Kroll Cyber Security Blog – A Dialogue on Data Security

In the absence of federal action, many states have taken the initiative to address data breaches with their own notification laws. However, to avoid multiple notifications and conflicting obligations, both the Health and Human Services (HHS) and the Federal Trade Commission (FTC) rules expressly preempt state laws to the extent they conflict with federal requirements. State laws with greater notification requirements are not considered in conflict, though, and must be followed in addition to all federal requirements.[1] To avoid duplicative notifications, the federal government strongly recommends that entities strive to meet federal and state obligations in concert.

In the last segment, we introduced two recent laws that have significantly increased the regulatory compliance obligations of the health care industry – the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Identity Theft Red Flags and Notices of Address Discrepancy (Red Flags Rule). As the Office for Civil Rights (OCR) reporting website demonstrates, the impetus for these new data breach regulations clearly has not been overstated. HITECH requires the OCR to post PHI breaches involving more than 500 individuals, and since the rule went into effect in February of 2009, 288 incidents have been reported, four of which involve over 1 million individuals. With the threat of data breaches clear and regulatory fever now in full swing, it is important to understand the specific requirements and implications of these new laws on the health care industry.

It’s a new year, so many organizations are evaluating their options for better managing risks and facing what could be a whole new crop of data security threats – or, quite possibly, variations on the old. Kroll recently released its data security forecast for 2011, which gives an overview of what we’ll be watching in the year ahead. We’d love to hear from you – what do you think 2011 will hold? What data security and risk management tools and techniques will your organization focus on? In short, what’s your New Year’s resolution in terms of data security?

Both the House and Senate have passed the “Red Flag Program Clarification Act of 2010” (S. 3987), which would amend the Fair Credit Reporting Act’s “Red Flags Rule” to clarify which organizations or “creditors” are required to institute an identity theft prevention program. The bill awaits the President’s signature, and will most likely put an end to the speculation as to which types of service providers will be expected to comply with the Red Flags Rule.

The Federal Trade Commission (FTC) has pushed back the enforcement date for the Red Flags Rule yet again – this time to December 31, 2010. The original compliance date for this rule was November 1, 2008, and it has since been pushed back four other times: May 1, August 1, and November 1 of 2009, and then to June 1, 2010. The reasons for the delays have varied, mostly to give businesses that the FTC classified as covered entities the chance to further prepare. However, this latest delay comes at the request of several members of Congress, as they are considering legislation that may limit the scope of entities covered under the rule.