What laws are available to protect my private information?
May 1, 2018
There are several. One of them is brand new and takes effect in Alabama on 1 June 2018; a federal bill is pending in Congress; and a European Union regulation begins to apply on 25 May 2018.
Existing civil and criminal law already reaches bad actors who steal personal information: criminal theft (in its various degrees), the civil action for conversion, and the tort of invasion of privacy. Defenses to such claims include contributory negligence on the part of the plaintiff, the fact that the information had already become public, a public-safety need for the information, and a few others.
Several regimes already protect particular kinds of data. For health data, the Health Insurance Portability and Accountability Act (HIPAA) and the later HITECH Act (Health Information Technology for Economic and Clinical Health Act) contain safeguard and enforcement provisions. HITECH was enacted to promote the adoption of electronic health records, and it strengthened HIPAA's breach notification and penalty rules. A breach is investigated and penalized by the Department of Health and Human Services (HHS). Like many government enforcement arms, HHS started with a very small enforcement budget, but because fines collected fund further enforcement (an "eat what they kill" arrangement), the growing budget has allowed more audits of covered entities (health care providers, hospitals, insurance plans, and so on) and of the business associates of those covered entities. Of note, HIPAA itself gives the individual no right to sue: a lawsuit over a HIPAA breach must be brought on a separate theory, such as invasion of privacy.
A variety of other federal laws also protect personal data, including the Federal Trade Commission Act, the Financial Services Modernization Act (Gramm-Leach-Bliley), the Fair Credit Reporting Act, the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act, the Telephone Consumer Protection Act, the Electronic Communications Privacy Act, and the Computer Fraud and Abuse Act. Separately, broadband privacy rules adopted by the Federal Communications Commission in October 2016, roughly three months before President Trump's inauguration, were repealed by Congress in 2017, and the repeal was signed by President Trump.
Of special interest is the Alabama Data Breach Notification Act, signed by Governor Ivey on 28 March 2018. The law does not take effect until 1 June 2018, and it covers sensitive personal information of Alabama residents whether financial, health, or otherwise. Only a week earlier the South Dakota governor had signed that state's data breach notification act, which made Alabama the 50th state to adopt one. Under the Alabama act, a breach affecting more than 1,000 residents must also be reported to the Alabama Attorney General's office. The protected data is the first and last name, or first initial and last name, of an Alabama resident in combination with data such as (1) a full driver's license number, military ID, state-issued ID number, or passport number, (2) a financial account number together with the PIN, security phrase, or password needed to access it, (3) an email address or user name together with its password, (4) a full Social Security number, (5) health insurance information, and of course (6) health information. Until now Alabama had no statute of its own requiring that a resident be notified when their personal information is compromised. Notice may be delayed at the request of law enforcement, and information that is already lawfully public is excluded. So, in addition to the laws that already exist, a breach may now carry additional reporting requirements and additional fines. As an example, if the health records of five hundred or more individuals are breached, HIPAA requires individual notification, notification to HHS, and notification to the media, within a 60-day window. The Alabama window is 45 days for notifying individuals and the Alabama Attorney General. When the cost of individual notice exceeds a set threshold, notice may be given by substitute means such as a website posting or the media. Civil penalties for failing to notify are separate from the cost of notification itself, and the size of the covered entity is taken into account in setting them.
A bill now before Congress, the Data Acquisition and Technology Accountability and Security Act, would preempt all state breach notification laws; for that reason, thirty-two state Attorneys General have written to oppose it.
Finally, across the "pond", the European Union begins enforcing the General Data Protection Regulation (GDPR) on 25 May of this year. It covers all personal data of individuals in the EU. An entity must have a lawful basis, most often the individual's consent, for storing their records, and the individual has the right to request that the records be erased; that right is not absolute, however, and in a medical setting records that must be retained by law cannot simply be destroyed on request. Many companies in non-EU countries (including the United States) have been preparing for how to protect and handle the data of their EU clients, and perhaps even patients. Fines for the most serious violations can reach 20 million euro or 4% of worldwide annual turnover, whichever is higher. While there is no settled mechanism for the EU to collect such a fine from a U.S. company, the EU-U.S. Privacy Shield data transfer framework, under which participating U.S. companies commit to EU-style protections enforceable by the Federal Trade Commission, gives European authorities an additional avenue against U.S. companies. U.S. companies should be prepared by this point.
This article is informational only and is not meant to be all-inclusive. It does not serve as legal advice to the reader and does not create an attorney-client relationship. The reader should seek counsel from their own attorney should any questions exist.
"No representation is made that the quality of legal services performed is greater than the quality of legal services performed by other lawyers."
Ronald A. Holtsford, Esq.
Ronald A. Holtsford, LLC
7956 Vaughn Road, Box #124
Montgomery, AL 36116