Could your law firm or hedge fund be faced with fines for failure to protect client data? In last week’s post, we discussed an incident in which a hospital was fined $100,000 for a HIPAA breach after an unencrypted personal laptop containing patient information was stolen. There are laws which penalize companies in other industries for failure to protect confidential data as well.
- Financial companies that don’t adequately protect “Personally Identifiable Information” (PII) face fines (up to $100,000 for each violation) and other penalties (including imprisonment for up to 5 years) for violating the Gramm-Leach-Bliley Act (GLBA).
- Lawyers have ethical and legal obligations to protect client data, and, due to the types of information they handle and store, they are attractive targets for hackers. While law firms are exempt from some U.S. privacy and information security laws (including GLBA and the FTC’s Identity Theft Red Flags Rule), most privacy and information security laws apply to them.
- The NY Social Security Number Protection Law imposes penalties (a maximum of $1,000 for each violation) on companies that don’t protect the confidentiality of social security numbers.
- The Payment Card Industry Data Security Standard (PCI DSS) requires that all companies protect the credit card information that they process, store, or transmit. The consequences for noncompliance range from $5,000 to $100,000 per month.
- Nearly every state in the U.S. has laws regarding breach notification. New federal legislation, if passed, will standardize breach notification. The Personal Data Notification and Protection Act will require companies to inform customers within 30 days if their personal information has been compromised as the result of a breach. Additional notification to government and reporting agencies is required. A data breach can cost millions of dollars in direct costs – such as notifying victims – and in indirect costs – such as damage to reputation.
PII that needs to be protected includes an individual’s name when linked with a social security number, driver’s license, or financial account / credit card information. (The definition of PII will be expanded in the proposed federal breach notification law to include the name linked with a home address, mother’s maiden name, or full birth date. It will also include biometric data such as a fingerprint. In addition, it will include a user name or email address in combination with a password or security question / answer that permits access to an online account.) Confidential personal data includes patient, client, or customer information as well as personnel records. Sensitive information that needs protection also includes corporate secrets.
The encryption exception that applies to HIPAA also applies to the proposed federal 30-day breach notification legislation. It exempts businesses from the requirement of individual notice if a risk assessment concludes that there is no reasonable risk that the breach will result in harm to the individuals whose PII was breached. If the data is encrypted – rendered unusable, unreadable, or indecipherable – it is presumed that there is no reasonable risk. Individual documents that contain confidential data can be encrypted. Portable devices can be encrypted to protect the data that is accessed or stored on them. Encrypted email should be used if email is used to discuss or share sensitive data. Encryption protects sensitive information by rendering it unreadable to anyone who does not hold the decryption key.
Stemp offers technology solutions to keep our clients’ data secure as well as HIPAA and PCI compliant. These solutions include:
- Laptop and workstation encryption
- Mobile device (smartphone) management and encryption
- Email encryption
- Encrypted backups
- Virtual private networks
- Risk Assessments required by HIPAA and PCI
- Staff security training
- HIPAA compliant technology recycling
We also send security alert emails to our clients about incidents in the news that might affect them, such as current phishing scams, and we publish blogs like this one. We are diligent about protecting the security of our clients’ data. How confident are you that your data is secure? Call Stemp Systems for a free assessment.