(PHI). received by a covered entity and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; and that identifies, or can identify, that individual. A breach may result when there is an impermissible use or disclosure of PHI that compromises its security or privacy. Following a breach, covered entities must notify affected individuals, the Department of Health and Human Services (HHS), and, in certain circumstances, the media. Notice to affected individuals must be given within 60 days of discovery of the breach; notice to HHS must be given within a time frame that depends on the size of the breach.

organizations to report cyber incidents that could have a "material adverse effect on the business" and "when necessary in order to make other disclosures . . . not misleading," but did not define how organizations should analyze. Note that this obligation is not aimed at protecting individuals against identity theft but at disclosing "timely, comprehensive and accurate information about risks and events that a reasonable investor would consider important to an investment decision."

company for violating this guidance (but has brought enforcement actions relating to cybersecurity against broker-dealers), the recently disclosed Yahoo data breach may present its first test opportunity.

documents to determine whether the company could have, and should have, reported the hacking attack sooner than it did.

This regulatory focus on cyber disclosures is present in Federal Trade Commission (FTC) enforcement efforts as well. While not specifically focused on data breach notification (mainly because there is no general federal data breach notification law), the FTC has brought enforcement actions against companies whose disclosures or omissions mislead consumers and thereby violate Section 5 of the FTC Act.
For example, in the recent Ashley Madison settlement, the company was required to pay $1.6 million after deceiving consumers by assuring them that their personal information was private and securely protected while, in reality, relying on "lax" security practices, including not having an adequate information security policy or incident response plan.

on the risk of identity theft (although one of its stated goals is to protect NYS residents) or investor decisions, but on proper disclosure to the NYS regulator. The regulation applies to any banks, insurance companies or other financial services institutions more employees, or $5 million or more in revenue, or $10 million or more in assets. As with HIPAA, vendors to covered organizations will be affected through required contractual provisions. Organizations must protect all nonpublic information, which is defined as all electronic information that is not publicly available and is: (i) business information whose tampering, unauthorized disclosure, access or use would cause a "material adverse impact"; (ii) any personal identifier in combination with a Social Security number, driver's license number or non-driver identification card number, account number, credit card or debit card number, any security code, access code, or password that would permit access to an individual's financial account, or biometric records; or (iii) any information, except age or gender, in any medium created by or derived from a health care provider or an individual that relates to the past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual's family, the provision of health care to any individual, or payment for the provision of health care to any individual. Note that an incident response plan is explicitly required.
Each organization must notify the NYSDFS when "any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an information system or information stored on an information system" has