Global Privacy Japan Sets its Rules for Personal Data
- Matilda Murphy
- 8 years ago
Global companies must comply with differing privacy rules. The great divide between the EU and the USA is well-known. See Global Privacy Protection - No One Set of Rules. The EU is an opt-in system, insisting generally on express agreement by individuals before a company can share or use their personal data. By contrast, the USA is largely an opt-out regime, using a mix of sector-specific rules plus public declaration. In some areas in the US, express opt-in is required (e.g., medical records), in others privacy notices about company rules are sufficient, and in yet other areas the rules are not clear or are flexible. Canada follows a third approach. See Canada and Privacy.

Japan's Law Concerning the Protection of Personal Information ("Privacy Law") took effect April 1, Japan's approach is in some respects more stringent than the EU standard, and more difficult to apply than the US or Canadian rules. Immediate attention should be given to the Japanese requirements by any large company that gathers, maintains or uses personal data about Japanese nationals. Smaller companies may be exempt from the Privacy Law, as discussed below.

Japan relies on a detailed regulatory framework plus private sector self-regulation. The Japanese Privacy Law is similar to the EU Directive, in the sense that it establishes a required framework for Japan's ministries to implement through detailed regulations in all sectors of Japanese life. The Prime Minister issued a Basic Policy in April 2004, which a year later became the basis for Japan's Privacy Law. Different ministries developed specific regulations that conform to the Basic Policy, and now to the Privacy Law. For example, the Ministry of Justice issued regulations regarding personal data involved in loan servicing and universities, and the Ministry of Internal Affairs and Communications issued the rules affecting telecommunications and broadcasting.
Handling of Personal Information in Japan

The Privacy Law defines personal information very broadly. It covers all the data of all living persons that can be used to identify specific individuals by name, date of birth, or other description. It includes publicly available information (phone numbers) as well as business contacts, HR data and patient records. It is hard to think of facts about a person that do not qualify as personal information.

Businesses that use personal information have specific prescribed duties as to personal information. Virtually any business with a Personal Information Database is covered, as long as at least 5,000 individuals are in the database. A company database involving fewer than 5,000 people is exempt from the Privacy Law, based on a government ordinance declaring that such a limited database is not a threat to individual rights. Smaller businesses, however, should consider conforming to the basic rules affecting their industry, or run the risk of failed employee expectations or worse.

Businesses with Personal Information Databases of more than 5,000 people must take the following steps:

1. Specify the purposes for which personal information will be used;
2. Restrict usage to necessary measures;
3. Obtain the information in a fair manner;
4. Provide notice to persons about the reasons for use, and obtain consent before sharing information with third parties;
5. Keep data secure, including adoption of security control measures;
6. Carry out effective supervision of those who handle personal information;
7. Allow persons to access and revise information about them; and
8. Have a complaint handling system.

Individuals must be told why and how their personal data will be used. This can be done by notice, without specific opt-in (e.g., by website or letter). The form of notice differs depending on the situation. Employees, for example, must be given enough detailed information that they can understand the ultimate uses of their data. Financial Services Agency (FSA) regulations require businesses to identify by name those third parties that might receive information (generic description is insufficient). For each particular type of intended use, applicable Ministry regulations must be followed to design the notice properly. If the purpose of stated usage changes (e.g., an employer decides after the initial notice that it will provide personal information for the purpose of setting up a 401(k) plan to a third party administrator), a new notice must be sent. The level of detail for notices goes beyond EU and US requirements. Thus, Japanese privacy notices will require more detailed drafting, and probably more updating, than is the case outside Japan.

Third Party Disclosures

Third party disclosure follows an opt-in regime, like Europe and unlike the US. Affiliates of companies are considered third parties. Thus, if a Japanese subsidiary of a US company wants to send home addresses of Japanese employees to the US parent (so that holiday cards might be sent from the US CEO), this requires advance permission of the Japanese individuals. The originating business, under several ministry regimes, will remain accountable for what third parties do with the data.
As a result, the sending business must obtain assurances from third parties regarding proper use and restrictions regarding the data to be shared.

There is a joint use exception that allows sharing of personal information with third parties without express consent, but this depends on obtaining individuals' express agreement to this at the time the privacy notice is sent to the individuals with a clear description that joint use is intended. The joint use must be stated in a detailed manner for it to be lawful later.

For some uses, an opt-out exception is provided for the sharing of personal data. Most businesses may share data without an express opt-in by an individual if they have provided prior notice to the person that (1) use of the data includes providing information to specified third parties; (2) specific information can be shared with third parties; (3) transfer of the data will occur by specified methods; and (4) the individual may stop transfer upon request. Financial services businesses cannot use the opt-out exception, and are instead required to get express agreement from individuals before sharing personal data, even with affiliates.

Other Requirements Under Privacy Law

Financial services businesses face other requirements, including appointment of a Chief Privacy Officer, internal inspection and external audits and specific ledger books about protection and use of personal data. By contrast, the Ministry of Economy, Trade and Industry Guidelines provide standards for security controls, leaving the specific method of achieving them to affected businesses (e.g., consumer credit companies). In general, Japan's Privacy Law requires more specific and detailed measures for data security than are present in other countries.

Japan's Privacy Law requires that individuals have access to personal information kept about them and that businesses respond promptly to access requests, with limited exceptions.
If a person looks at data and demands a correction, the business is required to make a proper correction and notify the person of action taken (including why a request was denied).
Unlike European countries, Japan does not have specific rules about moving personal data outside of Japan. This is because Japan makes no distinction between moving data to third parties inside or outside of Japan. In either case, third-party disclosure and joint use rules apply.

The Privacy Law is not optional. It is backed by the potential of large fines and up to six months imprisonment, not to mention adverse publicity that surrounds failures in the handling of personal data.

Compliance with Japan's Privacy Law must be part of a global strategy for data handling. Measures will vary depending on the nature of the business and personal data information involved. Affected businesses should be clear about the particular guidelines or rules that govern them and devise a system to meet the requirements. After that, ongoing steps must be taken to ensure the system works as designed. These measures should address what happens in the event of a breach of the privacy program that is established.

Fair Credit Reporting Act

Enacted in 1970, the Fair Credit Reporting Act ("FCRA") was designed to ensure fairness and accuracy in the creation and use of consumer reports for lending, insurance, and employment purposes. The FCRA attempts to achieve that fairness and accuracy by providing consumers with notice of and access to the information that credit bureaus and other consumer reporting agencies compile and provide to third parties for use in making decisions about providing credit and other services. The FCRA requires that certain notifications be made to consumers before a credit reporting agency may communicate any oral or written information about the individual to a creditor, insurer, or employer.

There are two types of reports that can be requested under the FCRA. A consumer report is a report which contains information bearing on an individual's credit worthiness, credit capacity, character, general reputation, and mode of living.
An investigative consumer report is a report containing the same types of information, but gathered through personal interviews with friends, neighbors, or associates. The FCRA has recently been amended by the Fair and Accurate Credit Transactions Act of 2003 ("FACT Act"). The focus of the FACT Act amendments is the prevention of consumer fraud and identity theft. Those amendments include the provision of free credit reports to consumers, providing victims of identity theft with access to information concerning the theft, allowing consumers to flag or place alerts on their accounts when theft or misuse is suspected, limiting the printing of full credit card numbers on receipts, and elimination of sensitive medical information from consumer reports. One of the FACT Act amendments, called the "Disposal Rule," is of particular note to lenders, insurers, and employers who obtain and possess consumer information through credit and background checks. The Disposal Rule requires any entity that possesses consumer information about consumers to dispose of that information by taking "reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal." The Federal Trade Commission ("FTC"), the body responsible for enforcing the FCRA and implementing the Disposal Rule, has proposed several examples of disposal methods that comply with the rule. For paper documents, the FTC suggests implementing and monitoring a program of burning, pulverizing, or shredding documents so that the consumer information therein cannot be reasonably reconstructed. For electronic materials, organizations need to develop and implement policies and programs that ensure that consumer information on electronic media is permanently erased and cannot be reasonably or practically reconstructed. 
The FTC also permits affected organizations to comply with the Disposal Rule by hiring third-party document destruction specialists to dispose of consumer information.

It is vital to note that the Disposal Rule does not establish a deadline or timeframe for the disposal of consumer information; it only dictates the procedures that must be taken when an organization decides to dispose of such information. Prior to disposing of any such records, however, lenders, insurers, employers, and others should consult with legal counsel to determine whether recordkeeping or other legal obligations require the preservation of such records.

Action Guide for Data Security Breaches

In recent months, frequent reports of data security breaches involving personal information of individuals in the United States have made headlines. Beginning with news reports in February 2005 of the disclosure of a massive data loss at ChoicePoint, one of the largest US data brokers, reports of similar data security breaches continued through the spring months involving Bank of America, Household Bank, DSW Shoe Warehouse, and LexisNexis. Most recently, MasterCard and VISA reported a data security breach involving a third-party processor that affected thousands of cardholders.

While it is logical to deduce from these reports that the security measures being used to protect Americans' personal information are deficient, in fact the recent news reports and the massive publicity surrounding such breaches can be attributed to a California law that was passed in 2002 and became effective July 1, This law requires that companies that do business in California must notify affected consumers if personal information maintained in computerized data files has been compromised by unauthorized access. According to Beth Givens, Director of the Privacy Rights Clearinghouse: "In the past, companies usually did not notify their customers when their electronic data had been compromised, subsequently leaving them at risk for identity theft or financial fraud. Now individuals can take the appropriate proactive steps to safeguard their financial health when they learn that their information may have been accessed by hackers or unauthorized employees."

The California law applies to companies doing business in California, and its scope is quite broad.
Since there is no definition of what constitutes doing business, and California case law on the issue is not definitive, most companies have taken a conservative approach and have decided to notify if they have California residents as customers, even if they have no physical presence in the state.

Personal information is defined as an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social Security number, (2) Driver's license number or California Identification Card number, (3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

Notification must be sent in written form to the consumer, either by U.S. mail or electronically, unless the cost of such notice is too great, in which case the statute permits certain substitute notice procedures, including publication of notice in statewide media and conspicuous posting on the company's web site. Additional best practices guidance is available from the California Office of Privacy Protection.

Notifying only California residents of a data security breach may be a consideration, but given the publicity that often follows such a notification, good business sense dictates notification of all affected consumers, no matter what their state of residence. Further, while California has been at the forefront in enacting consumer privacy protection measures, other states have begun to enact such measures as well. In recent months Georgia, Minnesota, Montana, and North Dakota have enacted laws requiring both businesses and government agencies to report a breach of computer security to those individuals affected. These laws have become effective or will be effective within the next six months.
Further, pending legislation in many other states would require such notification measures to be taken.

Additionally, numerous bills have been introduced during this session of the US Congress that would address the problem of unauthorized disclosure of consumer information, and attempt to provide further protections against identity theft. Some impose restrictions on the disclosure and use of Social Security numbers; others would regulate information brokers and protect individual rights with respect to personally identifiable information; still others would either prohibit or regulate the distribution of personal information outside the United States without the individual's prior consent. Most notable is the Notification of Risk to Personal Data Act (S751), introduced by Senator Dianne Feinstein, which is patterned after the California law and would require notification to consumers of a security breach. It is a good bet that one or more of these bills will be passed this year.
The federal banking regulators have also been proactive on the issue of notification of consumers of a security breach involving regulated financial institutions. An Interpretative Guidance (the "Guidance") recently issued by the banking regulatory agencies is instructive as to the appropriate response by an organization when faced with an unauthorized disclosure of its customers' information.

Pursuant to Section 501(b) of the Gramm-Leach-Bliley Act, the federal banking regulators previously issued the Interagency Guidelines Establishing Information Security Standards (the "Security Guidelines," formerly known as the "Interagency Guidelines Establishing Safeguards for Customer Information"). These Security Guidelines direct every financial institution to develop an information security program, which shall include an assessment of risks to its information security. In furtherance of the Security Guidelines, the Guidance was issued to assist financial institutions in developing their security programs.

The Guidance states that a financial institution has an affirmative duty to protect its customers' information against unauthorized access, and that notifying its customers of unauthorized access to or use of the customer's information is a key part of that duty. To that end, as part of its security program, the financial institution must design a response program, including customer notification procedures, which a financial institution can follow in the event of unauthorized access to or use of nonpublic customer information. The Guidance uses a two part test: 1) Is the information sensitive customer information? and 2) Is misuse of the information reasonably possible?
With the goal of preventing substantial harm or inconvenience to customers, the Guidance places the following types of information within the definition of "sensitive customer information": a customer's name, address, or telephone number, in conjunction with the customer's social security number, driver's license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer's account. The definition also includes any combination of the aforementioned components of customer information that would allow someone to access the customer's account. This definition is notably similar to the definition of personal information in the California notification law, the unauthorized disclosure of which requires notification.

The Guidance permits the institution to assess the potential impact of the unauthorized disclosure or access in deciding its course of action. It states that if the institution can determine that the misuse of the information is reasonably possible, it should notify all customers in the group. However, if the institution can reasonably determine that the potential for misuse of the disclosed information is limited to a particular subgroup of the affected customers, it may limit its disclosure to those specific customers.

In contrast, the California law speaks in terms of a breach of the security system, and describes this as unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the agency. The California standard would appear to provide less latitude, since it bases the requirement for notification on the actual compromise or breach of the security, without allowing for the further analysis of whether there is a potential for misuse of the information.
The Guidance also requires that the notice be given in a clear and conspicuous manner, that it describe the incident generally and the type of customer information that was disclosed, and include an explanation as to what the institution has done to protect the customers' information from further unauthorized access. The telephone number of a contact at the institution should be included as well in the event the customer may desire further assistance. Finally, the notice should remind customers of the need to remain vigilant over the next twelve to twenty-four months and to report any incidents of suspected identity theft to the institution.

Other points that the Guidance suggests may be addressed in the notice include:

- Recommending that customers review their account statements and immediately report any suspicious activity to the financial institution
- Describing fraud alerts and explaining how the customer may place one on his or her credit report
- Recommending that the customer periodically obtain credit reports from all three nationwide credit reporting agencies and a reminder that the customer may obtain a credit report free of charge annually
- Reminding customers of the availability of the FTC's online guidance regarding what a consumer can do to protect against identity theft, along with the FTC's web site address and toll-free number

Finally, the Guidance recommends that the notice be delivered in a timely manner, and by any means designed to ensure receipt, whether by telephone, e-mail (if the institution has a valid e-mail address and the customer has agreed to receive notice electronically), or regular U.S. Mail. As noted above, the California law also provides for notice by U.S. or electronic mail, but provides for other alternatives if the cost is prohibitive.

Dealing with an unauthorized disclosure of consumer information can be a tumultuous experience for a business, particularly where the business believes it has been vigilant as to its security program and the preventive measures it has adopted to buttress that security. But, as many businesses have learned and continue to learn, no security program is airtight. A response program should always be a part of a business's security program, and is in fact required of any financial institution subject to the Gramm-Leach-Bliley Act. In the event of an unauthorized disclosure, a response program can provide structure and guidance that will facilitate a prompt and appropriate reaction, including notification where warranted.

While the Guidance discussed above is binding only upon financial institutions subject to regulation by the Office of the Comptroller of the Currency, the Federal Reserve, the Federal Deposit Insurance Corporation, or the Office of Thrift Supervision, it nevertheless provides a template for other types of businesses in structuring their own response programs. Additionally, a business also needs to review where its customers reside, in the event other state laws may be applicable.
Prompt and appropriate action in the wake of an unauthorized disclosure makes good business sense: it may reduce a business's legal risk, and it is important to remember that every communication with a customer presents an opportunity.

The HIPAA Security Rules Are Here

The Health Insurance Portability and Accountability Act of 1966 (HIPAA) Security Standards for the protection of electronic health information became effective on April 20, 2005 for health care providers, health care clearinghouses, and health plans with annual receipts of more than $5 million ("Covered Entities"). The Security Rules become effective for health plans with annual receipts of $5 million or less on April 20, The Rules are published in the United States Code Federal Regulations beginning at 45 CFR

HIPAA's security standards for Covered Entities are based on four general principles. Covered Entities must:

1. Ensure the confidentiality, integrity, and availability of all electronic protected health information the Covered Entity creates, receives, maintains, or transmits.
2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the HIPAA Privacy Rules.
4. Ensure that its workforce complies with the Security Rules.

The Security Rules do not provide specific measures that Covered Entities must implement. Instead, Covered Entities may use any security measures that allow the Covered Entity to reasonably and appropriately implement the standards and implementation specifications of the Security Rules.
In deciding which security measures to use, a Covered Entity takes into account factors such as the size, complexity, and capabilities of the Covered Entity; the Covered Entity's technical infrastructure, hardware and software security capabilities; the costs of security measures; and the probability and criticality of potential risks to electronic protected health information.
Some of the Rule's implementation specifications are mandatory. For example, a Covered Entity must conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the Covered Entity. On the other hand, some of the implementation specifications are only "addressable," meaning that a Covered Entity must determine whether an implementation specification is a reasonable and appropriate safeguard in its environment when considered with reference to its likely contribution to protecting the Covered Entity's electronic protected health information. If a Covered Entity determines that an implementation specification is not reasonable and appropriate, it must document the basis for the determination and it must implement an equivalent alternative measure if there is a reasonable and appropriate alternative.

The Security Rules require Covered Entities to implement administrative, physical, and technical safeguards and to meet other organizational and procedural requirements. The administrative safeguards require Covered Entities to put into place a security management process, which includes risk analysis, risk management, and a sanction policy. In addition, Covered Entities must implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

To comply with the physical safeguard requirements, a Covered Entity must implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed while ensuring that properly authorized access is allowed. Covered Entities must implement a data recovery process, work station security rules, and establish procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information.
Covered Entities must also develop policies and procedures to address the disposal or reuse of hardware or electronic media on which electronic protected health information is stored. A Covered Entity must implement procedures to allow access to electronic protected health information only to those persons or software programs that have been granted access rights to the information. Finally, the Covered Entity must put in place mechanisms to assure that electronic protected health information has not been altered or destroyed in an unauthorized manner. Covered Entities should also revise their existing Business Associate Agreements. In addition to the requirements imposed by the HIPAA Privacy Rules, the Security Rules provide that the contract between a Covered Entity and a Business Associate must provide that the Business Associate will: (i) implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity; (ii) ensure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect it; and (iii) report to the Covered Entity any security incident of which it becomes aware. The Security Rules require Covered Entities to maintain their policies and procedures implemented to comply with the Security Rules in written form and to retain the documentation for six years from the date of its creation or the date when it was last in effect, whichever is later. If you need more information about the HIPAA Security Rules please contact any member of the Frost Brown Todd Health Law Practice Group. You may also find information at the United States Department of Health and Human Services website:
Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...
More information2005 -- H 6191 SUBSTITUTE A AS AMENDED ======= LC02663/SUB A/2 ======= STATE OF RHODE ISLAND IN GENERAL ASSEMBLY JANUARY SESSION, A.D.
00 -- H 11 SUBSTITUTE A AS AMENDED LC0/SUB A/ STATE OF RHODE ISLAND IN GENERAL ASSEMBLY JANUARY SESSION, A.D. 00 A N A C T RELATING TO IDENTITY THEFT PROTECTION Introduced By: Representatives Gemma, Sullivan,
More informationFair and Accurate Credit Transactions Act: More Protection for Consumers
Fair and Accurate Credit Transactions Act: More Protection for Consumers Businesses must heed FACTA requirements for protecting consumers credit records or face criminal or monetary consequences Stacey
More informationSecurity Breaches Under the NC Identity Theft Protection Act: Basic Information for Local Health Departments
Security Breaches Under the NC Identity Theft Protection Act: Basic Information for Local Health Departments Jill Moore UNC Institute of Government April 2007 In 2005, the N.C. General Assembly passed
More informationProtecting. Personal Information A Business Guide. Division of Finance and Corporate Securities
Protecting Personal Information A Business Guide Division of Finance and Corporate Securities Oregon Identity Theft Protection Act Collecting, keeping, and sharing personal data is essential to all types
More informationCOUNCIL POLICY NO. C-13
COUNCIL POLICY NO. C-13 TITLE: POLICY: Identity Theft Prevention Program See attachment. REFERENCE: Salem City Council Finance Committee Report dated November 7, 2011, Agenda Item No. 3 (a) Supplants Administrative
More informationJanuary 2007. An Overview of U.S. Security Breach Statutes
January 2007 An Overview of U.S. Security Breach Statutes An Overview of U.S. Security Breach Statutes Jeffrey M. Rawitz and Ryan E. Brown 1 This Jones Day White Paper summarizes what is generally entailed
More informationCHAPTER 226. C.56:11-44 Short title. 1. This act shall be known and may be cited as the "Identity Theft Prevention Act."
CHAPTER 226 AN ACT concerning identity theft, amending P.L.1997, c.172 and supplementing various parts of the statutory law. BE IT ENACTED by the Senate and General Assembly of the State of New Jersey:
More informationDATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT
Advisor Article DATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT By James R. Carroll, David S. Clancy and Christopher G. Clark* Skadden, Arps, Slate, Meagher & Flom Customer data security
More informationPrivacy Law Basics and Best Practices
Privacy Law Basics and Best Practices Information Privacy in a Digital World Stephanie Skaff sskaff@fbm.com What Is Information Privacy? Your name? Your phone number or home address? Your email address?
More informationOklahoma State University Policy and Procedures. Red Flags Rules and Identity Theft Prevention
Oklahoma State University Policy and Procedures Rules and Identity Theft Prevention 3-0540 ADMINISTRATION & FINANCE July 2009 Introduction 1.01 Oklahoma State University developed this Identity Theft Prevention
More informationCONNECTICUT IDENTITY THEFT RANKING BY STATE: Rank 19, 68.8 Complaints Per 100,000 Population, 2409 Complaints (2007) Updated November 28, 2008
CONNECTICUT IDENTITY THEFT RANKING BY STATE: Rank 19, 68.8 Complaints Per 100,000 Population, 2409 Complaints (2007) Updated November 28, 2008 Current Laws: A person commits identity theft when he intentionally
More informationIdentity Theft Prevention Program Derived from the FTC Red Flags Rule requirements
Identity Theft Prevention Program Derived from the FTC Red Flags Rule requirements 1.0 Introduction In 2003, Congress enacted the Fair and Accurate Credit Transactions Act of 2003, 15 U.S.C. Section 1681,
More informationThe potential legal consequences of a personal data breach
The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.
More informationIDENTITY THEFT DETECTION POLICY
IDENTITY THEFT DETECTION POLICY Approved By: President s Cabinet Date of Last Revision: May 5, 2009 Responsible Office/Department: Business and Finance Policy Statement Grand Valley State University (GVSU)
More informationCOLORADO IDENTITY THEFT RANKING BY STATE: Rank 8, 89.0 Complaints Per 100,000 Population, 4328 Complaints (2007) Updated November 28, 2008
COLORADO IDENTITY THEFT RANKING BY STATE: Rank 8, 89.0 Complaints Per 100,000 Population, 4328 Complaints (2007) Updated November 28, 2008 Current Laws: A person commits identity theft if he or she: Knowingly
More informationCSR Breach Reporting Service Frequently Asked Questions
CSR Breach Reporting Service Frequently Asked Questions Quick and Complete Reporting is Critical after Data Loss Why do businesses need this service? If organizations don t have this service, what could
More informationBreach Notification Policy
1. Breach Notification Team. Breach Notification Policy Ferris State University ( Ferris State ), a hybrid entity with health care components, has established a Breach Notification Team, which consists
More information787 Wye Road, Akron, Ohio 44333 P 330-666-6200 F 330-666-7801 www.keystonecorp.com
Introduction Keystone White Paper: Regulations affecting IT This document describes specific sections of current U.S. regulations applicable to IT governance and data protection and maps those requirements
More informationSTANDARD ADMINISTRATIVE PROCEDURE
STANDARD ADMINISTRATIVE PROCEDURE 16.99.99.M0.26 Investigation and Response to Breach of Unsecured Protected Health Information (HITECH) Approved October 27, 2014 Next scheduled review: October 27, 2019
More informationModel Business Associate Agreement
Model Business Associate Agreement Instructions: The Texas Health Services Authority (THSA) has developed a model BAA for use between providers (Covered Entities) and HIEs (Business Associates). The model
More informationHeather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com
Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually
More informationData Security Breaches: Learn more about two new regulations and how to help reduce your risks
Data Security Breaches: Learn more about two new regulations and how to help reduce your risks By Susan Salpeter, Vice President, Zurich Healthcare Risk Management News stories about data security breaches
More informationHealth Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know
Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Note: Information provided to NCRA by Melodi Gates, Associate with Patton Boggs, LLC Privacy and data protection
More informationPrivacy Legislation and Industry Security Standards
Privacy Legislation and Issue No. 3 01010101 01010101 01010101 Information is generated about and collected from individuals at an unprecedented rate in the ordinary course of business. In most cases,
More informationWe will not collect, use or disclose your personal information without your consent, except where required or permitted by law.
HSBC Privacy Notice HSBC's Privacy Principles HSBC Bank Canada is a subsidiary of HSBC Holdings plc which, together with its subsidiaries and affiliates, is one of the world s largest banking and financial
More informationPolicies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification
Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Type of Policy and Procedure Comments Completed Privacy Policy to Maintain and Update Notice of Privacy Practices
More information[FACILITY NAME] IDENTITY THEFT PREVENTION PROGRAM. Effective May 1, 2009
[FACILITY NAME] IDENTITY THEFT PREVENTION PROGRAM Effective May 1, 2009 Because [FACILITY NAME] offers and maintains covered accounts, as defined by 16 C.F.R. Part 681 (the Regulations ), [FACILITY NAME]
More informationCredit Union Code for the Protection of Personal Information
Introduction Canada is part of a global economy based on the creation, processing, and exchange of information. The technology underlying the information economy provides a number of benefits that improve
More informationFACTA Identity Theft Red Flags Program. www.chs.acfei.com
1 FACTA Identity Theft Red Flags Program Module 1 Fair and Accurate Credit Transactions Act Overview Identity thieves use individual s personal identifiable information to open new accounts and misuse
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT This Agreement ( Agreement ) is made and entered into this day of [Month], [Year] by and between [Business Name] ( Covered Entity ), [Type of Entity], whose business address
More informationHealth Partners HIPAA Business Associate Agreement
Health Partners HIPAA Business Associate Agreement This HIPAA Business Associate Agreement ( Agreement ) by and between Health Partners of Philadelphia, Inc., the Covered Entity (herein referred to as
More informationBUSINESS ASSOCIATE ADDENDUM
BUSINESS ASSOCIATE ADDENDUM This BA Agreement, effective as of the effective date of the Terms of Use, adds to and is made part of the Terms of Use by and between Business Associate and Covered Entity.
More informationCROSS-BORDER HANDBOOKS www.practicallaw.com/dataprotectionhandbook 1
Data Protection 2009/10 United States United States Ieuan Jolly, Loeb & Loeb LLP www.practicallaw.com/2-385-9889 REGULATION 1. What national law(s) apply to the collection and use of personal data? If
More informationCREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy
CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy Amended as of February 12, 2010 on the authority of the HIPAA Privacy Officer for Creative Solutions in Healthcare, Inc. TABLE OF CONTENTS ARTICLE
More information2015 -- S 0134 SUBSTITUTE B ======== LC000486/SUB B/2 ======== S T A T E O F R H O D E I S L A N D
0 -- S 01 SUBSTITUTE B LC000/SUB B/ S T A T E O F R H O D E I S L A N D IN GENERAL ASSEMBLY JANUARY SESSION, A.D. 0 A N A C T RELATING TO CRIMINAL OFFENSES - IDENTITY THEFT PROTECTION Introduced By: Senators
More informationNOTICE TO USERS OF CONSUMER REPORTS: OBLIGATIONS OF USERS UNDER THE FCRA I. OBLIGATIONS OF ALL USERS OF CONSUMER REPORTS
All users of consumer reports must comply with all applicable regulations. Information about applicable regulations currently in effect can be found at the Consumer Financial Protection Bureau s website,
More informationCredit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information
Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information INTRODUCTION Privacy legislation establishes legal privacy rights for individuals and sets enforceable
More informationDEPARTMENT OF TAXATION AND FINANCE SECURITY OVER PERSONAL INFORMATION. Report 2007-S-77 OFFICE OF THE NEW YORK STATE COMPTROLLER
Thomas P. DiNapoli COMPTROLLER OFFICE OF THE NEW YORK STATE COMPTROLLER DIVISION OF STATE GOVERNMENT ACCOUNTABILITY Audit Objectives... 2 Audit Results - Summary... 2 Background... 2 Audit Findings...
More informationBy Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN
Major Changes to HIPAA Security and Privacy Rules Enacted in Economic Stimulus Package By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN The HITECH Act is the
More informationDavid Coble Internal Control Officer
WESTERN WASHINGTON UNIVERSITY S RED FLAGS IDENTITY THEFT PREVENTION PROGRAM IMPLEMENTING SECTIONS 114 AND 315 OF THE FAIR AND ACCURATE CREDIT TRANSACTIONS ACT OF 2003 David Coble Internal Control Officer
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (this Agreement ), effective as of May 1, 2014 (the Effective Date ), by and between ( Covered Entity ) and Orchard Software Corporation,
More informationPacific University. Policy Governing. Identity Theft Prevention Program. Red Flag Guidelines. Approved June 10, 2009
Pacific University Policy Governing Identity Theft Prevention Program Red Flag Guidelines Approved June 10, 2009 Program adoption Pacific University developed this identity Theft Prevention Program ( Program
More informationKANSAS STATE UNIVERISTY
KANSAS STATE UNIVERISTY DISCLOSURE AND AUTHORIZATION [IMPORTANT PLEASE READ CAREFULLY BEFORE SIGNING AUTHORIZATION] DISCLOSURE REGARDING BACKGROUND INVESTIGATION PER 59(1/2013) Kansas State University
More informationAVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE
AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE This Notice of Privacy Practices describes the legal obligations of Ave Maria University, Inc. (the plan ) and your legal rights regarding your protected health
More informationGramm Leach Bliley Act. GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev. 7/1/2007
Gramm Leach Bliley Act 15 U.S.C. 6801-6809 6809 GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev. 7/1/2007 1 Objectives for GLBA Training GLBA Overview Safeguards Rule
More informationNC General Statutes - Chapter 75 Article 2A 1
Article 2A. Identity Theft Protection Act. 75-60. Title. This Article shall be known and may be cited as the "Identity Theft Protection Act". (2005-414, s. 1.) 75-61. Definitions. The following definitions
More informationPrivacy of Consumer Financial Information
Background and Overview Introduction Title V, Subtitle A of the Gramm-Leach-Bliley Act ( GLBA ) 1 governs the treatment of nonpublic personal information about consumers by financial institutions. Section
More informationRegulation P Privacy of Consumer Financial Information
Regulation P Privacy of Consumer Financial Information BACKGROUND AND OVERVIEW Title V, Subtitle A of the Gramm-Leach-Bliley Act ( GLBA ) governs the treatment of nonpublic personal information about consumers
More informationRe: Big Data Request for Information
March 31, 2014 Attn: Big Data Study Office of Science and Technology Policy Eisenhower Executive Office Building 1650 Pennsylvania Avenue NW Washington, D.C. 20502 Ladies and Gentlemen: Re: Big Data Request
More informationEverett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law
Everett School Employee Benefit Trust Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law Introduction The Everett School Employee Benefit Trust ( Trust ) adopts this policy
More informationAppendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice
Appendix 4-2: Administrative, Physical, and Technical Safeguards Breach Notification Rule How Use this Assessment The following sample risk assessment provides you with a series of sample questions help
More informationHIPAA Privacy Breach Notification Regulations
Technical Bulletin Issue 8 2009 HIPAA Privacy Breach Notification Regulations On August 24, 2009 Health and Human Services (HHS) issued interim final regulations implementing the HIPAA Privacy Breach Notification
More informationBREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS
BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS The following HIPAA Business Associate Terms and Conditions (referred to hereafter as the HIPAA Agreement ) are part of the Brevium Software License
More informationHIPAA Security Rule Compliance
HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA
More informationIDENTITY THEFT RED FLAGS, ADDRESS DISCREPANCIES, AND CHANGE OF ADDRESS REGULATIONS Examination Procedures
Federal Deposit Insurance Corporation 550 17th Street NW, Washington, D.C. 20429-9990 Financial Institution Letter FIL-105-2008 October 16, 2008 IDENTITY THEFT RED FLAGS, ADDRESS DISCREPANCIES, AND CHANGE
More informationFORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT
FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is made and entered into to be effective as of, 20 (the Effective Date ), by and between ( Covered Entity ) and
More informationState of Illinois Department of Central Management Services ACTION PLAN FOR NOTIFICATION OF A SECURITY BREACH
State of Illinois Department of Central Management Services ACTION PLAN FOR NOTIFICATION Effective August 31, 2007 Publication Name(s): Version #(1): ILLINOIS DEPARTMENT OF CENTRAL MANAGEMENT SERVICES
More information12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule
HIPAA More Important Than You Realize J. Ira Bedenbaugh Consulting Shareholder February 20, 2015 This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record
More informationHIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant
1 HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant Introduction U.S. healthcare laws intended to protect patient information (Protected Health Information or PHI) and the myriad
More informationHIPAA BUSINESS ASSOCIATE AGREEMENT
HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ("BA AGREEMENT") supplements and is made a part of any and all agreements entered into by and between The Regents of the University
More informationRisk Management Examiners
Risk Management Examiners Introduction to Red Flags Examination Procedures Section 615(e) requires the federal banking agencies and the NCUA (the Agencies) as well as the FTC to prescribe regulations and
More informationUpdated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview
Updated HIPAA Regulations What Optometrists Need to Know Now The U.S. Department of Health & Human Services Office for Civil Rights recently released updated regulations regarding the Health Insurance
More informationHIPAA and Mental Health Privacy:
HIPAA and Mental Health Privacy: What Social Workers Need to Know Presenter: Sherri Morgan, JD, MSW Associate Counsel, NASW Legal Defense Fund and Office of Ethics & Professional Review 2010 National Association
More information(1) regulate the storage, retention, transmission, and security measures for credit card, debit card, and other payment-related data;
Legal Updates & News Legal Updates Pending Changes to California s Data Breach Law: New Burdens for Retailers? September 2007 by Christine E. Lyon, William L. Stern Related Practices: Privacy and Data
More informationData Security Breach Notice Letter
View the online version at http://us.practicallaw.com/3-501-7348 Data Security Breach Notice Letter DANA B. ROSENFELD & ALYSA ZELTZER HUTNIK, KELLEY DRYE & WARREN LLP A letter from a company to individuals
More informationFeatured Article Federal Red Flag and Related Identity Theft Prevention Rules: Is Your Organization in Compliance?
Featured Article Federal Red Flag and Related Identity Theft Prevention Rules: Is Your Organization in Compliance? Article contributed by: Nancy L. Perkins, Arnold & Porter LLP As of November 1, 2008,
More informationPage 1 of 15. VISC Third Party Guideline
Page 1 of 15 VISC Third Party Guideline REVISION CONTROL Document Title: Author: File Reference: VISC Third Party Guidelines Andru Luvisi CSU Information Security Managing Third Parties policy Revision
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT 1. DEFINITIONS: 1.1 Undefined Terms: Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms defined by the Health Insurance Portability
More informationMARYLAND IDENTITY THEFT RANKING BY STATE: Rank 10, 85.8 Complaints Per 100,000 Population, 4821 Complaints (2007) Updated January 29, 2009
MARYLAND IDENTITY THEFT RANKING BY STATE: Rank 10, 85.8 Complaints Per 100,000 Population, 4821 Complaints (2007) Updated January 29, 2009 Current Laws: A person may not knowingly, willfully, and with
More informationASCINSURE SPECIALTY RISK PRIVACY/SECURITY PLAN July 15, 2010
ASCINSURE SPECIALTY RISK PRIVACY/SECURITY PLAN July 15, 2010 OBJECTIVE This Security Plan (the Plan ) is intended to create effective administrative, technical and physical safeguards for the protection
More informationMONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP)
MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP) 201 CMR 17.00 Standards for the Protection of Personal Information Of Residents of the Commonwealth of Massachusetts Revised April 28,
More informationData Leakage: What You Need to Know
Data Leakage: What You Need to Know by Faith M. Heikkila, Pivot Group Information Security Consultant Data leakage is a silent type of threat. Your employee as an insider can intentionally or accidentally
More informationYOUR DUTIES UNDER THE FAIR CREDIT REPORTING ACT
YOUR DUTIES UNDER THE FAIR CREDIT REPORTING ACT The Staff of the Consumer Financial Protection Bureau (CFPB) has prepared the following required notices in compliance with the Fair Credit Reporting Act
More informationFrequently Asked Questions: Identity Theft Red Flags and Address Discrepancies
Frequently Asked Questions: Identity Theft Red Flags and Address Discrepancies The staff of the Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), National
More informationOffice of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, 2003. A Guide for Data Controllers
Office of the Data Protection Commissioner of The Bahamas Data Protection (Privacy of Personal Information) Act, 2003 A Guide for Data Controllers 1 Acknowledgement Some of the information contained in
More informationHIPAA Compliance: Are you prepared for the new regulatory changes?
HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed
More informationInformation Security Awareness Training Gramm-Leach-Bliley Act (GLB Act)
Information Security Awareness Training Gramm-Leach-Bliley Act (GLB Act) The GLB Act training packet is part of the Information Security Awareness Training that must be completed by employees. Please visit
More informationFair Credit Reporting Act (FCRA) Basics. A Primer for U.S. Employers from Littler Mendelson, the Nation s Largest Workforce Law Practice
Fair Credit Reporting Act (FCRA) Basics A Primer for U.S. Employers from Littler Mendelson, the Nation s Largest Workforce Law Practice Fair Credit Reporting Act (FCRA) Basics A Primer for U.S. Employers
More informationHealth Information Privacy Refresher Training. March 2013
Health Information Privacy Refresher Training March 2013 1 Disclosure There are no significant or relevant financial relationships to disclose. 2 Topics for Today State health information privacy law Federal
More informationSENATE FILE NO. SF0065. Sponsored by: Senator(s) Johnson and Case A BILL. for. AN ACT relating to consumer protection; providing for
00 STATE OF WYOMING 0LSO-00 SENATE FILE NO. SF00 Identity theft protection. Sponsored by: Senator(s) Johnson and Case A BILL for AN ACT relating to consumer protection; providing for notice to consumers
More informationPACIFIC EXPLORATION & PRODUCTION CORPORATION (the Corporation )
PRIVACY POLICY (Initially adopted by the Board of Directors on November 16, 2007) PACIFIC EXPLORATION & PRODUCTION CORPORATION (the Corporation ) The Corporation is committed to controlling the collection,
More information