February 5, 2019
With the EU, through the European Commission, adopting the GDPR (General Data Protection Regulation), questions are arising. Will there be a US equivalent of the GDPR? Does it already affect your business? We are constantly hearing about more breaches at large organizations, from Target to our local hospitals. Hackers are gaining access to personal data, leaving many people feeling exposed and as though their privacy has not been protected. Could a change be on the horizon for data protection policies in the United States?
As it stands, any company that has a website for its business (which is most of us, right?) has some research to do to see what it must do to comply with consumer privacy requirements under the GDPR. The GDPR comes attached with consent policies and some pretty hefty fines for those found not meeting the regulation. This matters for US-based businesses as well, because European residents' data could be in your systems from purchases they have made on your site or inquiries they have made into your business.
Information protected under the GDPR regulations:
- Phone Numbers
- Biometric Data
- E-Mail Addresses
- Cultural, Racial, or Ethnic Origin data
- Sexual Orientation
- Tagged Photos
- Health, genetic, or mental data
Under the GDPR, when data falling into any of these categories is collected, it must be collected with explicit consent. Having a company data protection directive in place could help protect both you and your consumers.
As it stands right now, the US has not taken an all-in-one approach to data protection. Instead, there are different data protection laws, regulations, and policies in place for various types of information. Some of these include:
- HIPAA – The Health Insurance Portability and Accountability Act is in place to protect personal health information or PHI. This applies to any doctor, nurse, hospital, or industry dealing with personal medical information.
- FISMA – The Federal Information Security Management Act, which took effect in 2002, requires federal agencies and organizations to set up an information security program and put it into place.
- GLBA – Also known as the GLB or the Gramm-Leach-Bliley Act, which was adopted in 1999, requiring financial institutions to protect consumer information.
- NIST 800-171 – This applies to technology companies and other non-federal organizations, requiring them to protect unclassified information.
State authorities in our northernmost state, Alaska, just updated their initial breach notification from an estimate of only 501 individuals whose health department data was exposed to 700,000!
This brings up two timely questions:
- How could this have happened to our most sacred HIPAA data?
- How could they call themselves authorities?
Per a statement released by CynergisTek, “Alaska DHSS has a history of playing fast and loose with their obligations under the HIPAA Breach Notification Rule to accurately report incidents involving breaches.” This observation is duly supported by the DHSS's less-than-stellar history. For example, in 2009 the Alaska DHSS reported the theft of an unencrypted USB drive potentially containing Medicaid beneficiaries’ health information, and in 2012 the DHSS was fined $1.7 million for its part in that HIPAA breach.
If these numbers of breached records hold, this would be the fourth-largest health data breach reported to federal regulators in 2018. The breach included information on pregnancy status, incarceration status, Medicaid/Medicare billing codes, criminal justice records, health billing, Social Security numbers, driver’s license numbers, first and last names, birthdates, phone numbers, and other confidential data, the June statement said. “Hackers may have used the infected computer to steal data,” according to the statement. Upon discovering the hack, the department took immediate action to mitigate further access to the infected computer, the statement added.
It only seems natural, particularly given our nation’s history, that it typically takes a crisis for our federal government to take action. If this, together with the EU’s current activity collecting GDPR fines, does not spur one of our branches of federal government to act, one must wonder what will.
A logical action for all departments of the government as well as private companies would be to proactively implement a robust application such as the one provided by Spirion to rapidly discover, accurately classify, and automatically protect all of their sensitive data both on-premise and in the cloud.
Though the US does not have a version of the GDPR in place, putting policies in place for GDPR readiness may not be a bad idea. As a business, you are considered a data controller, and being in control of your consumers’ data is a large responsibility.
Many companies that must be GDPR compliant are hiring data protection officers to help meet compliance. Having someone on your team to monitor data transfers, general data, sensitive data, and data privacy overall can help you comply with privacy and protection laws.
Visit GDPR Compliance to learn more.