The number and complexity of federal and state privacy laws
continue to increase. These laws affect a broad range of public and
private companies, including U.S. companies as well as foreign
companies that conduct business in the United States.
Any company that possesses personal information relating to U.S.
employees, customers, shareholders or others likely is subject to
privacy laws. For purposes of the privacy laws, personal
information typically includes names together with information like
social security numbers, financial account information or
driver's license numbers. Protected health information is
covered by the federal Health Insurance Portability and
Accountability Act (HIPAA) and Health Information Technology for
Economic and Clinical Health (HITECH) Act.
A number of new privacy law compliance deadlines are fast
approaching. Failure to comply with privacy laws could trigger U.S.
regulator and State Attorney General action as well as monetary
penalties. In some cases, there also could be private
lawsuits.
Below is a brief summary of upcoming privacy law compliance
deadlines.
November 1, 2009 – Federal Trade Commission Written Identity Theft Prevention Program
A company that regularly extends, renews or continues credit,
including accepting deferred payments for goods and services, may
need to comply with the Federal Trade Commission's "Red
Flags" Rule. Examples of these companies include utility
companies, telecommunications companies, finance companies,
mortgage brokers, real estate agents, health care providers,
lawyers, accountants, other professionals, automobile dealers,
retailers that offer financing or collect or process credit
applications for third-party lenders, and third-party debt
collectors that regularly renegotiate the terms of a debt. This
Rule requires that a written identity theft prevention program be
in place.
January 1, 2010 – Nevada Requirements for Encryption
A company (except for a telecommunications provider) doing
business in Nevada that deals with personal information must comply
with specific encryption requirements if it does not accept a
payment card (a credit card or similar card) in connection with a
sale of goods or services. This law also requires that a company
that does accept payment cards in connection with a sale of goods
or services comply with the current version of the Payment Card
Industry Data Security Standard (PCI DSS). PCI DSS is an industry
security standard developed by the PCI Security Standards Council
(including American Express, Discover, JCB, MasterCard and Visa)
for the protection of customer account data.
February 17, 2010 – Federal HITECH Act Requirements
Under the federal HITECH Act, health plans, health care
providers and health care clearinghouses (i.e., covered entities),
among other things, must review and update their business associate
agreements, as well as their privacy and security policies and
procedures, regarding (i) marketing, (ii) sale of protected health
information, (iii) minimum necessary standards, (iv) accounting of
disclosures and (v) restrictions on disclosure of services paid
out-of-pocket. Business associates (those who perform functions on
behalf of, or provide services to, covered entities that involve
the use of protected health information) will be directly regulated
under the HIPAA privacy and security rules, and must comply for the
first time with those rules, including, among other things, a
requirement to perform security risk assessments and develop
security policies and procedures to address HIPAA security
standards.
March 1, 2010 (Subject to a Revised Version of This Regulation) – Massachusetts Comprehensive Written Information Security Program
A company that owns or licenses personal information regarding
Massachusetts residents must have a comprehensive written
information security program with encryption requirements in place.
In addition, third-party service providers – by contract
– must implement and maintain appropriate security
measures for personal information. A company that complies with
HIPAA requirements or the Gramm-Leach-Bliley Act also must comply
with this regulation. On September 22, 2009, a public hearing on
this regulation was held. The Massachusetts Office of Consumer
Affairs and Business Regulation expects to issue a revised version
of this regulation in the coming weeks.
We Can Help
The upcoming compliance deadlines just hint at the many applicable
privacy laws that present traps for the unwary. Implementing
policies and procedures is not only advisable, but oftentimes
required under applicable privacy laws. From data breach
notification procedures to record retention policies to social
media policies, we can help you navigate the ever-changing
landscape of privacy laws.