Losing data is disruptive. Exposing personal data can be embarrassing. Worse, loss of identity data can result in legal problems. As stated in Animal Health Solution, “compliance with the identity theft prevention laws is not a choice, it is a legal requirement.”
Actually, there are many laws that address data security, and they apply to all kinds of businesses.
Data security is the subject of our article entitled “Secure Your Data,” which appeared in the July 2015 issue of Trends magazine, published by the American Animal Hospital Association. This blog post is the third in a series, and it focuses on the law.
In 2003 the Fair and Accurate Transactions Act (FACTA) was passed. The veterinary industry was ultimately deemed exempt from much of the act, including the Red Flags Rule. However, Adrian Hochstadt, attorney for the American Veterinary Medical Association (AVMA), cautioned that this was not cause for being lax or carefree. In the Journal of the American Veterinary Medical Association (JAVMA) he wrote, “you still have a risk management issue. You still have the expectations that clients will be protected.”
One requirement under the act that does apply to veterinary practices is known as the Credit Card Truncation Act. It requires that a business accepting credit cards use a credit card machine that prints no more than the last 4 or 5 digits of the card number on the sales receipt and omits the expiration date entirely.
Speaking of credit cards, veterinary practices that accept credit cards (either directly or through a third-party vendor) must comply with the Payment Card Industry Data Security Standard (PCI DSS). Five credit card companies have set the standard and approve credit card software. They also may impose a fine in the event of a breach – as much as $500,000.
The Health Insurance Portability and Accountability Act, better known as HIPAA, does not apply to veterinary animal health records, but it does include provisions that protect the Personal Identification Information of a practice’s employees.
The FTC exists to protect commerce and might become involved in a large breach. Section 5 of the Federal Trade Commission Act says that a business cannot engage in unfair or deceptive practices. That’s a broad statement, but if an unscrupulous nighttime cleaner found a credit card number left on a Post-it note, that might lead to a breach and ultimately to an FTC fine.
State laws are also important. Forty-seven states (plus Puerto Rico, Washington, D.C. and the Virgin Islands) require notice to clients after unauthorized access to private information. Many also require notification of the state attorney general, state consumer protection agencies and credit monitoring agencies. States have differing laws outlining what information is protected and the notification procedures. Given that each state is different and the laws are constantly being updated, it is wise to seek the aid of a privacy lawyer or other consultant to interpret the applicable laws.
Consultation and Training
James Iafe, VMD, is one source for consultation and training. He is a 1993 graduate of the University of Pennsylvania School of Veterinary Medicine and has been practicing small animal medicine in Pittsburgh, PA for the past 8 years. After becoming a victim of identity theft, and receiving a breach notification letter from his mortgage lender, he resolved to help victims of data breaches, particularly veterinary practices. In 2004 he became a Certified Identity Theft Risk Management Specialist (CITRMS) through the Institute of Fraud Risk Management and, with Ken Kirschner, CITRMS, formed PrivacyEdge.
That’s it for today.
John and Carolyn
Leave us your comments.
“Like” us on Facebook.