Kathie McDonald-McClure and Matt San Roman, members of Wyatt’s Data Privacy & Security Service Team, were recently interviewed for Corporate Counsel magazine. The article, “Tennessee Enacted the Toughest Data Breach Law Yet,” addresses the new amendment to the Tennessee Identity Theft Deterrence Act of 1999. The amendment, among other changes, may eliminate the “encryption safe harbor” rule (pending a legislative fix to other language that may keep it in). Other states may follow suit if cybercriminals demonstrate ways around popular encryption methods.
We recently posted an article about Tennessee’s amendment to its data breach notification law. This amendment has drawn much attention among cybersecurity professionals and corporate general counsel across the country. As Jennifer Williams-Alvarez reported in her article for Corporate Counsel magazine, cybersecurity was a plenary session topic at the 2016 Association of Corporate Counsel (ACC) Mid-Year Meeting in New York City this week. See “At ACC Event, Experts Say Data Breaches Are Inevitable. So Now What?”, Corporate Counsel (April 14, 2016). In fact, an ACC Foundation report on the “State of Cybersecurity”, released in December 2015, said one-third of in-house counsel reported that their companies had experienced a data breach, and more than one-half reported increased spending on cybersecurity.
Matt San Roman and I spoke with Ms. Williams-Alvarez this morning. She is working on a follow-up article regarding the amendments (HB2005 and SA0618) to the Tennessee data breach law. When the article is published, we will provide a link here for those of you who are not currently Corporate Counsel subscribers. Stay tuned . . .
On March 24, 2016, Tennessee Governor Bill Haslam signed into law SB2005 as amended by SA0618, revising the Tennessee Identity Theft Deterrence Act of 1999, currently codified at T.C.A. § 47-18-2101, et seq. Under the revised law, organizations subject to the law that experience a data breach will be required to notify affected individuals in Tennessee “immediately” and no later than 45 days from the discovery or notification of a security breach of computerized personal information, unless a law enforcement investigation related to the breach requires a delay in notification. While most similar state laws refrain from mandating a definite period within which to provide notification to affected individuals or state agencies, Tennessee, effective July 1, 2016, will join seven other states in requiring notification within a specific time.
Perhaps more notably with this amendment, Tennessee “may” be the first state in the United States to remove the encryption safe harbor.* The 46 other state data breach notification laws require notification to affected individuals if [...]
The Department of Health and Human Services’ Office for Civil Rights (OCR) announced last week that it has launched Phase 2 of its HIPAA Audit Program. Under this Audit Program, OCR will review whether entities subject to the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Data Breach Notification regulations are complying with those regulations. OCR has already begun to send initial emails to “covered entities” and “business associates” (as defined in the HIPAA regulations) regarding the audits; these emails seek to verify contact information.
Tip: These emails may be incorrectly classified as spam by corporate spam filters or other email filters. OCR expects covered entities and business associates to check spam and junk email folders for emails from OCR.
Warning: Sophisticated cybercriminals could use the OCR audits as an opportunity to send fake OCR emails (“phishing emails”) in an attempt to trick employees into turning over individual health information or to click on links that download harmful malware into the organization’s computer network. Do not click on links or supply any documentation until [...]
Earlier this week, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced two multimillion-dollar settlements relating to “potential” privacy and security violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Both settlements stem from the entities’ reports to OCR of the thefts of unencrypted laptops containing electronic protected health information (ePHI), even though one of the laptops was password protected.
First, on March 16, 2016, OCR announced that North Memorial Health Care of Minnesota agreed to pay $1,550,000 to settle potential violations of the HIPAA Privacy and Security Rules after a laptop containing the ePHI of 9,497 individuals was stolen from the vehicle of one of its contractors in July 2011.
OCR’s subsequent investigation determined that North Memorial failed to enter into a business associate agreement with this contractor, as required under the HIPAA Privacy and Security Rules. The investigation also discovered that North Memorial failed to conduct an organization-wide risk analysis to address all of the risks and vulnerabilities to its ePHI. OCR concluded [...]