1 IDENTITY THEFT IN SOUTH CAROLINA: 2014 UPDATE Marti Phillips, Esq. Director, Identity Theft Unit South Carolina Department of Consumer Affairs
2 This presentation is not meant to serve as a substitute for reading various laws discussed, seeking legal counsel or otherwise requesting Department guidance and/or interpretations. The presentation merely serves as an introduction and overview.
4 SCDCA Organizational Structure Council of Advisors Consumer Services & Education Administration Commission on Consumer Affairs Administrator Advocacy Legal Public Information Identity Theft Unit
5 SCDCA Identity Theft Unit Education Provide education and outreach to SC consumers across the state; increase awareness and knowledge about identity theft & the steps to protect against id theft; and what to do if a victim. Guidance Provide ongoing guidance to SC id theft victims throughout the process of resolving their particular identity theft situation and mitigating negative effects. Enforcement Handle administration and enforcement of SC s FIFITPA and other identity theft-related consumer protection laws, including receipt of security breach notifications and ensuring reporting and notification requirements are met.
6 SCDCA Identity Theft Unit cont First year Accomplishments: Made 34 presentations to over 14,700 people, including consumer groups, state agencies, law enforcement and businesses; Fielded more than 4,200 calls, approximately 50% of which consisted of scam reports; Received 108 intake forms from identity theft victims;
7 SCDCA Identity Theft Unit cont First year Accomplishments cont: Garnered over $110,000 in refunds, credits and adjustments for consumers through identity theft mitigation; Received 43 security breach notices, affecting nearly 600,000 South Carolinians; Reached over 2,000 consumers through an AARP Senior Day at the SC State Fair.
8 SCDCA Identity Theft Unit cont Identity Theft Intake Form
9 SCDCA Identity Theft Toolkit
10 SCDCA Identity Theft Guide Next: ID Theft Numbers
13 How SC Victims Information is Misused Top 3* 32% Government Documents/Benefits Fraud Unlawful use or counterfeit of gov t issued documents 14% Phone or Utilities Fraud Obtaining these services with false info 13% Credit Card Fraud Opening a line of credit with false info * From FTC Consumer Sentinel 2013 Report
14 Data Security Breaches SC residents From July October 28, 2014 SCDCA has received: 157 security breach notices Affecting more than 7,387,958 South Carolina consumers. UP NEXT: FIFITPA & Recent Amendments
15 FIFITPA Legislative Background Bills ~ Comprehensive Result = S. 453, Act Amends several different Code Sections Effective Dates December 31, 2008 & July 1, 2009 (Security Breach Portion) 2013 Amendments: H & Proviso (FY14) Definitions & Security Breach Portion 2014 Budget Proviso (FY15)
16 FIFITPA Effective Dates Eff. December 31, 2008: Consumer Identity Theft Protection , et seq. Personal Identifying Information Privacy Protection , et seq. Crime of Dumpster Diving Credit/Debit Card Receipts Crime of Financial Identity Fraud
17 FIFITPA Effective Dates cont Eff. July 1, 2009: Breach of Security of State Agency Data Breach of Security of Business Data Eff. July 1, 2014 June 30, 2015 (FY15): Budget Proviso (Data Breach Notification State Agency)
18 FIFITPA Effective Dates cont 2013 Amendment = H.3248 eff. April 23, 2013 Amends Broadens scope of Financial Identity Fraud; Revises definition of Personal Identifying Information (PII); Defines Financial Resources; Provides Venue for prosecution of identity fraud offense Conforms language to fin. transaction crime = not a defense that some acts did not occur in this state or within city/city county, local jurisdiction Amends Breach of Security & Business Data Revised definition of PII
19 What s the definition of PII? (D)(3) State Agency Breach Note: Proviso (FY15) (D) Crimes & Offenses (e) Records w/ssns for Public Agencies Note: Pers l Info. also defined. See (1) (D)(3) Business Breach (11)(a) Consumer ID Theft Protection
20 (D) (amended by H eff. 4/23/2013) Personal identifying information (PII) includes but is not limited to : SSNs DL number or state ID card number Checking account numbers Savings account numbers Credit card numbers Debit card numbers PIN numbers Electronic ID numbers Digital signatures Dates of birth Current or former names* *First + Last; Middle + Last; First, Middle, + Last, but only when the names are used in combination with, and linked to other identifying information provided. Current/former addresses when used w/other info in this section Other #s/pwords/info that may be used to access fin. resources, #s, or info issued by govt/reg entity that will uniquely identify individual/financial resources
21 (D)(3) Breach of security of state agency data PII has same meaning as PII in (D) SSNs DL number or state ID card number Checking account numbers Savings account numbers Credit card numbers Debit card numbers PIN numbers Electronic ID numbers Digital signatures Dates of birth Current or former names* *First + Last; Middle + Last; First, Middle, + Last, but only when the names are used in combination with, and linked to other identifying information provided. Current/former addresses when used w/other info in this section Other #s/pwords/info that may be used to access fin. resources, #s, or info issued by govt/reg entity that will uniquely identify individual/financial resources
22 Sidebar: State Agencies & Security Breaches S.C. Code Ann et seq. Title 1 Administration of Government Chapter 11- State Budget and Control Board Section 490- Breach of security of state agency data; notification; rights and remedies of injured parties; penalties; notification of Consumer Protection Division. Effective FY15 Changes ~ Proviso (Effective July 1, June 30, 2015)
23 Sidebar cont Budget Proviso (FY15) Part 1B section 117 X90-GENERAL PROVISIONS Appropriation Act Will discuss more fully State agency breach notification requirements and how proviso amends ; For now just looking at difference in PII definition.
24 FY15 Budget Proviso changes PII definition for state agencies! eff. 7/1/14-6/30/15 PII means: first name or first initial and last name in combination with and linked to any one or more of the following data elements that relate to a resident of this State, when the data elements are neither encrypted nor redacted or when the data elements are encrypted and encryption also acquired: 1. SSN; 2. Driver's license number or state ID card #; 3. Financial account #, or credit card or debit card # in combination with any required security code, access code, or password that would permit access to a resident's financial account; or 4. Other #s or information which may be used to access a person's financial accounts or #s or information issued by a governmental or regulatory entity that uniquely will identify an individual. (The term does not include information that is lawfully obtained from publicly available information.)
25 (e) Collection of and maintenance & disposition of records containing SSNs by public agencies: (A)(1) Except as provided in Sections and of this article, a public body, as defined in Section (B), may not: (e) intentionally communicate or otherwise make available to the general public an individual's social security number or a portion of it containing six digits or more or other personal identifying information. "Personal identifying information", as used in this section, has the same meaning as "personal identifying information" in Section , except that it does not include electronic identification names, including electronic mail addresses, or parent's legal surname before marriage;
26 (e) Collection/maintenance/disposition of records w/ssns by public agencies cont.: PII has same meaning as PII in (D) SSNs DL number or state ID card number Checking account numbers Savings account numbers Credit card numbers Debit card numbers PIN numbers Electronic ID numbers Digital signatures Dates of birth Current or former names* *First + Last; Middle + Last; First, Middle, + Last, but only when the names are used in combination with, and linked to other identifying information provided. Current/former addresses when used w/other info in this section Other #s/pwords/info that may be used to access fin. resources, #s, or info issued by govt/reg entity that will uniquely identify individual/financial resources
27 (11)(a) Consumer Identity Theft Protection PII has same meaning as PII in (D) SSNs DL number or state ID card number Checking account numbers Savings account numbers Credit card numbers Debit card numbers PIN numbers Electronic ID numbers Digital signatures Dates of birth Current or former names* *First + Last; Middle + Last; First, Middle, + Last, but only when the names are used in combination with, and linked to other identifying information provided. Current/former addresses when used w/other info in this section Other #s/pwords/info that may be used to access fin. resources, #s, or info issued by govt/reg entity that will uniquely identify individual/financial resources
28 (D)(3) Breach of Security of Business Data (2013 Amendment = H.3248 eff. 4/23/13) PII: first name or first initial and last name in combination with and linked to any one or more of the following data elements that relate to a resident of this State, when the data elements are neither encrypted nor redacted or when the data elements are encrypted and encryption also acquired: 1. SSN; 2. Driver's license number or state ID card #; 3. Financial account #, or credit card or debit card # in combination with any required security code, access code, or password that would permit access to a resident's financial account; or 4. Other #s or information which may be used to access a person's financial accounts or #s or information issued by a governmental or regulatory entity that uniquely will identify an individual. (The term does not include information that is lawfully obtained from publicly available information.) Up Next: Proviso
29 Budget Proviso (FY15) State Agency Data Breach Notification ( et seq.)
30 et seq. Important Definitions (D)(1) Agency means any: agency, department, board, commission, committee, or institution of higher learning --of the State or a political subdivision of it Unchanged by Proviso
31 et seq. Important Definitions cont (D)(2) (emphasis added) Breach of the Security of the System = the unauthorized access to and acquisition of computerized data that was not rendered unusable through encryption, redaction, or other methods that compromise the security, confidentiality, or integrity of PII maintained by the agency, When: illegal use of the information: has occurred or is reasonably likely to occur OR use of the information creates a material risk of harm to the consumer. Unchanged by Proviso
32 et seq. Important Definitions cont (D)(3) Personal Identifying Information has the same meaning as 'personal identifying information in (D). Remember: (D) was amended in 2013 to broader definition (list). Proviso changes PII to the combination definition
33 et seq. Important Definitions cont FY15 Budget Proviso eff. 7/1/14-6/30/15 PII means: first name or first initial and last name in combination with and linked to any one or more of the following data elements that relate to a resident of this State, when the data elements are neither encrypted nor redacted or when the data elements are encrypted and encryption also acquired: 1. SSN; 2. Driver's license number or state ID card #; 3. Financial account #, or credit card or debit card # in combination with any required security code, access code, or password that would permit access to a resident's financial account; or 4. Other #s or information which may be used to access a person's financial accounts or #s or information issued by a governmental or regulatory entity that uniquely will identify an individual.
34 et seq. Important Definitions cont FY15 Budget Proviso changes definition (eff. 7/1/14-6/30/15) PII means: Cont The term does not include information that is lawfully obtained from publicly available information, or from federal, state, or local government records lawfully made available to the general public.
35 State Agency Security Breach cont Notification Required (Owner of Data): (A) An agency of this State: owning or licensing computerized data OR other data that includes PII shall disclose a any breach of the security of the system following discovery or notification of the breach in the security of the data to a any resident of this State whose unencrypted and unredacted PII : was, or is reasonably believed to have been, acquired by an unauthorized person when the illegal use of the information has occurred or is reasonably likely to occur or use of the information creates a material risk of harm to the resident. Changes by Proviso indicated above
36 State Agency Security Breach cont (A) Notification Required (Owner of Data) cont Budget Proviso adds: In determining whether information has been acquired, or is reasonably believed to have been acquired, by an unauthorized person or a person without valid authorization, the agency may consider the following factors, among others: (1) indications that the information is in the physical possession and control of an unauthorized person, such as a lost or stolen computer or other device containing information; (2) indications that the information has been viewed, downloaded, or copied; or (3) indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of reported identity theft.
37 State Agency Security Breach cont Notification Required (Maintainer of Data): (B) An agency maintaining : computerized data or other data that includes PII that the agency does not own shall notify the owner or licensee of the information of a breach of the security of the data immediately following discovery, IF the PII was, OR is reasonably believed to have been, acquired by an unauthorized person Unchanged by Proviso
38 State Agency Security Breach cont Timeliness of Disclosure /Proviso The disclosure must be made: In the most expedient time possible and without unreasonable delay; Consistent with the legitimate needs of law enforcement With measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. (Language not in Proviso)
39 State Agency Security Breach cont Timeliness of Disclosure /Proviso cont Disclosure may be delayed if: A law enforcement agency determines that the notification impedes a criminal investigation. BUT notification must be made after the law enforcement agency determines that it no longer compromises the investigation. Budget Proviso adds = Delay cannot exceed 72 hours after discovery unless agency requests and AG grants (in writing) add l delays of up to 72 hrs each upon a determination that such notification impedes criminal investigation.
40 State Agency Security Breach cont Notification Methods ~ (E)/Proviso (1) written notice; (2) electronic notice, IF: the person/agency s primary method of communication with the individual is by electronic means, the person to whom notice is required has expressly consented to receiving said notice in electronic form, or is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 USC and Chapter 6, Title 26 of the 1976 Code; (3) telephonic notice ; OR (4) substitute notice IF: the cost of providing notice > $250,000 OR >500,000 people affected OR The agency has insufficient contact information. o notice when the agency has an address for the subject persons; o conspicuous posting of the notice on the agency's web site page, if the agency maintains one; or o notification to major statewide media.
41 State Agency Security Breach cont Notification Methods ~ (E)/Proviso cont Proviso adds: Regardless of the method by which notice is provided, such notice shall include: Contact information for the agency making the notification; and A description of the categories of information that were, or are reasonably believed to have been, acquired by a person without valid authorization; Including specification of which of the elements of personal/private information were, or are reasonably believed to have been, so acquired.
42 State Agency Security Breach cont Notification Methods ~ /Proviso cont Proviso deletes quasi-safe harbor (F) Agency is in compliance if it maintains its own notification procedures as part of an information security policy and is otherwise consistent with timing requirements and notifies subject persons in accordance with its policies in the event of a security breach.
43 State Agency Security Breach cont Notification to SCDCA & CRAs ~ (H) When: Provide notice to > 1,000 persons at 1 time Without unreasonable delay notify: Department of Consumer Affairs and All consumer reporting agencies (CRAs) that compile and maintain files on a nationwide basis, as defined in 15 USC Section 1681a(p) Notice Must Include: Timing, Distribution, & Content of Notice Unchanged by Proviso Mail To: SCDCA Identity Theft Unit RE: Security Breach Notification P.O. Box 5757 Columbia, SC 29250
44 State Agency Security Breach cont Penalties: Private Cause of Action~ Section (G) A resident of this State who is injured by a violation of this section, in addition to and cumulative of all other rights and remedies available at law, may: (1) institute a civil action to recover damages; (2) seek an injunction to enforce compliance; and (3) recover attorney's fees and court costs, if successful. Administrative Fines ~ Section (H) An agency that knowingly and willfully violates this section is subject to an administrative fine up to $1,000 for each resident whose information was accessible by reason of the breach Unchanged by Proviso
45 State Agency Security Breach cont DCA Informal Interpretation (May 6, 2010) Question 1: Does (consumer notification of breach) apply to the unauthorized access to and acquisition of paper records, consisting mainly of facsimiled documents, containing unredacted personal identifying information? YES Reading Act as a whole ( other data ), definitions ( computerized data ), potential absurd result, etc.
46 State Agency Security Breach cont
47 State Agency Security Breach cont Question 2: What steps must be taken to comply with the notification provision contained in (I) (notify SCDCA & CRAs when >1000 affected)? the date of the breach, date the agency became aware of the breach, date the notice was/will be sent to affected consumers, method of consumer notification (ie: mail, telephone, electronic), number of consumers affected, and the content of the consumer notice (ie: copy of the letter sent to consumers).
48 Security Breach cont Businesses must comply with similar security breach requirements. See Definition of PII = same as included in Proviso for agencies, but permanent through H3248 (2013). UP NEXT: Legislation
49 New SC Legislation: S.148 Protected Consumer Bill Credit Report & Security Freezes for Protected Consumers ; Credit Record Amends FIFITPA to add a class of protected consumers & provide method of creating credit record for purpose of freezing (preemptive) Protected Consumer = Individual under age 16 Incapacitated person w/guardian or conservator Signed by Gov. on April 7, 2014 ~ Eff. Jan. 1, 2015
50 Pending SC Legislation S.1086 would amend: (State Agency Breach) (Breach of Business Data) Require: The breach notice provided to affected consumers describe the breach certain elements* Breach notices include contact information for SCDCA Delete provision(s) that agency/business may adhere to its own policy re notification ( quasi-safe harbor ) Notification delay ~ shall not exceed 72 hours unless AG grants additional delay (state agency only!)
51 *Certain elements: S.1086 cont Clear and conspicuous Description of the incident in general terms Description of the type of PII believed to have been subject to unauthorized access and acquisition Description of general acts of business/agency to protect PII from further access Telephone number for the business/agency a person may call for more info
52 Wrap-Up SCDCA as a Resource ID Theft Scenarios: Security Your Agency Security Breach of a Business Victim of ID Theft Partnerships FIFITPA Guide coming soon!
http://www.michie.com/tennessee/lpext.dll/tncode/12ebe/13cdb/1402c/1402e?f=templates&... Page 1 of 1 47-18-2101. Short title. This part shall be known and may be cited as the Tennessee Identity Theft Deterrence
January 2007 An Overview of U.S. Security Breach Statutes An Overview of U.S. Security Breach Statutes Jeffrey M. Rawitz and Ryan E. Brown 1 This Jones Day White Paper summarizes what is generally entailed
OREGON IDENTITY THEFT RANKING BY STATE: Rank 20, 68.1 Complaints Per 100,000 Population, 2552 Complaints (2007) Updated January 10, 2009 Current Laws: A person commits the crime of identity theft if the
00 -- H 11 SUBSTITUTE A AS AMENDED LC0/SUB A/ STATE OF RHODE ISLAND IN GENERAL ASSEMBLY JANUARY SESSION, A.D. 00 A N A C T RELATING TO IDENTITY THEFT PROTECTION Introduced By: Representatives Gemma, Sullivan,
CYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION Robert N. Young, Director Carruthers & Roth, P.A. Email: email@example.com Phone: (336) 478-1131 TOPICS 1. Threats to your business s data 2. Legal obligations
PENNSYLVANIA IDENTITY THEFT RANKING BY STATE: Rank 14, 72.5 Complaints Per 100,000 Population, 9016 Complaints (2007) Updated January 29, 2009 Current Laws: A person commits the offense of identity theft
Comparison of US State and Federal Security Breach Notification Laws Current through August 26, 2015 Alaska...2 Arizona...6 Arkansas...9 California...11 Colorado...19 Connecticut...21 Delaware...26 District
CONNECTICUT IDENTITY THEFT RANKING BY STATE: Rank 19, 68.8 Complaints Per 100,000 Population, 2409 Complaints (2007) Updated November 28, 2008 Current Laws: A person commits identity theft when he intentionally
0 -- S 01 SUBSTITUTE B LC000/SUB B/ S T A T E O F R H O D E I S L A N D IN GENERAL ASSEMBLY JANUARY SESSION, A.D. 0 A N A C T RELATING TO CRIMINAL OFFENSES - IDENTITY THEFT PROTECTION Introduced By: Senators
KRS Chapter 61 Personal Information Security and Breach Investigations.931 Definitions for KRS 61.931 to 61.934. (Effective January 1, 2015).932 Personal information security and breach investigation procedures
BUSINESS AND COMMERCE CODE TITLE 11. PERSONAL IDENTITY INFORMATION SUBTITLE B. IDENTITY THEFT CHAPTER 521. UNAUTHORIZED USE OF IDENTIFYING INFORMATION SUBCHAPTER A. GENERAL PROVISIONS Sec. 521.001.AASHORT
APPENDIX PR 12-A FEDERAL AND STATE BREACH NOTIFICATION LAWS FOR CALIFORNIA LEGAL CITATION California Civil Code Section 1798.82 California Health and Safety (H&S) Code Section 1280.15 42 U.S.C. Section
DATA BREACH CHARTS (Current as of December 31, 2015) The charts below provide summary information about data breach notification statutes across the country. California adopted the first data breach notification
COLORADO IDENTITY THEFT RANKING BY STATE: Rank 8, 89.0 Complaints Per 100,000 Population, 4328 Complaints (2007) Updated November 28, 2008 Current Laws: A person commits identity theft if he or she: Knowingly
SOUTH CAROLINA IDENTITY THEFT RANKING BY STATE: Rank 30, 60.6 Complaints Per 100,000 Population, 2670 Complaints (2007) Updated January 5, 2009 Current Laws: A person commits the crime of financial identity
Indiana Social Security Number Disclosure and Security Breach Legislation Presented by: Joanna Lyn Grama, J.D., Information Security Project Manager Scott Ksander, Senior Inforensics Analyst/Engineer 1
Client Advisory October 2009 Data Security Law MGL Chapter 93H and 201 CMR 17.00 For a discussion of these and other issues, please visit the update on our website at /law. To receive mailings via email,
Mark R. Herring Attorney General Commonwealth of Virginia Office of the Attorney General 900 East Main Street Richmond, Virginia 23219 (804) 786-2071 (Telephone) (804) 786-1991 (Facsimile) Identity Theft
Security Breach Notification Chart Perkins Coie's Privacy & Security practice maintains this comprehensive chart of state laws regarding security breach notification. The chart is for informational purposes
Arizona State Senate Issue Brief September 17, 2015 Note to Reader: The Senate Research Staff provides nonpartisan, objective legislative research, policy analysis and related assistance to the members
RHODE ISLAND IDENTITY THEFT RANKING BY STATE: Rank 34, 56.0 Complaints Per 100,000 Population, 592 Complaints (2007) Updated January 5, 2009 Current Laws: A person commits the crime of identity fraud if
Article 2A. Identity Theft Protection Act. 75-60. Title. This Article shall be known and may be cited as the "Identity Theft Protection Act". (2005-414, s. 1.) 75-61. Definitions. The following definitions
WISCONSIN IDENTITY THEFT RANKING BY STATE: Rank 15, 175.9 Complaints Per 100,000 Population, 9852 Complaints (2007) Updated January 16, 2009 Current Laws: It is unlawful to intentionally use or attempt
00 STATE OF WYOMING 0LSO-00 SENATE FILE NO. SF00 Identity theft protection. Sponsored by: Senator(s) Johnson and Case A BILL for AN ACT relating to consumer protection; providing for notice to consumers
MASSACHUSETTS IDENTITY THEFT RANKING BY STATE: Rank 23, 66.5 Complaints Per 100,000 Population, 4292 Complaints (2006) Updated January 17, 2009 Current Laws: Identity Crime: A person is guilty of identity
NC s Identity Theft Protection Act What Does it Mean for Local Health Departments? Jill Moore UNC Institute of Government Two Issues Managing security breaches Collection and use of SSNs Security Breaches
HOUSE BILL 1ST LEGISLATURE - STATE OF NEW MEXICO - SECOND SESSION, INTRODUCED BY William "Bill" R. Rehm AN ACT RELATING TO CONSUMER PROTECTION; CREATING THE DATA BREACH NOTIFICATION ACT; REQUIRING NOTIFICATION
North Carolina General Statutes Chapter 75 Monopolies, Trusts, and Consumer Protection Article 2A Identity Theft Protection Act 75-60. Title. This Article shall be known and may be cited as the "Identity
North Carolina General Statutes Article 2A Identity Theft Protection Act 75-61. Definitions. The following definitions apply in this Article: (1) "Business". A sole proprietorship, partnership, corporation,
CHAPTER 226 AN ACT concerning identity theft, amending P.L.1997, c.172 and supplementing various parts of the statutory law. BE IT ENACTED by the Senate and General Assembly of the State of New Jersey:
Everett School Employee Benefit Trust Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law Introduction The Everett School Employee Benefit Trust ( Trust ) adopts this policy
PLEASE READ The official text of New Jersey Statutes can be found through the home page of the New Jersey Legislature http://www.njleg.state.nj.us/ New Jersey Statutes Annotated (N.J.S.A.), published by
GENERAL ASSEMBLY OF NORTH CAROLINA SESSION 2005 SESSION LAW 2005-414 SENATE BILL 1048 AN ACT ENACTING THE IDENTITY THEFT PROTECTION ACT OF 2005. The General Assembly of North Carolina enacts: SECTION 1.
Prepare for the Worst: Best Practices for Responding to Cybersecurity Breaches Trivalent Solutions Expo June 19, 2014 2014, Mika Meyers Beckett & Jones PLC All Rights Reserved Presented by: Jennifer A.
HIPAA Business Associate Agreement Sample Notice Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) The information provided in this document does not constitute, and is no substitute
OKLAHOMA LAWS RELATING TO IDENTITY THEFT Prepared for VICARS by Legal Aid Services of Oklahoma Introduction: OKLAHOMA LAWS RELATING TO IDENTITY THEFT Identity theft takes place when someone uses your personal
Healthcare Practice Breach Notification Requirements Under HIPAA/HITECH Act and Consumer Identity Theft Protection Act August 2013 Anchorage Beijing New York Portland Seattle Washington, D.C. www.gsblaw.com
HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ("BA AGREEMENT") supplements and is made a part of any and all agreements entered into by and between The Regents of the University
Reprinted from The Lawyers Weekly, August 15, 2003 California s New Hacker Disclosure Law and its Potential Impact on Canadian Businesses Berkley D. Sells Fasken Martineau DuMoulin LLP A California law
WASHINGTON IDENTITY THEFT RANKING BY STATE: Rank 13, 76.4 Complaints Per 100,000 Population, 4942 Complaints (2007) Updated January 11, 2009 Current Laws: Washington s identity theft law states that no
Data Security: Risks, Compliance and How to be Prepared for a Breach Presented by: Sandy B. Garfinkel, Esq. The Data Breach Reality: 2015 AshleyMadison.com (July 2015) Member site facilitating personal
Privacy, Data Security & Information Use September 16, 2010 Data Breach Notification Burden Grows With First State Insurance Commissioner Mandate by John L. Nicholson and Meighan E. O'Reardon Effective
Scope All [Name of Facility] operations Purpose To describe the measures to be followed when health care is obtained under a fictitious name or in another person s name. This includes situations when a
BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT is made and entered into as of the day of, 2013 ( Effective Date ), by and between [Physician Practice] on behalf of itself and each of its
UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14 RULES Issued August 19, 2009 Requires Covered Entities to notify individuals of a breach as well as HHS without reasonable delay or within
Texas Security Freeze Law BUSINESS & COMMERCE CODE CHAPTER 20. REGULATION OF CONSUMER CREDIT REPORTING AGENCIES 20.01. DEFINITIONS. In this chapter: (1) "Adverse action" includes: (A) the denial of, increase
Community First Health Plans Breach Notification for Unsecured PHI The presentation is for informational purposes only. It is the responsibility of the Business Associate to ensure awareness and compliance
Procedure Name: HITECH Breach Notification The ReHabilitation Center 1439 Buffalo Street. Olean. NY. 14760 Purpose To amend The ReHabilitation Center s HIPAA Policy and Procedure to include mandatory breach
UNIVERSITY OF WYOMING HIPAA POLICY 3.6 BREACH I. PURPOSE: The purpose of this policy is to outline the processes and procedures for determining whether the security or privacy of PHI has been compromised
The Matrix Reloaded: Cybersecurity and Data Protection for Employers Jodi D. Taylor Why Talk About This Now? Landscape is changing Enforcement by federal and state governments on the rise Legislation on
Five Rivers Medical Center, Inc. 2801 Medical Center Drive Pocahontas, AR 72455 Notification of Security Breach Policy Purpose: This policy has been adopted for the purpose of complying with the Health
Page 1 of 9 CITY OF CHESAPEAKE, VIRGINIA NUMBER: 2.62 ADMINISTRATIVE REGULATION EFFECTIVE DATE: 1/1/2016 SUPERCEDES: N/A SUBJECT: HUMAN RESOURCES DEPARTMENT CITY OF CHESAPEAKE EMPLOYEE/RETIREE GROUP HEALTH
I Personal Information Protection Policy Purpose: This policy outlines specific employee responsibilities in regards to safeguarding personal information. To this end, each employee has a responsibility
Doing Business in Oregon Under the Oregon Consumer Identity Theft Protection Act and Related Privacy Risks Privacy Data Loss www.breachblog.com Presented by: Mike Porter March 10, 2009 2 Privacy Data Loss
Identity Theft Prevention and Security Breach Notification Policy Purpose: Lahey Clinic is committed to protecting the privacy of the Personal Health Information ( PHI ) of our patients and the Personal
ILLINOIS IDENTITY THEFT RANKING BY STATE: Rank 11, 80.2 Complaints Per 100,000 Population, 10304 Complaints (2007) Updated November 30, 2008 Current Laws: A person commits the offense of identity theft
IDENTITY THEFT: DATA SECURITY FOR EMPLOYERS Daniel J. Blake, Esq. Vijay K. Mago, Esq. LeClairRyan, A Professional Corporation LeClairRyan, A Professional Corporation One International Place, Eleventh Floor
HIPAA Business Associate Agreement User of any Nemaris Inc. (Nemaris) products or services including but not limited to Surgimap Spine, Surgimap ISSG, Surgimap SRS, Surgimap Office, Surgimap Ortho, Surgimap
FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is made and entered into to be effective as of, 20 (the Effective Date ), by and between ( Covered Entity ) and
FirstCarolinaCare Insurance Company Business Associate Agreement THIS BUSINESS ASSOCIATE AGREEMENT ("Agreement"), is made and entered into as of, 20 (the "Effective Date") between FirstCarolinaCare Insurance
HIPPA and HITECH NOTIFICATION Effective Date: September 23, 2013 Orchard Creek Health Care is required by law to maintain the privacy of protected health information (PHI) of our residents. If you feel
Sierra College ADMINISTRATIVE PROCEDURE No. AP 3721 Electronic Information Security and Data Backup Procedures Date Adopted: 4/13/2012 Date Revised: Date Reviewed: References: Health Insurance Portability
PROTECTING YOURSELF FROM IDENTITY THEFT The Office of the Attorney General of Maryland Identity Theft Unit CONTENTS 1) What is Identity Theft? 2) How to Protect Yourself From ID Theft. 3) How to Tell If
HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various
Responding to New Identity Theft Laws March 2011 Privacy Expectations Today, there is increasing recognition that an individual has a legitimate interest in controlling the collection, use and disclosure/dissemination
HORRY COUNTY PRIVACY AND IDENTITY THEFT PREVENTION POLICY STEPS FOR YOUR DEPARTMENT TO COMPLY WITH POLICY AND THE LAW WHAT IS THE PURPOSE OF THIS POLICY? TO PROTECT THE PRIVACY OF RESIDENTS UTILIZING COUNTY
INTRODUCED BY CONGRESSMAN RANDY NEUGEBAUER (R-TX) AND CONGRESSMAN JOHN CARNEY (D-DE) SECTION-BY-SECTION ANALYSIS Section 1: Short Title The Data Security Act of 2015. Section 2: Purposes The purposes of
Data Security Breaches: Learn more about two new regulations and how to help reduce your risks By Susan Salpeter, Vice President, Zurich Healthcare Risk Management News stories about data security breaches
LAWS OF ALASKA 00 Source SCS CSHB (FIN) am S Chapter No. AN ACT Relating to breaches of security involving personal information, credit report and credit score security freezes, protection of social security
What You Need to Know About the New HIPAA Breach Notification Rule 1 New regulations effective September 23, 2009 require all physicians who are covered by HIPAA to notify patients if there are breaches
COUNCIL POLICY NO. C-13 TITLE: POLICY: Identity Theft Prevention Program See attachment. REFERENCE: Salem City Council Finance Committee Report dated November 7, 2011, Agenda Item No. 3 (a) Supplants Administrative
PRIVACY 2.0 BREACH NOTIFICATION POLICY Scope: All subsidiaries of Universal Health Services, Inc., including facilities and UHS of Delaware Inc. (collectively, UHS ), including UHS covered entities ( Facilities
IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Data Breach Notification Policy 10240 POLICY INFORMATION Major Functional Area (MFA): MFA X - Office of General Counsel & Compliance
Texas HB 300 HB 300: Background Texas House Research Organizational Bill Analysis for HB 300 shows state legislators believed HIPAA did not provide enough protection for private health information (PHI)
SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT
CALIFORNIA IDENTITY THEFT RANKING BY STATE: Rank 2, 120.1 Complaints Per 100,000 Population, 43,892 Complaints (2007) Updated November 25, 2008 Current Laws: A person who, with the intent to defraud, acquires
BUSINESS ASSOCIATE AGREEMENT TERMS This Addendum ( Addendum ) is incorporated into and made part of the Agreement between SIGNATURE HEALTHCARE CORPORATION ("Covered Entity ) and ( Business Associate"),
Vermont Information Technology Leaders HIPAA COMPLIANCE POLICIES AND PROCEDURES Policy Number: InfoSec 4 Policy Title: Information Security Incident Response January 26, 2016 IDENT INFOSEC4 Type of Document:
CYBER RISK MANAGEMENT IN THE BOATING INDUSTRY Carmelo Torraca, Esq. New Jersey Marine Trades Association March 2015 E-commerce has permanently transformed the way business-to-business and business-to-customer
75-63. Security freeze. (a) A consumer may place a security freeze on the consumer's credit report by making a request to a consumer reporting agency in accordance with this subsection. A security freeze
Identity Theft Information Houston Police Department Criminal Investigations Command Financial Crimes Unit 713-308-2500 The information contained on this page is intended to assist the citizens of Houston
HIPAA Omnibus Rule Practice Impact Kristen Heffernan MicroMD Director of Prod Mgt and Marketing 1 HIPAA Omnibus Rule Agenda History of the Rule HIPAA Stats Rule Overview Use of Personal Health Information
Federal Trade Commission Privacy Impact Assessment for the: W120023 ONLINE FAX SERVICE December 2012 1 System Overview The Federal Trade Commission (FTC, Commission or the agency) is an independent federal
Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. firstname.lastname@example.org www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually
Your consent to our cookies if you continue to use this website.