You may not realize how much personal information your insurance company has about you. Scarier still is that much of this data is sensitive and valuable to hackers – such as your Social Security number, financial information, medical history, even itemized schedules of your most expensive personal property. As data breaches affecting insurers have piled up in the past couple of years (Anthem, Premera Blue Cross and Blue Shield, Excellus Health Plan, UCLA Health System just to name a few), so too have calls for stronger data security protections applicable to insurance data. In response, the CyberSecurity Task Force of the National Association of Insurance Commissioners (“NAIC”), the standard-setting organization in the U.S. insurance industry created and governed by the chief insurance regulators from the 50 states, the District of Columbia, and five U.S. territories (“Task Force”) is racing to finish its Insurance Data Security Model Law (“Model Law” or “Law”) by the end of this year so that states can begin the adoption process as early as 2017. Continue Reading Insurance Regulators Fine Tuning Cybersecurity Guidance
Julia Siripurapu is a Member in the firm’s Boston office and a Certified Privacy Professional (CIPP). She focuses her practice on commercial transactions involving technology and intellectual property and data privacy and security. Julia regularly advises clients of all sizes, from start-ups to large private and public companies, in the structuring, drafting, and negotiation of complex domestic and cross-border transactions involving technology licensing and development, systems integration and implementation, cloud computing, outsourcing of IT systems and business processes, strategic collaborations, and other business transactions directed to the use, transfer, and development of technology and other intellectual property assets.
It is easy to see networks all around us. The printers at the office, your child’s videogame, the food ordering app on your phone, the fitness band or smart watch on your wrist, the electricity grid for your city, the self-driving cars being tested on our roads, all rely at least in part on networked solutions. The ubiquity of networks is already staggering and the pace of research and development in this area is poised to increase for years to come. As the things in our world get smarter and the network of these smart things grows larger, a little-known agency in the U.S. Department of Commerce, the National Institute of Standards and Technology (“NIST” or “Agency”), decided it was time that stakeholders smartened up about the way they discuss networks, connected “smart” things, and the privacy and security challenges associated with them. Continue Reading Let’s talk about Networks of Things, baby. Let’s talk about you and me.
Colorado is the latest state to revisit, and expand upon, its laws pertaining to the use and protection of student data. Colorado Governor John Hickenlooper recently signed into law House Bill 16-1423 (the “Bill”) designed to increase the transparency and security of personal information about students enrolled in Colorado’s public education system (K-12). Described by its sponsors and the media as “nation-leading” with respect to the extremely broad scope of the definition of “student personally identifiable information”, the Bill imposes additional, detailed requirements on the Colorado Department of Education, the Colorado Charter School Institute, school districts, public schools, and other local education providers (each, a “Public Education Entity”) and commercial software providers (including education application providers) with respect to the collection, use, and security of student data. In this blog post, we focus only on the duties of commercial software or education application providers. Continue Reading Colorado Student Data Privacy Bill – What EdTech software providers need to know
Last week, the Federal Trade Commission (FTC) announced (press release) that Practice Fusion, the largest cloud-based electronic health company in the United States, has agreed to settle FTC charges over deceptive practices involving the public disclosure of healthcare provider review information collected from consumers that included sensitive personal and medical information. Below is our review of the circumstances underlying the FTC complaint, a summary of the terms of the settlement, and a few pointers on how to avoid a similar situation. There are many lessons to be learned from this FTC complaint for all online providers, not only EHR providers. Read on. Continue Reading Practice Fusion and FTC Settle Complaint Over Deceptive Statements About the Privacy of Consumer-Generated Online Content
Sophisticated phishing scams and muscular hacking efforts continue to compromise personal and sensitive information held by insurers, hospital systems, and businesses large and small. In response, many states have strengthened their data breach notification laws and have enacted data security laws to enhance the data protection obligations imposed on data collectors and to ensure that residents and state regulators receive prompt and adequate notice of security breaches when they do occur. By mid-summer, a range of new measures will be going into effect in Nebraska, Nevada, Rhode Island and Tennessee. Be sure to review the latest edition of the Mintz Matrix for these new measures. Continue Reading Illinois Joins the Fray: Strengthens its Laws Around Data Breach Notification and Data Security
The Payment Card Industry Security Standards Council (PCI SSC) has released a new version of its data security standard for the protection of cardholder data, the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers as well as all other entities that store, process, or transmit cardholder data and/or sensitive authentication data. PCI DSS is administered by the PCI SSC, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.
The newly published version, PCI DSS version 3.2 (PCI DSS 3.2), contains the following three types of changes: Continue Reading PCI DSS 3.2: It’s here, what does it mean for you?
Yesterday, we reviewed the staggering numbers in California Attorney General Kamala Harris’ 2016 Data Breach Report.
In addition to providing a comprehensive analysis of four years of data breaches, the report provides an answer to the vexing question of what her office considers to be “reasonable security.”
California Attorney General Kamala Harris has released a report of the data breaches that have been reported to her office from 2012 until 2015. Although the California data breach notification law took effect in 2003, beginning in 2012, businesses and government agencies have been required to notify the Attorney General of data breaches affecting more than 500 California residents.
The number of personal records that were compromised is staggering: 178 breaches were reported during 2015, and 24 million personal records were compromised.
The recent data breach of Hong Kong-based electronic toy manufacturer VTech Holdings Limited (“VTech” or the “Company”) is making headlines around the world for good reason: it exposed sensitive personal information of over 11 million parents and children users of VTech’s Learning Lodge app store, Kid Connect network, and PlanetVTech in 16 countries! VTech’s Learning Lodge website allows customers to download apps, games, e-books and other educational content to their VTech products, the Kid Connect network allows parents using a smartphone app to chat with their children using a VTech tablet, and PlanetVTech is an online gaming site. As of December 3rd, VTech has suspended all its Learning Lodge sites, the KidConnect network and thirteen other websites pending investigation. Continue Reading Happy Holidays: VTech data breach affects over 11 million parents and children worldwide
California again has provided a model of privacy legislation for other states to follow. New Hampshire Governor Maggie Hassan recently signed into law House Bill 520 (the “Bill”), a bipartisan effort to establish guidelines for the protection of student online personal information.
Who is covered by the Bill?
Modeled after California’s Student Online Personal Information Protection Act (SOPIPA), the Bill applies to operators of Internet websites, online services (including cloud computing services), and mobile applications with actual knowledge that their website, service or application is used primarily for K-12 school purposes and was designed and marketed for K-12 school purposes (“Operators”). Like SOPIPA, the Bill imposes certain obligations and restrictions on Operators with respect to the collection, use, storage and destruction of student personal information and becomes effective on January 1, 2016. We discuss SOPIPA in more detail here and provide recommendations for preparing to comply with the SOPIPA requirements.
The Bill does not apply to general audience websites, online services, and mobile applications, even if login credentials created for a covered site, service, or application may be used to access the general audience sites, services, or applications. The Bill also makes it clear that it is not intended to:
- limit Internet service providers from providing Internet connectivity to schools or students and their families;
- prohibit operators of websites, online services, or mobile applications from marketing educational products directly to parents so long as the marketing did not result from the use of “Covered Information” under the Bill;
- impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance with the Bill on those applications or software;
- impose a duty upon a provider of an interactive computer service, as defined in 47 U.S.C. section 230, to review or enforce compliance with the Bill by third-party content providers; or
- impede the ability of students to download, export, or otherwise save or maintain their own student created data or documents.
What information is covered by the Bill?
The Bill defines “Covered Information” very broadly to include personally identifiable information or materials, in any media or format, created or provided to an Operator by either a student (or his/her parent or guardian) while using the Operator’s site, service, or application or by an employee or agent of the K-12 school, school district, local education agency, or county office of education, as well as information gathered by the Operator that is related to the student, such as information that is “descriptive of a student or otherwise identifies a student, including, but not limited to, information in the student’s educational record or email, first and last name, home address, date of birth, telephone number, unique pupil identifier, social security number, financial or insurance account numbers, email address, other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, other student identifiers, search activity, photos, voice recordings, or geo-location information.”
What do you have to do to comply with the Bill?
Avoid the following prohibited activities:
- Using any information (including persistent identifiers) created or collected through your site, service, or application to create a profile about a K-12 student;
- Engaging in targeted advertising (either on your site, service, or application or any other site, service, or application) when the targeting is based on any information (including covered information and persistent identifiers) that you have acquired as a result of the use of your site, service, or application;
- Selling, leasing, renting, trading, or otherwise making available a student’s information (including covered information), except in connection with a sale of your business provided that the buyer continues to be bound by this restriction with respect to previously acquired student information; or
- Disclosing protected information, except where the disclosure is mandated to “respond to or participate in judicial process”.
Implement and maintain the following security and deletion requirements:
- reasonable security procedures and practices (appropriate to the nature of the Covered Information) to protect Covered Information from unauthorized access, destruction, use, modification, or disclosure, and
- delete covered information if the school or district requests deletion of data under the control of the school or district.
What can you do with Covered Information?
Although, as discussed above, there are many restrictions on the use of Covered Information, Operators are permitted to:
- Use de-identified Covered Information within their sites, services, or applications (or other sites, services, or applications owned by the Operator) to improve educational products and to demonstrate the effectiveness of their products or services (including in their marketing), and
- Share aggregated de-identified Covered Information for the development and improvement of educational sites, services, or applications.
Although the effective date is January 1, 2016, if you are an “Operator” under the Bill, this is the time to begin thinking about what kind of changes you may need to make in your processes and procedures and to put in place an implementation plan to be compliant with the Bill by its effective date.