Julia Huddleston, CIPP, CIPM
A brief recap: The California Consumer Privacy Act (CCPA) aims to give California consumers greater control over their personal information by imposing certain obligations on entities covered by the law. The CCPA takes effect January 1, 2020. And as we said in an earlier blog article, you don’t have to be a California-based business to be affected.
The CCPA was amended in September 2018 to include an exemption for protected health information (“PHI”) collected by a covered entity or business associate subject to HIPAA (aka the “HIPAA exemption”). At the same time, the Act was amended to also exempt “Medical Information” already covered by the state’s Confidentiality of Medical Information Act (CMIA). Medical information as defined in the CMIA is identifiable information about a patient’s medical history or condition that is held by a healthcare provider, healthcare service plan, pharmaceutical company, or contractor. This is not your garden variety “contractor” that’s also a business associate under HIPAA. It’s a much narrower definition, and essentially equals a health-related organization that is not a service plan or provider.
Before you celebrate being “HIPAA exempt…”
Where’s the problem? Well – the CCPA regulates the types of personal information that are to be protected, and not the types of businesses to be regulated. The CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”. Examples of personal information provided in the text of the law include:
- Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
- Geolocation data.
- Audio, electronic, visual, thermal, olfactory, or similar information.
On the other hand, to the extent that PHI is actually defined in HIPAA, it’s defined as “individually identifiable health information” that’s maintained or transmitted electronically or in any other form or medium. Individually identifiable health information (IIHI) is information that a covered entity creates or receives. IIHI relates to the past, present, or future physical or mental health or condition of an individual; treatment of the individual; or the past, present, or future payment for health care to an individual. IIHI also can be used to identify the individual.
Still wondering “what’s the issue?” Let’s say that you’re a large health system that collects information from people who access your web sites in order to gauge what those visitors use your website(s) to do. Let’s say that you’re a business associate that provides services to a health plan – and its members – through a mobile app. In both of those cases, you’re collecting personal information as the CCPA defines it. And in both cases, you may be hard pressed to make the argument that the information you are collecting is PHI.
What can you do? What should you do?
- Pay attention to California’s General Assembly and Attorney General. The California General Assembly is considering a number of bills that make clarifying changes to CCPA text. To date, none of them address the issue identified above. The California Office of the Attorney General is engaged in a rule-making process, with an initial notice of proposed rule-making anticipated in Fall 2019.
- Start developing an inventory of personal information that you collect that isn’t protected health information.
Check in here for the next CCPA-related post, a more in-depth discussion of personal data and other unexpected challenges the regulation brings.
Talk to Julia Huddleston, CIPP, CIPM about your data privacy concerns, including regulations like the CCPA. You can reach Julia at 503-384-2538.
The first thing to realize about California Consumer Privacy Act (CCPA) compliance is that you don’t have to be a California-based business to be affected. As of 2018, California was the world’s 5th largest economy. You’re better off asking yourself what the chances are that you’re not subject to the CCPA. US-based or global, you have to consider the factors involved, all of which are more likely to make you subject to, rather than exempt from, the CCPA.
If you answer yes to any of these 3 questions, you’re probably subject to the CCPA – and its requirements for personal information protection.
- Does your business’s worldwide annual gross revenues meet or exceed $25 million?
- Do you annually touch the personal information of 50,000 or more California residents? Their households? Or their devices?
- Does half or more of your annual revenue come from selling the personal information of California residents?
Before you gleefully answer “No” to all three, here’s the catch. You need to understand the definitions applied to the qualifiers in the questions.
Start with the definition of personal information – guaranteed to blow your mind. If we include the full definition here, you’ll throw your hands up in disgust and not read any further. Essentially, it’s “any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household or device.” That’s extremely broad.
Let’s move on to “touching” personal information. An Internet Protocol (IP) address can be considered personally identifiable information – yes, you read that correctly. That means a visit to your company website where IP information is automatically collected (think about your handy dandy Google Analytics always running in the background) counts. You’ve just touched personally identifiable information.
To get even more granular: Do you know which of your website visitors are considered California residents?
I know 50,000 annually sounds like a lot of website visitors. Especially if you don’t consider yourself to be enterprise-level. But it breaks down to only 137 visitors from California per day. Now wrap in the personal information definition. It includes households and devices. It’s pretty hard to have a website as a company of any size and not have that number of touches per year.
Then there’s “selling” the personal information. Many wouldn’t consider the everyday interactions with client and consumer data as selling. However, the definition of “selling” in the CCPA stretches all understanding. It can mean “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
How does a business comply with the CCPA? The very thought of what it will take overwhelms. As both a certified information privacy manager and professional who regularly attends regulatory seminars, I can tell you that every CCPA-related event is thick with corporate legal counsel – a fair number from those great big companies that we all know. We’re all impatient to understand how compliance can happen. Stay tuned as I share more insights and commentary on the CCPA in the weeks to come. Topics include: the “HIPAA Exemption”, the various interpretations of “selling” personal information, the “opt out” option, and more.
Julia Huddleston is a Certified Privacy Manager and a Certified Privacy Professional through the IAPP (International Association of Privacy Professionals). She’s deeply involved in privacy compliance activities with clients and how policies and procedures are implemented to protect data privacy. You can reach her at Apgar & Associates: 503-384-2538.
Resource(s): IAPP CCPA Comprehensive Seminar 2019.
Are you tracking the moving target of your third party vendors’ privacy and security practices? You may want to get on that. If you’re one of the many organizations about to tackle the SOC 2 assessment process, familiarize yourself with the AICPA’s 2017 Trust Service Criteria document (formerly Trust Service Principles). You’ll quickly notice the underlying theme is organizational risk management where vendor risk management figures prominently.
The updated criteria delve into the many joys of maintaining and assuring “commitment” and “competency.” Under the evolving TSPs (yes, still called TSPs), “system and organization controls” expand to include cybersecurity risks, such as those that come with third party vendors.
In fact, nearly every mention of risk profile components includes vendors. Their reliability, the need to assess external threats, the ongoing relationship. So how do you begin to manage the risk they bring to your organization?
Vet them at the outset as part of due diligence prior to contract. Well, of course, you say. Wait for it: vet again, and again, at timely intervals.
All too often, we see the opposite. When going through a proposal process, organizations may be all over the potential vendor partner with a microscope. Once the contract is complete, crickets. As long as the service is fairly smooth, vendor privacy and security audits are rare, if they happen at all.
However, an organization that’s considering any certification (HITRUST, ISO) or a successful SOC report won’t have that option. And increasingly, to be competitive, you need to make the extra effort to demonstrate your data privacy and information security competency. So what’s the plan?
Tips for Third Party Vendor Risk Management
- Vet vendors early and often. Because it bears repeating, make due diligence a repetitive activity. Regular re-assessment of your vendor’s privacy and security practices could be the action that saves your organization from an embarrassing and costly breach.
- Make them prove that they train their workforce on issues you think are important. Isn’t your third party partner part of your operations? Don’t they affect your ability to conduct business successfully? Think about how you can identify your most important training issues and push them to include them in their training. That speaks to assuring competency, by the way. A TSP.
- Mitigate risks immediately. You’ll inevitably identify privacy and security risks during everyday business oversight. When they’re to do with a vendor, take action immediately. The more quickly you address any vulnerability, the less likely it can grow from a manageable security incident to a major security breach.
For those of you who are happy SOC 2 Report achievers, keep up to par on those TSPs. Remember, the AICPA is only one organization homing in on vendor risk management. Whether you’re going for a certification or simply trying to stay on top of regulatory requirements, the risk is real.
Are you considering a certification or readying for an assessment? Chris Apgar and Julia Huddleston have helped numerous clients prep for a successful assessment to achieve certification or a SOC 2 report. Call Apgar and Associates today to learn more: 503-384-2538.
Informational source includes: American Institute of Certified Public Accountants, Inc. “Trust Service Criteria.” Issued by the AICPA Assurance Services Executive Committee (ASEC). Copyright © 2017. Available at https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/trust-services-criteria.pdf
It’s been a tumultuous 2018 for data privacy and information security. New regulations here and abroad show that data privacy will continue to be a hot topic as we move into 2019.
We’re seeing that OCR’s investigations and penalties aren’t limited to large entities or to large breaches. Expect that to continue. Over 60 organizations reported breaches affecting fewer than 1,000 individuals, reminding everyone that not all breaches make headlines. Some of them are small organizations in your own backyard.
Buyer Beware re CCPA Cool Tools
The California Consumer Privacy Act (CCPA) has reaped much hoopla. And the sales push on the trade show floors shows it. At conferences nationwide, we’ve seen “solutions” for CCPA compliance. Yet the Act isn’t yet in its final codified form.
Our recommendation on CCPA: don’t put the cart before the horse. Spend the time between now and the CCPA’s 2020 date getting your data privacy and security house in order. Go back to basics and pay attention to how the law evolves before spending money – and implementation time – on a “cool tool” that ultimately, may not be what you need.
Not All Certifications are Created Equal
On that note of cool things, are you looking at how your vendors are certified? People will peddle that they’re certified in this or that, like saying “We’re ISO certified.” That’s great. But we can’t stress enough that not all ISO certifications mean the same thing. The ISO 27001 certification is the one that relates to information technology security standards. So if you have a potential vendor touting their certifications, do a quick online search to be sure that it’s the one(s) that matters to your business. Oh, and make sure the certifications are still active. Just because a vendor was certified once doesn’t mean they are still certified.
In fact, just because you’re in the healthcare business doesn’t mean you necessarily need to rush out and buy a regulatory-specific solution or need the certification that your competitor is getting. Examine what type of business you do, where you do it and who your customer is before making a financial and time commitment that may not be needed, or that may not be needed right now.
When it comes to you and your business, be strategic. And keep in mind that not all business strategies call for the same certification. We can help you figure out which certification makes the most sense for your organization (HITRUST, SOC 2 and ISO 27001 are the most commonly pursued).
Now that you have all the information that matters (ho, ho, ho!), kick back and let’s toast 2018 out and 2019 in! We wish you and yours a happy, healthy holiday season and a prosperous new year. Thanks for making 2018 such a great year and for trusting us to help you with your data privacy, security, compliance and certification preparations!
As a follow-up to Chris’s 2018 Privacy & Security Forum update, I’ll focus on policy controls, because the entire world has lasered in on policies thanks to the GDPR effect. But first, a tip of the hat to Professor Solove and Professor Schwartz for their role in designing and running this conference. It was substantial, and rigorous, and there wasn’t an infomercial to be found!
Policy controls and their importance are the hot topic for anyone doing business – healthcare, financial or retail – on either side of the ocean. Keep in mind that policy controls are the basis on which anyone assessing the company’s system is building. Also remember that GDPR uses the term “privacy” interchangeably for what we in the US differentiate into privacy and security. So when they say “policy controls” they’re saying privacy policies (i.e., controls), and those very likely pertain to both privacy and security.
Note: This information will be explored in greater detail in our upcoming GDPR Guide for Business Associates. Keep an eye on our website and sign up for our newsletter to receive an alert. The guide should be available by early December.
Related to the topic of policy controls in all of its attendant meanings, I attended several GDPR-focused workshop sessions.
One of the speakers at a session I attended focused on policy writing – European style and United States style. The German IT attorney who spoke about European style policy writing made the following statements (and yes, I’m paraphrasing):
- Data Protection Authorities (DPAs) are likely to read policies
- DPAs are likely to take policies at their word. If an organization is not following its own policies, the DPAs are likely to view that as a breach.
From a United States perspective, substitute OCR/regulators/auditors for DPAs, and the same advice holds true. For instance, consider the following instances of policies and procedural controls related to HIPAA, ISO 27001 and SOC 2.
The HIPAA Security Rule is not prescriptive. Covered entities and business associates must implement controls that are:
- reasonable for the organization’s size,
- the complexity of what it does, and
- the sensitivity of the information with which it deals.
ISO 27001 is not prescriptive. ISO says that you build an Information Security Management System (ISMS) to ensure information privacy. Organizations develop their Information Security Management Systems based on:
- risk assessment,
- risk treatment plans, and
- the Statement of Applicability.
SOC 2 is not prescriptive. Organizations design their own controls to meet the SOC 2 principles that are relevant to the business.
Privacy & Policy Controls Success Tip: Walk the Talk
With all that said, once an organization designs a policy control, it needs to live up to what it says it will do. Auditors are “show me” people. Say one of the controls you assert is in place for your information system includes a well-defined off-boarding system. You say that every step is tracked by a ticketing system, and that management reviews occur at regular intervals to make sure the system is being followed.
You can bet that the auditors will ask to see the written documentation that defines the system, a sample of the tracking tickets, and dated evidence of management review. There may be a call for an organizational chart that depicts that management really is management, too.
You get to design and implement the policy controls that your organization will follow. Follow regulation, and good practice, yes, but also make sure that your business can and will live by the standards that you’ve committed to – whether you’re in Portland, Oregon or Prague, Czech Republic!
For help with the intricacies of certification readiness, including policy controls, contact Julia Huddleston, a Certified Information Privacy Manager and a Certified Information Privacy Professional.
*More information about the 2018 Privacy & Security Forum can be found here.
What happens now that US organizations who thought they were off the GDPR hook find they are so on it?
The onset of the GDPR, at first glance, seemed straightforward. Are you in the EU? Do you employ or do business with anyone in the EU? No? All good on personal data privacy. Except that your one-time, at-a-glance, high-level assessment won’t hold up. Blame the GDPR’s broad definition of personal data. And realize that Europeans are far more guarded about their personal data privacy than the US, at a very granular level. Beyond health or financial information, or minors’ personal information, the GDPR goes far deeper.
Examples of GDPR-defined personal data
- Work email address
- Political party
- Religious beliefs
- Racial or ethnic information
GDPR defines “personal data” as:
Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
There are also two important functional roles defined under the GDPR: the Data Controller and the Data Processor. A data processor is defined as someone who processes data on behalf of the data controller. That may be a company providing a 3rd party software or platform that stores data. The data controller is the entity that collects the data, such as a health plan collecting member data or a bank collecting customer data.
So how does a US organization, particularly one typically highly adherent to strict compliance standards, deal with the GDPR? A company that has attained certification through HITRUST or SOC 2 likely feels fairly confident of being able to meet the GDPR’s requirements. Unfortunately, one does not equal the other.
6 Actions You Can Take to Support GDPR Compliance
- Be sure that your Security Risk Analysis encompasses all “personal data” as defined under the GDPR, not just PHI and PII. Remember location data counts, too! If you’re a data controller, you’ll also need to look at impact assessments that relate to GDPR-defined personal data.
- Check that your 3rd party data processor is approved by the data controller. PHI that falls into the GDPR personal data category can only be used and disclosed on instruction from the data controller. That means that what typically would be OK use by a Business Associate under HIPAA isn’t if the data is defined as “personal data” under GDPR.
- Appoint your EU-based representative and designate a Data Protection Officer. This is a major point of compliance with the GDPR. The DPO’s contact info must be publicly published as well as formally shared with the EU’s Privacy Commissioners.
- Be sure you’re authorized to engage in data flow transfers that relate to the individuals, or “natural persons” under the GDPR regs. Validate under your operations management contract that the data transfer is necessary and authorized.
- Modify your security incident response plan to include the GDPR breach notification guidelines. Under the GDPR, data controllers only have 72 hours from the breach discovery to notify the EU Data Protection Authorities. Be sure to test your ability to comply with the requirement.
- Prominently display your privacy practices and the privacy rights of individuals to conform with the GDPR. Individual privacy rights include access to data collected, ability to correct that data, how they can restrict the processing of the data, even to require that you erase the personal data.
Under the GDPR, US companies who discover from their data analysis that they deal with personal data of any kind from people who live in the EU (even non-EU citizens), must comply with its requirements. The cost of non-compliance is huge – up to 20,000,000 EUR. For US healthcare organizations who still struggle to meet HIPAA requirements over two decades after its enactment, the GDPR may well mean that they simply choose not to do business with EU residents.
Are you contemplating how to comply with the GDPR? Contact Apgar & Associates for a data inventory and risk assessment: 503-384-2538.
The OCR announcement of a $4.3 million price tag on MD Anderson’s Cancer Center for noncompliance highlights the cost of unmitigated risk. A 2006 security risk analysis showing that a lack of encryption posed a PHI security threat prompted the Center to develop policies for portable device encryption. Smart. But then an OCR breach investigation uncovered that the policy wasn’t actually enacted for years. Not smart.
Loss of USB devices and a stolen laptop exposed the disconnect between the stated policy and actual application of the policy. What could they have done differently? Followed through on their stated policies. Would a demonstrable attempt at PHI protection by alternate means, although encryption wasn’t implemented, have helped? Perhaps. It’s hard to know.
What likely didn’t help the Center was its 2011 internal Information Security Program report that stated ePHI on mobile devices and other portable storage devices was not yet mitigated – a written acknowledgement of failure to enforce its own policies. The USB device loss and the laptop theft happened in 2012 and 2013. In light of that fact, it’s fortunate that OCR asked for penalties under Tier 2’s Reasonable Cause vs Tier 3’s Willful Neglect, if only from the point of view of preserving (somewhat) MD Anderson’s Cancer Center’s reputation.
In light of the cost of “over-promising and under-delivering,” now is the ideal time to get a compliance assessment of your policies and procedures on the schedule. Are you in danger of an unmitigated risk? Are your policies realistic? Are they being practiced? Can you prove it?
4 Tips for Policy Follow-Through
- Tie your policies and procedures back to your actual business operation workflow and processes. Implementing an enforcement mechanism such as encryption gives policies “teeth.”
- Make sure you’re following the rules. Policies and practices need to align with the regulations you’re required to follow.
- Be realistic when drafting policies and procedures. “Audits will occur at weekly intervals” may not be a realistic policy to accomplish if you’re already overstretched. (See #1)
- Maintain proof of policy enactment. Document and be able to demonstrate you take action on all of your policies. For example: That information could include the date a policy was enacted, any time there was an internal citation for correction, and documentation of how it was corrected.
Your policies and procedures are essentially marching orders for your staff. Be sure those policies are clear and accurate so you can not only enforce them, but also document that you’ve done so. Then when a breach happens and OCR comes in, you’re better positioned.
Apgar & Associates helps you discover privacy and security vulnerabilities so you can manage risks before a breach occurs. Contact us to schedule your assessment today: 503-384-2583.
From digital startups to financial firms, the need to demonstrate information security, not only to investors but also to board members and potential business partners, is widespread. As privacy and security consultants who also prep companies for certification, we’re seeing how the need for privacy and security compliance, long since a demand for healthcare, now stretches across industries.
Take this example. An online company selling a product that’s gained rapid popularity attracts the attention of a multi-national interest. It’s a dream scenario for a start-up. A great concept, proven, that garners the best possible outcome: a well-heeled investor. Then a painful reality sets in during due diligence.
The straightforward request of “Let’s start with a review of your policies and procedures” has everyone scrambling. Why? Because they don’t exist – at least not in the format and detail that a true commitment to privacy and information security calls for.
A high-dollar investment from an established global entity is going to have requirements attached to it that a digital startup likely didn’t include in their gotta-get-launched-yesterday operational plan. Especially when the investor demand reflects an expected alignment with the standards to which their organization adheres, ISO 27001.
Digital startups are one thing, but what about established businesses? Maybe there are industry-related policies and procedures in place but the type of business never called for compliance with a particular set of security standards. Now there’s an opportunity to expand into government work. To play in the big sandbox, there’s a need not only to implement an information security program, but one that adheres to the NIST cybersecurity framework that was updated in April 2018. That’s a big leap.
There are common denominators for most certifications and regulatory needs. You may be asked to achieve ISO 27001 certification or HITRUST. Or you may need to choose the best assessor for your SOC certification process. Almost certainly, no matter your business, you’ll need a security risk analysis.
Start with the fundamentals. In nearly every state there are breach notification laws that require you to have an information security program in place. If not a specific program, then at minimum you need to be able to demonstrate administrative, technical and physical safeguards of sensitive data – whether that’s PHI or client financial information. Once you take care of the basics, your business will be ready for the next great opportunity, and able to meet investor demands.
Work with a team that knows how to map your path to certifications and regulatory standards regardless of industry. Apgar & Associates’ certification readiness preps you for HITRUST, ISO and more. Call us today to get started: 503-384-2538.
Well, the royal family’s security could be compromised, for one. If you missed it, Heathrow Airport, one of the busiest airports and Britain’s largest, is scrambling to understand how a memory stick (aka thumb drive) with extremely sensitive information ended up on a busy west London street. The documents on the unencrypted drive detailed airport security measures and plans, including the routes typically used by Her Majesty to and from the airport.
The documents were all marked “confidential” or “restricted.” Yet the thumb drive had no encryption and was just lying on the street, available for anyone to pick up and use. The scariest part? This could happen to anyone, to any business, at any time.
How do you prevent this type of blatant risk to sensitive information? Ask yourself the following about your security and privacy policies and procedures:
- What have we done – or can we do – to assure our sensitive data’s security isn’t compromised like this?
- How well does our own senior leadership follow the same strict security measures as line staff?
- Do we allow sensitive data to be stored, or even temporarily used for transport, on unencrypted drives?
- Who is allowed to access sensitive data and in what way can they interact with it? Should they even be able to?
Frightening as this event is, it’s also far too unsurprising. Before you decide that portable media is fine for transporting or storage of your sensitive data, think twice, then think again. Convenience should not override the need for data protection.
Apgar and Associates’ HIPAA privacy, information security, HITECH and regulatory compliance consulting services support the health care industry and the vendors that work with them. The firm works across industry sectors to help businesses prepare for ISO, SOC II and HITRUST certifications, as well.
As CFO and COO of our privacy and security compliance consulting firm, every year I’m on the receiving end of email promotions and pop-up ads for tax preparation software. DIY, guaranteed, “We’ll take the hit for the audit if it happens” software. I have to admit, if privacy and security compliance software were as comprehensive, interactive and penalty-proof, we’d do a lot of thumb twiddling. Thankfully (for us) the apps aren’t there yet.
What makes tax preparation software so workable is that it’s highly interactive and intuitive. You’re told if you made a mistake, or if a deduction is in the wrong place, even if you should itemize vs taking the standard deduction. You’re guided by the hand start-to-finish, with triggers and excellent logic branches throughout.
On the compliance software side, there remains a challenge. That said, Chris and I are very much in favor of automation both to support your compliance program activities, and to provide transparency between you and your business partners. We work with several vendors whose digital apps are solid, supportive and easy to use, from privacy and security task management to documentation management.
The caveat is this: Technology cannot be your compliance program. For example:
- You can document that you’re on-task, but you also need to be able to demonstrate that you’ve completed the actions that you checked off.
- You can establish a password protocol, but how do you know it’s a good password protocol?
- You can assure an auditor that you know who has access to what, but where is the audit trail to back it up and assure appropriate access?
- And most importantly – you can firmly believe that you’ve completed a security risk analysis for meaningful use – but your online risk assessment is not the HIPAA Security Risk Analysis the auditors want to see.
If you still aren’t convinced, answer this question honestly, “Are you ready for Round 2 HIPAA Audits?” Because until privacy and security technology can make the leap to intuitive hand-holding through the myriad compliance requirements, the best path to compliance remains a combination of supportive automation and old-fashioned, subjective, ongoing people work. Who knows, maybe the ideal technology will arrive just in time for my retirement. A consultant can dream.
Julia Huddleston, CIPP/CIPM, is CFO / COO of Apgar & Associates and a Certified Information Privacy Manager as well as a Certified Information Privacy Professional. She works with clients on compliance assessments, security risk analysis, and policy and procedure review and implementation. Apgar and Associates can help you with questions and concerns about your privacy and security compliance program at 877-376-1981.