Trends in Regulation and Compliance: Data Breach and Privacy Patrick C. Lynch | Patrick Lynch Group

Upload: argentum

Post on 30-Jul-2016

DESCRIPTION

Argentum 2016 Senior Living Executive Conference concurrent session. Original session date: Wednesday, May 11, 2016, 9:15 - 10:15 AM. Speakers: Pat Mulloy, CEO, Elmcroft Senior Living; Patrick Lynch, former Rhode Island Attorney General,

TRANSCRIPT

Page 1: Trends in Regulation and Compliance: Data Breach and Security

Trends in Regulation and Compliance: Data Breach and Privacy

Patrick C. Lynch | Patrick Lynch Group

State AGs as Cybersecurity Regulators

State AG Offices Dedicated to Privacy and Cybersecurity

1999: NY Internet Bureau

2001: CA Office of Privacy Protection

2012: CA Privacy Enforcement & Protection Unit

2013: MD Internet Privacy Unit (first unit dedicated to Internet-related privacy/data issues)

2015: CT Privacy and Data Security Department

Rise of AG Multi-State Investigations into Data and Cybersecurity

Increasing inter-state collaboration on data and cybersecurity matters at staff level

NAAG’s ongoing Privacy Working Group

Several multi-state enforcement actions with substantial fines

More training for AAGs on data and cybersecurity issues

Recent State AG Cybersecurity Enforcement

AG Multi-State Investigations - Settled

2009 – TJX Data Breach

TJX owns popular retailers Marshalls, TJ Maxx, and HomeGoods. Allegation of a massive data breach and a review of TJX’s data security policies and procedures.

41 AGs

$9.75 million + agreement to improve data security protocols

2014 – TD Bank Data Breach

In October 2012, TD Bank self-reported a March 2012 breach involving the Bank’s loss of unencrypted backup tapes containing the personal data of 260,000 customers nationwide.

9 AGs

$850,000 + agreement to strengthen security policies, including the use of data encryption

2015 – Zappos Data Breach

Allegations that a January 2012 breach of a Zappos computer server exposed the personal data of 24 million customers, including names, billing and shipping addresses, telephone numbers, the last four digits of credit card numbers, and login credentials of customers.

9 AGs

$106,000 + agreement to strengthen security policies

Recent State AG Cybersecurity Enforcement

AG Multi-State Investigations – Active (and known)

2015 – Target, Home Depot, Staples

Multi-state investigations ongoing involving a number of states

Healthcare

Accretive Health – FTC and MN AG

The FTC alleged in a complaint against Accretive that the company failed to provide reasonable and appropriate security measures and procedures to protect consumers' personal information, including sensitive personal health information. The failure to adequately safeguard the data led to a July 2011 incident in Minneapolis, Minn., when an Accretive employee’s unencrypted laptop computer containing data on 23,000 patients of the company’s hospital clients was stolen from the worker’s car.

Anthem – Multistate investigation ongoing

Information included data about current and former customers: names, birthdays, medical IDs, Social Security numbers, street addresses, email addresses, employment information and some income data.

What does this mean for Argentum Members?

• As senior living companies are holders of sensitive and private data from both residents and employees, it is imperative that these companies enact measures to protect against potential hackings.

• Senior living companies should collaborate on best practices to ensure appropriate safeguards are established to protect sensitive data.

• Senior living companies should establish response plans that can be immediately implemented in the event of a data breach.

Best Practices for Argentum Members to Consider

• The 2016 California Attorney General data breach report provides a good perspective on the data breach environment and the common-sense steps companies should take to protect their data.

• Develop data breach policies and procedures and staff trainings.

• If a breach happens, know your responsibility and have a plan.

• Each state has a different data breach notification law and process.

• AGs work together and communicate on multistate data breach efforts – reporting in a concise and timely manner is important.