PRIVACY POLICIES REQUIRED

Think it doesn’t apply to you? Connecticut’s privacy law doesn’t just apply to the highly-regulated industries we’re accustomed to hearing about – like banking, healthcare, retail, publicly-traded companies and the government sector, all of which are already regulated under a variety of strict federal privacy and security laws. The Connecticut legislature (like many other states) saw fit to require anyone doing business in the state to safeguard personal information and to post privacy policies (see Conn. Gen. Stat. 42-471). This applies with the same force and effect to businesses both public and private. I can think of few, if any, businesses that don’t use, store, transmit or collect some type of “personal information,” whether for payroll, offering health or other benefits, collecting social security numbers, conducting employment screenings, or maintaining important customer and banking information – just to name a few of the areas covered by this law. Connecticut law requires more than just developing privacy policies – they must be publicly posted.

These privacy protections, much like their federal counterparts, extend to any “personally identifying information” such as a full name, social security number or address – essentially any information that either does or could reasonably lead to identifying someone. The definition of “personal information” under the Connecticut statute follows the definitions of other federal and state laws to include “information capable of identifying a particular individual by one or more identifiers – name, social security number, driver’s license, account numbers, photos, biometric information, health insurance information, credit or debit card numbers” and the like. Financial institutions that have complied with the privacy and security standards required under Gramm-Leach-Bliley (15 U.S.C. 6801) will be in compliance with this Connecticut law. Healthcare providers and business associates regulated under HIPAA/HITECH regulations (45 C.F.R. Sec. 160, et seq.) that have complied with the requirements of the 2013 Final Omnibus Rule will also likely avoid trouble.

To say the least, it’s a complex area. Depending upon the context and type of information collected, used or stored, businesses may also be required to comply with a variety of other privacy laws in addition to this Connecticut law. While there are more than 30 federal laws governing privacy, and the list is growing, below is a summary of other key federal laws that frequently apply to businesses (and their vendors) that are using, accessing, storing or transmitting “sensitive” information:

  1. HIPAA/HITECH covers past, present, or future physical, mental health conditions of a person;
  2. Financial information regulated under Gramm-Leach-Bliley Act (GLBA and FMSA);
  3. Credit card payments regulated under PCI-DSS industry standards;
  4. Computer Fraud and Abuse Act (CFAA);
  5. Children’s Online Privacy Protection Act (COPPA);
  6. Fair Trade Communications Act – FTC Privacy; and
  7. Electronic Communications Privacy Act (ECPA) regulating computer crimes.

With cyber hacking and data breach incidents rising throughout the healthcare, retail, banking and government sectors, Connecticut employers and businesses that haven’t taken steps to evaluate the regulated information they use or possess, and to develop written privacy and security policies to keep “personal information” safe from misuse, are making a high-stakes gamble. Many of us who regularly work in this area know it’s really not a question of if – it’s a question of when information that wasn’t adequately protected may fall prey. Why chance what will be a costly, embarrassing event? Developing, implementing and posting privacy policies is a must.

Where do you start? For many companies, compliance with this Connecticut law (and other state and federal laws) can be accomplished by conducting security assessments, training employees on the importance of protecting data, developing and enforcing security policies – and, most importantly, posting these privacy policies. In the past year, dozens of bills have been introduced to protect consumers from the real and increasing threats of identity theft and fraud, and more are likely to follow. Those not in compliance with the important intent of this law – to safeguard personal information – face the real and ever-present risk of harm to innocent victims, significant regulatory fines or worse. Why chance it? Call us today for practical guidance on avoiding these risks.

With over a decade of experience as Legal Counsel & Chief Compliance Officer to a variety of highly-regulated industry clients, our firm has the dedication and experience to help clients assess security vulnerabilities, train employees and develop the all-important privacy and security policies needed in today’s Internet of Things world.

Please contact us today for more information. Let us know if you’d like a speaker on these important topics at your next business event.