CT, HI & VT – Oh My! What Do the Latest Privacy Regulation Updates Mean to You?

Upload: co3sys

Post on 04-Apr-2018


  • 7/30/2019 CT, HI & VT Oh My! What Do the Latest Privacy Regulation Updates Mean to You?

    The information and images contained in this document are of a proprietary and confidential nature. The disclosure, duplication, use in whole, or use in part, of the document for any purposes other than client evaluation without the written permission of Apperian, Inc. is strictly prohibited.

    Co3 Systems Inc. 2011. All Rights Reserved.

    Vermont, Connecticut and Hawaii: Changes to State Breach Notification Laws and Their Larger Implications

  • Agenda

    Introductions
    About Co3
    State Disclosure Law Updates: Vermont, Connecticut, Hawaii
    Refresher on HIPAA Preemption
    Questions

  • Co3 Automates Breach Management

    [Diagram: lifecycle labelled Simulations, Incidents, Events, with the four phases below]

    Prepare: Assign response team. Describe environment. Simulate events and incidents. Focus on organizational gaps.

    Report: Document incident results. Track historical performance. Calculate cost to close. Generate audit/compliance reports.

    Assess: Track events. Scope regulatory requirements. See $ exposure. Send notice to team. Generate PIAs.

    Manage: Is this a breach? Escalate to complete IR plan. Oversee the complete plan. Assign tasks: who/what/when. Notify regulators and clients. Monitor progress to completion.

    Co3 Systems

  • Today's Speakers

    Colin Zick, Partner and Co-Chair, Security and Privacy, Foley Hoag, [email protected]

    Gant Redmon, General Counsel, Co3 Systems, Inc., [email protected]

  • State Data Security Laws, 2.0

    The vast majority of states now have data security and breach notification laws, and most have had them for several years. Experience in applying these laws has revealed holes and flaws in many. State legislatures are now starting the process of repairing these. We can expect more states to re-examine and revise their data security and breach notification statutes.

    The actions of CT, VT and HI are a preview of what we can expect in other states during the next 1-2 years.

  • Vermont: Summary of Changes

    Revises definition of a breach.
    Specifies timeframe for notifications.
    Adds requirement for notification to AG.
    Updates some terminology.
    Became effective May 8, 2012.

  • Vermont Breach Definition

    Security breach: "Unauthorized acquisition of electronic data or a reasonable belief of an unauthorized acquisition of electronic data that compromises the security, confidentiality, or integrity of a consumer's personally identifiable information maintained by the data collector."

    Previously, the law was triggered by unauthorized access OR unauthorized acquisition. The new definition removes the access trigger.

    Eliminated "computerized data" and replaced it with the more appropriate "electronic data".

    Adds a series of factors, any or all of which can help determine acquisition:
    1) Is the information in the physical possession and control of a person without valid authorization?
    2) Has the information been downloaded or copied?
    3) Has the information been used by an unauthorized person?
    4) Has the information been made public?

  • Vermont Terminology Updates & Effective Date

    Other terminology has been revised and is now more in line with other state laws:

    "Personal information" is now "personally identifiable information".
    "Computerized information" is now "electronic information".
    "Business" is now "data collector".

    Changes became effective upon passage of the law on May 8, 2012.

  • Vermont Timeframe & Notice to AG

    Specifies a 45-day limit for notification to consumers. The prior requirement was "most expedient time possible and without unreasonable delay". This still exists, so faster notification should happen if possible.

    Adds a requirement to notify the VT Attorney General within 14 business days of the date of discovery OR when notice is provided to consumers, whichever is sooner.

    Notice to the AG must include the date of breach and date of discovery, a preliminary description of the breach, and the number of consumers affected.

  • Vermont Letters

    Vermont's new statute and guidelines require up to four different letters to be sent:

    1) Preliminary Letter to VT AG: 14 days from breach discovery, containing date of breach, date of discovery, and a preliminary description of the breach.
    2) No Misuse Letter to Consumer Protection Unit of VT AG, containing a detailed explanation of why misuse is unlikely.
    3) Notice of Breach Letter to consumers.
    4) Notice of Notice of Breach Letter to VT AG, with a copy of the consumer notice, with information on the nature of the breach redacted.

  • Connecticut: Summary of Changes

    Provides clarification on wording in the breach definition: "breach of security" means "unauthorized access to or unauthorized acquisition of electronic files, media, databases, or computerized data".

    Adds a requirement that notification of a breach must be provided to the CT Attorney General as well as consumers. Notification to the AG must be provided no later than the time when notice is provided to consumers.

    Becomes effective October 1, 2012.

  • Hawaii: Summary of Changes

    Relates only to information covered by HIPAA (PHI).

    The law acknowledges that a complex array of state laws and rules unfairly burdens health care providers.

    In order to address this problem, the law equates Hawaii law with HIPAA, so HIPAA controls.

    Became effective July 10, 2012.

  • Refresher on HIPAA Preemption

    HIPAA generally preempts state law. However, where state law privacy protections for health information are more stringent than a HIPAA protection, the state protections should still govern [45 C.F.R. 160.203(b)].

    Steps in the preemption analysis:
    1) Does HIPAA even apply?
    2) If HIPAA applies, does it conflict with some element of state law?
    3) If HIPAA does conflict with some element of state law, is that law exempted from HIPAA?
    4) If that state law is not exempted from HIPAA, are HIPAA's protections more stringent than or contrary to state law?

  • Questions?

    2011 Co3 Systems, Inc. The information contained herein is proprietary and confidential.

  • Thank You

    Gartner: "Co3 define(s) what software packages for privacy look like."

    1 Alewife Center, Suite 450, Cambridge, MA 02140
    ph: 617-206-3900
    e: [email protected]
    www.co3sys.com

  • Colin Zick

    Colin is a partner with Foley Hoag LLP, in its Boston office. His practice focuses on health care and compliance issues, and often involves the intersection of those two subjects in administrative proceedings or litigation. He frequently counsels clients on issues involving information privacy and security, such as data breach, and state and federal data security laws and regulations (including those of the FTC and Department of Commerce). He advises clients on HIPAA and the HITECH Act and has served as the editor of the Massachusetts Health Information Management Association's Medicolegal Guide to Health Record Information since 2003. Mr. Zick co-founded Foley Hoag's Data Security and Privacy Practice Group and regularly contributes to its blog, www.securityprivacyandthelaw.com. He and his firm also serve as counsel to the Advanced Cyber Security Center, a collaborative, cross-sector research facility working to address the most critical and sophisticated cyber security challenges. Mr. Zick also has submitted amicus briefs in cases in state and federal court regarding the constitutionality of DNA databases and other health data issues.

    He can be reached at (617) 832-1275, [email protected].

  • Gant Redmon

    Gant is General Counsel and Vice President for Co3 Systems. He has practiced law for nineteen years; fifteen of those years as in-house counsel for security software companies. Prior to joining Co3 Systems, Gant was General Counsel of Arbor Networks, now part of the Danaher Corporation. Gant has also been Counsel at Authentica (acquired by RSA/EMC) and AXENT Technologies (acquired by Symantec). In 1997, Gant was appointed to President Clinton's Export Council Subcommittee on Encryption (PECSENC).

    Gant holds a Juris Doctorate degree from Wake Forest University School of Law and a Bachelor of Arts degree from the University of Virginia, and is admitted to practice law in Virginia and Massachusetts. Gant also holds the CIPP/US certification (Certified Information Privacy Professional/United States).

    Gant Redmon
    [email protected]