Kroll Webinar, How to Avoid the Data Breach Hot Seat, coming October 12

9/14/2011

Make plans now to attend Kroll’s upcoming webinar, How to Avoid the Data Breach Hot Seat, scheduled for Wednesday, October 12 at 1:00 p.m. Central/2:00 p.m. Eastern. This is a free webinar and you can register as many representatives from your organization as you’d like. To register, please click here.

This webinar tackles the challenges specific to healthcare privacy, compliance and security officers, as well as IT professionals, legal counsel, and ultimately, C-suite officers. These include the evolution of cyber risk, recognizing the symptoms of an intrusion, looking beyond perimeter protection toward defense-in-depth, and determining steps to ensure effective incident management and response later.


States Continue to Amend Breach Notification Laws, most recently California and Illinois (part 2)

9/09/2011

California continues to tinker with its notification laws, and as mentioned in the first of this two-part series, these will be effective January 1, 2012. The California amendment requires that breach notification be written in plain language and contain:

  • Name & contact info of the data owner/licensor providing notice
  • Date of the notice
  • List of types of info believed breached
  • Toll-free telephone # and address for credit bureaus if breach exposed SSN, driver’s license or state ID #
  • If available at the time of notice, notice must also contain:
    • General description of breach incident;


States Continue to Amend Breach Notification Laws, most recently California and Illinois (part 1)

9/08/2011

States continue to individually fine-tune their breach notification laws, with California and Illinois each making changes effective January 1, 2012. The Illinois amendment adds requirements around what the notification to affected residents and owners or licensees of data must (and must not) contain. Specifically, notice to individuals must include:

  1. Toll-free numbers and addresses of credit bureaus;
  2. Toll-free number, address, and website address of FTC; and
  3. A statement that the individual can obtain information from these sources about fraud alerts and security freezes.

Note that this does not include the number of Illinois residents affected by the breach.


Treatment and Prevention – Achieving and Maintaining Compliance (part 4)

9/02/2011

In the previous segments of this series, we introduced two recent federal regulations that are poised to have a significant effect on the health care industry – the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Identity Theft Red Flags and Notices of Address Discrepancy (Red Flags Rule).

As the previous segments discussed, both HITECH and the Red Flags Rule establish new and complex regulatory requirements. Without a doubt, the best defense against regulatory fever is prevention through proactive planning. However, this is certainly easier said than done. While the regulatory frameworks of HITECH and the Red Flags Rule are complex, perhaps the most troubling aspect is the emerging IT market structure and its interplay with the new regulations.


Complications and Side Effects – Rules, Regulations and Penalties Continued (part 3)

9/01/2011

In the absence of federal action, many states have taken the initiative to address data breaches with their own notification laws. However, to avoid multiple notifications and conflicting obligations, both the Health and Human Services (HHS) and the Federal Trade Commission (FTC) rules expressly preempt state laws to the extent they conflict with federal requirements. State laws with greater notification requirements are not considered in conflict, though, and must be followed in addition to all federal requirements.[1] To avoid duplicative notifications, the federal government strongly recommends that entities strive to meet federal and state obligations in concert.
