Last month, Massachusetts Attorney General Martha Coakley reached across the border into Rhode Island to obtain a $150,000 settlement for violations of Massachusetts and federal data security laws.
The consent agreement with Women & Infants Hospital of Rhode Island illustrates a point often missed in the focus on federal enforcement of privacy and data security laws: State law and state agencies play a substantial role in this area. In fact, for employers, state law often imposes the more significant data security obligations.
There are four ways in which the WIH settlement illustrates the reach of state data security laws and of state enforcement authority over employers.
1. Covered employers risk HIPAA enforcement by state attorneys general
The WIH case may seem like a classic example of the risks and regulations unique to the health industry, but a similar security incident could involve employee data.
The allegations in the WIH case stemmed from a data breach in which WIH lost 19 unencrypted back-up tapes containing the names, Social Security numbers and ultrasound images of more than 12,000 Massachusetts residents.
Like the hospital, many employers collect individually identifiable health information. Also like the hospital, many of these are deemed “covered entities” under the Health Insurance Portability and Accountability Act, or HIPAA. Any employer that provides a self-insured employer-sponsored health plan, for example, is subject to essentially the same privacy and security rules regarding health information as a hospital.
Like WIH and other covered entities, employers face the risk of HIPAA enforcement not only from the Department of Health and Human Services, or HHS, but also from state AGs.
Before 2009, only HHS could enforce HIPAA. But the HITECH Act granted AGs the authority to bring civil actions on behalf of state residents for violations of HIPAA.
That expansion of enforcement authority increases risk for employers. As the WIH settlement demonstrates, AGs do use their enforcement power. Moreover, a state AG may take more interest than HHS in enforcing HIPAA against a high-profile local employer; HHS focuses on the health industry and, to a lesser extent, on group health plans.
2. Massachusetts regulations effectively heighten data security standards nationwide
Massachusetts set a new standard in data security laws when it issued 201 C.M.R. 17, its data security regulation, in 2009. The centerpiece of the Massachusetts regulations is the requirement that every company handling the personal information of Massachusetts residents maintain a comprehensive written information security program, or WISP.
The WISP requirement applies not only to businesses that maintain the personal information of customers, but also to all employers who employ Massachusetts residents because all such employers store the Social Security numbers of Massachusetts residents.
The regulations are highly prescriptive, covering points as detailed as password management. Key provisions require companies to: 1) include information security provisions in contracts with service providers; 2) maintain security incident response procedures; 3) conduct annual reviews of their security program; 4) train employees on data security; and 5) encrypt personal information stored on laptops and other portable devices and transmitted over public networks.
The deadline to comply with the WISP requirement passed on March 1, 2010, but many companies that handle the personal information of Massachusetts residents have yet to comply. The risks in failing to comply are real. With the addition of the WIH settlement, Coakley has now obtained six settlements based on violation of the state’s data security law. These agreements have averaged $200,000, including one payout of $775,000.
The Massachusetts law has had a significant impact on data security across the country. Many national companies have a footprint in Massachusetts, a state that ranks among the top 15 in terms of the size of its population and economy.
For most organizations, treating Massachusetts data differently than data from elsewhere is simply impracticable. Consequently, a large number of national companies have upgraded their information security safeguards enterprise-wide to meet the Massachusetts standards.
The settlement with WIH illustrates the out-of-state impact of the Massachusetts law. WIH is a Rhode Island hospital. Nevertheless, WIH had to comply with the Massachusetts law because it possessed the personal information of Massachusetts residents.
3. Many states impose broad data security obligations on employers
Massachusetts has the most demanding data security law, but broad state data security laws are hardly unique to Massachusetts.
Unlike federal data security laws, which typically regulate specific industries such as the health and financial industries, state data security laws apply across all industries. In this regard, state data security laws resemble the broad privacy directives in Europe and other countries.
Almost every U.S. state has data security laws that apply to all organizations engaged in handling personal information. “Personal information” is generally defined as an individual’s name in combination with his or her Social Security number, driver’s license or financial account numbers. Some states sweep individually identifiable health information under the definition too. Few employers do not maintain some of this information about employees.
The extent of the obligation varies by state. As of this year, when Kentucky enacted its statute, 47 states have laws requiring notification of affected individuals when their personal information is breached.
Two-thirds of states impose restrictions on the handling of Social Security numbers; more than half require companies to take reasonable steps to destroy personal information when disposing of records.
On the more prescriptive end of the spectrum, at least 14 states — Arkansas, California, Connecticut, Florida, Illinois, Indiana, Maryland, Massachusetts, Michigan, Nevada, Oregon, Rhode Island, Texas and Utah — require companies to implement reasonable safeguards to protect some form of personal information.
Thus, employers in many states could be liable not only for failing to report a breach, but also for the lack of safeguards that led to the breach.
Indeed, a company could theoretically face liability for failure to apply reasonable security measures even without a breach.
Reflecting the variation in data security laws among states generally, the states that require reasonable safeguards differ in the burdens they impose. Massachusetts has the strictest law, but Massachusetts is not alone in requiring a WISP. Oregon also requires such written policies, though in less prescriptive terms.
The other states do not require written policies and some laws are narrower in scope. For example, in Rhode Island, the law requires safeguards only for electronic, unencrypted personal information.
Realistically, state agencies are unlikely to crack down on companies solely for failing to maintain a WISP, or even for lacking the required safeguards. But a company that maintains neither and experiences a data breach is vulnerable to an enforcement action.
That is what occurred in the case of the Rhode Island hospital. After WIH reported the breach, Coakley commenced an investigation. The investigation led to a complaint alleging that WIH had failed to implement key safeguards in violation of HIPAA and the Massachusetts data security regulations, and to the $150,000 settlement.
Even in states that do not require some form of information security safeguards, employers should consider maintaining written policies. One need only read the news to see that data breaches are frequent and can be embarrassing and costly. A written policy may help a company systematize security policies and avoid a breach of personal information in the first place.
4. State data security laws cover most Americans
More than one-third of Americans live in states that require companies to implement personal information safeguards. When you add the states that require safe disposal of this information and impose restrictions on handling Social Security numbers, the overwhelming majority of U.S. citizens live in a jurisdiction that requires some form of protection for personal information.
Counting these states alone understates the true reach of state regulation in this area. Given today's highly mobile workforce, employers cannot simply look to the states where they have offices to determine their data security obligations. As more people work remotely or on a contingent basis, even small employers may employ workers residing in states across the country. As the WIH case illustrates, authorities in those states may not hesitate to reach across state lines to protect their residents.
Takeaways for employers
Employers that collect the Social Security numbers, driver’s license numbers, financial account numbers, or health information of employees should consider taking the following steps:
• Implement a security policy that provides administrative, technical and physical safeguards for personal information.
• If a comprehensive security policy is not yet in place, address at least the following high-risk items:
o Encrypt laptops, portable devices and backup media (the WIH breach involved unencrypted backup tapes);
o Conduct security awareness training for employees;
o Shred paper documents before disposal; and
o Securely wipe the storage of any electronic device, including computers, flash drives and photocopiers (many of which contain hard drives), before disposal.
• Draft a written information security policy, especially if personal information from residents of Massachusetts or Oregon is collected.
• Consult with counsel upon the occurrence of a security incident.
Zoe M. Argento, an associate at Littler Mendelson in Denver, represents and counsels clients on all aspects of workplace privacy and information security.