What Does Privacy Law and Data Security Have to Do With Nonprofits?
Theodore P. Augustinos, Partner
Hartford, Connecticut
Andrew M. Grumet, Partner
New York, New York
David S. Szabo, Partner
Boston, Massachusetts
November 9, 2010
Agenda
The Significance of Privacy Data Breach Issues
Nonprofits as Users of Protected Information
What Constitutes a Breach
HIPAA and Fundraising
Breach Prevention
Breach Response
Enforcement and Exposure Issues
Data Breaches Are Everywhere: Some Nightmare Statistics of 2009
222 million records were reported to have been potentially compromised in 2009
As of August 2010, there were 404 reported breaches, making 2010 on track to substantially exceed 2009’s 498 reported breaches
Average total cost of a data breach per company in 2009 was more than $6.75 million (with range of $750,000 to $31 million in one study)
Average cost per record compromised was $204 in 2009
$144 of that pertains to indirect costs such as customer departures (lost business)
Data Breaches Are Everywhere: Some Nightmare Statistics of 2009 (continued)
48% caused by insiders; 11% implicated business partners
85% of attacks on data were not considered highly difficult
Over 90% of breaches were avoidable through simple to moderate security controls
Some Healthcare Industry Statistics
3% of 2009 reported breaches are from the healthcare industry, but sources vary up to 13%
One source reports that already in 2010 almost 12.7% of breaches and 26.4% of records breached are from the healthcare industry (131 breaches, 1.7 million records) as of Sept. 7, 2010 #
The Department of Health and Human Services reported that it received 773 complaints in its HIPAA privacy enforcement program in April 2010, and 651 complaints in July for a total of 53,789 since enforcement began in April 2003†
° Ponemon Institute, 2009 Annual Study: Cost of a Data Breach
# www.idtheftcenter.com
† www.melamedia.com/HIPAA.stats
Some Healthcare Industry Statistics (continued)
Of the 4.7 million patient records breached, Business Associates accounted for 30%†
The healthcare industry has one of the highest rates of turnover of customers resulting from a data breach °
Paper records are still the most frequent source of breaches, but theft of laptops and other portable electronic devices is the more damaging
Nonprofits as Users of Protected Information
Types of Information
Personal Information
Includes information collected in the course of receiving contributions (e.g., checks, wiring instructions, grant agreements, pledge cards), collecting membership dues, and receiving payments for program services and special events; may also include information gathered by planned giving and major gift officers during donor cultivation meetings; also includes personal information collected about employees and volunteers
Nonprofits as Users of Protected Information (continued)
Protected Health Information
Includes medical records, billing information, and insurance information held by a Covered Entity or a Business Associate, but not information held by an employer in its capacity as an employer, and not information protected by FERPA
Other Confidential Information
Educational Records – FERPA
Trade secrets and other commercially valuable information
Nonprofits as Users of Protected Information (continued)
Which Rules Apply to Your Organization?
Changes in your operations or customers may change your legal status—e.g. you could become a covered entity or a business associate if you start providing services to employer-sponsored health plans
Rules and standards are in transition
Recipients of Donations
Sellers of Goods and Services
Educational Institutions
Health Nonprofits
Other
Employers
What Constitutes a Data Breach? Definitions of PI and PHI
The Current Focus: Personal Information that can be used for Identity Theft
Generally, first and last name, or first initial and last name, plus one or more of the following:
Social Security Number
Driver's License or Government Issued ID
Financial Account Number, or Credit or Debit Card Number, with or without any required security code, access code, PIN or password, that would permit access to a financial account
Some states include health and medical information
Basically, personally identifiable financial and health information of individuals
Electronic or Paper, depending on the jurisdiction, but electronic under FTC and most state rules
What Constitutes a Data Breach? Definitions of PI and PHI (continued)
Protected Health Information
Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and: (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) that identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual
What Constitutes a Data Breach? General Definitions
Federal - HIPAA
“Breach” means the unauthorized acquisition, access, use or disclosure of PHI that compromises the security or privacy of the PHI and poses a significant risk of financial, reputational, or other harm to the individual. Not all violations of either the Privacy Rule or the Security Rule constitute breaches of PHI
What Constitutes a Data Breach? General Definitions (continued)
States
Massachusetts
Unauthorized acquisition or unauthorized use of unencrypted data, or encrypted data and the encryption key that is capable of compromising the security, confidentiality or integrity of PI that creates a substantial risk of ID theft or fraud
Some states have harm or likelihood of harm standard; others do not
Contractual
What Constitutes a Data Breach? How do Breaches Occur?
Causes: Carelessness, Maliciousness and Other Incidents
Some types of breaches:
Paper records improperly disposed
Stolen or lost laptops
Lost backup tapes
Stolen hard drives
Fired employees use passwords that aren't cancelled
Improperly mailed/faxed patient records
Illegal sale of patient information (e.g. insurance IDs)
Insiders, outsiders, third party providers (vendors and Business Associates)
HIPAA and Fundraising Current Rule
Current Privacy Rule permits limited uses and disclosures of PHI to support fundraising by a covered entity without an Authorization
Demographic information
Dates of health care services provided
Individuals can opt out, and CE must make “reasonable efforts” to honor that request
Individual must be put on notice through the Notice of Privacy Practices
HIPAA and Fundraising Current Rule (continued)
Other potentially useful information cannot be used or disclosed without an Authorization:
Physician name
Department or Service (e.g. cardiology unit)
Outcomes Information
Result: Solicitations not well-targeted
HIPAA and Fundraising Proposed Rule
Proposal to update based on HITECH changes
HITECH requires a “clear and conspicuous” notice of the right to opt out of receiving further fundraising communications
Rule would require that each communication include notice of the opt out right
Opt out must not involve “undue burden or more than nominal costs”
CE cannot condition treatment or payment based on opt out
Clear ban on further fundraising communication after opt out is exercised
HIPAA and Fundraising Requests for Comment
OCR has solicited comment on whether the rule should permit more information, such as departmental information, to be used for fundraising
OCR also has solicited comment on how the opt out right should be implemented
Breach Prevention An Ounce of Prevention
Information Security
Assemble the Right Team
Legal
IT
Personnel
Operations
Administration
Identify Applicable Requirements
States, like Massachusetts
Federal
HIPAA and HITECH
Develop, upgrade and implement written Policies and Procedures
Implement appropriate Technology
Breach Prevention An Ounce of Prevention (continued)
Review Contractual Obligations
BA Agreements
PCI-DSS
PayPal and other Online Donations
Identify existing Safeguards
Policies and Procedures
Review and Document Unwritten Practices and Capabilities
Identify and Satisfy applicable requirements
Train, Monitor, Report and Update
Security Risk Assessment
Breach Prevention An Ounce of Prevention (continued)
Gap Analysis and Remediation
Third party validation:
Penetration testing
Security Audit
Adherence to Industry Standards (how to determine if your safeguards were “reasonable and appropriate”)
Breach Response Customer/Client Retention
How a Company Responds to a Data Breach Can Significantly Affect Customer/Client Retention
According to a recent study:
83% of consumers surveyed reported receiving data breach notification during prior 24 months
63% said notification offered them no direction on steps to take to protect themselves and as a result:
31% terminated their relationship
57% said they lost their trust and confidence
Source: Consumers' Report Card on Data Breach Notification, April 15, 2008, conducted by Ponemon Institute and sponsored by ID Experts
Breach Response Customer/Client Retention (continued)
Lawsuits based on breaches often include causes of action based on allegations of:
Failure to timely and properly notify affected individuals
Result and damages
Breach Response Key Steps
Plan in advance
Assemble the Right Team
Legal
IT
Operations
Customer Relations
Government Relations
Public Relations
Forensics - Do you hire an outside expert?
Breach Response Key Steps (continued)
Develop and Disseminate Breach Response Protocol
Immediate Identification and Escalation
Containment
Assessment
Forensics
Analysis
Communication
When a Potential Breach Incident Occurs, Follow the Protocol
Post-Mortem Review
Breach Response HIPAA Breach Notification
Breach notification to Individuals is required by Section 13402 of HITECH in the event of a data breach of “unsecured” PHI
Notice is not needed if the data is Unusable, Unreadable or Indecipherable (i.e. “secured PHI”).
Notice not needed if the data is not PHI
Notice is not needed for Limited Data Sets (as defined by HIPAA) that have had birth dates and zip codes removed
Breach Response Discovery of a Breach - HIPAA
A breach is deemed discovered by a covered entity or business associate on the first day the breach is known to the covered entity
The breach is treated as "known" as of the first day that the covered entity would have known of the breach if it had exercised "reasonable diligence"
Reasonable diligence is the "business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances"
Ignorance is not bliss!
Breach Response Timing of Notice
HIPAA notice must be given promptly, and not later than 60 days after the discovery of the breach
A CE should give actual notice to the individual
BA must notify CE, who in turn must notify the individual
Substitute notice permitted where contact information is not available
Urgent notice by telephone is permitted, but does not replace the need for written notice
Breach Response Timing of Notice (continued)
States, including Insurance Department bulletins, must be reviewed for short, agency-specific reporting requirements
MA – Section 93H: “As soon as practicable and without unreasonable delay”
CT – Statute says “without unreasonable delay” but Insurance Department bulletin requires notice to Insurance Department no later than 5 days
FL – 45 days
Other states
Breach Response HIPAA - Alert the Media and the Secretary
Required if the breach impacts 500 or more individuals
Must use a “Prominent Media Outlet”
The media outlet must have appropriate coverage in light of the location of the individuals (citywide, statewide, etc.)
Immediate notice to the Secretary for large breaches.
Breach log to aggregate events involving fewer than 500 persons, with annual submission to the Secretary
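The HITECH notification rules on the last three slides (secured PHI exception, discovery date, 60-day outside limit, 500-person threshold), written up as a triage helper a response team could keep in its protocol. This is an added example, not material from the presentation; the IncidentReport fields and the sample incidents are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class IncidentReport:
    """Facts the response team establishes during assessment (field names are assumptions)."""
    is_phi: bool                      # does the data meet the PHI definition?
    secured: bool                     # unusable, unreadable or indecipherable ("secured PHI")
    stripped_limited_data_set: bool   # limited data set with birth dates and zip codes removed
    individuals_affected: int
    first_known: str                  # ISO date: first day the CE/BA actually knew
    should_have_known: str            # ISO date: first day "reasonable diligence" would have revealed it
    held_by_business_associate: bool = False


def discovery_date(r: IncidentReport) -> date:
    """A breach is 'discovered' on the earlier of actual knowledge and reasonable-diligence knowledge."""
    return min(date.fromisoformat(r.first_known), date.fromisoformat(r.should_have_known))


def triage(r: IncidentReport) -> dict:
    """Apply the Section 13402 notification rules summarised on the slides."""
    if not r.is_phi or r.secured or r.stripped_limited_data_set:
        return {"notice_required": False,
                "actions": ["No HITECH breach notice required; document the analysis"]}
    discovered = discovery_date(r)
    actions = []
    if r.held_by_business_associate:
        actions.append("BA notifies the CE, which notifies the individuals")
    else:
        actions.append("CE gives written notice to the individuals")
    actions.append("Substitute notice where contact information is unavailable")
    if r.individuals_affected >= 500:
        actions.append("Notify a prominent media outlet covering the affected area")
        actions.append("Immediate notice to the Secretary")
    else:
        actions.append("Record in the breach log for annual submission to the Secretary")
    return {
        "notice_required": True,
        "discovered": discovered.isoformat(),
        # 60 days is the outside limit; notice is still due "promptly"
        "deadline": (discovered + timedelta(days=60)).isoformat(),
        "actions": actions,
    }
```

State rules (e.g. the 5-day Connecticut Insurance Department bulletin) run on their own clocks and would need to be layered on top of this federal check.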
Enforcement Triggers
Large breaches will be reported in the media
See www.breachblog.com or www.idtheftcenter.org
Enforcement may accompany
Identity theft prosecutions
Investigations under Computer Fraud and Abuse Act
False Claims Investigations
Any breach incident
Enormous Exposures for Data Breach
Potential First Party Costs
Forensic costs
Determining what happened and how to stop/prevent recurrence
Professional advice on requirements triggered and their content
Notification costs
Content, printing, mailing
Call centers and other follow-up
Mitigation costs
Credit monitoring, etc.
Reputational Harm/Lost business
Enormous Exposures for Data Breach (continued)
HIPAA imposes civil monetary penalties for violations of the security rule, with a sliding scale based on intent and number of standards violated
Criminal penalties for intentional misuse of protected health information
Violations of Massachusetts data security rule (and other state requirements) may implicate civil penalties and damages under the state consumer protection law
Enormous Exposures for Data Breach (continued)
Potential Third Party Claims
By consumer subject to Identity theft and other data losses
Fear of unauthorized use/identity theft without improper use generally insufficient
By others with resulting losses
Banks, credit unions and other issuers of payment cards that pay for fraudulent transactions and card replacements – claims being made, some dismissed
Insurers of those who pay
Other merchants, etc. affected by card cancellations and fraudulent transactions
Mitigating Exposures Prevention Recap
Compliance
Statutes, regulations and industry standards directed at data protection
Limiting Access and Retention
What is necessary
Who has access
Duration of retention
Mitigating Exposures Prevention Recap (continued)
Studies report that over 90% of breaches were preventable with minimum to moderate security
Vendor/service providers – ensuring data security procedures in place
Buy in at highest levels
Training/Awareness
Common sense precautions
Recognize, identify and protect against your own exposure to data breach
Conclusion
Data security is an area requiring attention of all employers, financial services firms, and healthcare providers, and anyone else who obtains or maintains personal financial or health information
Compliance and Prevention are on-going efforts
The costs of not complying with regulatory requirements include legal, regulatory, contractual and reputational risks
Data breaches are a growing exposure with increasing costs
EAPD Contacts
Theodore P. Augustinos, 20 Church Street, Hartford, CT, [email protected]
Andrew M. Grumet, 750 Lexington Avenue, New York, NY 10022, [email protected]
David S. Szabo, 111 Huntington Avenue, Boston, MA 02199, [email protected]