ct, hi & vt – oh my! what do the latest privacy regulation updates mean to you?
TRANSCRIPT
-
7/30/2019 CT, HI & VT Oh My! What Do the Latest Privacy Regulation Updates Mean to You?
The information and images contained in this document are of a proprietary and confidential nature. The disclosure, duplication, use in whole, or use in part, of the document for any purposes other than client evaluation without the written permission of Apperian, Inc. is strictly prohibited.
Co3 Systems Inc. 2011 All Rights Reserved.
Vermont, Connecticut and Hawaii:
Changes to State Breach Notification Laws and Their Larger Implications
-
Agenda
Introductions
About Co3
State Disclosure Law Updates
  Vermont
  Connecticut
  Hawaii
Refresher on HIPAA Preemption
Questions
-
Co3 Automates Breach Management
[Diagram labels: Simulations, Incidents, Events]
Prepare
  Assign response team
  Describe environment
  Simulate events and incidents
  Focus on organizational gaps
Report
  Document incident results
  Track historical performance
  Calculate cost to close
  Generate audit/compliance reports
Assess
  Track events
  Scope regulatory requirements
  See $ exposure
  Send notice to team
  Generate PIAs
Manage
  Is this a breach?
  Escalate to complete IR plan
  Oversee the complete plan
  Assign tasks: who/what/when
  Notify regulators and clients
  Monitor progress to completion
-
Today's Speakers
Colin Zick, Partner and Co-Chair, Security and Privacy, Foley Hoag
Gant Redmon, General Counsel, Co3 Systems, Inc.
-
State Data Security Laws, 2.0
The vast majority of states now have data security and breach notification laws, and most have had them for several years.
Experience in applying these laws has revealed holes and flaws in many.
State legislatures are now starting the process of repairing these.
We can expect more states to re-examine and revise their data security and breach notification statutes.
The actions of CT, VT and HI are a preview of what we can expect in other states during the next 1-2 years.
-
Vermont
Summary of Changes
  Revises definition of a breach.
  Specifies timeframe for notifications.
  Adds requirement for notification to AG.
  Updates some terminology.
  Became effective May 8, 2012.
-
Vermont Breach Definition
"Security breach": Unauthorized acquisition of electronic data or a reasonable belief of an unauthorized acquisition of electronic data that compromises the security, confidentiality, or integrity of a consumer's personally identifiable information maintained by the data collector.
Previously, the law was triggered by unauthorized access OR unauthorized acquisition. New definition removes "access" trigger.
Eliminated "computerized data" and replaced with the more appropriate "electronic data."
Adds series of factors, any or all of which can help determine acquisition:
  1) Is the information in the physical possession and control of a person without valid authorization?
  2) Has the information been downloaded or copied?
  3) Has the information been used by an unauthorized person?
  4) Has the information been made public?
-
Vermont Terminology Updates & Effective Date
Other terminology has been revised, and is now more in line with other state laws:
  "Personal information" is now "Personally Identifiable Information"
  "Computerized information" is now "electronic information"
  "Business" is now "data collector"
Changes became effective upon passage of the law on May 8, 2012.
-
Vermont Timeframe & Notice to AG
Specifies 45 day limit for notification to consumers.
  Prior requirement was "most expedient time possible and without unreasonable delay." This still exists, so faster notification should happen if possible.
Adds requirement to notify VT Attorney General.
  Within 14 business days of date of discovery OR when notice is provided to consumers, whichever is sooner.
  Must include date of breach and date of discovery, a preliminary description of the breach, and the number of consumers affected.
-
Vermont Letters
Vermont's new statute and guidelines require up to four different letters to be sent:
  Preliminary Letter to VT AG, 14 days from breach discovery, containing date of breach, date of discovery, and preliminary description of the breach.
  No Misuse Letter to Consumer Protection Unit of VT AG containing detailed explanation why misuse unlikely.
  Notice of Breach Letter to consumers.
  Notice of Notice of Breach Letter to VT AG with a copy of the consumer notice, with information on nature of breach redacted.
-
Connecticut
Summary of Changes
Provides clarification on wording in breach definition:
  "breach of security" means unauthorized access to or unauthorized acquisition of electronic files, media databases, or computerized data
Adds requirement that notification of breach must be provided to the CT Attorney General as well as consumers:
  Notification to AG must be provided no later than the time when notice is provided to consumers.
Becomes effective October 1, 2012
-
Hawaii
Summary of Changes
  Relates only to information covered by HIPAA (PHI).
  Law acknowledges that a complex array of state laws and rules unfairly burdens health care providers.
  In order to address this problem, the law equates Hawaii law with HIPAA, so HIPAA controls.
  Became effective July 10, 2012.
-
Refresher on HIPAA Preemption
HIPAA generally preempts state law.
However, where state law privacy protections for health information are more stringent than a HIPAA protection, the state protections should still govern [45 C.F.R. 160.203(b)].
Steps in the Pre-emption Analysis:
  Does HIPAA even apply?
  If HIPAA applies, does it conflict with some element of state law?
  If HIPAA does conflict with some element of state law, is that law exempted from HIPAA?
  If that state law is not exempted from HIPAA, are HIPAA's protections more stringent or contrary to state law?
-
Questions?
-
Thank You
Gartner: "Co3 define(s) what software packages for privacy look like."
1 Alewife Center, Suite 450
Cambridge, MA 02140
ph: 617-206-3900
www.co3sys.com
-
Colin Zick
Colin is a partner with Foley Hoag LLP, in its Boston office. His practice focuses on health care and compliance issues, and often involves the intersection of those two subjects in administrative proceedings or litigation. He frequently counsels clients on issues involving information privacy and security, such as data breach, and state and federal data security laws and regulations (including those of the FTC and Department of Commerce). He advises clients on HIPAA and the HITECH Act and has served as the editor of the Massachusetts Health Information Management Association's Medicolegal Guide to Health Record Information since 2003. Mr. Zick co-founded Foley Hoag's Data Security and Privacy Practice Group and regularly contributes to its blog, www.securityprivacyandthelaw.com. He and his firm also serve as counsel to the Advanced Cyber Security Center, a collaborative, cross-sector research facility working to address the most critical and sophisticated cyber security challenges. Mr. Zick also has submitted amicus briefs in cases in state and federal court regarding the constitutionality of DNA databases and other health data issues.
He can be reached at (617) 832-1275.
-
Gant Redmon
Gant is General Counsel and Vice President for Co3 Systems. He has practiced law for nineteen years; fifteen of those years as in-house counsel for security software companies. Prior to joining Co3 Systems, Gant was General Counsel of Arbor Networks, now part of the Danaher Corporation. Gant has also been Counsel at Authentica (acquired by RSA/EMC) and AXENT Technologies (acquired by Symantec). In 1997, Gant was appointed to membership on President Clinton's Export Council Subcommittee on Encryption (PECSENC).
Gant holds a Juris Doctorate degree from Wake Forest University School of Law and a Bachelor of Arts degree from the University of Virginia, and is admitted to practice law in Virginia and Massachusetts. Gant also holds the CIPP/US certification (Certified Information Privacy Professional/United States).