Trends in Regulation and Compliance: Data Breach and Privacy Patrick C. Lynch | Patrick Lynch Group
State AGs as Cybersecurity Regulators
State AG Offices Dedicated to Privacy and Cybersecurity
• 1999: NY Internet Bureau
• 2001: CA Office of Privacy Protection
• 2012: CA Privacy Enforcement & Protection Unit
• 2013: MD Internet Privacy Unit (first unit dedicated to Internet-related privacy/data issues)
• 2015: CT Privacy and Data Security Department
Rise of AG Multi-State Investigations into Data and Cybersecurity
• Increasing inter-state collaboration on data and cybersecurity matters at staff level
• NAAG’s ongoing Privacy Working Group
• Several multi-state enforcement actions with substantial fines
• More training for AAGs on data and cybersecurity issues
Recent State AG Cybersecurity Enforcement
AG Multi-State Investigations – Settled
2009 – TJX Data Breach
TJX owns popular retailers Marshalls, TJ Maxx, and HomeGoods. Allegation of massive data breach and a review of TJX’s data security policies and procedures.
41 AGs; $9.75 million + agreement to improve data security protocols
2014 – TD Bank Data Breach
In October 2012, TD Bank self-reported a March 2012 breach involving the Bank’s loss of unencrypted backup tapes containing the personal data of 260,000 customers nationwide.
9 AGs; $850,000 + agreement to strengthen security policies, including the use of data encryption
2015 – Zappos Data Breach
Allegations that a January 2012 breach of a Zappos computer server exposed the personal data of 24 million customers, including names, billing and shipping addresses, telephone numbers, the last four digits of credit card numbers, and login credentials.
9 AGs; $106,000 + agreement to strengthen security policies
Recent State AG Cybersecurity Enforcement
AG Multi-State Investigations – Active (and known)
2015 – Target, Home Depot, Staples
Multi-state investigations ongoing involving a number of states
Healthcare
Accretive Health – FTC and MN AG
The FTC alleged in a complaint against Accretive that the company failed to provide reasonable and appropriate security measures and procedures to protect consumers' personal information, including sensitive personal health information. The failure to adequately safeguard the data led to a July 2011 incident in Minneapolis, Minn., when an Accretive employee’s unencrypted laptop computer containing data on 23,000 patients of the company’s hospital clients was stolen from the worker’s car.
Anthem – Multistate investigation ongoing
Information included data about current and former customers: names, birthdays, medical IDs, Social Security numbers, street addresses, email addresses, employment information and some income data.
What does this mean for Argentum Members?
• As senior living companies are holders of sensitive and private data from both residents and employees, it is imperative that these companies enact measures to protect against potential hackings.
• Senior living companies should collaborate on best practices to ensure appropriate safeguards are established to protect sensitive data.
• Senior living companies should establish response plans that can be immediately implemented in the event of a data breach.
Best Practices for Argentum Members to Consider
• 2016 California Attorney General data breach report provides a good perspective on the data breach environment and common sense steps companies should take to protect their data.
• Develop data breach policies and procedures and staff trainings.
• If a breach happens, know your responsibility and have a plan.
• Each state has a different data breach notification law and process.
• AGs work together and communicate on multistate data breach efforts – reporting in a concise and timely manner is important.