Tennessee’s Data Breach Law Drawing National Attention

April 14, 2016April 20, 2016 Kathie McDonald-McClure Cyber Security and Cyber Crime, Data Privacy & Security, Health Information Technology, HIPAA, Privacy & Security ACC, Association of Corporate Counsel, Corporate Counsel magazine, state data breach notification laws, Tennessee data breach law

By Kathie McDonald-McClure

We recently posted an article about Tennessee’s amendment to its data breach notification law. This amendment has drawn much attention among cyber security professionals and corporate general counsel across the country. As Jennifer Williams-Alvarez reported in her article for Corporate Counsel magazine, cyber security was a plenary session topic at the 2016 Association of Corporate Counsel (ACC) Mid-Year Meeting in New York City this week. See “At ACC Event, Experts Say Data Breaches Are Inevitable. So Now What?”, Corporate Counsel (April 14, 2016)(Read more: here). In fact, an ACC Foundation report on the “State of Cybersecurity”, released in December 2015, said one-third of in-house counsel reported that their companies experienced a data breach and more than one-half reported increased spending in cybersecurity.

Matt San Roman and I spoke with Ms. Williams-Alvarez this morning. She is working on a follow-up article regarding the amendments (HB2005 and SA0618) to the Tennessee data breach law. When the article is published, we will provide a link here for those of you who are not currently Corporate Counsel subscribers. Stay tuned . . .

A Single Stolen, Unencrypted Laptop Can Cost Entities Millions of Dollars

March 21, 2016 Margaret Young Levi Cyber Security and Cyber Crime, Data Privacy & Security, Privacy & Security electronic protected health information, encryption, ePHI, Federal Law Resources, Office for Civil Rights, Privacy and Security Rules, U.S. Department of Health and Human Services

Earlier this week, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced two, multimillion dollar settlements relating to “potential” privacy and security violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Both settlements stem from the entity’s reports to OCR of the thefts of unencrypted laptops containing electronic protected health information (ePHI) even though one of the laptops was password protected.

First, on March 16, 2016, OCR announced that North Memorial Health Care of Minnesota agreed to pay $1,550,000 to settle potential violations of the HIPAA Privacy and Security Rules after a laptop containing the ePHI of 9,497 individuals was stolen from the vehicle of one of its contractors in July 2011.

OCR’s subsequent investigation determined that North Memorial failed to enter into a business associate agreement with this contractor, as required under the HIPAA Privacy and Security Rules. The investigation also discovered that North Memorial failed to conduct an organization-wide risk analysis to address all of the risks and vulnerabilities to its ePHI. OCR concluded Continue reading →

IRS Issues Cyber Alert for HR and Payroll Professionals

March 3, 2016March 30, 2016 Kathie McDonald-McClure Cyber Security and Cyber Crime, Data Privacy & Security, Privacy & Security HR and payroll email scams, Internal Revenue Service Cyber Crime Alert, phishing and malicous emails

As the April 15th tax filing deadline draws near, cybercrime related to filing fraudulent tax returns to obtain tax refunds has picked up. On March 1, 2016, the United States Internal Revenue Service (IRS) issued an Alert for Payroll & HR Professionals on scam emails that attempt to trick company personnel into turning over employee W-2s, Social Security numbers (SSNs) or other personal information that would enable the filing of a fraudulent tax return. These emails, known as “phishing emails”, purport to be from a company executive, are most often sent directly to an employee in charge of payroll or benefits (some are sent to chief financial officers), and request W-2 or other payroll information on employees. Per the IRS Alert, the phishing emails include requests such as the following:

“Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.”
“Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).”
“I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.”

Many companies have fallen prey to this email phishing scheme! When employee W-2’s, SSNs, and other financial account information is turned over to an unauthorized third-party, this may trigger the application of state data breach notification laws. Forty-seven (47) of fifty states have data breach notification laws that will require notification to the affected individual when their W-2 or SSN is supplied to an unauthorized or unknown third-party. Kentucky, Indiana, Tennessee and Mississippi all have such laws.

Bottom line – Be sure your payroll and benefits staff are aware of this phishing scheme. In general, advise all employees to be ultra-cautious about responding to any email that asks for documents containing SSNs and tax information or Continue reading →

To Freeze or Not to Freeze? That Is the Question

March 1, 2016June 8, 2016 Margaret Young Levi Cyber Security and Cyber Crime, Data Privacy & Security, Fraud and Abuse, Privacy & Security Commonwealth of Kentucky, credit record, credit score, Equifax, Experian, security freeze, TransUnion

UPDATE: Senate Bill 23 did not become law during 2016 Kentucky Legislative Session. The bill was passed unanimously by the Senate. It was then sent to the House, where it was read twice, amended, but never read for the third and final time.

Overview

The Commonwealth of Kentucky’s General Assembly is considering a bill which would permit parents to place security freezes on their children’s credit record. Senate Bill 23 (SB 23) was introduced in the Senate on January 6, 2016. After several readings and committee reviews, it was approved by the Senate with minor changes and sent to the House Banking & Insurance Committee on February 11, 2016. The 2016 Kentucky Legislative Session will adjourn on April 12, 2016.

Children do not have credit reports since they generally do not have credit in their names. So SB 23 provides that if there is no credit file/credit report, then the consumer reporting agency must create such a record for the protected person (as defined below).

SB 23 would require a consumer reporting agency to place a security freeze on a protected person’s record or report upon proper request by a representative. A “protected person” is defined as “an individual who is under sixteen (16) years of age at the time a request for the placement of a security freeze is made, or who is an incapacitated person or other person for whom a guardian or conservator has been appointed.”

State Laws and the Three Major Consumer Reporting Agencies Vary on Security Freezes for Children

The National Council of State Legislators reports that only “twenty-three states allow parents, legal guardians or Continue reading →

Federal Agency to Develop Model Privacy Notice for Healthcare Apps

February 29, 2016February 29, 2016 Kathie McDonald-McClure Data Privacy & Security, FTC Enforcement, Health Information Technology data privacy, data security, FTC Enforcement, mHealth, mobile apps, wearable technology

On Friday, February 26, 2016, the Office of the National Coordinator (ONC) for Health Information Technology (HIT) announced via a blog post, that ONC will be updating the Model Privacy Notice (MPN) that, in 2011, ONC developed in concert with the Federal Trade Commission (FTC) for “personal health records” (PHRs), which was the emerging technology at the time. ONC noted that since 2011, many retail healthcare apps such as exercise trackers and other wearable technology, have emerged and that consumers using such technology should be informed on how data collected through such apps is being used by the app developer and other third parties. ONC stated that the MPN is “a voluntary, openly available resource designed to help developers provide transparent notice to consumers about what happens to their data.”

Importantly, healthcare app developers should take heed that ONC is not the only federal agency interested in ensuring that there is adequate consumer protection for individuals taking Continue reading →