
Landmark policy constituting the most stringent data protection in the United States


Note: After several conversations with students learning about HIPAA, state laws, and GDPR, we thought it would be useful to post the handout provided to the class.

California Consumer Privacy Act (CCPA) of 2018

Assembly Bill (AB) No. 375: Chapter 55

Beginning January 1, 2020, the bill grants a consumer the right to request that a business disclose the categories and specific pieces of personal information it collects about the consumer.

The CCPA is a consumer privacy law for companies that deal with personal data and those operating in the digital space. Companies that collect web browsing data and generate revenue from targeted advertising over internet platforms or service providers will be affected, for example:

  • Facebook
  • Twitter
  • Google
  • AT&T
  • Verizon


The CCPA applies to for-profit entities that collect and process the personal information of California residents and do business in the State of California. A physical presence in California is not required; making sales in the state appears to be enough. In addition, the business must meet at least one of the following thresholds for the CCPA to apply (see blue box). Nonprofit organizations, and companies that do not meet any of the thresholds, are not required to comply with the CCPA.


Historical Background: SB 1386 (Peace). Personal information: privacy

California Senate Bill No. 1386 (Chapter 915) was approved by the Governor on September 25, 2002 and filed with the Secretary of State on September 26, 2002.

“Existing law regulates the maintenance and dissemination of personal information by state agencies, as defined, and requires each agency to keep an accurate account of disclosures made pursuant to specified provisions. Existing law also requires a business, as defined, to take all reasonable steps to destroy a customer’s records that contain personal information when the business will no longer retain those records. Existing law provides civil remedies for violations of these provisions.

This bill, operative July 1, 2003, would require a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The bill would permit the notifications required by its provisions to be delayed if a law enforcement agency determines that it would impede a criminal investigation. The bill would require an agency, person, or business that maintains computerized data that includes personal information owned by another to notify the owner or licensee of the information of any breach of security of the data, as specified. The bill would state the intent of the Legislature to preempt all local regulation of the subject matter of the bill. This bill would also make a statement of legislative findings and declarations regarding privacy and financial security.”

About 16 Years Later

The new privacy law (CCPA), Assembly Bill No. 375, allows California residents to delete their data or take it with them to alternative service providers. Data brokers that profit by collecting consumer data and selling it to third parties are affected too:

  • Acxiom
  • Epsilon
  • Experian
  • Oracle

The Privacy Act contains a broad definition of “personal information”, as defined below.

The state’s attorney general will be the enforcer of this law. However, consumers will maintain a private right of action should companies fail to maintain reasonable security practices, resulting in unauthorized access to their personal data.

California residents will have a number of new rights:

  • To know what personal information is being collected about them
  • To know whether their personal information is sold or disclosed and to whom
  • To say no to the sale of personal information
  • To access their personal information
  • To have equal service and price, even if they exercise their privacy rights
  • To receive financial incentives from businesses for providing their personal information
  • To prohibit a business from selling the personal information of consumers under 16 years old

For more information, see AB 375 (CCPA).

“Personal information” is defined under the CCPA as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The addition of the term “household” adds a dimension to a privacy law that is largely uncharted territory. Specifically, information collected by a business does not have to be associated with a name or specific individual, but rather can identify a household.

The definition of “personal information” under the CCPA also lists a wide range of standard examples that include Social Security numbers, driver’s license numbers, and purchase histories, as well as “unique personal identifiers” such as device identifiers and other online tracking technologies.

Note: CCPA excludes information that is publicly available.

Europe’s General Data Protection Regulation (GDPR) Entered the U.S.

Brief Explanation: Global privacy regulation (EU Regulation 2016/679)

Healthcare businesses (providers, digital health/health IT companies, and their vendors) that “control” and/or “process” health data in the U.S. that may include data from EU “data subjects” are required to comply with the EU General Data Protection Regulation (GDPR).

  • Applicable as of May 25th, 2018 in all member states to harmonize data privacy laws across Europe
  • GDPR is broader in scope than HIPAA, as its protections extend to all broadly defined “personal data,” not just Protected Health Information (PHI)
  • Replaced the 1995 Data Protection Directive from the European Union, which only impacted U.S. companies that transferred the data of EU data subjects out of the EU
  • GDPR affects all companies that do business with EU data subjects, whether or not they have a presence in the EU
  • Any company that uses, collects, or retains personal data from any EU citizen, knowingly or unknowingly, must comply with the GDPR – even if that citizen is physically located in the U.S.

Concerns

Consumer confidence has suffered badly after breaches of trust such as Equifax and Cambridge Analytica, with real consequences for identity theft, abuse, and data privacy. Companies doing business in Europe under EU terms have already had to deal with protecting privacy. California laws such as the two discussed above, SB 1386 and AB 375, are setting examples, and we should not be surprised when other states follow to improve consumers’ control over the use of their data.

Put simply, GDPR is similar to U.S. state laws. HIPAA has many requirements that correspond to GDPR requirements, such as written policies, data protection impact assessments, technical vulnerability assessments, training, and a Data Protection Officer (DPO).

Brief Explanation: HIPAA

Your RIGHTS Under HIPAA

Health Insurance Portability and Accountability Act of 1996

Public Law 104-191

Most of us believe that our medical and other health information is private and should be protected, and we want to know who has this information. The Privacy Rule, a Federal law, gives you rights over your health information and sets rules and limits on who can look at and receive your health information. The Privacy Rule applies to all forms of individuals’ Protected Health Information (PHI), whether electronic, written, or oral. The Security Rule is a Federal law that requires security for health information in electronic form.

To improve the efficiency and effectiveness of the health care system, HIPAA included Administrative Simplification provisions that required the U.S. Department of Health & Human Services (HHS) to adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security. At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information. Therefore, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for Individually Identifiable Health Information (IIHI).

Be Proactive not Reactive!

While many businesses are struggling to implement data strategies that help them meet regulatory requirements, it is not too late to start if you have not. Given the risks and the loss of customer trust you jeopardize by not safeguarding your customers’ data, this is the right time to act.

The CCPA has already been amended once and may go through additional updates before it takes effect, but businesses should start to prepare now. Privacy notices, other policies and procedures, and websites will need to be updated before the CCPA takes effect. At the very least, a business should start mapping the personal information that it collects and locations where personal information is stored so it can promptly meet any request under the CCPA.

Our team at RISC Management and Consulting is ready and able to assist your organization with all of your data privacy and information security requirements, from state laws to GDPR, to protect your clients’ Protected Health Information (PHI) and/or personal information. We are committed to the success of our clients.


Identity Theft

According to a consumer report, millions of Americans become victims of identity theft every year.

Figure: Identity Theft statistics (Javelin Strategy & Research, 2017, and the Federal Trade Commission)

Identity theft video: 7 Ways to Protect Yourself from Cybercriminals

Types of Identity Theft and Fraud

  1. Driver’s license theft: the most common type
  2. Mail theft: one of the oldest ways for criminals to steal your information
  3. Debit card fraud or credit card fraud: called “card-not-present fraud”
  4. Online shopping fraud: items are purchased with a stolen card and shipped to the criminal’s own address, often overseas; called “eCommerce fraud”
  5. Social Security Number theft: usually results from a data breach or tax ID theft
  6. Account takeover fraud: criminals gain access to your bank or credit card account through a data breach, phishing scam, or malware attack, then start using the account for their own gain
  7. Senior citizen identity theft: very common, since checking financial accounts or credit reports is not a priority for many seniors; scams happen when they trust the wrong person (Scam Video)
  8. Child identity theft: less common, but a child’s Social Security Number (SSN) can be used to apply for government benefits, take out a loan, etc.; often the child does not discover the theft until they are of age and applying for a student loan or car loan
  9. Tax identity theft: criminals file your income tax return before you do and use a fake address to receive the refund
  10. Biometric ID theft: fingerprints or voice recognition are the best examples, such as when your voice for “Alexa” (Amazon’s hands-free, voice-controlled speaker) is copied and recorded; it doesn’t end there (parks such as Six Flags and Disney use fingerprints to identify you for easy access to the park!)
  11. Criminal identity theft: happens when criminals provide your data (from a stolen or lost ID) when arrested; you would not know until you need a background check for a new job or a warrant is issued for your arrest
  12. Synthetic identity theft: the fastest-growing type of ID fraud; real and fake information is merged to create a new identity using SSNs, names, addresses, and birthdays bought on the “dark web”
  13. New account takeover: a criminal opens a new account with your information and is able to impersonate you to obtain a higher credit limit
  14. Medical identity theft: more difficult to discover, but usually used to obtain medical services in your name; check your statement of benefits often
  15. Loan stacking fraud: multiple loans are taken out by borrowers who slip through today’s automated approval processes via loopholes in online lending marketplaces
  16. Mortgage fraud: a borrower, broker, or appraiser lies on a mortgage loan application to get approved for a bigger loan or to get the mortgage approved at all
  17. Auto lending fraud: similar to mortgage fraud; occurs when consumers, dealers, or auto lenders submit or accept a fraudulent (falsified) application for credit
  18. Employment identity theft: a criminal applies for a job using your SSN or ID, the employer reports the income to the IRS under your name, and the IRS expects you to pay taxes on all income earned in your name; review your credit report regularly
  19. Bust-out fraud: a first-party fraud scheme, also called “sleeper fraud”; happens when a consumer applies for credit in their own name with the intent of maxing out all available credit and then disappearing
  20. Internet of Things (IoT) identity theft: occurs when your smartphone or tablet is paired with internet-connected consumer products such as cars, heart monitors, and household appliances, creating an opportunity for hackers to steal your data, usually through a security flaw

Figure: Identity Theft and Fraud Complaints, 2014 to 2017

Prevention is the best route

Use strong passwords that are unique to you

  • Make them easy for you to remember but hard to guess
  • Use KeePass to store all your passwords securely in an encrypted file (database)
  • Change them routinely, as often as you can
  • Never reuse passwords
  • Do not write them down and leave them on your desk (keep any written copy inside your wallet or purse)

Review bank statements and credit card statements thoroughly each month

  • Check for suspicious transactions
  • Notify your bank or card issuer immediately

Check your three credit reports (Experian, TransUnion and Equifax) often for any signs of identity theft

  • If you discover unauthorized access to your credit reports notify the credit reporting agency right away
  • Place a fraud alert, a credit lock, or a security freeze on all three if you suspect your personal information has been compromised

Phishing

  • This is where you are tricked into revealing sensitive information via email or text
  • Messages are crafted to look like they come from a company where you already have an account, or from a person or organization you know well
  • When you click the link in the message and attempt to log into your account, you have handed your login and password to the “bad guys”
  • You are now vulnerable to many types of identity theft

Recovery steps to help limit the damage if you become a victim of identity theft

  • File a report immediately (get copies of the report for your insurance, medical provider, credit bureau, etc.)
  • File with the Federal Trade Commission (FTC) and follow its recovery steps
  • Call the companies where the fraud occurred (let them know it was not you and ask them to work with you)
  • Communicate with each credit bureau and place a freeze or fraud alert on your credit report
  • If it is medical fraud, call your insurance company and medical providers (get a copy of your medical files and ask to have them corrected; file with the Office for Civil Rights (OCR) as well)
  • If you become a victim of tax ID theft, contact the Internal Revenue Service (IRS)

Safeguard against future problems

  • Stay up to date by reading and learning continuously (read about ways to protect your information)
  • Learn the warning signs
  • Learn how to reduce your risks
  • How to avoid identity theft / How to avoid frauds and scams (read)
  • Be persistent: monitor your accounts and review your personal information to stay on top of looming threats

For more information read: Security Awareness For Taxpayers