October 20, 2009
Federal and State Privacy Laws – Compliance Deadlines Fast Approaching
The number and complexity of federal and state privacy laws continue to increase. These laws affect a broad range of public and private companies, including U.S. companies as well as foreign companies that conduct business in the United States.
Any company that possesses personal information relating to U.S. employees, customers, shareholders or others likely is subject to privacy laws. For purposes of the privacy laws, personal information typically includes names together with information like social security numbers, financial account information or driver’s license numbers. Protected health information is covered by the federal Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act.
A number of new privacy law compliance deadlines are fast approaching. Failure to comply with privacy laws could trigger U.S. regulator and State Attorney General action as well as monetary penalties. In some cases, there also could be private lawsuits.
Below is a brief summary of upcoming privacy law compliance deadlines.
November 1, 2009 – Federal Trade Commission Written Identity Theft Prevention Program
A company that regularly extends, renews or continues credit, including accepting deferred payments for goods and services, may need to comply with the Federal Trade Commission’s “Red Flags” Rule. Examples of these companies include utility companies, telecommunications companies, finance companies, mortgage brokers, real estate agents, health care providers, lawyers, accountants, other professionals, automobile dealers, retailers that offer financing or collect or process credit applications for third party lenders, and third party debt collectors that regularly renegotiate the terms of a debt. This Rule requires that a written identity theft prevention program be in place.
January 1, 2010 – Nevada Requirements for Encryption
A company (except for a telecommunications provider) doing business in Nevada that deals with personal information must comply with specific encryption requirements if it does not accept a payment card (a credit card or similar card) in connection with a sale of goods or services. This law also requires that a company that does accept payment cards in connection with a sale of goods or services comply with the current version of the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is an industry security standard developed by the PCI Security Standards Council (including American Express, Discover, JCB, MasterCard and Visa) for the protection of customer account data.
February 17, 2010 – Federal HITECH Act Requirements
Under the federal HITECH Act, health plans, health care providers and health care clearinghouses (i.e., covered entities), among other things, must review and update their business associate agreements, as well as their privacy and security policies and procedures, regarding (i) marketing, (ii) sale of protected health information, (iii) minimum necessary standards, (iv) accounting of disclosures and (v) restrictions on disclosure of services paid out-of-pocket. Business associates (those who perform functions on behalf of, or provide services to, covered entities that involve the use of protected health information) will be directly regulated under the HIPAA privacy and security rules, and must comply for the first time with those rules, including, among other things, a requirement to perform security risk assessments and develop security policies and procedures to address HIPAA security standards.
March 1, 2010 (Subject to a Revised Version of This Regulation) – Massachusetts Comprehensive Written Information Security Program
A company that owns or licenses personal information regarding Massachusetts residents must have a comprehensive written information security program with encryption requirements in place. In addition, third-party service providers – by contract – must implement and maintain appropriate security measures for personal information. A company that complies with HIPAA requirements or the Gramm-Leach-Bliley Act also must comply with this regulation. On September 22, 2009, a public hearing on this regulation was held. The Massachusetts Office of Consumer Affairs and Business Regulation expects to issue a revised version of this regulation in the coming weeks.
We Can Help
The upcoming compliance deadlines only hint at the many applicable privacy laws that present traps for the unwary. Implementing policies and procedures is not only advisable, but oftentimes required under applicable privacy laws. From data breach notification procedures to record retention policies to social media policies, we can help you navigate the ever-changing landscape of privacy laws. For additional information and updates, please contact Melissa Krasnow at krasnow.melissa@dorsey.com.
Disclaimer
©2010 Dorsey & Whitney LLP. This article is intended for general information purposes only and should not be construed as legal advice or legal opinions on any specific facts or circumstances. An attorney-client relationship is not created or continued by reading this article. Members of the Dorsey & Whitney LLP group issuing this communication will be pleased to provide further information regarding the matters discussed therein.