
Amy C. Pimentel focuses her practice on privacy and data security and general health law. Her clients operate in a variety of industries, including health care, consumer products, retail, food and beverage, technology, banking and other financial services.

The General Data Protection Regulation (GDPR) was the biggest story of 2018 in the field of global privacy and data protection. The GDPR became enforceable in European Union Member States on May 25, 2018, significantly expanding the territorial reach of EU data protection law and introducing numerous changes that affected the way organizations globally process the personal data of their EU customers, employees and suppliers. These changes required action by companies and institutions around the world. Almost six months after the GDPR's effective date, organizations are still working on compliance, and will be for years to come.

Critical provisions

The GDPR applies to organizations inside and outside the EU. Organizations “established” inside the EU, essentially meaning a business or unit located in the EU, must comply with the GDPR if they process personal data in the context of that establishment. The GDPR also applies to organizations outside the EU that offer goods or services to, or monitor the behavior of, individuals located in the EU.

The GDPR also uses terms that are unfamiliar to many US businesses but need to be understood. Both "data controllers" and "data processors" have obligations under the GDPR, and data subjects can bring actions directly against either or both of those parties. A data controller is an organization that determines how and why personal data is processed. A data controller is often, but not always, the organization that has the direct relationship with the data subject (the individual to whom the data relates). A data processor is an organization that processes personal data on behalf of a data controller, typically a vendor or service provider. The GDPR defines "processing" to mean any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means (e.g., collection, recording, storage, alteration, use, disclosure and structuring).

The GDPR also broadly defines "personal data" as any information directly or indirectly relating to an identified or identifiable natural person, such as a name, identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Organizations in the US are used to a narrower definition of personal data, which typically includes information that, if breached, would put an individual at risk of identity theft or fraud and require notice (e.g., Social Security numbers, driver's license numbers, and financial account, credit and debit card numbers).

Read the full article: GDPR 6 Months After Implementation: Where are We Now?

The European Commission recently determined that the Privacy Shield Framework provides an adequate basis for data transfers under EU law, making it a replacement for the Safe Harbor program. The Privacy Shield is designed to give organizations on both sides of the Atlantic a mechanism for complying with EU data protection requirements when transferring personal data from the European Union to the United States. Organizations that apply for Privacy Shield self-certification by September 30, 2016, will be granted a nine-month grace period to conform their contracts with third-party processors to the Privacy Shield's new onward transfer requirements.

Read the full article here.

On September 29, 2015, the U.S. Department of Health and Human Services Office of the Inspector General (OIG), Office of Evaluation and Inspections, released two studies calling on the HHS Office for Civil Rights (OCR) to strengthen its efforts in both general enforcement of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Standards and enforcement of security breach reporting requirements. OIG commissioned both studies out of concern for the increased risk of an invasion of privacy and exposure to fraud, identity theft and other harm that patients face in an ever-expanding digital health environment.

Read the full On the Subject.

Recent cyber-attacks on health insurers have heightened awareness that sensitive participant and beneficiary information may not be adequately secured. There will undoubtedly be other attacks on databases maintained by service providers to employee benefit plans, which raises an important question for Employee Retirement Income Security Act of 1974 (ERISA) fiduciaries: what should be done now to protect participant and beneficiary information entrusted to service providers against future attacks and unauthorized disclosure? While the extent of a fiduciary's responsibility to protect personally identifiable information of participants and beneficiaries is unclear, the fiduciary provisions of ERISA can be interpreted to impose a general duty to protect this information when it is part of a plan's administration. In addition, plan fiduciaries may have obligations under other federal and state laws governing data privacy and security that are not preempted by ERISA. This article addresses the nature of the problem, identifies the types of data breaches that can occur with employee benefit plans, provides an overview of relevant law that may apply, and sets forth practical steps that plan fiduciaries can take with service providers to address privacy and security concerns.

Click here to read the full article from Benefits Law Journal.

In the first few months of 2015, a number of states have introduced data breach notification bills and proposed legislative amendments designed to enhance consumer protection in response to the increasingly high-profile data breaches reported in the media. This activity at the state level suggests that protecting consumers from data breaches is one area where Democrats and Republicans can find common ground.

From the text of these bills, some of which have already become law, we see two emerging trends: (1) an expansion of the definition of personal information to include more categories of data that, if compromised, would trigger a notification requirement, and (2) the addition of a requirement to notify state agencies (such as attorneys general and state insurance commissioners) where none previously existed.

Here are developments in three states reflecting these emerging trends:

Wyoming

In late February, Wyoming passed two bills that amend its existing data breach notification law by specifying the content required in notices to Wyoming residents, modifying the definition of personal information, and providing for covered entities or business associates that comply with HIPAA to be deemed in compliance with the state individual notice requirements.

In particular, Wyoming’s definition of personal information will now include the following:

  • Shared secrets or security tokens that are known to be used for data-based authentication;
  • A username or email address, in combination with a password or security question and answer that would permit access to an online account;
  • A birth or marriage certificate;
  • Medical information (a person’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional);
  • Health insurance information (a person’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the person or information related to a person’s application and claims history);
  • Unique biometric data (data generated from measurements or analysis of human body characteristics for authentication purposes); and
  • An individual taxpayer identification number.

These changes to Wyoming law will become effective July 1, 2015.

Montana

Beginning October 1, 2015, amendments to Montana's breach notification law will require entities that experience a data breach affecting Montana residents to notify the Montana Attorney General and, if applicable, the Commissioner of Insurance. Notification must include an electronic copy of the notice to affected individuals, a statement providing the date and method of distribution of the notification, and an indication of the number of individuals in the state impacted by the breach. Entities must provide notice to state regulators simultaneously with consumer notices.

The recent amendments to the Montana law also expand the definition of personal information to include medical record information, taxpayer identification numbers and any "identity protection personal identification number" issued by the IRS. The law specifies that medical information is that which relates to an individual's physical or mental condition, medical history, medical claims history or medical treatment, and is obtained from a medical professional or medical care institution, from the individual, or from the individual's spouse, parent or legal guardian.

Alabama

Alabama is one of three U.S. states (New Mexico and South Dakota are the other two) that have not yet enacted a data breach notification law. This may change, however, if Senate Bill 206, the Alabama Information Protection Act of 2015, gains momentum in the state legislature.

The bill would create an obligation to notify affected individuals, and the Alabama Attorney General for breaches affecting more than 500 individuals, within 30 days of discovering a breach of personal information. For breaches affecting more than 1,000 individuals, the bill would also require notifying all consumer reporting agencies of the timing, distribution and content of the notices.

Under the Alabama Information Protection Act, personal information will include a person’s first name or first initial and last name in combination with any of the following data elements:

  • A Social Security number;
  • A number issued on a government document used to verify identity (such as a driver’s license, identification card number, passport number or military identification number);
  • A financial account number or credit/debit card number, in combination with any required security code, access code or password necessary to permit access to an individual’s financial account;
  • Any information regarding an individual’s medical history, physical or mental condition, or medical treatment or diagnosis by a health care professional; and
  • An individual’s health insurance policy number, subscriber identification number or any unique identifier used by a health insurer to identify an individual.

Like California and Florida’s new requirements, the proposed definition of personal information would also include a username or e-mail address in combination with a password or security question and answer that would permit access to an online account.

Importantly, entities that are providers of health care, a health care service plan, a health insurer or a covered entity governed by the HIPAA Security and Privacy Rules will be deemed in compliance with the Act. The Act will not apply to financial institutions subject to, and in compliance with, the Gramm-Leach-Bliley Act.

Key Takeaways for Businesses

What this means for businesses is that incident response planning is key. Organizations need an incident response plan that identifies who must be notified, when they must be notified and what the required notices must contain. Because notification obligations attach by the affected individual's state of residence, that analysis also depends on knowing which data elements each system holds and where the individuals in it reside. In addition, as the scope of what is considered "personal information" continues to expand, so does the likelihood that any given security incident will trigger notification requirements.

Data security breaches affecting large segments of the U.S. population continue to dominate the news. Over the past few years, there has been considerable confusion among employers with group health plans regarding the extent of their responsibility to notify state agencies of security breaches when a vendor or other third party with access to participant information suffers a breach. This On the Subject provides answers to several frequently asked questions to help employers with group health plans navigate the challenging regulatory maze.

Read the full article.