Human Resources News & Insights

Feds raise the stakes on protecting employee data


HR holds a lot of personal information about employees, and a federal bill could put a tougher burden on employers to protect that data.

The Personal Data Privacy and Security Act of 2009 is gaining steam and would set new, more precise rules for the management and safekeeping of corporate and government data.

The bill has just cleared a major hurdle, the Senate Judiciary Committee, with an overwhelming bipartisan vote.

The details are likely to change as the bill progresses, but there is no doubt that new, tougher rules on handling data breaches are on the way. Among the provisions likely to be included:

  1. New, stiffer federal penalties for identity theft.
  2. An Office of Federal Identity Protection, established within the Federal Trade Commission (FTC), which will monitor data breaches and enforce identity theft laws.
  3. A new standard for breach notification. Companies will have to notify all individuals whose data has been compromised. In some cases, credit reporting agencies and the U.S. Secret Service will also need to be notified.
  4. New standards for data protection, including encryption and safe data storage, which will allow for some exemptions from the notification requirements, and
  5. Criminal penalties for executives of companies that willfully avoid notification.

While the new rules might be harsh, they would likely replace the patchwork of 45 state breach laws currently on the books, allowing companies to follow a single set of procedures and safeguards nationwide.


HIPAA violations get more expensive

In other news, a recently passed law, the Health Information Technology for Economic and Clinical Health (HITECH) Act, significantly increases the penalties the feds can levy against employers and health care providers for HIPAA violations.

Before the HITECH Act, the Department of Health and Human Services (HHS) could hand out a maximum fine of $100 for a single violation and $25,000 per year for all identical violations of the same provision. Now, the rules spell out a series of tiered minimum fines per violation, scaled to how culpable the organization was, and a $1.5 million annual maximum for all violations of an identical provision.

In addition to the uptick in fines, employers were also handed more responsibility for reporting breaches of health info. After discovering a security breach, companies will have to notify affected individuals, HHS and, when more than 500 residents of a state or jurisdiction are affected, "prominent media outlets." Notice must be provided without unreasonable delay, and no later than 60 days after the breach is discovered.

What constitutes a breach? To trigger the notification requirements, the leak must involve "unsecured" protected health information: data that is lost, stolen or otherwise improperly disclosed and is readable by whoever ends up with it (i.e. the data is not encrypted, or it is encrypted but the decryption key was exposed along with it). Encrypting records in line with HHS guidance, and keeping the keys separate from the data, is what keeps a lost laptop or backup tape from becoming a reportable breach.

The reporting rules take effect on Feb. 22.

  • Bentley McD.

    Office of Federal Identity Protection?? Are you kidding, these guys (U.S. Government) cannot even manage the Do Not Call List! This is as dumb as the military asking for screen doors on submarines. Our "elected officials" forget whom they serve...

  • Jim

    Bravo! There is nothing worse than having all the HR records falling into the wrong hands.
    This can be especially important when companies fold up, the IRS takes over, a landlord takes over the records, etc. There should be a flow-down clause so that whatever entity takes over another's records assumes responsibility for them and will dispose of them properly. Otherwise, landlords could set the paperwork out in front of the building for all to pick over.

  • Sean Smith

    Typical government. They explain exactly what the penalties are and how much they are going to cost but again fail to give any sort of guidance on what they feel are "reasonable" measures for protecting the information itself.

    HIPAA is over 1200 pages of blah blah blah that resulted in nothing but billable hours for lawyers and politicians. The whole act could have been summed up in one line and said the exact same thing. “You must take reasonable precautions to protect patient data and must allow it to be used for treatment of the patient as needed.”

    If you read the 1200-some-page act, that's ALL it says, over and over and over in lots of thick legalspeak. Nothing about what they consider reasonable, just that we must do something.