I received a copy of a report this morning written by Kirk Nahra, a partner in the law firm Wiley Rein LLP. Mr. Nahra is internationally recognized as an expert in privacy issues, particularly in health care compliance. He is the co-chair of the Confidentiality, Privacy and Security Workgroup, a panel of government and private sector privacy and security experts advising the American Health Information Community (AHIC), and Chair of the International Association of Privacy Professionals (IAPP).
In his report he outlines the trends he sees as our new administration digs in on privacy, data protection and identity theft policy. Rather than paraphrase, I have reproduced excerpts from the report below.
"In the Obama Administration, enforcement of privacy laws is likely to be a significant priority. Additional enforcement resources for the FTC were a component of the Obama platform. There is a virtual guarantee that the new Administration will take a more aggressive approach on enforcement of the HIPAA rules."
"The 'Red Flags' rule is far and away the most broadly applicable and challenging additional regulation on the horizon. ...the FTC has taken a surprisingly broad view of its own rule such that any company, in any industry, that provides services in advance of payment may face obligations under this rule."
"Companies in virtually all industries face the possibility of being identified as creditors subject to the Red Flags rule."
"In addition, we are seeing increased focus on a newer form of identity theft - medical identity theft. Companies need to continue an aggressive fight against identity theft and should broaden their scope of review to include not only credit related risks but other forms of identity theft as well."
"One of the primary conclusions from recent identity theft cases is that many identity theft schemes result from improper activities by insiders."
"What can we expect on the litigation front? First, we will likely see an increased use of negligence theories to bring cases, relying on existing regulatory or industry standards.
Watch for the breakout case, which could open the litigation floodgates."
I'll conclude with the following two statements, which together paint a very clear picture for every business.
"For many years, a reasonable and appropriate information security program has been a requirement for any company that maintains personal information - essentially, every company."
"Make sure your employees are trained well."
Businesses have until May 1st of this year to put into practice an identity theft prevention program and response plan that is appropriate for the company. This is really a wake-up call for any company. From a strictly business point of view, and setting aside for a moment the agony suffered by identity theft victims, no business can afford the very real costs of data breaches, which run into the tens of billions of dollars each year.