The breaking news here today of a data breach at Premera Blue Cross following on the heals of the recent announcements of large-scale data breaches at Anthem, is another reminder that employers and other health plan sponsors, fiduciaries, insurers specifically, and U.S. businesses need to take immediate steps to assess and tighten up their privacy, data security and data breach compliance and risk management. Health plans and their employers, administrators, insurers, and other vendors and service providers need to take immediate steps to conduct documented investigations, provide mandated breach notifications and take other actions that the Privacy, Security & Breach Notification Rules imposed by the Health Insurance Portability & Accountability Act and other potentially applicable laws. Depending on the scope of data affected and their involvement with the affected plans, employer or other plan sponsors, fiduciaries, administrators and service providers also may be subject additional responsibilities under the fiduciary responsibility requirements of the Employee Retirement Income Security Act of 1974 (ERISA), the Internal Revenue Code, and a host of other laws. Insurance industry or other vendors providing services to these plans also may face specific responsibilities under applicable insurance, health care, federal or state identity theft, privacy or data security, or other federal or state laws.
The need for prompt assessment and action is not necessarily limited to health plans and organizations sponsoring, administering or doing business with the plans involved in the Premera or Anthem breaches. The report of these and other health plan breaches, as well recent reports of identity theft and other fraud impacting federal tax returns and other large data breach reports involving retailers and other prominent businesses are spurring recognition of the large risks and need for greater scrutiny and accountability to business collection, use, and protection of sensitive personal and other data.
Of course, as in the case of health plan, the risk is exploding largely in response to the continued evolution of electronic payment and other business operating systems coupled with the emergence of data harvesting and other capabilities fuel a host of new mandates, opportunities and risks for virtually every U.S. business. Cyber criminals seem to always be one step ahead of business and government in leveraging these emerging opportunities for their criminal purposes.
With everyone from the Internal Revenue Service and other federal and state government agencies to private business partners pushing to leverage the efficiencies and other opportunity of electronic transactions and data, businesses in the US and around the world increasing are encouraged if not required to conduct more and more transactions containing business and individual tax information, personal financial information, personal health information, confidential business and personal information electronically. Meanwhile big data and other business and marketing gurus also encourage business to leverage their own opportunities to use data collected for these business mandates and expanding technology also to collect, use and repurpose customer, prospect or other business information collected in the course of business to benefit their business’ marketing, transactional and other opportunities.
As these practices have taken hold and expanded over the past decade, data breaches and other cyber crime events, the legal requirements and risks of collection and use of data also are growing. Privacy, identity theft and other cyber crime and other concerns have led federal and state lawmakers to enact an ever-growing list of notice, consent, disclosure, security and other laws and regulations including but not limited to the Fair & Accurate Credit Transaction Act (FACTA),the Gramm-Leach-Bliley Act, the Privacy & Security Rules of the Health Insurance Portability & Accountability Act, state identity theft, data security and data breach and other electronic privacy and security laws and an ever-growing plethora of others.
As the cyber crime epidemic continues to grow and notorious breeches and schemes involving the Internal Revenue Service, Veterans Administration, retail giants like Target, Home Depot, and others, insurance giants like Anthem, and others, government and private enforcement is rising and the judgments, penalties and other costs soaring even as federal and state regulators are looking at the need for expanded rules and penalties. See Cybercrime Enforcement Statistics; DOJ Enforcement Priorities & Statistics. In response to widening data privacy and security concerns from incidents like the recent reports of breaches at Anthem and elsewhere have prompted Congress and State regulators to hold hearings to consider the need for added reforms, see, McCaul to Hold Hearing on President’s Cybersecurity and the Federal Trade Commission has just announced plans to host a workshop on Nov. 16, 2015, to look at the privacy issues around the tracking of consumers’ activities across their different devices for advertising and marketing purposes.
While these and other legal and enforcement developments promise new liabilities and expenses, the business losses and customer and business partner implications experienced by Target, Anthem and other businesses already impacted illustrate the severe business consequences that inevitably result if a business appears to have failed to take customer privacy or other data security concerns seriously.
The now notorious Target hacking data breach event is illustrative. Target reported in late 2013 that credit and debit card thieves stole the name, address, email address and phone number from the credit and debit card records of around 70 million Target shoppers between November 27 and December 15, 2013. After announcing the breach, Target reported a 46% drop in profits in the fourth quarter of 2013, compared with the year before despite having announced plans to invest $100 million upgrading their payment terminals to support Chip-and-PIN enabled cards and millions of dollars more in rectification efforts. See The Target Breach, By the Numbers. Subsequently, Target’s losses have continued to mount even as it now faces lawsuits and other enforcement actions as a result of the breach. See Banks’ Lawsuits Against Target for Losses Related to Hacking Can Continue. Meanwhile, the enforcement and other fallout continues to evolve.
In the face of these developments, businesses need to be diligent about the adequacy and defensibility of their current data collection, use and security practices while remaining ever vigilant for new requirements, as well as weaknesses in their own practices. Businesses need to build their defenses in anticipation of these events both to withstand government and private litigation and enforcement, and the judgment of public opinion.
For Help With Risk Management, Compliance & Other Management Concerns
If you need assistance in auditing or assessing, updating or defending your organization’s compliance, risk management or other internal controls practices or actions, please contact the author of this update, attorney Cynthia Marcotte Stamer here or at (469) 767-8872.
Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization,recognized as a “Top 100” lawyer in labor and employment, employee benefits and health care law, management attorney and consultant Ms. Stamer is nationally and internationally recognized for more than 20 years of work on data security and privacy, and other internal controls and management. Scribe for the ABA JCEB Annual Agency Meeting with the Office of Civil Rights, a faculty and steering committee for the Southern California ISSA-HIMSS Health Care Privacy Program, Ms. Stamer is nationally recognized for her work, publications, public speaking and education and other leadership on privacy and data security and other risk management and compliance.
A management attorney who works with businesses and government to manage and redress people, process and risk, Ms. Stamer has worked extensively on data and other privacy risk management and compliance, Throughout her career, she has conducted investigations and advised, and assisted health care, insurance, retail and a broad range of other public and private organizations with privacy and data security audit and risk management, contracting, investigation, defense and remediation throughout her more than 25 year career.
Past Chair of The Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Committee, a Council Representative on the ABA Joint Committee on Employee Benefits, Government Affairs Committee Legislative Chair for the Dallas Human Resources Management Association, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer works, publishes and speaks extensively on cyber crime and other privacy, management, reengineering, investigations, human resources and workforce, employee benefits, compensation, internal controls and risk management, federal sentencing guideline and other enforcement resolution actions, and related matters. She also is recognized for her publications, industry leadership, workshops and presentations on these and other human resources concerns and regularly speaks and conducts training on these matters.Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, and many other national and local publications. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly.
About Solutions Law Press
Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources at www.solutionslawpress.com.
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at here or e-mailing this information here.
©2015 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press. All other rights reserved.