Developing Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite?

Size: px

Start display at page:

Download "Developing Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite?"

Georgiana Anthony
5 years ago
Views:

1 Developing Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite? Minnesota RIMS 39 th Annual Seminar Risk : Can You Hack It? Managing New Risks in the Information Age January 26, 2012 Melissa J. Krasnow, Partner and Certified Information Privacy Professional This presentation was created by Dorsey & Whitney LLP, 50 South Sixth Street, Suite 1500, Minneapolis, MN This presentation is intended for general information purposes only and should not be construed as legal advice or legal opinions on any specific facts or circumstances. An attorney-client relationship is not created or continued by sending and/or receiving this presentation. Members of Dorsey & Whitney will be pleased to provide further information regarding the matters discussed in this presentation.

2 Breaches Breaches and incidents (including cyber and hacking attacks) frequently occur, are reported and publicized by the media and on the internet Legal issues and business considerations Data crosses country borders 1

3 State breach notification laws Cover personal information, meaning name, plus any of: social security number driver s license number financial account information (e.g., credit card, bank account, etc.) in some cases, health information 2012 amendments to state breach notification laws (e.g., California, Illinois and Texas) Calls for national breach notification law 2

4 Enforcement of state breach notification laws varies State attorney general enforcement in Minnesota Private right of action in California Administrative fines in Florida 3

5 Massachusetts privacy regulation Covers any entity (regardless of whether in Massachusetts) with access to Massachusetts resident personal information Written information security program (WISP) must be implemented: encryption of personal information transmitted wirelessly and stored on portable devices third party service provider to an entity by contract provision must implement and maintain appropriate security measures for personal information (March 1, 2012 deadline for contracts entered into on or before March 1, 2010; effective for contracts entered into after March 1, 2010) 4

6 Massachusetts privacy regulation documentation of actions taken in response to incident involving a breach and mandatory post-incident review to make changes in business practices for protection Reporting a breach to the Massachusetts attorney general (which is required under the Massachusetts breach notification law) could trigger an investigation of a reporting entity, including that the entity submit its WISP for review Massachusetts attorney general privacy enforcement actions 5

7 State social security number laws Could be implicated in a breach involving social security numbers 6

8 Federal HIPAA / HITECH Act breach notification Applies to covered entities and business associates Covered entity means (i) health plan, (ii) health care clearinghouse or (iii) health care provider Business associate that (i) on behalf of a covered entity, performs activity involving use or disclosure of individually identifiable health information or (ii) provides legal, actuarial, accounting, consulting, management, administrative, accreditation or financial services for the covered entity involving the disclosure of individually identifiable health information from the covered entity to the person 7

9 Federal HIPAA / HITECH Act breach notification Protected health information means individually identifiable health information relating to health care treatment, a health condition or payment for the provision of health care Covered entity notification to each individual, U.S. Department of Health and Human Services (if breach involves more than 500 individuals) and prominent media outlet (if breach involves more than 500 residents of state or jurisdiction) Business associate notification to covered entity 8

10 Enforcement of federal HIPAA / HITECH Act U.S. Department of Health and Human Services enforcement Civil penalties Criminal penalties State attorney generals also can bring civil actions No private right of action 9

11 Review information and documentation and determine applicable laws Personally identifiable information what, where and in which form is it? Which company policies and procedures and agreements have provisions relating to privacy and confidentiality? Determine which laws apply and what the requirements are (e.g., policies and procedures and agreements) Sometimes, policies and procedures are advisable, though not required by law Which federal and state and other laws apply? 10

12 Be prepared Prepare policies and procedures and ensure they are consistent and integrated with company policies and procedures Devise a roadmap of what to do in the event of a possible breach Consider handling of investigations How should a company respond internally and externally to media, employees and others about breach circumstances and status? 11

13 SEC guidance on cybersecurity and cyber incident disclosure Securities and Exchange Commission (SEC) guidance about public company disclosure of cybersecurity risks and cyber incidents: not a rule, regulation or statement of the SEC no disclosure requirement specifically refers to cybersecurity risks and cyber incidents certain disclosure obligations may require discussion of cybersecurity risks and cyber incidents 12

14 SEC guidance on cybersecurity and cyber incident disclosure risk factors (if among the most significant factors that make an investment in the company speculative or risky), for example: aspects of the company s business that give rise to material cybersecurity risks and the potential costs and consequences description of material cyber incidents experienced by the company and the costs and other consequences 13

15 SEC guidance on cybersecurity and cyber incident disclosure management s discussion and analysis of financial condition and results of operations description of business (if materially affects its products, services, relationships with customers or suppliers or competitive conditions) legal proceedings (where a party to a material pending legal proceeding that involves a cyber incident) disclosure controls and procedures (where poses a risk to the company s ability to record, process, summarize and report information required to be disclosed in SEC filings) financial statement disclosure 14

16 Privacy developments Federal Trade Commission preliminary report on privacy in 2010 final report in 2012 FTC proposed amendments to the Children s Online Privacy Protection Act in September 2011 Department of Commerce green papers in 2010 and 2011 white paper in 2012 Cybersecurity legislation with critical infrastructure focus called for by the Obama administration 15

17 Any questions? Melissa J. Krasnow (612) 16

Data Privacy & Protection

Data Privacy & Protection March 10, 2016 Data Breach Notification and Cybersecurity Developments in 2016 Melissa J. Krasnow, Dorsey & Whitney LLP, and Certified Information Privacy Professional/US This