I have notice a lot of attention paid lately to issues regarding data security and online privacy issues. Today, from a somewhat unlikely source, I read an article regarding some of the laws affecting how to handle data and privacy issues . David Perkins writes at the Insurance Journal about What to Know About Red Flags, Notification Laws and the Hi Tech Act. The article is not exhaustive, but it does offer a primer for the practitioner interested in where privacy laws are now and where they appear to be headed.
Perkins hits on the Hi-Tech Act, enacted as part of the Stimulus package, which establishes a federal layer of protection for patients. On the one hand, the Act mandates electronic transmission of more patient information, ostensibly to modernize the manipulation of medical information, while at the same time tightening up the notification process in the event of data breach.
Perkins also hits on a broad Massachusetts regulation enacted one year ago, 201 C.M.R. 17.00, which applies to persons anywhere who “own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts.” Protections are expanded under the regulation and fines can be imposed. At least 44 states have enacted their own data privacy and notification laws and regulations, with mechanisms for fines and penalties.
The “Red Flags Rule” also applies broadly to “financial institutions” and “creditors” with “covered accounts” and addresses the establishment of identity theft protection programs.
Coming down the road is the Data Accountability and Trust Act, which appears imminent. The Act contains notice requirements when data breaches occur and sensitive information is tapped.
The article does not deal with the ethical burdens and additional losses occasioned by data breach in the context of a legal practice. Client confidences are akin to patient privacy; in the case of legal representation, the potential downside of a breach may implicate both the data privacy and notice rules and professional codes of ethics.
While much of the data privacy and notice area remains uncharted, it certainly helps to understand the legislated concerns and the mechanics of how our electronic systems operate in order to assess and address the potential risks.