Privacy and IT Transformation

The technology revolution has enabled organizations across all sectors to collect and store unprecedented amounts of personal information electronically. But as business demands continue to grow and outpace integrated IT solutions, the security and privacy of that information is often managed as an afterthought, on a patchwork of existing and legacy systems. To address these challenges, along with other increasing demands on enterprise systems, many organizations find themselves forced to undertake large-scale IT transformations.

Simply put, privacy cannot be a secondary consideration. It needs to be a fundamental part of any IT transformation. Effectively managing the risk that privacy issues pose is paramount for organizations that aim to generate additional value and improve performance by safeguarding their reputations and brands.

If patched-up systems are straining to meet your privacy needs, here are five best-practice steps for integrating privacy into an IT transformation.

Create a Systems Inventory

  • Conduct a full system inventory.
  • Profile the active system inventory (e.g., region, department, function, estimated decommission date).
  • Identify the portion of that population classified as high regulatory impact (e.g., systems handling PII, PCI, SOX or HIPAA data, or that are business critical).

Develop a business case

  • Assess operational impact (e.g., volume of user activity, current level of control automation).
  • Calculate current-state operating costs, cost of compliance, potential savings, ROI, NPV, etc.

Conduct an in-depth assessment

  • Define application scope.
  • Conduct deep-dive assessment of current-state systems/processes (e.g., privacy impact assessments).
  • Assess cross-functional control weaknesses, duplications and process inefficiencies.

Consolidate systems

  • Consolidate administrative processes and technical controls to address duplication and inefficiencies.
  • Sunset systems that are no longer needed.

Standardize and automate

  • Standardize processes and supporting structures.
  • Employ standard policies and procedures.
  • Consider process automation for systems with high volume and high impact.

20 Questions Directors Should Ask About Privacy

  1. What personal information about customers and employees does your business collect and retain?
  2. What personal information do you need and use to conduct sales, marketing, fundraising, and customer relations activities?
  3. What personal information do you obtain from or disclose to affiliates or third parties, for example, in payroll outsourcing, credit processing, and in accordance with business agreements?
  4. What legal and/or customary obligations does your business have to protect the privacy of personal information?
  5. What do your competitors and other business associates do about privacy? What is the “standard”?
  6. To what degree are senior managers or owners actively involved in the development, implementation, and promotion of privacy measures within your business?
  7. Have you assigned someone (for example, a privacy officer) the responsibility for privacy issues?
  8. Does the individual responsible for privacy issues have clear authority to oversee the business’s privacy policies and practices?
  9. Are your privacy policies clearly written and enforceable, and do they address issues related to the collection, use, disclosure, and retention of personal information?
  10. Do your privacy policies and practices meet the needs of your business and customers?
  11. How do you communicate to employees your policies and practices for managing personal information?
  12. How do you train employees to protect the privacy of personal information?
  13. How do you communicate your privacy policies and practices to your customers and others, including procedures to make inquiries and file complaints?
  14. Have you set specific privacy-related objectives? What are they?
  15. Have you addressed all privacy-related laws and regulations that apply to your business?
  16. How do your privacy policies and practices compare to those of your competitors and other similar businesses?
  17. Have you established procedures to monitor compliance with your policies and practices? What are they?
  18. What procedures do you have for dealing with inquiries and complaints regarding your business’s collection, use, disclosure, and retention of personal information?
  19. How would your business benefit from a comprehensive, independent assessment of the risks, controls, and business disclosures associated with personal information privacy?
  20. Do you want to add value to your business by employing good privacy practices?

These questions were adapted from “20 Questions Directors Should Ask About Privacy,” published by the Canadian Institute of Chartered Accountants (CICA).

Florida Information Protection Act of 2014 (FIPA)

On June 20, 2014, the Florida Information Protection Act of 2014 (FIPA) was signed into law by Florida Governor Rick Scott after receiving unanimous support in the legislature. FIPA takes effect on July 1, 2014 and replaces Florida’s existing data breach notification law, dramatically increasing its breadth. This alert highlights the new requirements.

Shorter timeline to notify

With the passage of FIPA comes a shorter timeline to notify affected Florida residents. Florida’s prior breach notification law allowed notice within 45 days; FIPA requires that Florida residents be notified within 30 days after the determination of a breach (or of reason to believe a breach occurred). In addition, FIPA prescribes content requirements for written breach notification letters to Florida residents.

Expanded definition of “Personal Information”

FIPA expands the definition of “Personal Information” to also include an individual’s first name or first initial and last name in combination with any of the following:

  • Passport number
  • Medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional
  • An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual

FIPA also includes in its definition of “Personal Information” a user name or email address in combination with a password, or a security question and answer, that would permit access to an online account. This addition, first adopted by California, brings within scope any entity that stores login credentials for individuals. A notifiable breach can therefore occur even when none of the information traditionally thought of as sensitive has been compromised. This expanded definition will pull in far more entities than were previously subject to Florida’s data breach law.

Social Security number, driver license number, account number, and credit or debit card number remain in the definition of Personal Information.

FIPA applies to “covered entities” – healthcare or not

Although confusing at first, FIPA borrows the term “covered entity” from HIPAA but applies it far more broadly: any company, association or commercial (or governmental) entity that acquires, maintains, stores or uses personal information of Florida residents must comply with the new law. FIPA’s expanded definition of “Personal Information” also affects healthcare providers and health plans (i.e., the more familiar HIPAA “covered entities”). Specifically, HIPAA covered entities may now have to comply with Florida’s state breach notification law in addition to HIPAA’s notification requirements. Although FIPA exempts a HIPAA covered entity that complies with federal regulatory notification requirements, there are circumstances in which a HIPAA covered entity falls inside the scope of FIPA but outside the scope of the HIPAA breach notification rule (see the Federal regulatory exemption section below). Consequently, a HIPAA covered entity that presumes it has 60 days to notify may be surprised to find it has just 30 days under FIPA.

Mandatory notice to Florida Attorney General and production of proactive measures

FIPA also adds a requirement that, if a covered entity experiences a breach affecting 500 or more individuals in Florida, it must give written notice of the breach to the Florida Department of Legal Affairs within 30 days (with an additional 15 days upon a showing of good cause). In addition, upon request by the Attorney General, the entity must provide:

  • A police report, incident report, or computer forensics report;
  • A copy of the policies in place regarding breaches; and/or
  • Steps that have been taken to rectify the breach.

If the covered entity fails to comply with the AG’s request, the same penalties that apply to a failure to notify individuals or the Department can be imposed: $1,000 per day for the first 30 days of non-compliance, then $50,000 for each subsequent 30-day period for up to six (6) months, capped at $500,000.

Even if the covered entity determines that the breach has not resulted, and will not likely result, in identity theft or financial harm to the individuals whose personal information was accessed, the Florida Attorney General still requires written notice of that determination within 30 days.

Proactive measures are now required

FIPA now explicitly requires covered entities and their third-party vendors to take reasonable measures to protect and secure electronic personal information, a requirement Florida’s prior breach notification law did not impose. The legislature is making it clear that it expects covered entities to protect residents’ personal information proactively, not merely report breaches after the fact. Moreover, organizations must take all reasonable measures to dispose of customer records containing personal information (regardless of physical form, electronic or hard copy) once those records are no longer to be retained.

Even though FIPA does not designate a specific penalty for failure to implement proactive measures, the Department can use the Unfair and Deceptive Trade Practices statute against dilatory entities (see below).

Federal regulatory exemption

FIPA provides that a covered entity is not required to notify individuals if it provides notification in accordance with the rules, regulations, procedures or guidelines established by its primary or functional federal regulator. Under this exemption, HIPAA covered entities appear to be exempt from FIPA as long as they comply with HIPAA. A closer reading, however, shows that the exemption does not always apply.

FIPA’s exemption from notifying individuals applies only if the HIPAA covered entity actually notifies the individuals under the federal rules. If a covered entity does not notify an individual in accordance with HIPAA, FIPA’s exemption does not apply. This can happen when a covered entity determines that notification under HIPAA is unnecessary, yet notification under FIPA is still required. Loophole closed!

If a HIPAA covered entity does notify under the HIPAA breach notification rule, the Florida Attorney General still must receive notice of the breach.

Third-party vendor notification

Under FIPA, a third-party vendor that experiences a breach must notify the covered entity within 10 days following its determination of the breach (or of reason to believe a breach occurred). Vendors are statutorily obligated to provide the covered entity with all information they have regarding the breach so that the covered entity can meet its own notice obligations.

The vendor may provide notice to the Florida residents on behalf of the covered entity. However, if the vendor violates any part of FIPA’s notice requirements, the covered entity is still held responsible.

Unfair and deceptive trade practices

Florida’s prior breach notification law only permitted the Department of Legal Affairs to levy the fines set forth in the statute. Now the Department has another arrow in its quiver: Florida’s Unfair and Deceptive Trade Practices statute. As mentioned above, FIPA authorizes the Department of Legal Affairs to bring an action under Fla. Stat. § 501.207 for unfair and deceptive trade practices against covered entities and third-party vendors that experience a data breach. Indeed, FIPA provides that a violation of FIPA “shall be treated as an unfair or deceptive trade practice.”

Under that statute, the Department of Legal Affairs can seek a $10,000 fine for each willful violation, along with attorney’s fees and costs. Importantly, although FIPA states that it does not create a private cause of action, the Unfair and Deceptive Trade Practices statute provides that any aggrieved person may bring an action for appropriate relief, which can include actual damages, attorney’s fees and costs. Consequently, even though a private action cannot be maintained under FIPA itself, the Unfair and Deceptive Trade Practices statute explicitly permits one, and because FIPA labels a FIPA violation an unfair and deceptive trade practice, plaintiffs will likely latch onto that language. In sum, this provision may result both in increased fines levied by the Department of Legal Affairs and in lawsuits filed by individual plaintiffs.

Takeaways

The following are just a few recommended proactive steps you should take today:

  • Perform a risk analysis to assess potential risks and vulnerabilities to the confidentiality, integrity and availability of all personal information
  • Implement/update privacy and security policies and procedures
  • Implement policies and procedures to identify and respond to data privacy incidents, including an Incident Response Plan whose timelines fit FIPA’s 30-day individual notice, 30-day Department notice and 10-day vendor-to-covered-entity notice windows
  • Identify and review all vendor and business associate relationships and ensure that appropriate vendor or business associate agreements are in place, including the vendor’s 10-day breach notification duty
  • Train members of the workforce
  • Encrypt personal information at rest and in transit (FIPA’s definition of personal information excludes data that has been encrypted or otherwise rendered unusable, but that protection holds only if the keys are not exposed along with the data)
  • Avoid unnecessary disclosures of personal information
  • Obtain (or at least determine the feasibility of) cyber insurance


These points were adapted from a McDonald Hopkins alert.