Massachusetts Regulator Revises Information Security Requirements (Again)

Posted on November 2, 2009 by Hunton & Williams LLP

On October 30, as reported by the Bureau of National Affairs (“BNA”), the Massachusetts Office of Consumer Affairs and Business Regulation stated that final amendments to its information security regulations had been filed with the Massachusetts Secretary of State.  The Standards for the Protection of Personal Information of Residents of the Commonwealth have been the subject of much commentary and a series of amendments as regulators seek to address concerns expressed by businesses over the stringent and specific nature of the regulations.  The most recent round of amendments was announced August 17, 2009.

A final version of the latest amendments has not yet been made public, but the BNA has circulated a copy of what is purported to be the final draft, which includes changes to provisions related to service providers.  First, the definition of “service provider” has been modified to (1) clarify that “any person” who “stores” personal information through the provision of services will fall within the definition’s scope (the term “stores” was not included in the prior version’s definition), and (2) remove the express exclusion of the U.S. Postal Service from the term “service provider.”

The “safe harbor” provision with respect to existing service provider contracts also has been revised.  Pursuant to the regulations, businesses that are subject to the regulations generally must require by contract that third-party service providers implement and maintain appropriate security measures for personal information.  While the previous version of the regulation stated that “any contract a person has entered into with a third party service provider prior to March 1, 2012, shall be deemed in compliance . . . notwithstanding the absence in any such contract of [this requirement], so long as the contract was entered into before March 1, 2010,”  the new version provides that “until March 1, 2012, a contract a person has entered into with a third party service provider to perform services . . . satisfies [this provision] even if the contract does not include a requirement that the third party service provider maintain such appropriate safeguards, as long as said person entered into the contract no later than March 1, 2010.”  The revision clarifies that the deadline for updating service provider contracts entered into prior to March 1, 2010 is March 1, 2012, and any contracts entered into after March 1, 2010 must comply with the regulations upon execution.
Tags: , , , , , , , ,

FTC and HHS Issue Final Breach Notification Rules

Posted on August 28, 2009 by Hunton & Williams LLP

On August 17, the Federal Trade Commission ("FTC") issued a final rule ("FTC Final Rule") addressing security breaches of personal health records ("PHRs").  The FTC Final Rule applies to all breaches discovered on or after September 24, 2009, and to “foreign and domestic vendors of personal health records, PHR related entities, and third party service providers” that “maintain information of U.S. citizens or residents.”  The FTC Final Rule does not apply to covered entities or business associates as defined under regulations promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").  Full compliance is required by February 22, 2010.

The FTC Final Rule requires PHR vendors and PHR related entities to notify U.S. citizens and residents if their PHR identifiable health information is subject to a security breach, and requires additional notification of the FTC and prominent media outlets for breaches that affect 500 or more individuals.  Third party service providers must notify the PHR vendor, or PHR related entities to which they provide services, of any breaches they discover.  To facilitate the notification process, the FTC has developed a standard form entitled “Notice of Breach of Health Information” that PHR vendors and PHR related entities can complete and send to the FTC.  Both the form and the FTC Final Rule are available on the FTC’s website.
 
On August 19, 2009, as required by the Health Information Technology for Economic and Clinical Health Act ("HITECH"), the Department of Health and Human Services ("HHS") issued an interim final rule ("HHS Interim Final Rule") addressing security breaches of unsecured protected health information ("PHI").  The regulations will apply to all breaches occurring on or after September 23, 2009 that are discovered by covered entities and business associates, but the HHS Interim Final Rule indicates that HHS will not impose sanctions for failure to notify with respect to breaches that are discovered within the first 180 days after the effective date. 

Notably, unlike the FTC Final Rule, the HHS Interim Final Rule includes a harm threshold limiting the breach notification requirement to breaches that present a significant risk of harm.  This disparity may be due to the fact that breaches common to HIPAA-covered entities, such as those involving disclosures to other HIPAA-covered entities, are less likely to result in actual harm than the kinds of breaches suffered by the service providers and vendors covered under the FTC's Final Rule.  Similar to the FTC Final Rule, the HHS Interim Final Rule requires covered entities to (1) notify individuals if their PHI is subject to a security breach, and (2) notify the Secretary of HHS and prominent media outlets in the event of a breach that affects 500 or more individuals.  Business associates must notify the covered entity to which they provide services of any breaches they discover.  Finally, the HHS Interim Final Rule updated the  information security guidance issued by HHS in April 2009 to emphasize encryption and destruction as the only methods for securing PHI in a manner consistent with the HITECH Act’s breach notification provisions.  The HHS Interim Final Rule is available on the HHS website.
Tags: , , , , , , , , ,

Massachusetts Revises Information Security Regulations and Extends Deadline for Compliance

Posted on August 20, 2009 by Hunton & Williams LLP

On August 17, 2009, Massachusetts announced revisions to its information security regulations and extended the deadline for compliance with those regulations.  In the press release announcing the revised regulations, the Undersecretary of the Massachusetts Office of Consumer Affairs and Business Regulation noted the concerns of small business leaders regarding the impact on their companies, stating that the updated regulations “feature a fair balance between consumer protections and business realities.”

First and foremost, the revisions emphasize a more flexible, risk-based approach to developing an information security program.  Previously the regulations required the adoption of a program incorporating specific elements without regard to the particular concerns of individual businesses.  The revised regulations instead direct businesses to implement an information security program that takes into consideration what is “appropriate to (a) the size, scope and type of business … ; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information.” 

Second, the revisions modify several of the information security program requirements to reflect the risk-based approach.  For example, employers that must protect personal information from terminated employees will not be obligated to do so by “immediately terminating their physical and electronic access to such records, including deactivating their passwords and user names.”  Rather, the new regulation has a more customizable requirement that such employers “prevent[] terminated employees from accessing records containing personal information.”

Third, the definition of “encrypted” has been amended so as to make the encryption requirement technology-neutral, and there is a general emphasis on technical feasibility with respect to the various technological elements of an information security program.  For example, the revisions qualify that all computer system security requirements, including secure user authentication protocols and secure access control measures, should be implemented “to the extent technically feasible.”  Previously, only encryption was subject to the technical feasibility qualification.

Fourth, the term “service provider” is now specifically defined, and persons who own or license personal information will have to include information security requirements in their contracts with third-party service providers.  This parallels the service provider provision contained in the FTC’s Safeguards Rule promulgated pursuant to the Gramm-Leach-Bliley Act.

Finally, the compliance deadline for these regulations has been extended to March 1, 2010.  This is the third time Massachusetts has extended the deadline, following prior extensions that occurred in February 2009 and November 2008.
Tags: , , , , , ,

FTC Extends Red Flags Compliance Deadline to November 1

Posted on July 30, 2009 by Hunton & Williams LLP

On July 29, 2009, the Federal Trade Commission ("FTC") announced another three-month delay in the enforcement of the provision of Identity Theft Red Flags and Address Discrepancies Rule (the "Rule") that requires creditors and financial institutions to implement an Identity Theft Prevention Program.  The FTC noted that small businesses and entities with a low risk of identity theft remain uncertain about their obligations under the Rule and pledged to "redouble" its efforts to educate businesses about compliance with the Rule.  The new enforcement deadline for creditors and financial institutions is November 1, 2009.  The FTC news release is available here.

Tags: , , , , , , , ,

FTC Delays Enforcement of the Red Flags Rule until August 1, 2009

Posted on May 1, 2009 by Hunton & Williams LLP

At the eleventh hour, the Federal Trade Commission announced that it will once again delay enforcement of the Red Flags Rule.  The Red Flags Rule was promulgated pursuant to the Fair and Accurate Credit Transactions Act of 2003 ("FACTA").  The previous compliance date was May 1, 2009, which was an extension from the original deadline of November 1, 2008.  The new extension applies only to the provisions of the Rule requiring financial institutions and creditors to implement an identity theft prevention program.  The continuing enforcement delays respond to ongoing uncertainty about the Rule's intended scope.  In announcing this latest delay, the FTC cited "the ongoing debate about whether Congress wrote this provision [of FACTA] too broadly" and stated that extending the compliance deadline would "allow industries and associations to share guidance with their members . . . and give Congress time to consider the issue further."  On March 20, 2009, the FTC published the Red Flags Rule Compliance Guide to assist organizations that must comply with the Red Flags Rule.  The FTC stated in its news release yesterday that it will attempt to address some of the concerns regarding compliance with the Rule by publishing an identity theft prevention program template for low risk entities.  The FTC's news release is available here.

Tags: , , , , , ,