Federal and State Privacy Laws, Compliance Deadlines Fast Approaching
Federal and State Privacy Laws
The number and complexity of federal and state privacy laws continue to increase. These laws affect a broad range of public and private companies, including U.S. companies as well as foreign companies that conduct business in the United States.
Any company that possesses personal information relating to U.S. employees, customers, shareholders or others likely is subject to privacy laws. For purposes of the privacy laws, personal information typically includes names together with information like Social Security numbers, financial account information or driver’s license numbers. Protected health information is covered by the federal Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
A number of new privacy law compliance deadlines are fast approaching. Failure to comply with privacy laws could trigger U.S. regulator and State Attorney General action as well as monetary penalties. In some cases, there also could be private lawsuits.
Below is a brief summary of upcoming privacy law compliance deadlines.
November 1, 2009 – Federal Trade Commission Written Identity Theft Prevention Program
A company that regularly extends, renews or continues credit, including accepting deferred payments for goods and services, may need to comply with the Federal Trade Commission’s “Red Flags” Rule. Examples of these companies include utility companies, telecommunications companies, finance companies, mortgage brokers, real estate agents, health care providers, lawyers, accountants, other professionals, automobile dealers, retailers that offer financing or collect or process credit applications for third party lenders and third party debt collectors that regularly renegotiate the terms of a debt. This Rule requires that a written identity theft prevention program be in place.
January 1, 2010 – Nevada Requirements for Encryption
A company (except for a telecommunications provider) doing business in Nevada that deals with personal information must comply with specific encryption requirements if it does not accept a payment card (a credit card or similar card) in connection with a sale of goods or services. This law also requires that a company that does accept payment cards in connection with a sale of goods or services comply with the current version of the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is an industry security standard developed by the PCI Security Standards Council (including American Express, Discover, JCB, MasterCard and Visa) for the protection of customer account data.
February 17, 2010 – Federal HITECH Act Requirements
Under the federal HITECH Act, health plans, health care providers and health care clearinghouses (i.e., covered entities), among other things, must review and update their business associate agreements, as well as their privacy and security policies and procedures, regarding (i) marketing, (ii) sale of protected health information, (iii) minimum necessary standards, (iv) accounting of disclosures and (v) restrictions on disclosure of services paid out-of-pocket. Business associates (those who perform functions on behalf of, or provide services to, covered entities that involve the use of protected health information) will be directly regulated under the HIPAA privacy and security rules, and must comply for the first time with those rules, including, among other things, a requirement to perform security risk assessments and develop security policies and procedures to address HIPAA security standards.
March 1, 2010 (Subject to a Revised Version of This Regulation) – Massachusetts Comprehensive Written Information Security Program
A company that owns or licenses personal information regarding Massachusetts residents must have a comprehensive written information security program with encryption requirements in place. In addition, third-party service providers – by contract – must implement and maintain appropriate security measures for personal information. A company that complies with HIPAA requirements or the Gramm-Leach-Bliley Act also must comply with this regulation. On September 22, 2009, a public hearing on this regulation was held. The Massachusetts Office of Consumer Affairs and Business Regulation expects to issue a revised version of this regulation in the coming weeks.
We Can Help
The upcoming compliance deadlines just hint at the many applicable privacy laws that present traps for the unwary. Implementing policies and procedures is not only advisable, but oftentimes required under applicable privacy laws. From data breach notification procedures to record retention policies to social media policies, we can help you navigate the ever-changing landscape of privacy laws.
“The Federal Trade Commission (the “FTC”) is delaying enforcement of the “Red Flags” Rule until June 1, 2010, for financial institutions and creditors subject to enforcement by the FTC.
The Massachusetts Office of Consumer Affairs and Business Regulation (“MOCABR”) posted the final version of the Massachusetts Privacy Regulation (the “Regulation”). According to MOCABR, this really is the final version!
The Regulation requires a company that owns or licenses personal information regarding Massachusetts residents to have a comprehensive written information security program with encryption and third party service provider requirements in place by March 1, 2010. While this compliance deadline remains unchanged from the August 2009 version of the Massachusetts Privacy Regulation, there are other changes.
Companies that are developing or have developed programs need to revisit what they have done thus far to make sure it complies with both the Regulation and the Nevada encryption law, if applicable.
Other companies immediately need to determine whether they are covered by the Regulation. Their compliance efforts should begin now if they determine that they are covered.
Finally, companies that determine that they are not covered typically prepare a written summary of their determination.”