Compliance and Privacy Laws
Storing data in the cloud brings cyber risk with it. New compliance and privacy laws have been enacted to protect this cloud-based private information. The State of Illinois has passed a privacy law that specifically addresses how companies gather and store private data.
The Illinois Policy Group, an independent organization that generates public policy, explained that in 2008, Illinois enacted BIPA, the most stringent law of any state regarding the consent, notice and disclosure procedures private entities must follow when collecting, storing or using people’s biometric information, such as fingerprints, iris scans and face prints. This law forces companies into compliance and makes them more responsible for the collection and storage of private data, ultimately decreasing exposure to cyber risk.
Data experts Lee Neubecker and John Blair say that because of BIPA, companies are now more aware of how they secure and store data. They discuss other data compliance and privacy laws such as the California Consumer Privacy Act (CCPA) and the Health Insurance Portability and Accountability Act (HIPAA), and how these laws help regulate the healthcare industry and other organizations when storing consumer and vendor data in the cloud, ultimately protecting the consumer. Watch this video interview to learn more.
View Part 2 of our 3-Part Series on Cloud Data
Lee Neubecker: Hi, I am back again with John Blair. We’re continuing our discussion on cloud security and helping to minimize your cyber risk of having data in the cloud. And today, we’re going to be talking more about some of the compliance and regulatory issues and legal issues that companies face that are having their data and customer data, vendor data in the cloud. So, John, can you tell me a little bit about some of the regulations that impact the healthcare sector specifically?
John Blair: Yeah, the primary one is going to be HIPAA and associated or subsequent acts like HITECH and things like that that augment HIPAA, and some of them more clearly define some of the rules and regulations, primarily the Security Rule and Privacy Rule. So those are going to be the ones that primarily come into play, but there are also individual state versions of healthcare acts that you need to abide by, and each state has one, so you also need to abide by the state regulations as well.
LN: Interesting. So it really, if a company’s operating in multiple states, they have a lot of issues to be looking at.
JB: They have a lot of regulations to be aware of and to be compliant with, yep.
LN: So I know here in Illinois, we have the Illinois Biometric Information Protection Act, otherwise known as BIPA, and that’s been creating a lot of stir; Facebook recently had a settlement.
LN: And apparently Illinois residents that have Facebook accounts might be entitled to around $200 per person.
LN: If you are in Illinois and have Facebook, so possibly you will be notified.
JB: Yeah, Illinois is the only one.
LN: And do you think it will be through Facebook Messenger?
JB: I do not but Illinois because of that law, Illinois residents are the only ones that are getting anything out of that lawsuit because of that, specifically because of that law.
LN: Got it.
JB: So I don’t know the details of the law but on the surface, it seems to be headed the right direction.
LN: Right, essentially they took the position that your biometric information, unlike your cell phone or your social security number, you can’t change it.
LN: So if that data becomes compromised such as your facial vector map,
LN: Or your fingerprint or your DNA, that you can’t swap it, it’s part of who you are.
JB: Right and those, you know, we’re finally headed in the right direction where it’s being considered personal.
JB: So which I totally agree with.
LN: We also had just last month the California Consumer Privacy Act, known as CCPA went into effect and that’s got a huge impact on anyone who does business with California residents.
JB: Yeah, that is yet to, I think people were preparing for that prior to that but it’s going forward, I’m sure there’s going to be a lot of repercussions from that because there’s going to be obviously companies and entities that don’t prepare well for that and are going to get caught up in it because it covers, California is a huge state, a lot of people so there’s going to be some lawsuits.
LN: So it’s also been such that if you’re making medical devices for consumers and you have that information relaying over 3G, 4G networks, we’ve got CPAP machines, pacemakers, all other types of information.
LN: All kinds of monitors.
LN: And that information going to the cloud, if you’re a California resident and that information gets breached, it could be used by marketers or it could be used in other ways to target people.
JB: Yeah, hospitals are going to need to really step up their game with respect to that particular regulation. Hospitals traditionally are a little bit behind technically speaking from an IT point of view; they’re very much on the bleeding edge from a medical device IT point of view, but they tend to lag behind because you can’t, it’s hard to afford both.
JB: But this is going to, you know, how they allow individuals or access to their networks, what they allow in and what they allow out because that’s the channel these medical devices use is going to be very, very important that they get more control over those things.
LN: So as it relates to healthcare, what are some of the concerns about when a data incident is discovered to actually turn out to be a data breach, what types of reporting and notification requirements are unique to the healthcare sector?
JB: Well, first and foremost, you need to evaluate the situation and then, in conjunction with your legal team and compliance teams, establish whether or not you do officially declare it a breach, which means you need to investigate it, you need to involve any vendors that were involved with that data because it may have been the vendor that you’ve contracted with that actually had the breach of the disclosure and not you, but since they’re your vendor, you’re also on the hook, and that flows all the way up from business associates, which is what those two entities will be, up to the covered entity who actually owns the data. So after a thorough investigation and consultation with legal and compliance, a determination needs to be made whether or not you’ve formally declared a breach. And if so, then there’s all kinds of HIPAA standards that come into play about notification to the government, notification to each individual affected by the breach, what needs to take place with respect to that notification; there’s a timeline involved that needs to be met. So, declaring it a breach is a very formal and arduous task.
LN: Yeah, not a pleasant one.
LN: In our next segment on securing data in the cloud, we’re going to be talking more about when a breach is discovered, some of the issues related to reporting the breach and what that can mean to an entity, especially if it’s not handled correctly. So thanks for being on the show again.
JB: Thanks, Lee.