By David J. Lineman
One of the challenges to managing a business today is the growing list of regulations. With the dramatic rise in identity-theft and cybercrime in general, data protection laws have been popping up at the Federal level and in all 50 states. Because many of these laws are new, few businesses are aware of their compliance requirements. Here is a short description of key regulations that Texas businesses should be concerned about.
Texas Identity Theft Law
The Identity Theft Enforcement and Protection Act is a Texas state law designed to protect individuals from identity theft. The law requires businesses to have a written information security program to protect personal information of Texas residents. For example, provisions of Chapter 35 of the Business and Commerce Code require businesses to develop retention and disposal procedures for their clients’ personal information.
Penalties against businesses that violate Texas’ identity theft provisions are substantial. The law provides for fines of up to $500 for each record that could potentially land in the wrong hands. Additionally, businesses that give consumers specific assurances about how patient privacy is protected could face penalties up to $20,000 per violation if they fail to implement these programs. The Texas Attorney General has brought enforcement actions against numerous businesses for improperly disposing of customer records, including a major suit against Radio Shack.
Some of the most significant data breaches of the last few years have involved electronic health records. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the federal law that requires businesses to protect personal medical information. The law requires a written information security and data privacy program. Hospitals and insurance companies could be fined as much as $25,000 per record for breaches of patient data.
While HIPAA was passed in 1996, it didn’t get much enforcement from the Feds. In 2010, a major update to HIPAA (called HITECH) was passed as part of the Stimulus Bill. In short, this extended HIPAA requirements to ANY business that handles personal health information. While this is a Federal law, states have started taking action. In January 2012, in the wake of the theft of an unencrypted laptop computer containing approximately 23,500 patients’ records, the Minnesota attorney general brought the first formal enforcement action against a business associate, Accretive Health, Inc., for an alleged violation of HIPAA.
Texas Health Privacy Law
In 2011 the State of Texas also adopted a new law specifically targeting patient data privacy. The law, which will become effective on September 1, 2012, incorporates the expanded definition of the term “covered entity” in Texas’ existing health privacy law and could have a broad impact on many non-HIPAA covered entities. Among other provisions, the law requires all employees of covered businesses to undergo training on HIPAA and Texas’ health privacy law within 60 days of hiring (and at least once every two years).
The law also authorizes the Texas Attorney General, Texas Health Services Authority or Texas Department of Insurance to conduct compliance audits of covered entities that have consistently violated the Texas law.
PCI-DSS (Payment Card Industry Data Security Standard)
Businesses that accept or process credit card data are subject to the requirements of PCI-DSS. PCI requires that businesses take definitive measures to protect credit card information. Unlike state or Federal law, PCI is an industry-specific standard imposed by a consortium of the major credit card companies. The good news about PCI-DSS is that the requirements vary depending on the size and scope of a business.
Massachusetts State Data Protection Law
What? Why do we care about some Yankee, East Coast data protection law? According to this state statute, ANY business that handles personal information about Massachusetts residents (“of The Commonwealth”) must take specific measures to protect the data – no matter where it resides. So if a company is based in Texas but collects personal information from residents of other states, it is likely subject to the data protection laws of each of those states.
CA SB-1386 (California Senate Bill)
Yes, the other Coast is out to get us as well. California doesn’t have enough to do, so they created the first “data breach” law, requiring companies to notify California residents in the event of a data breach that may affect their personal information. In all fairness, at least 35 other states have enacted similar laws. Common wisdom is that some day there will be a Federal-level law that takes the place of these individual mandates.
What is required?
If there is any good news for business it is this: all of the various data protection laws require the same set of data protection principles. At the highest level, a business must be able to identify sensitive customer data and then protect it. This involves several key areas, including protecting access (both logical and physical), educating and training personnel, and being prepared for when controls fail. The key is documenting these in written information security policies and then backing those policies up with business processes.
The dramatic rise in identity theft and the legislative backlash to it are here to stay. Businesses must be aware not only of state and federal laws, but also of the laws that protect customers in other states. The good news is that most of the provisions in these laws are very similar. At a minimum, however, businesses must implement a written information security program, including information security policies.
David Lineman is President of Information Shield, based in Houston. Information Shield provides information security policies, training and consulting to help organizations reduce risk and comply with regulations. Visit www.informationsheild.com for more information on complying with these regulations.