CT, HI & VT - Oh My! What Do the Latest Privacy Regulations Mean to You?


In the past few months privacy regulations in Connecticut, Hawaii and Vermont have quietly been updated. Though not revolutionary changes, they are material because they raise the compliance bar. This webinar reviews the details of these regulatory updates and spells out what they can mean for affected organizations. It includes before-and-after comparisons to highlight what firms will need to do differently under the new regulations. Legal, privacy, and compliance professionals won't want to miss this highly valuable webinar.

Our featured speakers for this timely webinar are:

Colin Zick, Partner, Foley Hoag LLP; Co-Founder of Foley Hoag’s Data & Security Privacy Practice Group; blogs at: www.securityprivacyandthelaw.com

Gant Redmon, Esq., General Counsel, Co3 Systems; CIPP/US

Transcript of CT, HI & VT - Oh My! What Do the Latest Privacy Regulations Mean to You?

Page 1: CT, HI & VT - Oh My! What Do the Latest Privacy Regulations Mean to You?

The information and images contained in this document are of a proprietary and confidential nature. The disclosure, duplication, use in whole, or use in part, of the document for any purposes other than client evaluation without the written permission of Apperian, Inc. is strictly prohibited. © Co3 Systems Inc. 2011 All Rights Reserved.

Vermont, Connecticut and Hawaii: Changes to State Breach Notification Laws and Their Larger Implications


Page 2

Agenda

§  Introductions
§  About Co3
§  State Disclosure Law Updates
–  Vermont
–  Connecticut
–  Hawaii
§  Refresher on HIPAA Preemption
§  Questions


Page 3

[Diagram: Simulations, Incidents, Events]

Co3 Automates Breach Management

Prepare

•  Assign response team
•  Describe environment
•  Simulate events and incidents
•  Focus on organizational gaps

Report

•  Document incident results
•  Track historical performance
•  Calculate cost to close
•  Generate audit/compliance reports

Assess

•  Track events
•  Scope regulatory requirements
•  See $ exposure
•  Send notice to team
•  Generate PIAs

Manage

•  Is this a breach?
•  Escalate to complete IR plan
•  Oversee the complete plan
•  Assign tasks: who/what/when
•  Notify regulators and clients
•  Monitor progress to completion


Page 4

Today’s Speakers

§  Colin Zick

§  Partner and Co-Chair, Security and Privacy

§  Foley Hoag

§  [email protected]

§  Gant Redmon

§  General Counsel

§  Co3 Systems, Inc.

§  [email protected]


Page 5

State Data Security Laws, 2.0

§  The vast majority of states now have data security and breach notification laws, and most have had them for several years.

§  Experience in applying these laws has revealed holes and flaws in many.

§  State legislatures are now starting the process of repairing these.

§  We can expect more states to re-examine and revise their data security and breach notification statutes.

§  The actions of CT, VT and HI are a preview of what we can expect in other states during the next 1-2 years.


Page 6

Vermont

Summary of Changes

§  Revises definition of a breach.

§  Specifies timeframe for notifications.

§  Adds requirement for notification to AG.

§  Updates some terminology.

§  Became effective May 8, 2012.


Page 7

Vermont – Breach Definition

“Security breach”: Unauthorized acquisition of electronic data, or a reasonable belief of an unauthorized acquisition of electronic data, that compromises the security, confidentiality, or integrity of a consumer’s personally identifiable information maintained by the data collector.

§  Previously, the law was triggered by unauthorized access OR unauthorized acquisition. New definition removes “access” trigger.

§  Eliminated “computerized data” and replaced with the more appropriate “electronic data”.

§  Adds a series of factors, any or all of which can help determine acquisition:
1)  Is the information in the physical possession and control of a person without valid authorization?
2)  Has the information been downloaded or copied?
3)  Has the information been used by an unauthorized person?
4)  Has the information been made public?


Page 8

Vermont – Terminology Updates & Effective Date

Other terminology has been revised, and is now more in line with other state laws:

§  “Personal information” is now “Personally Identifiable Information”
§  “Computerized information” is now “electronic information”
§  “Business” is now “data collector”

Changes became effective upon passage of the law on May 8, 2012.


Page 9

Vermont – Timeframe & Notice to AG

§  Specifies 45 day limit for notification to consumers.

–  Prior requirement was “most expedient time possible and without unreasonable delay”. This still exists, so faster notification should happen if possible.

§  Adds requirement to notify VT Attorney General.

–  Within 14 business days of date of discovery OR when notice is provided to consumers, whichever is sooner.

–  Must include date of breach and date of discovery, a preliminary description of the breach, and the number of consumers affected.


Page 10

Vermont – Letters

Vermont’s new statute and guidelines require up to four different letters to be sent:

§  Preliminary Letter to VT AG 14 days from breach discovery – containing date of breach, date of discovery, and preliminary description of the breach.

§  No Misuse Letter to Consumer Protection Unit of VT AG containing detailed explanation why misuse unlikely.

§  Notice of Breach Letter to consumers.

§  Notice of Notice of Breach Letter to VT AG with a copy of the consumer notice, with information on nature of breach redacted.


Page 11

Connecticut

Summary of Changes

§  Provides clarification on wording in breach definition:
–  “breach of security means unauthorized access to or unauthorized acquisition of electronic files, media databases, or computerized data…”

§  Adds requirement that notification of breach must be provided to the CT Attorney General as well as consumers:

–  Notification to AG must be provided no later than the time when notice is provided to consumers.

§  Becomes effective October 1, 2012


Page 12

Hawaii

Summary of Changes

§  Relates only to information covered by HIPAA (PHI)

§  Law acknowledges that a “complex array of state laws and rules unfairly burdens health care providers….”

§  In order to address this problem, the law equates Hawaii law with HIPAA, so HIPAA controls.

§  Became effective July 10, 2012.


Page 13

Refresher on HIPAA Preemption

§  HIPAA generally preempts state law.

§  However, where state law privacy protections for health information are “more stringent” than a HIPAA protection, the state protections should still govern [45 C.F.R. § 160.203(b)]

§  Steps in the Pre-emption Analysis:

§  Does HIPAA even apply?
§  If HIPAA applies, does it conflict with some element of state law?
§  If HIPAA does conflict with some element of state law, is that law exempted from HIPAA?
§  If that state law is not exempted from HIPAA, are HIPAA’s protections more stringent or contrary to state law?


Page 14

Questions?


Page 15

Thank You

Gartner: “Co3 …define(s) what software packages for privacy look like.”

1 Alewife Center, Suite 450 Cambridge, MA 02140

ph: 617-206-3900 e: [email protected]

www.co3sys.com


Page 16

Colin Zick

Colin is a partner with Foley Hoag LLP, in its Boston office. His practice focuses on health care and compliance issues, and often involves the intersection of those two subjects in administrative proceedings or litigation. He frequently counsels clients on issues involving information privacy and security, such as data breach, and state and federal data security laws and regulations (including those of the FTC and Department of Commerce). He advises clients on HIPAA and the HITECH Act and has served as the editor of the Massachusetts Health Information Management Association’s Medicolegal Guide to Health Record Information since 2003. Mr. Zick co-founded Foley Hoag’s Data Security and Privacy Practice Group and regularly contributes to its blog, www.securityprivacyandthelaw.com. He and his firm also serve as counsel to the Advanced Cyber Security Center, a collaborative, cross-sector research facility working to address the most critical and sophisticated cyber security challenges. Mr. Zick also has submitted amicus briefs in cases in state and federal court regarding the constitutionality of DNA databases and other health data issues.

He can be reached at (617) 832-1275, [email protected].


Page 17

Gant Redmon

Gant is General Counsel and Vice President for Co3 Systems. He has practiced law for nineteen years, fifteen of those years as in-house counsel for security software companies. Prior to joining Co3 Systems, Gant was General Counsel of Arbor Networks, now part of the Danaher Corporation. Gant has also been Counsel at Authentica (acquired by RSA/EMC) and AXENT Technologies (acquired by Symantec). In 1997, Gant was appointed to President Clinton’s Export Council Subcommittee on Encryption (PECSENC).

Gant holds a Juris Doctorate degree from Wake Forest University School of Law and a Bachelor of Arts degree from the University of Virginia, and is admitted to practice law in Virginia and Massachusetts. Gant also holds the CIPP/US certification (Certified Information Privacy Professional/United States).

Gant Redmon, [email protected], 617-300-8136