
What Does Privacy Law and Data Security Have to Do With Nonprofits?

Theodore P. Augustinos, Partner

Hartford, Connecticut

Andrew M. Grumet, Partner

New York, New York

David S. Szabo, Partner

Boston, Massachusetts

November 9, 2010


Agenda

The Significance of Privacy Data Breach Issues

Nonprofits as Users of Protected Information

What Constitutes a Breach

HIPAA and Fundraising

Breach Prevention

Breach Response

Enforcement and Exposure Issues


Data Breaches Are Everywhere: Some Nightmare Statistics of 2009

222 Million Records were reported to have been potentially compromised in 2009

As of August 2010, there were 404 reported breaches, making 2010 on track to substantially exceed 2009’s 498 reported breaches

Average total cost of a data breach per company in 2009 was more than $6.75 million (with range of $750,000 to $31 million in one study)

Average cost per record compromised was $204 in 2009

$144 of that pertains to indirect costs such as customer departures (Lost Business)


Data Breaches Are Everywhere: Some Nightmare Statistics of 2009 (continued)

48% caused by insiders; 11% implicated business partners

85% of attacks on data were not considered highly difficult

Over 90% of breaches were avoidable through simple to moderate security controls


Some Healthcare Industry Statistics

3% of 2009 reported breaches are from the healthcare industry, but sources vary up to 13%

One source reports that already in 2010 almost 12.7% of breaches and 26.4% of records breached are from the healthcare industry (131 breaches, 1.7 million records) as of Sept. 7, 2010#

The Department of Health and Human Services reported that it received 773 complaints in its HIPAA privacy enforcement program in April 2010, and 651 complaints in July for a total of 53,789 since enforcement began in April 2003†

° Ponemon Institute, 2009 Annual Study: Cost of a Data Breach

# www.idtheftcenter.com

† www.melamedia.com/HIPAA.stats


Some Healthcare Industry Statistics (continued)

Of the 4.7 million patient records breached, Business Associates accounted for 30%†

The healthcare industry has one of the highest rates of turnover of customers resulting from a data breach°

Paper records are still the most frequent source of breaches, but thefts of laptops and other portable electronic devices are more damaging

° Ponemon Institute, 2009 Annual Study: Cost of a Data Breach

# www.idtheftcenter.com

† www.melamedia.com/HIPAA.stats


Nonprofits as Users of Protected Information

Types of Information

Personal Information

Includes information collected in the course of receiving contributions (e.g., checks, wiring instructions, grant agreements, pledge cards), collecting membership dues, and receiving payments for program services and special events; may also include information gathered by planned giving and major gift officers during donor cultivation meetings; also includes personal information collected about employees and volunteers


Nonprofits as Users of Protected Information (continued)

Protected Health Information

Includes medical records, billing information, and insurance information held by a Covered Entity or a Business Associate, but not information held by an employer in its capacity as an employer, and not information protected by FERPA

Other Confidential Information

Educational Records – FERPA

Trade secrets and other commercially valuable information


Nonprofits as Users of Protected Information (continued)

Which Rules Apply to Your Organization?

Changes in your operations or customers may change your legal status—e.g. you could become a covered entity or a business associate if you start providing services to employer-sponsored health plans

Rules and standards are in transition

Recipients of Donations

Sellers of Goods and Services

Educational Institutions

Health Nonprofits

Other

Employers


What Constitutes a Data Breach? Definitions of PI and PHI

The Current Focus: Personal Information that can be used for Identity Theft

Generally, first and last name, or first initial and last name, plus one or more of the following:

Social Security Number

Driver's License or Government Issued ID

Financial Account Number, or Credit or Debit Card Number, with or without any required security code, access code, PIN or password, that would permit access to a financial account

Some states include health and medical information

Basically, personally identifiable financial and health information of individuals

Electronic or Paper, depending on the jurisdiction, but electronic under FTC and most state rules


What Constitutes a Data Breach? Definitions of PI and PHI (continued)

Protected Health Information

Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and: (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) that identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual


What Constitutes a Data Breach? General Definitions

Federal - HIPAA

“Breach” means the unauthorized acquisition, access, use or disclosure of PHI that compromises the security or privacy of the PHI and poses a significant risk of financial, reputational, or other harm to the individual. Not all violations of either the Privacy Rule or the Security Rule constitute breaches of PHI


What Constitutes a Data Breach? General Definitions (continued)

States

Massachusetts

Unauthorized acquisition or unauthorized use of unencrypted data, or encrypted data and the encryption key that is capable of compromising the security, confidentiality or integrity of PI that creates a substantial risk of ID theft or fraud

Some states have a harm or likelihood-of-harm standard; others do not

Contractual
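As an added example (not part of the presentation), the PI definition above and the Massachusetts breach definition can be turned into a record-screening check for breach-impact assessment: it flags rows that carry a name plus a triggering data element, and counts them as reportable only if the data was unencrypted or the encryption key was also compromised. The column names, the sample rows and the Luhn check used to recognise a card number are assumptions of this example, not taken from the slides.

```python
import re
from typing import Dict, List, Set

# Constructed donor-database rows (fictional people) used to exercise the check.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"first_name": "Jane", "last_name": "Doe", "card_number": "4111 1111 1111 1111"},
    {"first_name": "J.", "last_name": "Roe", "ssn": "123-45-6789"},            # initial + last name counts
    {"first_name": "Pat", "last_name": "Lee", "email": "pat@example.org"},      # contact data only
    {"first_name": "", "last_name": "Smith", "drivers_license": "S12345678"},   # no first name or initial
    {"first_name": "Ann", "last_name": "Kim", "card_number": "4111 1111 1111 1112"},  # fails Luhn
]

SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell a real card number from a stray digit string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def data_elements(rec: Dict[str, str]) -> Set[str]:
    """Return which triggering elements (per the slides' PI definition) the row holds."""
    found: Set[str] = set()
    if SSN_RE.match(rec.get("ssn", "").strip()):
        found.add("ssn")
    if rec.get("drivers_license", "").strip() or rec.get("government_id", "").strip():
        found.add("government_id")
    card = re.sub(r"[\s-]", "", rec.get("card_number", ""))
    if 13 <= len(card) <= 19 and card.isdigit() and luhn_ok(card):
        found.add("card_number")
    if rec.get("account_number", "").strip():
        found.add("financial_account")
    return found


def is_personal_information(rec: Dict[str, str]) -> bool:
    """PI = (first name or initial) + last name, plus at least one triggering element."""
    has_name = bool(rec.get("first_name", "").strip()) and bool(rec.get("last_name", "").strip())
    return has_name and bool(data_elements(rec))


def reportable_records(records: List[Dict[str, str]], encrypted: bool = False,
                       key_compromised: bool = False) -> List[Dict[str, str]]:
    """Massachusetts-style test: unencrypted PI, or encrypted PI together with the key.
    Health data, which some states also include, is outside this check."""
    if encrypted and not key_compromised:
        return []
    return [r for r in records if is_personal_information(r)]


if __name__ == "__main__":
    for r in reportable_records(SAMPLE_RECORDS):
        print(r["last_name"], sorted(data_elements(r)))
```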


What Constitutes a Data Breach?

How do Breaches Occur? Causes: Carelessness, Maliciousness and Other Incidents

Some types of breaches:

Paper records improperly disposed

Stolen or lost laptops

Lost backup tapes

Stolen hard drives

Fired employees use passwords that aren't cancelled

Improperly mailed/faxed patient records

Illegal sale of patient information (e.g. insurance IDs)

Insiders, outsiders, third party providers (vendors and Business Associates)


HIPAA and Fundraising: Current Rule

Current Privacy Rule permits limited uses and disclosures of PHI to support fundraising by a covered entity without an Authorization

Demographic information

Dates of health care services provided

Individuals can opt out, and CE must make “reasonable efforts” to honor that request

Individual must be put on notice through the Notice of Privacy Practices


HIPAA and Fundraising: Current Rule (continued)

Other potentially useful information cannot be used or disclosed without an Authorization:

Physician name

Department or Service (e.g. cardiology unit)

Outcomes Information

Result: Solicitations not well-targeted


HIPAA and Fundraising: Proposed Rule

Proposal to update based on HITECH changes

HITECH requires a “clear and conspicuous” notice of the right to opt out of receiving further fundraising communications

Rule would require that each communication include notice of the opt out right

Opt out must not involve “undue burden or more than nominal costs”

CE cannot condition treatment or payment based on opt out

Clear ban on further fundraising communication after opt out is exercised


HIPAA and Fundraising: Requests for Comment

OCR has solicited comment on whether the rule should permit more information, such as departmental information, to be used for fundraising

OCR also has solicited comment on how the opt out right should be implemented


Breach Prevention: An Ounce of Prevention

Information Security

Assemble the Right Team

Legal

IT

Personnel

Operations

Administration

Identify Applicable Requirements

States, like Massachusetts

Federal

HIPAA and HITECH

Develop, upgrade and implement written Policies and Procedures

Implement appropriate Technology


Breach Prevention: An Ounce of Prevention (continued)

Review Contractual Obligations

BA Agreements

PCI-DSS

PayPal and other Online Donations

Identify existing Safeguards

Policies and Procedures

Review and Document Unwritten Practices and Capabilities

Identify and Satisfy applicable requirements

Train, Monitor, Report and Update

Security Risk Assessment


Breach Prevention: An Ounce of Prevention (continued)

Gap Analysis and Remediation

Third party validation:

Penetration testing

Security Audit

Adherence to Industry Standards (how to determine if your safeguards were “reasonable and appropriate”)


Breach Response: Customer/Client Retention

How a Company Responds to a Data Breach Can Significantly Affect Customer/Client Retention

According to a recent study:

83% of consumers surveyed reported receiving a data breach notification during the prior 24 months

63% said the notification offered them no direction on steps to take to protect themselves, and as a result:

31% terminated their relationship

57% said they lost their trust and confidence

Source: Consumers’ Report Card on Data Breach Notification, April 15, 2008, conducted by Ponemon Institute and sponsored by ID Experts


Breach Response: Customer/Client Retention (continued)

Lawsuits based on breaches often include causes of action based on allegations of:

Failure to timely and properly notify affected individuals

Result and damages


Breach Response: Key Steps

Plan in advance

Assemble the Right Team

Legal

IT

Operations

Customer Relations

Government Relations

Public Relations

Forensics - Do you hire an outside expert?


Breach Response: Key Steps (continued)

Develop and Disseminate Breach Response Protocol

Immediate Identification and Escalation

Containment

Assessment

Forensics

Analysis

Communication

When a Potential Breach Incident Occurs, Follow the Protocol

Post-Mortem Review


Breach Response: HIPAA Breach Notification

Breach notification to Individuals is required by Section 13402 of HITECH in the event of a data breach of “unsecured” PHI

Notice is not needed if the data is Unusable, Unreadable or Indecipherable (i.e. “secured PHI”).

Notice not needed if the data is not PHI

Notice is not needed for Limited Data Sets (as defined by HIPAA) that have had birth dates and zip codes removed


Breach Response: Discovery of a Breach – HIPAA

A breach is deemed discovered by a covered entity or business associate on the first day the breach is known to the covered entity

The breach is treated as “known” as of the first day that the covered entity would have known of the breach if it had exercised “reasonable diligence”

Reasonable diligence is the “business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances”

Ignorance is not bliss!


Breach Response: Timing of Notice

HIPAA notice must be given promptly, and not later than 60 days after discovery of the breach

A CE should give actual notice to the individual

BA must notify CE, who in turn must notify the individual

Substitute notice permitted where contact information is not available

Urgent notice by telephone is permitted, but does not replace the need for written notice


Breach Response: Timing of Notice (continued)

State laws, including Insurance Department bulletins, must be reviewed for short, agency-specific reporting requirements

MA – Section 93H: “As soon as practicable and without unreasonable delay”

CT – Statute says “without unreasonable delay” but Insurance Department bulletin requires notice to Insurance Department no later than 5 days

FL – 45 days

Other states


Breach Response: HIPAA – Alert the Media and the Secretary

Required if the breach impacts 500 or more individuals

Must use a “Prominent Media Outlet”

The media outlet must have appropriate coverage in light of the location of the individuals (citywide, statewide, etc.)

Immediate notice to the Secretary for large breaches.

Breach log to aggregate events involving fewer than 500 persons, with annual submission to the Secretary
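As an added example that is not from the presentation, the HIPAA/HITECH notification rules on the preceding slides (discovery date under reasonable diligence, the 60-day outer limit, CE and BA roles, the 500-individual threshold for media and Secretary notice, the breach log for smaller events, and the exceptions for secured PHI and stripped Limited Data Sets) can be captured as one decision routine. The Incident fields and the three sample incidents are assumptions constructed for illustration; state-law deadlines and substitute notice are not modelled.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List


@dataclass
class Incident:
    entity_type: str                  # "covered_entity" or "business_associate"
    phi_involved: bool                # data meets the PHI definition
    secured: bool                     # unusable/unreadable/indecipherable (e.g. encrypted, key not exposed)
    stripped_limited_data_set: bool   # Limited Data Set with birth dates and zip codes removed
    significant_risk_of_harm: bool    # risk test in the breach definition the slides describe
    individuals_affected: int
    known_on: date                    # first day the entity actually knew
    should_have_known_on: date        # first day reasonable diligence would have revealed it


def discovery_date(inc: Incident) -> date:
    """Deemed discovered on the earlier of actual and constructive knowledge."""
    return min(inc.known_on, inc.should_have_known_on)


def notification_required(inc: Incident) -> bool:
    """Individual notice applies only to a breach of unsecured PHI; the exceptions
    on the slides (secured PHI, not PHI, stripped LDS) and the harm test remove it."""
    if not inc.phi_involved or inc.secured or inc.stripped_limited_data_set:
        return False
    return inc.significant_risk_of_harm


def obligations(inc: Incident) -> List[str]:
    """List the notice steps the slides describe, in order, for this incident."""
    if not notification_required(inc):
        return ["no individual notice required"]
    deadline = discovery_date(inc) + timedelta(days=60)
    steps: List[str] = []
    if inc.entity_type == "business_associate":
        steps.append("BA notifies the covered entity, which notifies the individuals")
    else:
        steps.append("CE gives written notice to each individual")
    steps.append(f"notice promptly and no later than {deadline.isoformat()}")
    if inc.individuals_affected >= 500:
        steps.append("notice to a prominent media outlet covering where the individuals live")
        steps.append("immediate notice to the Secretary of HHS")
    else:
        steps.append("record in the breach log for annual submission to the Secretary")
    return steps


# Constructed sample incidents (not real events).
LOST_LAPTOP = Incident("covered_entity", True, False, False, True, 1200,
                       known_on=date(2010, 9, 20), should_have_known_on=date(2010, 9, 3))
ENCRYPTED_TAPE = Incident("business_associate", True, True, False, True, 50000,
                          known_on=date(2010, 10, 1), should_have_known_on=date(2010, 10, 1))
MISDIRECTED_FAX = Incident("business_associate", True, False, False, True, 120,
                           known_on=date(2010, 10, 5), should_have_known_on=date(2010, 10, 5))

if __name__ == "__main__":
    for inc in (LOST_LAPTOP, ENCRYPTED_TAPE, MISDIRECTED_FAX):
        print(inc.individuals_affected, obligations(inc))
```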


Enforcement Triggers

Large breaches will be reported in the media

See www.breachblog.com or www.idtheftcenter.org

Enforcement may accompany

Identity theft prosecutions

Investigations under Computer Fraud and Abuse Act

False Claims Investigations

Any breach incident


Enormous Exposures for Data Breach

Potential First Party Costs

Forensic costs

Determining what happened and how to stop/prevent recurrence

Professional advice on requirements triggered and their content

Notification costs

Content, printing, mailing

Call centers and other follow-up

Mitigation costs

Credit monitoring, etc.

Reputational Harm/Lost business


Enormous Exposures for Data Breach (continued)

HIPAA imposes civil monetary penalties for violations of the security rule, with a sliding scale based on intent and number of standards violated

Criminal penalties for intentional misuse of protected health information

Violations of Massachusetts data security rule (and other state requirements) may implicate civil penalties and damages under the state consumer protection law


Enormous Exposures for Data Breach (continued)

Potential Third Party Claims

By consumer subject to Identity theft and other data losses

Fear of unauthorized use/identity theft without improper use generally insufficient

By others with resulting losses

Banks, credit unions and other issuers of payment cards that pay for fraudulent transactions and card replacements – claims being made, some dismissed

Insurers of those who pay

Other merchants, etc. affected by card cancellations and fraudulent transactions


Mitigating Exposures: Prevention Recap

Compliance

Statutes, regulations and industry standards directed at data protection

Limiting Access and Retention

What is necessary

Who has access

Duration of retention


Mitigating Exposures: Prevention Recap (continued)

Studies report that over 90% of breaches were preventable with minimum to moderate security

Vendor/service providers – ensuring data security procedures in place

Buy in at highest levels

Training/Awareness

Common sense precautions

Recognize, identify and protect against your own exposure to data breach


Conclusion

Data security is an area requiring attention of all employers, financial services firms, and healthcare providers, and anyone else who obtains or maintains personal financial or health information

Compliance and Prevention are on-going efforts

The costs of not complying with regulatory requirements include Legal, Regulatory, Contractual and Reputational Risks

Data breaches are a growing exposure with increasing costs

EAPD Contacts

Theodore P. Augustinos, 20 Church Street, Hartford, CT, [email protected]

Andrew M. Grumet, 750 Lexington Avenue, New York, NY 10022, [email protected]

David S. Szabo, 111 Huntington Avenue, Boston, MA 02199, [email protected]