HR holds a lot of personal information about employees. And a federal bill could put a tougher burden on employers to protect that data.
The Personal Data Privacy and Security Act of 2009 is gaining steam and is going to set new, more precise rules for the management and safekeeping of corporate and government data.
The new act has just cleared a major hurdle, the Senate Judiciary Committee, with an overwhelming bipartisan vote.
The details are likely to change as the bill progresses, but there is no doubt that new, tougher rules on handling data breaches are on the way. Among the provisions likely to be included:
- New stiffer federal penalties for identity theft.
- An Office of Federal Identity Protection will be established as part of the Federal Trade Commission (FTC), which will monitor data breaches and enforce identity theft laws.
- A new standard for breach notification. Companies will have to notify all individuals whose data has been compromised. In some cases, credit rating agencies and the U.S. Secret Service will also need to be notified.
- New standards for data protection, including encryption and safe data storage, will allow for some exemptions from the notification requirements, and
- Executives of companies that willfully avoid notification may be subject to criminal penalties.
While the new rules might be harsh, they will likely replace the patchwork of 45 state regulations currently on the books, allowing companies to follow a single set of procedures and safeguards nationwide.
HIPAA violations get more expensive
In other news, a recently passed law, the Health Information Technology for Clinical and Economic Health (HITECH) Act, significantly increases the penalties the feds can levy against employers and health care providers for HIPAA violations.
Before the HITECH Act, the Department of Health and Human Services (HHS) could hand out a maximum fine of $100 for a single violation and $25,000 for all identical violations of the same provision. Now, the rules spell out a series of tiered minimum fines for individual claims, and a $1.5 million maximum when a group of employees is affected.
In addition to the uptick in fines, employers were also handed more responsibility in reporting breaches of health info. After discovering a security breach, companies will have to notify affected individuals, the HHS and, in some cases, “prominent media outlets.” Notice must be provided as soon as possible, no more than 60 days after the discovery.
What constitutes a breach? To trigger the notification requirements, the information leak must involve “personal health information” that’s lost or stolen and readable by whoever ends up with it (i.e., the data’s not encrypted).
The reporting rules go into effect on Feb. 22.