
"A breach of 1,500 client files with personal information can cost in excess of $300,000 in notification, resolution and legal costs."

"According to the ID Theft Resource Center, data breaches are up 47% from 2008."

"71% of businesses surveyed say their organization does not have an accurate inventory of where personal data for employees and customers is stored."
PricewaterhouseCoopers, 2008 Global State of Information Security Study

The Legislative Landscape

HIPAA and Medical Privacy

Effective September 23, 2009, new data breach regulations issued under the HITECH Act will strongly impact the healthcare industry. They require all HIPAA covered entities to notify affected individuals, and the Secretary of HHS, following the discovery of a breach of unsecured protected health information. Breaches affecting more than 500 residents of a state or jurisdiction also require notification to prominent media outlets serving that area.

These regulations apply to Covered Entities under HIPAA: healthcare providers that transmit health information electronically in connection with standard transactions, health plans (including health insurers and self-insured employee benefit plans), and healthcare clearinghouses that assist providers in billing healthcare claims. The regulations also apply to Business Associates of the covered entities. These are organizations that need "Protected Health Information" to perform a service on behalf of a healthcare provider, health plan, or healthcare clearinghouse, and a breach discovered by a Business Associate must be reported to the covered entity it serves.

State Laws on Identity Crime

Currently, 45 states have laws requiring that an organization notify each affected individual when customer or employee personal information is lost, stolen, or exposed. While the definitions of personal information, the notification deadlines, and the exemptions (for example, for data that was encrypted) vary by industry and jurisdiction, failure to notify will put most organizations at risk of legal and financial penalties.

FACTA and the Red Flag Rule

Under the terms of the Red Flags Rule of FACTA, as of November 2009, every U.S. financial institution and creditor that maintains "covered accounts" must have a written program in place to detect, prevent and mitigate identity theft. The FTC interprets "creditor" broadly enough to reach most businesses that bill customers after providing goods or services, so in practice virtually every U.S. business larger than a sole proprietorship is affected. A "red flag" is a specific pattern, practice, or activity that indicates the possible existence of identity theft. The FTC has published guidelines on recognizing identity theft and listed 26 example red flags that companies should consider when creating their mandatory identity theft programs.

Identity Theft Enforcement and Restitution Act of 2008

The newest federal law targeting identity crime is the Identity Theft Enforcement and Restitution Act of 2008. According to The Washington Post, this legislation "lowers the bar prosecutors need to clear before bringing hacking and other cyber crime charges against an individual. Under current federal cyber crime laws, prosecutors must show that the illegal activity caused at least $5,000 in damages before bringing charges for unauthorized access to a computer. The new law eliminates that requirement." In addition, this law makes conspiracy to commit computer fraud a federal offense, removes the requirement that an attack cross state lines before it can be prosecuted in federal court, allows victims to recover restitution for the time they spend repairing the harm done to them, and directs the U.S. Sentencing Commission to review its guidelines and consider increasing the penalties for those convicted of identity theft, computer fraud, illegal wiretapping, or breaking into computer systems.

GLBA and Financial Services

Information that many would consider private, including bank balances and account numbers, is regularly bought and sold by banks, credit card companies, and other financial institutions. The Gramm-Leach-Bliley Act (GLBA) provides limited privacy protections against the sale of private financial information. According to the Electronic Privacy Information Center, the GLBA includes three simple requirements to protect the personal data of individuals: "First, banks, brokerage companies and insurance companies must securely store personal financial information. Second, they must advise consumers of their policies on sharing of personal financial information. Third, they must give consumers the option to opt-out of some sharing of personal financial information." The first of these is implemented by the Safeguards Rule, which requires a written information security program with administrative, technical, and physical safeguards appropriate to the institution's size and the sensitivity of the customer information it holds.