PLAN DO WATCH...Departmental Procedures & Training Compliance Audits Cross-reference to Critical...

Transcript of the presentation, dated June 2, 2009 (transcript printed 5/30/2012).

Page 1: PLAN DO WATCH

Page 2

Do: Legislative Mandates

Watch: Strategic Issues

Plan: Privacy as Business Imperative

Resources

Page 3

Family Educational Rights and Privacy Act (FERPA)
Family Medical Leave Act (FMLA)
Genetic Information Nondiscrimination Act (GINA)
Red Flag Rules
American Reinvestment and Recovery Act (ARRA)
Health Information Technology for Economic and Clinical Health Act (HITECH)

FERPA Amended Regulations became effective January 8, 2009. New changes include:
◦ Unauthorized education record disclosures for health and safety emergencies.
◦ Disclosure of student identifications and user ID numbers.
◦ Expansion of ‘attending’ to include distance learning students.
◦ Release of education records to contractors and other third parties.
◦ Re-disclosure of education records under the Clery Act.
◦ Recommendations for breach of student records (NIST 800-100 and NIST 800-53 guidance).

Page 4

FMLA: Employers are now permitted new allowances to manage ill or injured workers.
◦ Provider certifies essential functions for specific job descriptions.
◦ May contact provider to clarify certification.
◦ Might require provider to certify in writing for return to work (fitness for duty). Can require certification every 30 days.

Employee must provide the HIPAA authorization necessary for medical certification.

GINA: Results of genetic tests for individuals or family members that provide any data about medical history.

Mandates modification of HIPAA’s Privacy Rule so that genetic information is treated as protected health information.

Confidentiality safeguards required for collection, maintenance, and storage; limits disclosure of genetic information.

Page 5

Employment: Prohibits discrimination in hiring, firing, job placement or promotion.

Benefits: Disallows health plans’ use or disclosure of genetic data for underwriting purposes.

Regulations due in 2009.

FTC Red Flag Rules became effective May 1, 2009.

Written ID Theft Prevention Program for any ‘covered account’ for individuals or households:
◦ regularly extending, renewing, or continuing credit;
◦ regularly arranging for such credit;
◦ acting as an assignee of an original creditor.

Page 6

(681.1) Users of consumer reports must develop reasonable policies and procedures to apply when they receive notice of an address discrepancy from a consumer reporting agency.

(681.2) Financial institutions and creditors holding “covered accounts” must develop and implement a written identity theft prevention program for both new and existing accounts.

(681.3) Debit and credit card issuers must develop policies and procedures to assess the validity of a request for a change of address that is followed closely by a request for an additional or replacement card.

Inventory and Risk Assessment of Accounts

Board of Trustees Review and Approval of Written Policies and Procedures

Red Flags Training

Departmental Procedures & Training

Compliance Audits

Cross-reference to Critical Incident and Breach Notification Plan and SSN Monitoring

Add or revise contract language to require contractors to establish a written identity theft program or to mirror the University’s Red Flags Program

Audit compliance at least annually.

Page 7

Restrictions on Disclosures: prohibited with limited exceptions (as required by law).

Enforcement by State Attorney General
◦ Civil case (violation) on interest to state residents
◦ Damages and court fees to be awarded
◦ Federal court venue
◦ Effective for violations that occurred after enactment

Tiered Civil Monetary Penalties Collected
◦ Employees or individuals can be found liable under HIPAA.

Tier   | Category                 | Minimum per Violation | Annual Maximum
Tier A | “Did not know”           | $100                  | $25,000
Tier B | “Reasonable cause”       | $1,000                | $100,000
Tier C | “Willful neglect”        | $10,000               | $250,000
Tier D | “Uncorrected violation”  | $50,000               | $1,500,000

Page 8

August 2009: Breach notification provisions and PHI breach notification
February 2010: Business Associates and Marketing
August 2010: Minimum Necessary and Prohibition on sale of electronic health records/PHRs
January 2011: Accounting for Disclosures
February 2011: Enforcement for ‘willful neglect’

Section 13402 requires HIPAA covered entities to notify affected individuals of a breach of “unsecured protected health information”
◦ “Not secured through the use of a technology or methodology specified by the Secretary of HHS through guidance”

April 17th HHS Guidance recommends either encryption or destruction.

Page 9

Encryption according to National Institute of Standards and Technology (“NIST”) or Federal Information Processing Standards (“FIPS”):
◦ “Data at rest” – NIST 800-111, Guide to Storage Encryption Technologies for End User Devices
◦ “Data in motion” – FIPS 140-2, including:
  NIST 800-52, Guidelines for the Selection and Use of Transport Layer Security Implementation
  NIST 800-77, Guide to IPsec VPNs
  NIST 800-113, Guide to SSL VPNs

Destruction:
◦ Paper, film, or other hard copy media must be shredded or destroyed to the extent that the PHI cannot be read or reconstructed.
◦ Electronic media must be cleared, purged or destroyed such that the PHI cannot be retrieved, and such destruction must be consistent with NIST 800-88, Guidelines for Media Sanitization.

Page 10

Notification: Sets thresholds for triggering breach notification requirements as well as parameters for the method, content, and timing of the notification. For example:
◦ Must provide notice to consumers and FTC within 60 days of discovery;
◦ Notice must include mitigation details; and
◦ If 10 or more individuals cannot be reached, must post conspicuously for six months on homepage of website; or, provide to print and broadcast media outlets in areas affected by breach.

Applies to breaches discovered on or after September 18, 2009.

Monitoring Technology

Breaches & Litigation

State Privacy Offices

Page 11

Cloud Computing: Virtualized resources (www.) where users do not control computing infrastructure. HIGH Risk

Social Networks: Online utility that connects people with friends and others who work, study and live around them. MODERATE Risk

Texting: Short “160” messaging to mobile phones. LOW Risk

Twitter: Service to exchange quick, frequent answers to simple questions, i.e. What are you doing? LOW Risk

Global: User, data, and computing may be in different physical places and each may be in more than one place.

Locus of software applications, data storage, and data processing.

Vendors: Currently accessed via web browser; Microsoft, Google, Facebook, Hotmail, Yahoo, Myspace
◦ Email management
◦ Data security services
◦ Hosting medical records

Page 12

Geographical/Jurisdictional Issues:
◦ Location of servers where data is stored.
◦ Location of servers where data is processed.
◦ Location of user accessing services.
◦ Citizenship of data subject.
◦ Headquarters of service provider.

System of privacy laws that govern, especially with international providers. Data content may have legal implications, i.e. PII disclosures.

Behavior targeting and marketing.

Incidents of “unthinking disclosure” will increase. Technology and institutions may offer limited protections. Potential cyber-bullying.

Provide general awareness training at student orientation (about vulnerabilities of ONS) as part of educational mission; add streaming video for hosted site registration to reduce ‘tagged’ exposures.

Conduct random audits of university ‘branded’ sites to ensure that contents are consistent with institutional Code of Conduct.

Page 13

Over 50 colleges and universities have experienced multiple reported privacy incidents since 2001. At the state level, California is home to seven doubly breached universities, while Ohio follows at four schools.

At least four universities have experienced five or more publicized privacy incidents:
Purdue University (7)
Ohio University (5)
University of Florida (5)
University of Iowa (5)

Individual reported incidents, as listed on the slide:
Stanford University: 72,000
University Georgia: 4,250
University Akron: 800
University of Florida: 101
Ohio University: 492
Tennessee Tech: 990
University Texas: 2,500
University of Maryland: 23,000
Penn State: 677
Georgetown University: 38,000
University of Florida: 1,900
University Minnesota: 3,100
Long Island University: 30,000
Middle Tenn. State: 1,500
Texas A&M: 3,000
Harvard University: 6,600
Binghamton University: 300
University of Miami: 2,100,000
University of Florida: 11,300
University of Utah: 2,200,000
University of Florida: 344, 448
Oklahoma St. University: 70,000
UC San Francisco: 3, 569

Page 14

[Chart: “# reported breaches at universities, by month”, Sep through Aug, vertical axis 5 to 50; the monthly values cannot be reliably paired with their months from the extracted text]

Data-rich information systems creating a natural target.

Outdated and non-enforced data security safeguards.

Sophisticated intruders with potential criminal intent.

Careless or inattentive data systems management.

Negligent hiring practices or employee misuse of data.

Demonstrated opportunities for repeat access.

Business partners or research sponsors who fail to protect information.

Page 15

Seminal means “Highly original and influencing the development of future events”.

When does a privacy breach cause harm?
◦ Identity theft and financial fraud
◦ Offensive publication of illicitly acquired PII
◦ Limited economic opportunities, i.e. job applicant

Canada, Australia, New Zealand are codifying that privacy-security breaches can cause harm.

Bell v. Acxiom, 2006 WL 2850042 (E.D. Ark. 2006): Computer hacking incident. Theft of unencrypted PII caused expenses; however, damages claim unproven for loss of income. Also rejected breach of contract and negligence.

Stollenwerk v. Tri-West Health Care Alliance, 254 Fed. Appx. 664 (9th Cir. 2007): Lost laptop. Identity theft can cause damages. No causation evidence.

Kahle v. Litton Loan Servicing LP, 1:05-cv-00756-MRB (S.D. Ohio 2007): Economic harm prerequisite for damages claim.

Page 16

Pinero v. Jackson Hewitt Tax Service, Inc., No. 08-3535 (E.D. La. Jan. 7, 2009): Federal Court refused to dismiss claim for damages; allowed allegations of “false promise of data protection” to stand. Established basis to assert a damages claim and opens door for class action lawsuits based on same legal theory.

Department of Veterans Affairs Data Theft Litigation, No. 06-0506 (D. DC Jan. 27, 2009): $20 million fund to pay out-of-pocket breach related expenses. Fund is sizable and VA is willingly paying even though there are no actual damages or evidence to connect to possible identity theft.

Federal Precedent: Ninth Circuit Court (Stollenwerk) opined that ‘harm’ was not necessary for class action lawsuits resulting from data breach.

Partnering of Federal Agencies: FTC joined OCR to pursue claims against CVS with settlement costs of $2.25 million. Also, FTC can levy penalties where identity theft results.

States’ Action: ARRA permits states’ AG to sue for damages on behalf of residents.

Page 17

California model for state governments to protect information privacy in state agencies
◦ Privacy Offices – Arizona, California, Ohio, West Virginia, and Wisconsin
◦ CPO – Florida
◦ Security and Technology Offices – All states

Varied Functions and Responsibilities
◦ Influence Legislative Agenda
◦ Topical Policies and Procedures
◦ Consumer Focused

New state requirements move from mitigation and loss to prevention:
◦ Nevada – Businesses to encrypt PII.
◦ California – Enhanced PHI safeguards; increased penalties for breaches; created Office of Health Information Integrity.
◦ Massachusetts – Adopt technical security measures, i.e. encryption of portable media devices.

The added penalties, “will be seen as a revenue stream for states [as they enforce their laws]. It’s a way to pay for costs of health care.”

Shirley Morrigan, Foley & Lardner

Page 18

Self-Assess Readiness to Address 2009 and Beyond

Infrastructure: Reporting Relationships

Job Descriptions: CPO

“Most colleges and universities devote insufficient resources to assessing the risks to, and systematically protecting the privacy and ensuring the security of, personal information.”

Fred H. Cate, Educause Review, October 2006

Page 19

University Privacy Statement? Notice? System-wide privacy policies that extend beyond medical centers and student records? Evaluate privacy implications before buying or deploying new systems? Audit for compliance with privacy policies and procedures? Train its faculty and staff in privacy policies and procedures?

CPO position that reports to Board or President? Authority to act independently?

Fred Cate, Educause Review, October 2006

“In a sector regulated by the Health Insurance Portability and Accountability Act, the Family Educational Rights and Privacy Act, the Gramm-Leach-Bliley Act, the Fair Accounting and Credit Transaction Act, the Red Flag Rules, PCI DSS, and state-level laws on SSNs and breach notification - it’s surprising how few CPOs there are in academia. Only 20 Chief Privacy Officers were identified…”

Jay Cline, ComputerWorld, March 16, 2009

Page 20

Extensive information privacy management and privacy practice experience in an academic setting; demonstrated understanding of all elements of information privacy management.

Knowledge of federal and state privacy regulations and other regulations pertaining to other external agencies and businesses.

Knowledge of the issues and challenges of the university’s education and research (and clinical) components; a full understanding of and ability to adapt privacy management efforts to effectively respond to changes in education and research practices, legal or regulatory changes and technological trends.

Requires Master’s degree in Business, Health Care Administration, Public Health or a Juris Doctorate.

Furst Group

A leader who understands the technical, legal and operational aspects of gathering, handling and securing personal data, and who can establish and maintain a comprehensive strategic vision for handling all personal data of employees, customers, and suppliers of an organization in a manner that is legal, secure and ethical, from the point of acquisition through the point of disposition, thereby gaining public trust in the organization’s role as custodian of such data.

International Association of Privacy Professionals, 2007

Page 21

Increased Governmental Regulations, especially for identity theft and healthcare operations

Emerging Technology Risks and Expanding Data Security Obligations

Probable Litigation Developments and Enhanced Enforcement, especially from state legislators

Continuing infrastructure and job profile challenges

What’s Missing?

Page 22

UF Privacy Office
◦ http://privacy.ufl.edu
◦ 352-273-5094
◦ Toll-free Hotline: 866-876-4472