Editor's Note: This article is the second in a series that highlights some of the substantial risks associated with the loss of sensitive data and summarizes ways you can protect your organization from such risks.
As we outlined in the March 2010 issue of the Litigation & Counseling Alert, losing sensitive personal information or having a breach of computer systems that store such information can have significant economic consequences. This month, we address two legislative attempts designed to protect confidential data and information disclosure: the HITECH Act and the Red Flags Rule.
Health care providers and health plans have been subject to regulations governing the privacy and security of protected health information for some time under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The American Recovery and Reinvestment Act of 2009, however, made several significant changes to HIPAA through the Health Information Technology for Economic and Clinical Health Act, also known as the HITECH Act.
One of the major provisions of the HITECH Act requires "covered entities" (defined by HIPAA to include health care providers, health plans and health clearinghouses) to notify individuals of any "breach" of their "unsecured protected health information" (defined as protected health information that is not secured through the use of technology or methodology). Methods of securing protected health information, including encryption and destruction, must make the data "unusable, unreadable or indecipherable."
In addition to the basic notification requirement, a covered entity now has additional reporting obligations if the breach involves more than 500 individuals. In these instances, the covered entity must report the breach to the Secretary of Health and Human Services (HHS), who will then make available on the HHS website a list that identifies each covered entity involved in a breach. If a breach involves more than 500 individuals from a single state or jurisdiction, the covered entity must also notify prominent media outlets serving that state or jurisdiction.
Another major provision of the HITECH Act affects the so-called "business associates" of the covered entities. HIPAA already required that business associates have agreements with covered entities governing the use and disclosure of protected health information; however, it was the covered entity that was directly responsible for compliance. The HITECH Act amends HIPAA by also requiring business associates to comply with many of the HIPAA privacy and security rules. As of February 10, 2010, even business associates will need policies and procedures regarding the privacy and security of protected health information. In addition, business associates are required to report to covered entities instances in which the business associate is aware of a breach of unsecured protected health information.
In light of the HITECH Act, business associates must now evaluate whether they are in compliance with the HIPAA privacy and security rules. In particular, covered entities and their business associates should determine whether or not their existing agreements require amendment. For general information about the HITECH ACT, visit the HHS website. For legal advice regarding your particular situation, businesses should consult with their attorneys.
Red Flags Rule
In addition to the statutes and regulations specific to certain industries (primarily health care), a new regulation has been issued that applies to a wide range of businesses. Known as the Red Flags Rule, the regulation goes into effect on June 1, 2010 and will be enforced by the Federal Trade Commission (FTC), all federal bank regulatory agencies and the National Credit Union Administration.
The Red Flags Rule requires that all organizations subject to the Fair and Accurate Credit Transactions Act of 2003 (FACTA) develop and implement a formal, written and revisable "Identity Theft Prevention Program" to detect, prevent and mitigate identity theft.
This new regulation applies to financial institutions and creditors with so-called "covered accounts," which include such things as credit card accounts, mortgage loans, auto loans, margin accounts, cell phone accounts, utility accounts, checking accounts and most types of savings accounts. In fact, any account for which there is a foreseeable risk of identity theft is a covered account under the Red Flags Rule. "Financial institution" is defined broadly as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a transaction account belonging to a consumer. A "transaction account" is considered a deposit or other account from which the owner makes payments or transfers, including checking accounts, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.
What makes the Red Flags Rule so sweeping, however, is its applicability to "creditors," which are defined as any entity with covered accounts that regularly extends, renews or continues credit; any entity that regularly arranges for the extension, renewal or continuation of credit; or any assignee of an original creditor that is involved in the decision to extend, renew or continue credit.
Accepting credit cards as a form of payment, by itself, does not make an entity a creditor. The range of businesses that fall within the scope of this definition, however, is enormous and includes finance companies, automobile dealers, mortgage brokers, utilities and telecommunication companies. The FTC has argued that law firms are also creditors for purposes of the Red Flags Rule, but the Federal District Court in Washington, D.C., ruled otherwise in early 2010. The FTC recently announced that it will appeal that decision.
Even not-for-profit organizations and government entities are not exempt. If they defer payment for goods or services, they will be treated as creditors for purposes of the Red Flags Rule.
To comply with this sweeping legislation, businesses must develop a written program that identifies and detects the warning signs of identity theft. These "red flags" fall into five general categories:
- Alerts, notifications or warnings from a consumer reporting agency
- Suspicious documents
- Suspicious personally identifying information, such as a suspicious address
- Unusual use of or suspicious activity relating to a covered account
- Notices from customers, victims of identity theft, law enforcement authorities or other businesses about possible identity theft in connection with covered accounts
The written program must describe appropriate responses that would prevent and mitigate identity theft, and detail a plan to update the program. Furthermore, it must be managed by the business' board of directors (or senior employees in the case of a financial institution or creditor), include appropriate staff training, and provide for oversight of any service providers used by the business.
Many businesses already have general risk policies and procedures in place, but even those may not pass muster under the Red Flags Rule. In fact, the final regulation requires a separate Identity Theft Prevention Program, although it can reference other policies and procedures already in place to avoid unnecessary duplication.
The Red Flags Rule does not require businesses to be perfect in order to be in compliance. If the FTC or other governing agency raises an issue, the business will have an opportunity to show that it made a "reasonable effort" to comply with the regulation. Failure to comply may result in agency-imposed sanctions. Of even greater concern, however, is the risk associated with lawsuits that could result from failing to comply, as well as damage to the business' reputation.
For general information about the Red Flags Rule, visit the news section of the FTC's website and its How-To Guide for Business. For legal advice regarding your particular situation, businesses should consult with their attorneys.
In Part 3 of this series, we will address the Gramm Leach Bliley Act. In addition, we will look at several ways that companies can use contractual provisions to reduce their risks regarding data security and privacy. We will also discuss the availability of insurance to cover data theft and privacy breaches, along with the important questions to ask your insurance brokers and legal advisors.