Summary Comparison of Current Senate Data Security and Breach Notification Bills


Five bills are compared. Each numbered item within a row is the corresponding provision of one of the five bills; the bills appear in the same order in every row.

Data Security Standards (reasonable measures)
1. None.
2. Any business dealing with information of 10,000 or more citizens would be subject to the security program requirements.
3. Reasonable policies to protect and secure sensitive account and personal information that are reasonably likely to result in substantial harm if it were subject to a data breach. These policies should be in line with the size of the covered entity, the use of the data, and the type of data in question.
4. The FTC would promulgate regulations within a year of the Bill's enactment that would require covered entities to create information security programs.
5. Any business dealing with information of 10,000 or more citizens would be subject to the security program requirements.

Specific Data Security Requirements
1. None listed.
2. (i) Risk Assessment; (ii) Risk Management; (iii) Data Minimization; (iv) Training; (v) Encryption.
3. None listed.
4. (i) Risk Assessment; (ii) Data Management Policies; (iii) Risk Management; (iv) Disposal.
5. (i) Risk Management; (ii) Training & Testing; (iii) Supervision of Third Parties; (iv) Assessment and Modernization.

Personal Information Definition
1. (a) First name or (b) first initial and last name, in combination with one of the following data elements: (i) Social security number; (ii) Government ID number; (iii) Financial account, credit, or debit card number, along with required security codes. Does not include encrypted, redacted, or secured data.
2. (a) First and last name, or (b) first initial and last name, in combination with any two of the following data elements: (i) Home address or telephone number; (ii) Mother's maiden name; (iii) Date of birth. The definition would also include: (i) Social security or other government ID number; (ii) Unique biometric data; (iii) Unique account identifiers, including credit and debit card numbers.
3. (a) An individual's first name and last name, (b) Address, or (c) Telephone number, in combination with
   Any combination of first and last name, or first initial and last name in combination with any one of the following data elements: (i) Social security number; (ii) Driver's license or other government ID number; (iii) Taxpayer identification number.
   (i) Unique account identifiers, credit or debit card numbers, or any security codes or source code to generate such codes.
4. (i) Non-truncated social security numbers; (ii) Financial account, credit or debit card numbers with any security code; or (a) First and last name, or (b) first initial and last name in combination with: (i) Driver's license or state identification document; (ii) Unique biometric data; (iii) Unique account identifier, user name, or routing code with a password that would allow access to anything of value; or any two of: (a) Home address or phone number, (b) Mother's maiden name, or (c) Date of birth.
5. Any of the following data elements in electronic form: (a) First and last name, or (b) first initial and last name, in combination with any two of the following: (i) Home address; (ii) Telephone number; (iii) Mother's maiden name; (iv) Date of birth; or a non-truncated government ID number; location data that is derived from an individual's electronic device, excluding device ID numbers and/or Internet Protocol addresses; unique biometric data; unique account identifiers, e.g. financial account, credit or debit card numbers, user name, health insurance policy numbers; or not less than two of the following: (i) First and last name or first initial and last name; (ii) Unique account identifiers; (iii) Security code or source code that could be used to generate such codes; or (iv) Individual medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or any combination of data elements that could allow unauthorized access or acquisition of the above information, including: (i) A unique identifier; (ii) An electronic identification number; (iii) A username or routing code; or (iv) Any associated security code or source code that could be used to generate such codes.

What Constitutes a Security Breach
1. Unauthorized access and acquisition of electronic data containing personal information.
2. The acquisition of and access to sensitive personally identifiable information for an unauthorized purpose or in excess of authorization.
3. Unauthorized acquisition of sensitive account or personal information.
4. The unauthorized access or acquisition of personal information from a covered entity.
5. The unauthorized acquisition of or access to sensitive personally identifiable information that is for an unauthorized purpose or in excess of authorization.

Individual Notification Requirement
1. Notify if personal information was reasonably believed to have been accessed and acquired by an unauthorized person.
2. Notify if personally identifiable information has been, or is likely to have been, accessed or acquired.
3. Notify all consumers to whom the sensitive information relates.
4. Notify the individuals whose information was, or is reasonably believed to have been, acquired or accessed.
5. Notify any resident of the United States whose sensitive personally identifiable information has been, or is reasonably believed to have been, accessed or acquired.

Exemptions to Notification Requirement (Risk Trigger)
1. Only notify if the breach caused, or is likely to cause, identity theft.
2. Only notify if the breach resulted in, or will result in, identity theft, economic loss or harm, or physical harm to affected individuals.
3. Only notify if there is a likelihood of substantial harm arising from the breach.
4. (i) No notice if there is no reasonable risk of identity theft, fraud, or other unlawful conduct; (ii) Law enforcement may stop notification if sensitive sources or national security may be harmed; (iii) Do not notify if a breach only includes an individual's credit card number or security code, and there is a security system that blocks fraud on accounts.
5. (i) No notice if there is no significant risk that a security breach has resulted or will result in harm to affected individuals; (ii) Law enforcement may stop notification if sensitive sources or national security may be harmed; (iii) No notice if a security system effectively blocks fraud from accounts and notice is given if fraud does occur on an account.
HIPAA and GLBA covered entities are all exempt or deemed in compliance with these requirements.

Timing of Notification
1. As expeditiously as practicable and without unreasonable delay following discovery of a breach.
2. Notice is to be sent without unreasonable delay following the discovery of a security breach.
3. Requires that regulations be issued by appropriate agencies regarding timing.
4. No later than 30 days after the discovery of the breach, or as promptly as possible if the covered entity must delay past 30 days.
5. Notice is required to be made without unreasonable delay following the discovery of a breach. No later than 48 hours after the FBI or Secret Service receives notice of a breach from a business entity.

Method of Notification
1. Mail, telephone, or email or other electronic means.
2. Mail, telephone, or email if the individual consented to receive notice this way and the notice is consistent with E-SIGN.
3. Requires that the regulations issued by appropriate agencies allow for written, telephone, or email notification.
4. Mail or email if the individual consented to receive notice this way and the notice is consistent with E-SIGN. Any method must be reasonably expected to reach the individual.
5. Mail, telephone, or email unless the individual has expressly opted out or the notice is inconsistent with E-SIGN.

Substitute Notice
1. Excessive cost or lack of sufficient contact information. Substitute notice would consist of conspicuous notice on a website or in print and major broadcast media in the geographic region of affected individuals.
2. Notice to the major media outlets if the breach exceeds 5,000 residents of a state.
3. The regulations must also allow for substitute notification if there is a lack of contact information or providing other means of notice would be too costly.
4. Lack of sufficient contact information, or if data on fewer than 10,000 people is held by the breached entity and the cost of direct notice would be excessive. Conspicuous emails; conspicuous posting on the entity's website; and notification to major media outlets.
5. If the breach was, or is reasonably believed to, include more than 5,000 individuals. Prominent notice via all reasonable means of electronic contact. Notice to the major media in a state where more than 5,000 affected individuals reside.

Content of Notification
1. (i) The date of the breach; (ii) A description of the information affected; and (iii) Contact information for the covered entity.
2. (i) What information was affected; (ii) Toll-free numbers from which an individual may learn about the breach and what information was maintained; and (iii) Contact information for the major credit reporting agencies.
3. Requires that regulations be issued by appropriate agencies regarding content.
4. (i) The date or date range of the breach; (ii) The type of information believed to be affected; (iii) Toll-free numbers to contact the entity; (iv) Notice of free credit reports and how to request them; (v) Toll-free number for the major credit agencies; and (vi) Contact information for the FTC.
5. Written notice: (i) The type of information affected, and how the entity came into possession of it; (ii) A toll-free phone number to contact the entity; (iii) Toll-free number, website, and address for the major credit agencies; (iv) Telephone numbers and websites for federal agencies that provide information regarding identity theft; (v) Notice about free credit reports, credit monitoring, and credit freezes and how to request such services; (vi) Notice that any damages resulting from the breach will be paid by the entity that was breached. Telephone and public electronic notice would not require as much information as the written notice.

Notice to Credit Agencies
1. None.
2. If notification is made to more than 5,000 individuals, consumer reporting agencies would be notified without unreasonable delay of the timing and distribution of the public notices.
3. Notify the consumer reporting agencies if the breach affected 5,000 or more consumers.
4. If notification is made to more than 5,000 individuals, consumer reporting agencies would be notified without unreasonable delay of the timing and distribution of the public notices.
5. If notification is made to more than 5,000 individuals, consumer reporting agencies would be notified without unreasonable delay of the timing and distribution of the public notices.

Notice to Government/Law Enforcement
1. Notify the Secret Service or FBI if a breach includes, or is reasonably believed to include, more than 10,000 individuals.
2. Must notify a designated government entity of any breach: (i) Of more than 5,000 individuals; (ii) Where the data is known to, or reasonably believed to, have been accessed or acquired from a database of more than 500,000 individuals; (iii) Of a database owned by the federal government; or (iv) That involves the information of employees or contractors involved in national security or law enforcement. Notification at least 72 hours before individual notice is sent, or no later than 10 days after discovery.
3. Must notify the appropriate regulator. The regulators under the Bill are: (i) the FDIC, Federal Reserve Board, (ii) National Credit Union Administration Board, (iii) SEC, (iv) CFTC, (v) Federal Housing Enterprise Oversight, (vi) the appropriate State insurance authority, and (vii) the FTC.
4. Notify a designated government entity of a breach that involves, or is reasonably believed to involve: (i) More than 5,000 individuals; (ii) Data that is known to, or reasonably believed to, have been accessed or acquired from a database of more than 500,000 individuals; (iii) A database owned by the federal government; or (iv) The information of employees or contractors involved in national security or law enforcement.
5. Notify a designated government entity of a breach that involves, or is reasonably believed to involve: (i) More than 5,000 individuals; (ii) Data that is known to, or reasonably believed to, have been accessed or acquired from a database of more than 500,000 individuals; (iii) A database owned by the federal government; or (iv) The information of employees or contractors involved in national security or law enforcement. Notice delivered as promptly as possible, and no later than 10 days after discovery.

Delay Provisions
1. The Secret Service or FBI may delay notification if it would harm an ongoing investigation or the national security; and reasonable time needed to assess the breach and restore the system.
2. The Secret Service or FBI may delay notification if it would harm an ongoing investigation or the national security; and reasonable time needed to assess the breach and restore the system (not to exceed 60 days without FTC approval).
3. Regulations must allow for law enforcement delay where notification would harm an ongoing investigation or the national security.
4. The Secret Service or FBI may delay notification if it would harm an ongoing investigation or the national security; and reasonable time needed to assess the breach and restore the system.
5. The Secret Service or FBI may delay notification if it would harm an ongoing investigation or the national security; and reasonable time needed to assess the breach and restore the system.

Criminal Penalties for Concealment of a Security Breach
1. None.
2. Intentional concealment of a breach that results in economic harm of $1,000 or more to an individual. Violations are punishable by fines, up to 5 years in prison, or both.
3. None.
4. Intentional concealment of a breach that results in economic harm of $1,000 or more to an individual. Violations are punishable by fines, up to 5 years in prison, or both.
5. Intentional concealment of a breach that results in economic harm or substantial emotional distress to 1 or more persons. Violations are punishable by fines, up to 5 years in prison, or both.

Civil Enforcement
1. A violation of the Bill would be treated as an unfair or deceptive act or practice and enforced by the FTC. Penalty caps of $500,000 per section violated.
2. (i) The Attorney General; (ii) State attorneys general (if no federal action). Cap of $1,000,000 for the same act or omission, with an additional $1,000,000 for willfulness. The FTC may also enforce as an unfair or deceptive practice, subject to a $1,000,000 penalty cap, with an additional $1,000,000 if the act was willful.
3. The appropriate regulator would be required to enforce the Bill. The regulators under the Bill are: (i) the FDIC, Federal Reserve Board, (ii) National Credit Union Administration Board, (iii) SEC, (iv) CFTC, (v) Federal Housing Enterprise Oversight, (vi) the appropriate State insurance authority, and (vii) the FTC.
4. (i) The FTC would be authorized to enforce a violation as an unfair or deceptive act; (ii) State attorneys general if there is no federal action pending. Penalty caps of $5,000,000 per section violated. The Attorney General may enforce the law enforcement notification requirements, with a cap of $1,000,000 and an additional $1,000,000 for willfulness.
5. (i) The Attorney General; (ii) State attorneys general (if no federal action); (iii) FTC; (iv) Private individuals. Each section and enforcer has different penalty caps. This is the only bill that provides for a private right of action.

Preemption
1. Any state law relating to data security or breach notification.
2. Any state law relating to data security or breach notification. Nothing in the Bill will modify GLBA or HIPAA requirements.
3. Any state law relating to data security or breach notification.
4. Any state law relating to data security or breach notification. No limit on state common law of tort, contract, or fraud.
5. Any state law relating to data security or breach notification. No limit on state common law of tort, contract, or fraud. No limit on FTC authority.

Credit Monitoring or Reports
1. None.
2. None.
3. None.
4. Free credit report provided for by the breached entity quarterly for two years after a request is made.
5. Free credit report provided for by the breached entity quarterly for two years after a request is made. May not be required depending on the type of information breached. Free credit monitoring provided for by the breached entity quarterly for two years after a request is made. Free credit freeze provided for by the breached entity that will remain in place until the individual requests its removal.

Notes
S. 1193 has a companion bill in the House, H.R. 1468, which contains additional cybersecurity information sharing provisions.
One of the other bills has a companion bill in the House, H.R. 3990.
Three of the bills, including S. 1976 and S. 1995, allow the FTC to establish security program requirements.
None of these bills will change GLBA or HIPAA security requirements.
The regulators under S. 1897 (given elsewhere on the page as S. 1987) are: (i) the FDIC, Federal Reserve Board, (ii) National Credit Union Administration Board, (iii) SEC, (iv) CFTC, (v) Federal Housing Enterprise Oversight, (vi) the appropriate State insurance authority, and (vii) the FTC.