Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 Sara Juster, JD Vice President/Corporate Compliance Officer Nebraska.


Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 Sara Juster, JD Vice President/Corporate Compliance Officer Nebraska Methodist Health System Sheila Wrobel, JD, MBA UNMC Compliance Officer/Privacy Officer Chris Kerbawy Creighton University Legal Intern

How does the Act apply to the health care industry?
The “Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006” is contained in the first 7 sections of LB 876, a bill relating to banking and finance. Signed and effective April 6. The Act applies to all individuals and commercial entities. “Commercial entity” includes any “legal entity, whether for profit or not for profit.”

Purpose of the Act
Requires prompt investigation and notification to Nebraska residents of breaches of computer security resulting, or likely to result, in the unauthorized use of personal information. The focus is on computerized information security breaches, not other types of incidents.

Definitions
Breach of the Security of the System:
– Unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information.
Personal Information:
– A Nebraska resident’s first name or first initial and last name in combination with any of the following:
– Social Security Number;
– Driver’s license number or State ID card number;
– Account number or credit or debit card number, along with access codes/passwords;
– Unique electronic identification or routing code, along with access codes/passwords; or
– Unique biometric data, such as a fingerprint or voiceprint.

Substance of the law
Contained in Section 3. Defines what covered entities must do in the event of a breach. Contains two different sets of requirements for two different targeted entities.

Section 3: Two parts
Part 1 – Entities which own or license computerized data containing personal information.
Part 2 – Entities which maintain, but do not own or license, computerized data containing personal information.

Section 3, Part 1
In the event of a breach, entities that own or license data have two specific duties:
1) Conduct a reasonable and prompt investigation to determine the likelihood that personal information has been or will be used for an unauthorized purpose.
2) If the investigation determines that use of personal information has occurred or is reasonably likely to occur, the entity must give notice to all affected Nebraska residents as soon as possible, with due consideration for law enforcement and the entity’s internal needs of investigating and restoring system integrity.

Section 3, Part 2
In the event of a breach, entities that maintain, but do not own or license, data have a general duty:
– When they become aware of a breach where use of personal information has occurred or is likely to occur, they must give notice to the owner or licensee of the personal information and cooperate with the owner or licensee. (Cooperation includes sharing information relevant to the breach, not including proprietary information.)

Section 3, Part 2 (cont’d)
Part 2 differs from Part 1:
– No requirement for the entity to investigate or to notify affected Nebraska residents.
– The entity must make an initial determination regarding the likelihood of unauthorized use.
– The entity must notify the owner or licensee and cooperate in their investigation.

Notice Guidelines
Contained in Section 2. Notice can be:
– in writing;
– by telephone;
– electronic; or
– by substitute notice in certain circumstances.

Substitute notice - First circumstance
A) Allowed when:
- Notice would cost over $75,000.00,
- Notice would affect over 100,000 Nebraska residents, or
- The entity has insufficient contact information to provide notice.
Three requirements (must do all 3):
1) Send e-mail notice when e-mail addresses are available;
2) Post notice on the entity’s web-site if one is maintained; and
3) Provide notice to major state-wide media outlets.

Substitute notice - Second circumstance
B) Allowed when:
- The entity has fewer than 10 employees, and
- Notice would cost more than $10,
Four requirements (must do all 4):
1) Send e-mail notice when e-mail addresses are available;
2) Buy advertisements in local newspapers at least 1/4 page in size once a week for three consecutive weeks;
3) Post notice on the entity’s web-site if one is maintained; and
4) Provide notice to major statewide media outlets operating in the local area.

Exceptions to Notice Requirement
Contained in Section 4. Certain entities are in compliance with Section 3 as long as they follow their own procedures:
– Entities with existing notice procedures that are consistent with the timing requirements of the Act.
– Regulated entities with breach procedures prescribed by regulation.

Enforcement
Contained in Section 6. “The Attorney General may issue subpoenas and seek and recover direct economic damages for each affected Nebraska resident injured by a violation of the Act.”

Recommendations
– Revise the Security Incident Response policy to include consumer notification requirements.
– Centralize notification responsibility to ensure compliance with the law and to effectively manage associated risk and potential litigation issues.

Questions?