCRA) and the Federal Trade Commission Act (FTC Act).
"The ChoicePoint settlement is notable not only for its large civil penalty and long-term auditing and reporting requirements, but also the legal basis upon which it is predicated," Allen says. "In addition to charging the company with violating the FCRA, a law with somewhat limited reach, the government alleged that the company violated the unfairness prong of Section 5 of the FTC Act."
That means that virtually every company handling consumer information in interstate commerce, which means nearly any health care provider, may be subject to FTC action.
State laws pose most risk
Nevertheless, the greatest potential for liability comes from the state data breach notification laws, she says. Allen says the nation's first data breach notification law was implemented by California in July 2003, and it still is considered the framework on which many other states base their own legislation. Though state laws vary in the details, they all require companies, state agencies, and other entities to notify state residents whose personally identifiable information is acquired, or reasonably believed to have been acquired, by unauthorized persons. In some states, third parties storing personal data on behalf of other businesses also are required to promptly notify such businesses of unauthorized access or reasonable belief that unauthorized access has occurred, she says.
"That creates a tremendous obligation for the health care provider to protect that information and to act responsibly if there is reason to think it has gotten into the wrong hands," she says. "The state laws usually carry a big stick in terms of big penalties and the ability for those who are harmed to pursue civil action."
Allen notes that most of the state laws do not require breach disclosure if the data are stored in encrypted form, as long as there is no reason to think the encryption key has been compromised. However, she cautions risk managers not to put too much faith in the encryption if the data itself has been stolen or lost.
"Especially if the laptop is stolen or if someone breaks into your system, it is not a stretch to think that someone willing to do that is also willing and capable of breaking through your encryption safeguards," she says.
Usually a human failure
Jim Jacobson, JD, a partner with Holland & Knight in Boston, says electronic and physical safeguards are only part of the solution.
"It's not usually the failure of a firewall, or a server, or encryption, or some other technical issue. It's so much more often the failure of a policy or a rogue employee," he says. "It's usually the failure of people to take the appropriate action according to their policies. We see clients worrying so much about the technical issues, but it's really the people, the personnel, the policies and procedures that make the difference."
Federal legislation that would impose similar notification rules has been proposed in recent years, but it has failed several times. Allen says a federal rule still is possible but, for now, the state laws provide plenty of impetus for risk managers to act. Jacobson notes that risk managers tend to spend far more time worrying about compliance with HIPAA than state laws regarding data breaches, when the latter poses just as big a threat.
"The state laws carry quite a bit more risk than HIPAA does. There can be punitive penalties in some states and there is a lot of potential for civil action," Jacobson says. "Some of the states also provide for criminal penalties, so that is really a big stick for officials who want to make a statement and make an example of you."
Sources
For more information on liability regarding data breaches, contact:
- Roz Allen, JD, Partner, Holland & Knight, Washington, DC. Telephone: (202) 419-2415.
- Jim Jacobson, JD, Partner, Holland & Knight, Boston. Telephone: (617) 305-2057.
Isolate some data to lower the risk
So what should a risk manager do to avoid liability under the state data breach statutes? The first step is to protect the data itself, says Roz Allen, JD, a partner with the law firm of Holland & Knight in Washington, DC.
Make sure the data are stored securely and encrypted. Pay special attention to the categories of data that, in most states, trigger the obligation to notify after a breach, she says. Those data include Social Security number, driver's license number, state identification card number, and financial information such as account numbers, debit cards, or credit cards.
"That data usually trigger the law only if it is associated with the first and last name of the person, so you can desensitize some of that data by storing it in a way that strips out the associated name and separates different types of personal information," she says.
Risk managers also should review their information security practices to ensure that as soon as anyone suspects protected information may have fallen into unauthorized hands, that suspicion is promptly reported up the chain of command. The risk manager and other leaders should assess whether the circumstances require notification.
"These state laws are all aimed at making you come forward and tell the affected parties that their data may be out there," Allen says. "Don't sit on it and hope nobody finds out. That's what the penalties are designed to discourage."
With little case law so far to give guidance, Allen says the best bet is to just play it safe. Work to keep data secure, but if a breach happens, notify quickly and thoroughly.
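As an added illustration of the name-separation advice above and the "does this require notification" assessment that follows it (example code written for this page, not from the article or from Holland & Knight; the field names, the sample record and the simplified decision rule are my assumptions):

```python
# Added example, not from the article: keep names apart from the data elements
# the article says trigger notification, and assess whether an exposed data set
# carries the name-plus-identifier pairing those statutes key on.
# Field names and the sample record are constructed for illustration.
import secrets

NAME_FIELDS = {"first_name", "last_name"}
# Data elements the article lists as triggering notification when paired with a name.
TRIGGER_FIELDS = {"ssn", "drivers_license", "state_id",
                  "account_number", "debit_card", "credit_card"}


def split_record(record, token=None):
    """Split one record into three stores linked only by an opaque random token.

    No single store holds a name next to a trigger element, so losing one
    store exposes less of the pairing the statutes are written around.
    """
    token = token or secrets.token_hex(16)
    names = {k: v for k, v in record.items() if k in NAME_FIELDS}
    sensitive = {k: v for k, v in record.items() if k in TRIGGER_FIELDS}
    other = {k: v for k, v in record.items()
             if k not in NAME_FIELDS and k not in TRIGGER_FIELDS}
    return {"token": token, "names": names, "sensitive": sensitive, "other": other}


def assess_exposure(exposed_fields, encrypted=False, key_compromised=False):
    """Return (notify, reason) for the field names present in an exposed store.

    Encodes the common pattern the article describes: trigger elements count
    only when linked to a name, and encrypted data is exempt unless the key is
    believed compromised. The article notes state details vary, so this is the
    general rule only, not any one statute.
    """
    fields = set(exposed_fields)
    triggers = sorted(fields & TRIGGER_FIELDS)
    if not triggers:
        return False, "no trigger data elements exposed"
    if not NAME_FIELDS <= fields:
        return False, "trigger elements exposed without linked name"
    if encrypted and not key_compromised:
        return False, "data encrypted and key not believed compromised"
    return True, "name linked to " + ", ".join(triggers)


if __name__ == "__main__":
    patient = {"first_name": "Jane", "last_name": "Doe",          # constructed
               "ssn": "000-00-0000", "mrn": "MRN-EXAMPLE"}
    parts = split_record(patient)
    print(assess_exposure(parts["sensitive"]))  # sensitive store alone: no name link
    print(assess_exposure(patient))              # combined record: notify
```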
Most states have data breach laws
Thirty-nine states, plus Puerto Rico and the District of Columbia, have laws requiring health care providers and other businesses to protect sensitive data and promptly report any breach, according to Roz Allen, JD, a partner with the law firm of Holland & Knight in Washington, DC.
Laws regarding notification after a data breach are found in Arizona, Arkansas, California, Colorado, Connecticut, Delaware, District of Columbia, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Kansas, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, Tennessee, Texas, Utah, Vermont, Washington, Wisconsin, Wyoming, and Puerto Rico.
For information on individual state laws, as well as the state of California's advice on how to respond to a security breach, go to the web site of the National Conference of State Legislatures at www.ncsl.org. On the home page, choose "State & Federal Issues," then "Issue Areas A-Z," then "Telecomm & Infor Technology." From that page, choose "Legislation on Notice of Security Breaches" from the menu on the right.