Electronic Security & Privacy: Security & Privacy Within the IAM Space


Data Privacy and Security

By Dave Glickman

CEO, Presagia

Due in no small part to advances in technology, the professional environment of integrated absence management (IAM) has changed dramatically over the last 20 years. While new technologies have made our lives easier and safer in many ways, they have brought with them new issues, new risks, and a growing number of regulations to contend with.

Unfortunately, this is no longer an academic topic for IAM practitioners. Nearly all your work processes are constrained by privacy and security considerations and you can face civil or even criminal charges for certain acts or omissions. This column will outline the regulatory environment and recommend best practices.

Federal Regulations

Unfortunately, rather than a single federal law regulating the collection and use of personal data, there are many federal and state regulations that vary depending on a company's industry and the type of data it handles. The broadest is the Federal Trade Commission (FTC) Act, whose Section 5 prohibits unfair or deceptive practices and allows the FTC to pursue companies that fail to live up to their posted privacy policies or that change those policies without adequate notice.

Within the IAM space, the most relevant regulation is HIPAA, which governs the collection and use of protected health information (PHI) and sets standards for protecting and transmitting it. Under the HIPAA Privacy Rule, individuals have the right to see what PHI is held about them, to receive an accounting of who it has been disclosed to, and to request amendment of incorrect data. HIPAA also requires health care providers, health plans, and other covered entities to sign a business associate agreement before providing PHI to a service provider. The HIPAA Breach Notification Rule requires covered entities and their business associates to notify affected individuals (and the Department of Health and Human Services) following discovery of a breach of unsecured PHI.

State Regulations

Many states have implemented security and privacy regulations that govern interactions with their residents. As an example, 47 states, the District of Columbia, the U.S. Virgin Islands, Guam, and Puerto Rico have all enacted security breach notification laws. As a result, organizations have to comply with multiple and sometimes conflicting regulations. For example, California requires companies to detail what type of breach occurred and what information was disclosed, whereas Massachusetts prohibits such disclosures. Massachusetts and several other states have implemented prevention-oriented laws prescribing the technical, physical, and administrative security protocols that organizations must implement to protect personal information in both electronic and paper format. Many states also impose obligations regarding the use of Social Security numbers.

Penalties

The FTC Act provides for civil penalties of up to $16,000 for each offense, in addition to consumer restitution and repayment of investigation and prosecution costs. Criminal penalties can include imprisonment for up to 10 years. HIPAA authorizes civil penalties of up to $1.5 million per violation category per calendar year and criminal penalties of up to 10 years' imprisonment. Some state and federal laws also allow individuals to sue for privacy violations, and that exposure can be even more significant. In its 2014 Cost of Data Breach Study, the Ponemon Institute put the average total cost of a data breach at $3.5 million.

Standards

In addition to regulations, there is a wide variety of industry and governmental "standards" that promote best practices for data privacy and security, including SOC 2 reports, PCI DSS, and OWASP guidance (which we will visit in later columns). Even though such standards are not laws (PCI DSS, for example, is enforced contractually by the card networks rather than by statute), most employers expect their internal information technology departments and their suppliers to adhere to them.

Over the coming months, we’ll review these regulations and standards in more detail and discuss how they impact employers — and you — through the delivery of outsourcing and technology offerings.