Friday, February 13, 2009

Massachusetts Postpones Reporting Law

Massachusetts' Office of Consumer Affairs and Business Regulation announced Thursday that it has revised the state's new identity theft and data breach prevention law. Companies doing business in the Bay State now have until January 1, 2010, to come into compliance with the law's strict security provisions. The law, originally scheduled to take effect in January of this year, had already been delayed to May 1, 2009 while state authorities considered both how to enforce its provisions and how to communicate the state's expectations to the Massachusetts business community.

This Massachusetts legislation will become the strictest such law in America when enforcement begins 11 months from now. In the meantime Pennsylvania and several other states are considering stiffer breach reporting standards and compliance language.

Thursday, February 12, 2009

Medical Identity Theft Part Two

In my last column I talked about medical facilities doing very well with regard to the HIPAA requirements to protect patients' sensitive and personal information. The thrust of that article, however, was to emphasize the value and importance of staff awareness training on identity loss and theft. Below is a short piece that reinforces that point. Although Kaiser is a pioneer in using electronic medical records, and has sophisticated systems to govern how patients' information is used and protected, this relatively unsophisticated crime occurred right under their noses.
Unknown to Kaiser, someone stole the personal information of Kaiser employees! HIPAA doesn't address personnel files, only those of patients. Owing to a compliance mentality, the hospital group sought compliance with the law as a risk management tool but did not train the HR or payroll staff on how to protect the employees' files. The protection of personally identifiable information must be a holistic business practice that covers both clients and employees, or it is only half a program. It must include awareness training or it will not be effective.

"Kaiser Permanente is notifying nearly 30,000 Northern California employees that a security breach may have led to the release of their personal information. Some employees have reported identity thefts resulting from the breach, Kaiser reported. A law enforcement agency seized a computer file with Kaiser data from a person who was subsequently arrested. The suspect was not a Kaiser employee. The file contained the type of information typically held by a human resources department, according to a written statement issued by Gay Westfall, senior vice president of human resources for Kaiser."

Tuesday, February 10, 2009

Medical Identity Theft

I just want to weigh in on this for a moment. There are reams of new data on medical identity theft, as the nation is just beginning to come to terms with it. Just a short couple of years ago it was hard to convince anyone that this kind of identity theft was a problem. National magazines published articles essentially denying the existence of medical identity theft as a plausible threat. Now we can see from new FTC research that there were approximately 480,000 medical identity theft victims in 2008. That is roughly 6% of the approximately 8 million identity theft victims for the year. The victims fall into two basic categories: those who report that new medical insurance accounts were opened in their name, and those who report that medical care was administered to unknown persons in their name.
That is a problem.

We do have legislation aimed at protecting your personal medical information. HIPAA (the Health Insurance Portability and Accountability Act, http://www.cms.hhs.gov/hipaaGenInfo/), passed in 1996, mandates significant changes in the legal and regulatory environments governing the provision of health benefits, the delivery and payment of health care services, and the security and confidentiality of individually identifiable, protected health information. HIPAA is sweeping in scope and also very complex.
I am happy to say that for the most part health organizations such as hospitals, medical groups, clinics, and others have done remarkably well in addressing the requirements. Corporations and businesses that have health plans, and so-called "cafeteria"-style benefits plans, have also done the heavy lifting regarding compliance procedures to protect this type of data, as have medical insurance groups.

Why then is medical identity theft on the rise? Two things come to mind. As our economy slips further and more people find themselves in financial trouble, stealing and selling sensitive information with little or no chance of being caught looks pretty lucrative. We can expect that to continue to increase. Estimates are that all forms of identity theft combined will increase by as much as 20 times within the next 12 to 18 months. That is part of what makes the second reason even more compelling. Just as much information is lost through simple forgetful acts and a lack of understanding of the risks as is lost to outright theft. What is also missing is the component that ties all of the privacy requirements addressed in HIPAA together with a general awareness of medical identity theft: identity theft training for the employees of these institutions who are charged with protecting health information. No compliance program can call itself complete and effective without training. A good understanding of the various forms of identity theft and how they affect all of us is a key aspect of reducing this criminal epidemic. It is imperative to give the medical, payroll, records-keeping, and human resources staff a solid background in how they can respond to identity theft threats, and how to mitigate their own risk along with that of the patients and clients they serve. There is simply no substitute for training, and most importantly training in person, where there is discussion and not simply a check-off list for compliance purposes. Discussion prompts interaction, which raises participation and leads to deeper retention of the information. Catchy huh? After all, we want to stop identity theft if we can, not simply comply with an abstract law.

"When we protect the information we hold on others we are protecting them, when others do it they are protecting us."

Monday, February 9, 2009

The States Step up to Fill the Gap

Lacking a federal statute requiring businesses to report data breaches to individuals at increased risk, various states have stepped in to enact their own laws. Pennsylvania State Senator Dominic Pileggi has introduced a bill that would require state agencies to provide public notice of data breaches involving personal information within one week of discovering the incident, the Daily Times reports. Similar legislation was filed in 2008 and passed the Senate, but was not considered by the state's House of Representatives. Pileggi introduced the original bill last year in response to three data breach incidents in 2007 in which nearly 400,000 files were compromised, including about 17,800 Social Security numbers. In a press release announcing the bill, Pileggi said, "The public was not notified of these thefts until two or three weeks after the fact, and that is not acceptable. Potentially affected residents deserve to be notified promptly so that they can take steps to protect themselves from identity theft."

Alongside the legislation recently enacted by Massachusetts lawmakers, this clearly indicates the need for strict reporting laws that inform the public in a timely way that they are at increased risk of data fraud and identity theft. Including Puerto Rico and the District of Columbia, there are currently 46 state data breach notification laws in effect.

Data Breaches Can Cost your Company Plenty

Until now, lawsuits seeking to recover significant damages based on the loss of sensitive personal information have not been especially successful for the plaintiffs. Two recent cases, however, show plaintiffs that there is a way to expose companies to claims for damages. The headlines are all too familiar. A well-known consumer services company announces that millions of individual records containing names, Social Security numbers, account numbers and other sensitive information were left in a dumpster, saved to a stolen, unencrypted laptop, or stored on a misplaced flash drive. The press is terrible, the company's stock takes a temporary plunge, and sometimes the Federal Trade Commission enters into a consent decree in which the company promises it will never happen again. But when affected individuals or groups of consumers have tried to sue for damages, they have seldom recovered significant amounts. These cases have not often succeeded because the plaintiffs have been unable to prove actual pecuniary losses resulting from the security breach. Sure, if identity theft occurs the affected individuals can suffer significant emotional trauma, loss of time, etc. But courts have been reluctant to award damages for anxiety, fear, and other emotional harm that can result from a data breach, for the risk of future identity theft, or for actual identity theft when the plaintiff could not prove that the theft occurred as a direct result of a data breach at a particular source. Most companies facing claims based on data breaches have been able to settle cheaply by offering to provide credit monitoring services, which most consumers do not use, resulting in only minimal expenses for the company whose data were lost or stolen.
Two recent cases may make such circumstances much more dangerous. In Pinero v. Jackson Hewitt Tax Service, Inc., No. 08-3535 (E.D. La. Jan. 7, 2009), a U.S. federal court refused to dismiss a claim for damages by a consumer whose tax returns were found by a third party in an unsecured dumpster outside a tax preparer's office. No actual identity theft had occurred and the plaintiff had suffered no provable pecuniary loss; so the Court dismissed the usual panoply of breach of contract, emotional distress, negligence, and invasion of privacy claims that often flow from such facts. But the Court left standing Pinero's allegations that using false promises of data protection to lure customers to enter into a consumer services contract was an unfair trade practice under the Louisiana “Little Federal Trade Commission” law. The court also recognized that a claim based on a common law “fraudulent inducement” theory could stand, if properly pled. This case is significant not just because it establishes a basis for an individual consumer to assert a real damages claim, but because it also opens the door to class action lawsuits based on such theories. Since some state unfair and deceptive practices laws provide for statutory treble damages, the doors are now open to substantial recoveries.

The second case, In re Department of Veterans Affairs Data Theft Litigation, No. 06-0506 (D.D.C. Jan. 27, 2009), involves the settlement of multiple consolidated class action lawsuits against the U.S. Department of Veterans Affairs. In 2006, an analyst for the agency took home a laptop with Social Security numbers and other sensitive data concerning 26 million veterans and 2.2 million active duty military personnel. The laptop was stolen from the analyst's home during a burglary. It was recovered a short time later, and forensic analysts from the FBI determined that it probably had not been accessed. There have been no press reports tying any identity theft incidents to the breach. Nevertheless, lawyers brought a class action suit seeking damages for those who incurred out-of-pocket expenses. The suit settled in late January with an agreement that the VA would create a $20 million fund to pay the expenses of anyone directly affected by the breach, including credit-monitoring expenses and mental health costs for those who found themselves in extreme emotional distress as a result of the breach. The fund will also be used to pay $5.5 million in attorneys' fees and expenses. Any funds not used for these purposes will be paid to veterans' charities. This case is noteworthy because of the size of the settlement and the VA's willingness to pay a large amount even though there would likely never be any actual damages resulting from the breach, or any evidence to support a causal connection between any actual damages and the breach. The case is also noteworthy because the total amount of the settlement is not merely available for payments, but is actually committed. That is, many sources of data breaches in the past have escaped significant expenses by offering credit monitoring services that were never accepted or paid for. Here, in contrast, the VA will pay the full $20 million to someone. What's the damage?
What both cases show is that class action plaintiffs are devising new ways to successfully assert larger damage claims against companies that suffer data privacy and security breaches. Companies should renew their efforts to deploy and implement effective data privacy and security protections.