Notification Laws, the HITECH Act and Red Flags Rule
New regulations are arriving at a rapid rate, so business owners and managers need to stay current with the rules that apply to them and with their compliance dates.
State breach notification laws require businesses to notify customers or patients, in a timely manner, of any data breach that might affect them. Each state sets its own requirements, and failure to notify as your state's law prescribes can lead to fines and penalties.
The legalese simplified
The HITECH Act, part of the 2009 American Recovery and Reinvestment Act, creates a federal notification requirement for breaches of protected health information. The HITECH Act also provides incentives for physicians to achieve meaningful use of an electronic health record system.
The Red Flags Rule applies to financial institutions and creditors that hold covered accounts. The rule was issued in November 2007 under the Fair and Accurate Credit Transactions Act, which amended the Fair Credit Reporting Act.
The Massachusetts Office of Consumer Affairs & Business Regulation issued a regulation known as Massachusetts 201 CMR 17.00 in September 2008. The regulation is intended to protect the personal information of Massachusetts residents against unauthorized disclosure. Its reach is wide: it applies to any person or business, wherever located, that holds personal information on a Massachusetts resident. Non-compliance can result in a civil financial penalty for each violation, counted per affected person.
So what's next? H.R. 2221, the Data Accountability and Trust Act, is pending in Congress. If passed, it would require businesses to notify customers when outside parties gain access to sensitive information as the result of a security breach.
How businesses can protect themselves from exposures
Cyber liability, or security and privacy, insurance has been developed by insurance carriers to provide coverage for these exposures. First-party coverages include business income and extra expense, crisis management expenses, cyber extortion, credit monitoring expenses and notification costs. Third-party coverages include network security and privacy liability, Internet and media liability, and regulatory defense coverage (including penalties and fines, where insurable).
Finally, remember that there is no standard policy form in the marketplace. Each policy form requires careful review and analysis by a cyber insurance specialist before it is bound.
Source: David Perkins, September 7, 2009 www.insurancejournal.com