California Amends its Data Breach Notification Law

A new amendment to California’s security breach notification statute establishes specific content requirements for data breach notifications and imposes a new Attorney General notification requirement for breaches affecting more than 500 California residents. Senate Bill 24 (“SB 24”) was signed on August 31, 2011 by California governor Jerry Brown and will take effect January 1, 2012. Since 2003, when California enacted the first-of-its-kind data breach notification laws (Cal. Civ. Code §§ 1798.29 & 1798.82), California law has required any person, business or state agency that owns or licenses computerized data that includes certain personal information to notify individuals when there has been a breach of that personal information, but it did not specify what information the notification should contain. California now joins the ranks of several other states whose data breach notification laws contain breach notification content mandates.

SB 24 requires all breach notifications to include the name and contact information of the notifying person or entity and a list of the types of personal information compromised, or reasonably believed to have been compromised. The notifying person or entity must also provide the toll-free telephone numbers and addresses of the three major credit reporting agencies (TransUnion, Equifax and Experian) if the breach exposed a Social Security number, driver’s license number, or California identification card number. Notifications must also be written in “plain language” and provide a general description of the breach if this information has been determined.

If it is possible to determine at the time of the breach, the notification must provide the date of the breach, an estimated date of the breach, or a date range within which the breach occurred. Each notice should include the date of the notice. The notification must also state whether the notification was delayed because of a law enforcement investigation.  The law allows, but does not require, the person or business to provide information regarding what the person or business has done to protect individuals whose information has been breached and recommendations on how individuals can protect themselves.

Special requirements also apply to larger-scale breaches. The law requires any agency, person or business that notifies more than 500 California residents to submit a single sample copy of the notification (excluding any personally identifiable information) to the Attorney General.

In addition, SB 24 provides that HIPAA covered entities following the HITECH Act breach notice requirements will be deemed in compliance with the SB 24 content requirements, but such entities will still have to comply with the Attorney General notice provision.

SB 24 follows recent proposals at the federal level to implement a nationwide data breach notification requirement. See our recent post for more information.

Cloud Computing for Regulated Industries: Security Requirements Differ

Data stored in the cloud will be subject to numerous data security laws, explains Hogan Lovells partner Phil Porter in a recent article. Specific types of data will trigger different security regulations, ranging from HIPAA rules for health data, to Gramm-Leach-Bliley Act rules for financial services data, to COPPA for data about children. Hosting data in the cloud in the U.S. might also subject the data to U.S. national security rules, including the USA PATRIOT Act. Cloud service providers and customers need to tailor their contractual provisions to match these regulatory imperatives.

HIPAA Security Rule Oversight by HHS is 'Insufficient' According to the OIG

The U.S. Department of Health and Human Services Office of the Inspector General issued two reports yesterday criticizing the Centers for Medicare and Medicaid Services (“CMS”) and the Office of the National Coordinator for Health IT (“ONC”) for doing too little to protect the security of patient health information. The first report, Nationwide Rollup Review of the Centers for Medicare & Medicaid Services HIPAA Oversight, found that CMS oversight and enforcement "were not sufficient to ensure that covered entities, such as hospitals, effectively implemented the Security Rule."

The second report,  Audit of Information Technology Security Included in Health Information Technology Standards, took ONC to task for failing to include requirements for adequate IT security controls in its requirements for health care providers to qualify for incentive payments to adopt electronic health records under the “meaningful use” program. The report recommends that ONC: (1) broaden its focus to include well-developed general IT security controls for supporting systems, networks, and infrastructures; (2) use its leadership role to provide guidance to the health industry on established general IT security standards and IT industry security best practices; (3) emphasize to the medical community the importance of general IT security; and (4) coordinate its work with CMS and OCR to add general IT security controls where applicable.

OIG's summaries of the two reports, including links to copies of the complete reports, are available at the following links:

Nationwide Rollup Review of the Centers for Medicare & Medicaid Services HIPAA Oversight

Audit of Information Technology Security Included in Health Information Technology Standards


OCR Issues Guidance on Risk Analysis for HIPAA Security Compliance

On Friday, May 7, 2010, the Office for Civil Rights (“OCR”) issued guidance related to the HIPAA Security Rule’s risk analysis requirement.  Under HITECH, OCR is responsible for issuing annual guidance on provisions of the HIPAA Security Rule.  This guidance is the first in a series of documents aimed at helping covered entities and business associates implement effective and appropriate administrative, physical, and technical security safeguards. 

This guidance document is generally consistent with the materials provided by the Centers for Medicare and Medicaid Services (“CMS”) prior to the introduction of HITECH. For example, like the recently released OCR guidance, CMS historically directed covered entities to refer to the National Institute of Standards and Technology’s Special Publication 800-66 Rev. 1, An Introductory Resource Guide for Implementing the HIPAA Security Rule (October 2008) (“NIST 800-66”). NIST 800-66 frequently directs readers to consult NIST SP 800-30, Risk Management Guide for Information Technology Systems (July 2002), which is also quoted extensively in the recently released OCR guidance. Moreover, the OCR guidance is quite similar to the HIPAA Security Series, Paper 6: Basics of Risk Analysis and Risk Management, which was most recently revised by CMS in March 2007.

OCR encourages the public to offer feedback on the risk analysis guidance. Comments can be submitted to OCR at OCRPrivacy@hhs.gov.