By Robert Hudock, on October 15th, 2009
On October 7, 2009, HHS announced proposed rulemaking to modify the HIPAA Privacy Rule to comply with Section 105 of Title I of the Genetic Information Nondiscrimination Act of 2008 (GINA) regarding the privacy and confidentiality of genetic information. Generally, the HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information, and it applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The HIPAA Privacy Rule requires a covered entity (and, beginning next year, Business Associates) to implement reasonable and appropriate administrative, technical and physical safeguards to protect the privacy of personal health information (PHI). More generally, the Privacy Rule sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including the right to examine and obtain a copy of their health records, and to request [...]
By Robert Hudock, on September 15th, 2009
Attached is an updated summary of the major provisions of the security breach statutes enacted by each state. In the event of a security breach, you should consult legal counsel to ascertain the appropriate method of notification and any other requirements. To date, forty-five states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. States with no security breach laws are Alabama, Kentucky, Mississippi, New Mexico, and South Dakota. Arkansas, California, Minnesota, and Texas now bring health information within the scope of their respective security breach statutes by including it in the definition of personal information. Eight states take an acquisition-based approach when deciding whether notice must be given, while the remaining states apply a more pragmatic risk assessment of the likelihood of harm to decide whether notice should be sent to consumers. [...]
By Robert Hudock, on September 8th, 2009
Security incidents can be accidental incursions or deliberate attempts to break into systems, and they range from benign to malicious in purpose or consequence. Each incident requires a careful response at a level commensurate with its potential impact on the security of individuals and on your organization as a whole; however, few organizations have an appropriate security incident policy. The fundamental components of a security incident response plan include the following: [...]
By Robert Hudock, on August 21st, 2009
Regulations requiring health care providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals when their personal health information is breached were issued on August 19th, 2009, by the U.S. Department of Health and Human Services (HHS). These “breach notification” regulations implement provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the American Recovery and Reinvestment Act of 2009 [...]
By Robert Hudock, on August 5th, 2009
It appears HHS has taken this critique to heart. HHS recently released notice of an important shift in the internal responsibility and delegation of authority for monitoring and enforcing the HIPAA Security Rule (and all additional health IT-related security responsibilities under ARRA). Previously, responsibility for administering (interpretation, education, guidance, FAQs, etc.), monitoring and enforcing the HIPAA Security Rule rested with CMS (specifically, the CMS Office of E-Standards and Services, or CMS/OESS). The administration, monitoring and enforcement of the HIPAA Privacy Rule fell under the Office for Civil Rights [...]
By Robert Hudock, on July 26th, 2009
Below I briefly review New York’s security breach and other relevant privacy/security law provisions, which are sometimes not addressed in a corporation’s privacy and security policies (but should be). I have also referenced and reviewed New York’s guidance on best business privacy and security practices. There are three basic areas of inquiry: privacy law pertaining to the protection of confidential information, which requires specific actions with respect to specific identifiers (e.g. SSN, DL number, etc.); an employer’s obligations to its employees, which include affirmative privacy obligations; and New York’s version of the security breach notification laws currently found in 45 states. The New York Consumer Protection Board (“CPB”) is New York’s key agency responsible for protecting the residents of New York by “publicizing unscrupulous and questionable business practices; conducting investigations and hearings; researching issues; developing legislation and creating consumer education programs and materials.” The CPB has released guidance (New York’s Business Guide to Privacy) that provides an excellent summary of New York State privacy and security laws. Most actions brought under the statutes discussed must be brought by the State Attorney General. HIPAA and other federal laws (including the new HITECH Act) I have discussed in other blog [...]
By Robert Hudock, on June 20th, 2009
Going to court to force an ISP to disclose a user’s identity raises many issues, including First Amendment issues. For example:
On June 13, 2007, the New Jersey Township of Manalapan filed a malpractice suit against its former attorney Stuart Moskovitz, alleging misconduct regarding the Township’s purchase of polluted land in 2005. The decision to file suit was met by a lively debate in the regional press and among local bloggers. One blogger who was particularly critical of the Township, of this and other decisions, was Blogspot blogger “datruthsquad” (http://www.eff.org/cases/manalapan-v-moskovitz).
Long story short, the Township lost; a copy of EFF’s motion to quash is available here (motiontoquashmpa-signed), and the Court order quashing the subpoena is available here (order-122107). However, there may exist an alternative method for “unmasking” anonymous bloggers, cyber-stalkers, etc. using public information. Everyone has a unique writeprint (basically a written fingerprint that can be used to identify him or her). This technique has traditionally been used to identify the true author of a text (e.g. a book) where authorship is disputed or unknown. Forensic linguistics has been used to provide evidence in trademark dispute cases, to identify the author of anonymous texts (such as threat or harassment letters), and to identify cases of plagiarism. The identification process relies on the analysis of an individual’s particular patterns of language use (vocabulary, collocations, pronunciation, spelling, grammar, etc.). The term “idiolect” is defined as the speech patterns of a specific person (a dialect, unique in pronunciation, grammar, and vocabulary to a single person). Stylistic features can be used to create a fingerprint of an individual’s writing style (such a linguistic fingerprint is called a “writeprint”). A writeprint is composed of features that represent an author’s writing style and that are consistent across all of an individual’s writings. For a gentle introduction, see Digital fingerprints: tiny behavioral differences can reveal your identity, by Julie Rehmeyer in the January 13, 2007 issue of Science News (Westlaw cite 2007 WLNR [...]
By Robert Hudock, on May 6th, 2009
A number of plaintiffs have brought actions following notification that their sensitive financial information had been disclosed during a security incident. Approximately 45 states, including the District of Columbia, now require that a party be informed when his or her sensitive information has been released. However, this exposure of someone’s identity, even when coupled with the cost of guarding against identity theft, generally does not constitute a compensable injury sufficient to state a claim for negligence or for breach of [...]
By Robert Hudock, on May 1st, 2009
The FTC announced today that the enforcement date for the Red Flag Rules is being extended until August 1, 2009 (instead of May 1, 2009). The press release is at http://www.ftc.gov/opa/2009/04/redflagsrule.shtm.
April 30th, 2009: “The Federal Trade Commission will delay enforcement of the new ‘Red Flags Rule’ until August 1, 2009, to give creditors and financial institutions more time to develop and implement written identity theft prevention programs. For entities that have a low risk of identity theft, such as businesses that know their customers personally, the Commission will soon release a template to help them comply with the [...]
By Robert Hudock, on April 20th, 2009
Stimulus Update – HIPAA
This alert provides a brief overview of privacy and security provisions included within “The American Recovery and Reinvestment Act of 2009” (H.R.1, S.1) (the “Stimulus”). The Stimulus also includes funding for health information technology (“HIT”) and funding for comparative effectiveness research. These provisions will be the subject of future alerts. Future [...]