Connecticut AG creates new department focusing exclusively on privacy and data security
Connecticut Attorney General George Jepsen has announced the creation of a new Privacy and Data Security Department within the AG’s office. The Department will be tasked with handling all consumer privacy investigations and litigation, as well as educating the public and businesses about protecting sensitive data. Assistant Attorney General Matthew Fitzsimmons, who previously chaired a privacy and data security task force within the AG’s office, will head the new department and its dedicated team of lawyers. The AG has not received any additional funding for the Department.
Data Protection Legislative Hot Topic
Cyberthreat Sharing Bills Gain Momentum. On March 12, the Senate Intelligence Committee approved the Cybersecurity Information Sharing Act of 2015 (“CISA”) to increase sharing of cybersecurity threat information by U.S. companies on a vote of 14-1. The legislation grants liability protections for companies that voluntarily share cybersecurity threat information with the government or industry partners. The measure should be scheduled for a vote on the Senate floor shortly.
Montana and Wyoming amend breach notification laws
Montana Governor Steve Bullock has signed a bill, H.B. 74, that will toughen the state’s breach notification law. The bill expands the definition of “personal information” covered by the law to include medical record information (as further defined by the state’s Insurance Information and Privacy Protection Act), taxpayer identification number, or other identification number issued by the Internal Revenue Service. The revised law also requires organizations to notify the Attorney General’s Consumer Protection Office in the event of a breach. Insurance entities such as licensees or insurance support organizations must also provide notification to the state Insurance Commissioner. Notice to these regulators must identify the number of affected individuals, state the date and distribution method of the notice to affected individuals, and include a copy of the notice provided to individuals. The law takes effect October 1, 2015.
On March 2, Wyoming Governor Matt Mead signed a bill, S.F. 36, amending the state’s data breach notification law to revise the state’s definition of “personal information” and to specify the type of information required in notices to individuals. The amendment removes from the definition of “personal information” an individual’s demand deposit account, savings account, employee identification number, place of employment, and mother’s maiden name. At the same time, it adds new data elements to the definition, including taxpayer identification number, birth or marriage certificates, biometric data, medical history and health insurance information. The new law also specifies that a notification letter to individuals affected by a breach must include the types of personal identifying information that were the subject of the breach, a general description of the breach, the approximate date of the breach, and the actions taken to protect the affected system from further breaches.
OCR Levies Nearly $2 Million in HIPAA Fines for Stolen Unencrypted Laptops
On Tuesday, April 22, 2014, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) announced that Concentra Health Services Inc. (“CHS”) and QCA Health Plan Inc. (“QCA”) have agreed to pay a total of $1,975,220, collectively, to resolve potential violations of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy and Security Rules stemming from the theft of unencrypted laptops. Specifically, CHS has agreed to pay $1,725,220, and QCA has agreed to pay $250,000, to OCR to settle potential HIPAA violations and will adopt corrective action plans to evidence their remediation of the potential violations. The clear message from both settlements is that OCR expects covered entities to encrypt mobile devices that store electronic Protected Health Information (“ePHI”).
Cybersecurity Developments: SEC, FINRA, NIST, DOJ/FTC
SEC Launches Cybersecurity Examination Initiative – Promoting Cyber Preparedness
On April 15, 2014 the Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE) released a Risk Alert announcing that the agency will be examining 50 registered broker-dealers and investment advisers in order to assess cybersecurity preparedness in the securities industry.1 The announcement was accompanied by a sample request for information and documents. According to OCIE, the examinations will focus on “cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with certain cybersecurity threats.”
Broker-Dealers Need to Respond to Recent Focus on Cybersecurity Threats
Recent data breaches at retailers like Target have increased awareness about growing cybersecurity threats. Broker-dealers in particular need to reevaluate their own cybersecurity preparedness in light of several recent events:
- FINRA’s launch of a cybersecurity sweep, publicly announced on the FINRA website on February 6, 2014;
- The inclusion of cybersecurity as a priority in the SEC’s National Examination Program for 2014 and FINRA’s 2014 Annual Regulatory and Examination Priorities Letter;
- The White House’s February 12, 2014 release of the much-anticipated Framework for Improving Critical Infrastructure Cybersecurity; and
- An upcoming SEC public roundtable on cybersecurity issues, to be held in Washington, DC on March 26, 2014.
White House Releases NIST Cybersecurity Framework
On February 12, the White House released the widely anticipated Framework for Improving Critical Infrastructure Cybersecurity (“the Framework”). Developed pursuant to Executive Order 13636 (issued in February 2013), the Framework strongly encourages companies across the financial, communications, chemical, transportation, healthcare, energy, water, defense, food, agriculture, and other critical infrastructure sectors to implement and comply with its voluntary standards. The provisions set forth in the Framework may establish a new baseline for industry standard practices, and may impact or guide FTC enforcement actions and plaintiff data breach lawsuits.
European Parliament votes on new EU Data Protection Regulation
The European Parliament’s Civil Liberties Committee (the “LIBE Committee”) has after several delays finally voted on the European Commission’s proposed EU Data Protection Regulation and adopted all amendments. The LIBE Committee also approved a mandate to start negotiations with the Council of Ministers (which represents EU Member States) and the Commission – the so called trilogue process. The Regulation was published by the European Commission in January 2012 and has been described as the most lobbied piece of European legislation in history receiving over 4,000 amendments in opinions from other Committees in the European Parliament as well as from numerous industries.
California’s Office of Privacy Protection Issues – Recommendations on Notification of Security Breaches Involving Personal Information
The recent release of new guidelines on responding to computer security breaches offer important guidance for all companies with valuable electronic information. On October 10, 2003, the Office of Privacy Protection within the State of California’s Department of Consumer Affairs issued its “Recommended Practices on Notification of Security Breach Involving Personal Information.” The Office of Privacy Protection is tasked with recommending policies and practices that protect California consumers’ privacy.