Tennessee Amends Data Breach Notification Law – Removes Encryption Exemption (or does it?)

By Kathie McDonald-McClure and Matt San Roman

data-breaches-notification

On March 24, 2016, Tennessee Governor Bill Haslam signed into law SB2005 as amended by SA0618, revising the Tennessee Identity Theft Deterrence Act of 1999, currently codified at T. C. A. § 47-18-2101, et seq.  Under the revised law, organizations subject to the law that experience a data breach will be required to notify affected individuals in Tennessee “immediately” and no later than 45 days from the discovery or notification of a security breach of computerized personal information, unless a law enforcement investigation related to the breach requires a delay in notification. While most similar state laws refrain from mandating a definite period within which to provide notification to affected individuals or state agencies, Tennessee, effective July 1, 2016, will join seven other states in requiring notification within a specific time.

Perhaps more notably with this amendment, Tennessee “may” be the first state in the United States to remove the encryption safe harbor.* The 46 other state data breach notification laws require notification to affected individuals if Continue reading

Federal Agency to Develop Model Privacy Notice for Healthcare Apps

Healthcare_Apps_for_Android_TabletsOn Friday, February 26, 2016, the Office of the National Coordinator (ONC) for Health Information Technology (HIT) announced via a blog post, that ONC will be updating the Model Privacy Notice (MPN) that, in 2011, ONC developed in concert with the Federal Trade Commission (FTC) for “personal health records” (PHRs), which was the emerging technology at the time.  ONC noted that since 2011, many retail healthcare apps such as exercise trackers and other wearable technology, have emerged and that consumers using such technology should be informed on how data collected through such apps is being used by the app developer and other third parties.  ONC stated that the MPN is “a voluntary, openly available resource designed to help developers provide transparent notice to consumers about what happens to their data.”

Importantly, healthcare app developers should take heed that ONC is not the only federal agency interested in ensuring that there is adequate consumer protection for individuals taking Continue reading

Update to “Ten Easy Cyber Security Measures to Add to Your 2016 List of New Year’s Resolutions”

financial institutions pic 9661402Medium(1)One of the goals of our HITECH Law blog is to start dialogue and share information and insights in the ever changing world of cyber security.  In our previous post, “Ten Easy Cyber Security Measures…”, we relayed some information from the FBI about thieves breaking into gas pumps and inserting card readers.  One of our readers sent us some additional information we are passing along, with her permission.

“Some responsible retailers have studied how criminals are getting into pumps, and those retailers have invested a lot of time and money in pump protection after delivery from the manufacturer.  Because the safety and security of our guests is of utmost importance to us, Thorntons has spent more than $1 million over the past 18 months to make our pumps more secure for our customers.  To prevent card skimming at Thorntons’ pumps, we added Continue reading

Ten Easy Cyber Security Measures To Add To Your 2016 List Of New Year’s Resolutions

NewYearsEveClockWhen thinking about your 2016 New Year’s resolutions, include some data security resolutions on your list! The Kentucky Chamber of Commerce in coordination with Wyatt Tarrant & Combs, LLP, hosted a Cyber Security and Data Privacy seminar on December 17, 2015. This blog post highlights several ideas for resolutions that came from thoughts expressed by speakers during the seminar. In the coming year, think about what you should be doing to protect your personal identity as well as to protect the personal information of your customers, clients, patients and employees.  Here are ten resolutions to get you started:

RESOLUTION #1 – I will NOT use a credit or debit card at a gas pump. This resolution can serve a two-fold purpose: a) You can make progress toward your 10,000 steps by walking to the cashier window, and b) you can protect yourself from identity theft. Dan Jackman, a cyber security task force officer with the FBI, stated during the seminar that thieves are stealing credit card information from gas pumps and explained how they do it. According to Officer Jackman, there are ONLY five different pump keys for the entire Commonwealth of Kentucky.  So, dishonest fraudsters take a job with a gas station just to get access to the pump key so they can open the pump casing and change out credit card readers, not just at that station but dozens of stations using the same key.  By gaining access to the inside of the pump, they can replace the card reader in a way that it cannot be detected when closing and locking the pump casing.  The fraudster makes the switch in the dead of the night.  Credit/debit cards are being ripped off in a matter of seconds within the time they are used at a pump with a fake card reader. Apparently, this type of theft is rampant in Kentucky.

Officer Jackman recommends going to the window to use a credit card or pay cash (thereby making this a two-part resolution because you will get some steps). If you cannot break the habit of paying at the pump, then use a prepaid card to limit your losses. Avoid using a debit card tied to your checking account. Continue reading