insurance

The Connecticut Insurance Department Bulletin on Breach Notification

By InfoLawGroup LLP on September 14, 2010

Think there's nothing new in the world of state breach notification laws and regulations? Think again. In August, the State of Connecticut Insurance Department issued Bulletin IC-25 to all regulated entities in Connecticut, including insurance producers, public adjusters, bail bond agents, appraisers, certified insurance consultants, casualty claim adjusters, property and casualty insurers, life and health insurers, health care centers, fraternal benefit societies, captive insurers, utilization review companies, risk retention groups, surplus line companies, life settlement companies, preferred provider networks, pharmacy benefit managers, and medical discount plans, requiring that all licensees and registrants notify the Department of any information security incident that affects any Connecticut residents. This is in addition to, and goes beyond, the existing breach notification requirements under Conn. Gen. Stat. § 36a-701b. The procedural requirements set forth in the Bulletin are extensive and detailed, and they will require covered organizations to act very quickly once they learn of a potential incident. Here are the basics.

Cloud, cloud computing, EU, EU Data Protection Directive, EU Directive, European Union, Germany, international data transfers, Safe Harbor, transborder data flows

European Reservations?

By W. Scott Blackmer on August 25, 2010

German state data protection authorities have recently criticized both cloud computing and the EU-US Safe Harbor Framework. From some of the reactions, you would think that both are in imminent danger of a European crackdown. That's not likely, but the comments reflect some concerns with recent trends in outsourcing and transborder data flows that multinationals would be well advised to address in their planning and operations.

Data Security and Breach Notification Act, FTC, information brokers, information security program, preemption, Pryor, Rockefeller, S. 3742

Yet Another Proposed Federal Data Security and Breach Notification Bill: Senators Rockefeller and Pryor Jump Into the Fray

By InfoLawGroup LLP on August 16, 2010

Many of us have watched over the past few years as dozens of proposed federal data security and breach notification bills have been introduced, often with bipartisan support, only to fail to become law. This year has seen many of the usual proposals. For those of you keeping track, this year's bills include: Rep. Rush's Data Accountability and Trust Act (H.R. 2221); Sen. Leahy's Personal Data Privacy and Security Act (S. 1490); Sen. Feinstein's Data Breach Notification Act (S. 139); and Sens. Carper and Bennett's "Data Security Act of 2010" (S. 3579). However, 2010 has also seen new and expansive proposals for broad and far-reaching data privacy legislation, including Rep. Boucher's "discussion draft" and Rep. Rush's "Building Effective Strategies to Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards" Act (or "BEST PRACTICES Act"). Most recently, on August 5, Sens. Pryor and Rockefeller introduced the "Data Security and Breach Notification Act of 2010" (S. 3742) (hereinafter "S. 3742" or the "Act"). S. 3742 is much more akin to the traditional breach notification and data security proposals mentioned above, and not nearly as ambitious as the draft Boucher Bill or the BEST PRACTICES Act. This post summarizes the key provisions of S. 3742.

authentication, banking, Breach, FFIEC, liability, litigation, phishing, reasonable, reasonable security, UCC 4A-202

EMI v. Comerica: Court Finds Bank's Security is Commercially Reasonable -- Bank Loses Motion for Summary Judgment

By InfoLawGroup LLP on August 12, 2010

An odd result -- we know. We previously reported on the lawsuit filed by Experi-Metal, Inc. ("EMI") and on the subsequent motion for summary judgment (and supporting briefs) filed by Comerica Bank seeking dismissal of the case. As reported in July, the U.S. District Court for the Eastern District of Michigan has now ruled on Comerica's motion. To make a long story short, the Court denied the motion, and the case appears headed toward trial (or potentially settlement). In the course of its ruling, the Court found that Comerica had used commercially reasonable security procedures. However, that finding turned on the language of Comerica's contracts with EMI rather than on any substantive analysis of whether Comerica's security was actually reasonable. In this blogpost, we take a look at the Court's ruling.

ABA, American Bar Association, Information Security Committee, ISC, Law, pii2010, privacy, Science and Technology Law, Security

Upcoming Events

By InfoLawGroup LLP on August 04, 2010

The attorneys of InfoLawGroup have been very busy this summer, and August is no exception. In addition to our regular day-to-day work, we will (somehow) find the time to attend some great events in August. If you will be in San Francisco and/or Seattle later this month, please join us; we would love to see you.

accuracy, bill, consent, data, data accuracy, data integrity, data security, integrity, measures, notice, privacy, privacy notice, Regulations, Security, security measures

FAQ on the "BEST PRACTICES Act" - Part Two

By InfoLawGroup LLP on August 04, 2010

We recently published the first part of our FAQ series on Congressman Bobby Rush's new data privacy bill, known as the "Building Effective Strategies to Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards" Act (a.k.a. "BEST PRACTICES Act" or "Act"). In Part One we looked at some of the key definitions and requirements concerning transparency, notice and individual choice, mandates around accuracy, access and dispute resolution, and finally the data security and data minimization requirements under the Act. Part Two focuses on the "Safe Harbor" outlined in the Act, the various exemptions for de-identified information, and the provisions concerning the application and enforcement of the Act.

breach notice, Canada, data protection law, EU Data Protection Directive, Mexican, Mexico, PIPEDA, Security, transborder data flows

Mexico's New Data Protection Law

By W. Scott Blackmer on July 28, 2010

Mexico has joined the ranks of more than 50 countries that have enacted omnibus data privacy laws covering the private sector. The new Federal Law on the Protection of Personal Data Held by Private Parties (Ley federal de protección de datos personales en posesión de los particulares) (the "Law") was published on July 5, 2010 and took effect on July 6. IAPP has released an unofficial English translation. The Law will have an impact on the many US-based companies that operate or advertise in Mexico, as well as those that use Spanish-language call centers and other support services located in Mexico.

bill, consent, data accuracy, data integrity, data security, notice, privacy, privacy notice, Regulation, Security, security measures

FAQ on the "BEST PRACTICES Act" - Part One

By InfoLawGroup LLP on July 22, 2010

Congressman Bobby Rush has introduced a new data privacy bill in Congress known as the "Building Effective Strategies to Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards" Act (a.k.a. "BEST PRACTICES Act" or "Act"). We have put together a summary of the Act in "FAQ" format. In Part One we look at some of the key definitions, the requirements concerning transparency, notice and individual choice, the mandates around accuracy, access and dispute resolution, and finally the data security and data minimization requirements under the Act. Part Two will focus on the "Safe Harbor" outlined in the Act, the various exemptions for de-identified information, and the provisions concerning the application and enforcement of the Act.

baa, business associate, enforcement rule, fundraising, HHS, HIPAA, marketing, modifications, notice of privacy practices, npp, NPRM, privacy rule, protected health information, research, restrictions, sale, security rule, subcontractors

FAQ on the Proposed Modifications to the HIPAA Rules: Part Two

By InfoLawGroup LLP on July 15, 2010

This post is Part Two of my FAQ on the proposed modifications to the HIPAA Rules issued by HHS last week. Part Two focuses on the proposed modifications to the Privacy Rule.

baa, business associate, enforcement rule, HHS, HIPAA, modifications, NPRM, privacy rule, protected health information, security rule, subcontractors

FAQ on the Proposed Modifications to the HIPAA Rules: Part One

By InfoLawGroup LLP on July 12, 2010

As reported last week, on Thursday the Department of Health and Human Services ("HHS") issued its long-anticipated Notice of Proposed Rulemaking ("NPRM") on Modifications to the Health Insurance Portability and Accountability Act ("HIPAA") Privacy, Security, and Enforcement Rules under the Health Information Technology for Economic and Clinical Health Act (the "HITECH Act"). For those of us who subscribe to numerous technology and law listservs, this meant inboxes flooded with opinions, criticism, speculation, and flat-out fear mongering. We thought people might like to know what the proposed modifications actually say, and what they mean. So, this post provides Part One of a FAQ on the 234-page NPRM. Part One addresses general issues (including significant changes involving subcontractors) and the proposed modifications to the HIPAA Security and Enforcement Rules. Part Two, later this week, will address the proposed modifications to the HIPAA Privacy Rule.