one voice one vision one firm - PowerPoint PPT Presentation

Loading...

PPT – one voice one vision one firm PowerPoint presentation | free to view - id: 1ea017-ZDc1Z



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

one voice one vision one firm

Description:

Computer Fraud and Abuse Act ('CFAA') Electronic Communications Privacy Act ('ECPA') Children's Online Privacy Protection Act ('COPPA') D E W E Y B A L L A N T I N ... – PowerPoint PPT presentation

Number of Views:22
Avg rating:3.0/5.0
Slides: 19
Provided by: denniswill
Category:
Tags: act | firm | one | privacy | vision | voice

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: one voice one vision one firm


1
D E W E Y B A L L A N T I N E L L P
one voice one vision one firm
2
Issues in Privacy and Outsourcing
  • Jennifer Danner Riccardi
  • Dewey Ballantine LLP
  • 202/862-3695
  • jriccardi_at_dbllp.com
  • June 21, 2004

3
Liability Under Privacy Rules and Regulations Is
a Current Issue
  • Medical Records in Pakistan
  • Personal Financial Data in the Ukraine
  • NASSCOM Seeks to Be Proactive

4
Privacy Issues Are Multi-layered and Complex
  • U.S. Federal statutes and regulations
  • U.S. state statutes and regulations
  • Non-U.S. statutes and regulations (EU, Canada,
    Australia)

5
Selected Federal Statutes and Regulations
  • Health information
  • Health Insurance Portability and Accountability
    Act (HIPAA) and Implementing Regulations
  • Financial information
  • Gramm-Leach-Bliley Act (GLBA)
  • Electronically transmitted or stored information
  • Computer Fraud and Abuse Act (CFAA)
  • Electronic Communications Privacy Act (ECPA)
  • Childrens Online Privacy Protection Act
    (COPPA)

6
HIPAA What's Covered
  • Applies to covered entities that transmit
    information in an electronic form in connection
    with a covered HIPAA transaction
  • Protects from disclosure protected health
    information (PHI)
  • Requires mechanisms to insure both privacy and
    security of PHI
  • Disclosure generally requires consent or
    authorization
  • Duty to mitigate any harmful effects caused by
    unauthorized disclosure
  • Duty to maintain data safeguards

7
HIPAA Business Associate Contracts
  • Covered entities may disclose PHI without consent
    to a business associate pursuant to a written
    agreement
  • Business associate receives PHI in order to
    perform, for the covered entity, legal,
    management, administrative or related services
  • A written agreement must obligate the business
    associate to abide by the same restrictions to
    which the covered entity is subject and to the
    covered entitys privacy practice

8
HIPAA Privacy Rule BA Contracts
  • Required since April 2004
  • Express agreement BA will use appropriate
    safeguards to prevent use or disclosure of PHI
  • Expressly require BAs subcontractors and agents
    to be bound by the same standards
  • Specify standards of training for BAs employees
    and agents
  • Require immediate notification if rules and
    standards are breached
  • Stipulate violation permits termination
  • End of contract issues return or destruction of
    PHI

9
HIPAA Security Rule BA Contracts
  • Required from April 2005
  • Express agreement BA will implement
    administrative, physical, and technical
    safeguards to protect electronic PHI
  • Expressly require BAs subcontractors and agents
    to be bound by the same standards
  • Require immediate notification if rules and
    standards are breached
  • Require implementation policies to be provided to
    HHS
  • Authorize termination of contract for breach of a
    material term

10
HIPAA Penalties for Violation
  • Civil penalties HHS may impose penalties of up
    to 100 per failure to comply with a Privacy Rule
    requirement
  • Criminal penalties Fines of between 50,000 to
    250,000 and imprisonment between one year and
    ten years
  • knowledge
  • false pretenses
  • for profit or malicious harm.
  • Civil liability No direct civil liability to
    parties harmed by disclosure, but potential
    liability under other causes of action based on
    violation of HIPAA

11
GLBA What's Covered
  • Applies to any enterprise that is engaged in
    activities that are financial in nature
  • Requires notice to customers of privacy policy
    and the opportunity to opt-out of having
    information shared with non-affiliates
  • Limits the uses/right to disclose nonpublic
    personal information
  • The Safeguard Rule

12
GLBA Safeguard Rule
  • Plans must focus on three specific areas
  • 1. employee management and training
  • information systems and
  • managing system failures.

13
GLBA Safeguard Rule
  • Financial institutions must develop a written
    information security plan, which must include
  • Designation of at least one employee to
    coordinate the safeguards
  • Identify and assess the risks to customer
    information, and evaluate the effectiveness of
    the current safeguards for controlling these
    risks
  • Design and implement a safeguards program, and
    regularly monitor and test it
  • Select appropriate service providers and contract
    with them to implement safeguards and
  • Evaluate and adjust the program in light of
    relevant circumstances, including changes in the
    firm's business arrangements or operations, or
    the results of testing and monitoring of
    safeguards.

14
European Union (EU) Data Protection Directive
  • Mandates certain minimum standards for the
    collection, disclosure, and transmission of
    personal data
  • Restricts the flow of personal data within the
    EU, as well as from member states to countries
    outside the EU that the European Commission
    determines do not provide adequate protections
  • In May 2000, the U.S. and EU developed safe
    harbor principles

15
EU Directive Safe Harbor
  • U.S. Companies are deemed in compliance with the
    directive if they annually certify to the U.S.
    Department of Commerce and publicly state that
    they adhere to the safe harbor principles
  • Notice
  • Choice
  • Onward Transfer
  • Security
  • Data Integrity
  • Access
  • Enforcement

16
State Law Regulation
  • Possible basis of liability
  • Numerous states have or are contemplating privacy
    statutes/regulations
  • Preemption issues

17
Best Practices
  • Outsourcing does not absolve the personal
    information generator from liability
  • Integrate privacy concerns into your vendor
    selection process
  • Memorialize privacy policies and procedures into
    contracts
  • Retain ability to terminate contract for material
    breach of privacy policies
  • Mandatory disclosure of breaches of security
    policy
  • Audit for compliance
  • Due diligence in vendor selection
  • Insurance and bonding issues

18
For Further Information
  • Jennifer Danner Riccardi
  • Dewey Ballantine LLP
  • 1775 Pennsylvania Avenue, N.W.
  • Washington, DC 20006
  • 202/862-3695
  • jriccardi_at_dbllp.com
  • www.deweyballantine.com
About PowerShow.com