Posts Tagged ‘regulations’

At the end of July, the Federal Trade Commission (FTC) put out a press release announcing that they would be extending the enforcement of the “Red Flags” Rule by another three months. This extension was granted based upon continued confusion from businesses about this new rule, particularly small businesses and entities.

The Federal Trade Commission staff will redouble its efforts to educate them about compliance with the “Red Flags” Rule and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply.

The “Red Flags” Rule, which went into effect on January 1, 2008, requires many businesses and organizations (”creditors” and “financial institutions”) to implement a written Identity Theft Prevention Program. This program should detect early warning signs (red flags) of identity theft, take steps to prevent the crime, and mitigate damage that could be caused by it. The Red Flags Rule applies to “financial institutions” and “creditors,” though those terms apply more broadly than in typical use.

Check out the FTC site to determine if the Red Flags Rule applies to your organization, to get practical tips on spotting identity theft, and to learn how to put your ID Theft Prevention program into place. Based on this revised effort, the FTC will begin enforcement of the “Red Flags” rule on November 1, 2009.

Hat tip to Hunton & Williams

The Health Information Technology for Economic and Clinical Health (HITECH) Act, which was signed into law in February 2009, will come into effect on February 17, 2010. This new Act, in addition to encouraging doctors and hospitals to use electronic health care records systems, changes privacy requirements. The new privacy requirements strengthen those requirements already mandated by HIPAA.

Some of the changes that HITECH will mandate, in regards to privacy requirements, include:

• Definition of Personal Health Information (PHI) expanded
• Stronger data breach notification requirements
• Increased penalties for HIPAA violations and more aggressive enforcement, including criminal cases
• Subjects business associates to civil and criminal penalties for violating HIPAA requirements
• Defined guidelines on how to protect PHI

In terms of data breaches, HITECH will require that individuals be notified if their PHI has been accessed and that information was unsecured, unencrypted or not deleted from a computer using an a method that meets the standard (such as the Computrace Data Delete feature). The act requires that vendors notify the individual of the breach even if identity theft is not probable, which is a much stronger requirement than many State notification requirements.

Though the effective date for HITECH is not until February, 2010, in August of this year the US Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) will synchronize their respective regulations and issue interim final regulations.

Healthcare organizations will need to address these new HITECH requirements by strengthening their data security measures. Computerworld has put together 5 Steps to HITECH Preparedness that’s very worth the read.

Image: clipart

There are two pieces of news to report in terms of various consumer data protection acts at the state and national levels.

This month, President Bush signed into law a bill that will make it easier for prosecutors to go after cybercriminals, and for identity theft victims to be compensated. The Identity Theft Enforcement and Restitution Act of 2008 [HR 5938], which passed the Senate in July, would remove the $5000 damages floor that was previously required for prosecutors to charge individuals under the federal cybercrime laws.

Identity Theft Enforcement and Restitution Act (HR 5938) would:

• Give identity theft victims the ability to seek restitution
• Ensure cyber criminals posing as businesses can be prosecuted
• Make it a felony to employ spyware or keyloggers that damage 10+ computers
• Extend cybercrime definitions to include cyberextortion cases
• Allow prosecution when cybercriminal and victim live in the same state

In other legislative news, the Massachusetts Office of Consumer Affairs and Business Regulation has released a new set of rules requiring companies to encrypt personal data on laptops and monitor employee access to data. These new rules apply to credit card information and Social Security Numbers. Companies and government agencies are required to comply with the new regulations by January 1, 2009.

In August, Governor Patrick signed an identity theft prevention law that requires the reporting of data breaches to the Office of Consumer Affairs and Business Regulation. Since then, 320 breaches have been reported, affecting 625,365 Massachusetts residents. A report outlining the incidents has been released here [PDF].

Via i’ve been mugged, 2, boston globe, washington post ; Image: clip art