SB 24 requires all breach notifications to include the name and contact information of the notifying person or entity and a list of the types of personal information compromised, or reasonably believed to have been compromised. The notifying person or entity must also provide the toll-free telephone numbers and addresses of the three major credit reporting agencies – TransUnion, Equifax and Experian – if the breach exposed a Social Security number, driver’s license, or California card identification number.   Notifications must also be written in “plain language” and provide a general description of the breach if this information has been determined.

If it is possible to determine at the time of the breach, the notification must provide the date of the breach, an estimated date of the breach, or a date range within which the breach occurred. Each notice should include the date of the notice. The notification must also state whether the notification was delayed because of a law enforcement investigation.  The law allows, but does not require, the person or business to provide information regarding what the person or business has done to protect individuals whose information has been breached and recommendations on how individuals can protect themselves.

Special requirements also apply to larger-scale breaches. The law requires any agency, person or business that notifies more than 500 California residents to submit a single sample copy of the notification - excluding any personally identifiable information - to the Attorney General. 

In addition, SB 24 provides that HIPAA covered entities following the HITECH Act breach notice requirements will be deemed in compliance with the SB 24 content requirements, but such entities will still have to comply with the Attorney General notice provision.

SB 24 follows recent proposals at the federal level to implement a nationwide data breach notification requirement. See our recent post here for more information.    

The second report,  Audit of Information Technology Security Included in Health Information Technology Standards, took ONC to task for failing to include requirements for adequate IT security controls in its requirements for health care providers to qualify for incentive payments to adopt electronic health records under the “meaningful use” program. The report recommends that ONC: (1) broaden its focus to include well-developed general IT security controls for supporting systems, networks, and infrastructures; (2) use its leadership role to provide guidance to the health industry on established general IT security standards and IT industry security best practices; (3) emphasize to the medical community the importance of general IT security; and (4) coordinate its work with CMS and OCR to add general IT security controls where applicable.

OIG's summaries of the two reports, including links to copies of the complete reports, are available at the following links:

Nationwide Rollup Review of the Centers for Medicare & Medicaid Services HIPAA Oversight

Audit of Information Technology Security Included in Health Information Technology Standard

Download Product Brief - Sitrof DCM Compliance

As the life sciences industry is constantly battling to keep up with ever-evolving standards of CFR 22 Part 11, SOX, HIPAA, ISO, etc., there is a critical need to improve efficiency and proactively prepare for litigation. Sitrof and StoredIQ’s eDiscovery Preparedness solution make it easy to comply with internal and external regulations through a highly customizable, auditable data topology map of active electronically stored information files and emails that are located on network servers, email servers, content management systems, storage systems and PC’s. By utilizing this solution, organizations in the life sciences industry can respond with unprecedented levels of speed and accuracy to legal discovery and compliance requirements.

Sitrof is extremely pleased with this partnership, as well as being named the exclusive VAR for StoredIQ. Sitrof is confident that StoredIQ’s solution is the industry best for helping organizations make better legal decisions, effectively prepare for Rule 26(f) “meet & confer” conferences, protect against process attacks and sanctions for under-producing, respond quickly and accurately to legal discovery and compliance requirements and reduce risk. Coupled with Sitrof’s experienced implementation team, organizations can expect tremendous cost cutting, pro-active and re-active benefits, such as: automating processes, improving efficiency and dramatically reducing cost.

The StoredIQ eDiscovery Preparedness solution creates a highly customizable, auditable data topology map of active electronically stored information (ESI) files and emails that are located on network servers, email servers, content management systems, storage systems, and PC's. The data topology map is ideal for helping organizations better prepare for FRCP Rule 26(f) conferences. The solution performs a system crawl, collecting all data without disrupting the business. Furthermore, it is deployed and maintained in-house, increasing the level of protection of your organization's sensitive data.

The eDiscovery Process Flow encompasses awareness, early case assessment, data preservation, data topology reporting, meet and confer preparation and review preparation. The on-going, proactive activities are comprised of continually indexing unstructured data; monitoring, viewing and analyzing data; and applying records management policies to reduce the amount of data retained. Awareness includes reasonably anticipating litigation and any formal communications needed for opposing counsels. In the early case assessment phase, relevant data sources are identified and reviewed to recognize source correspondence as well as the scope and amount of data to be collected and preserved. In this phase, email attributes are used to reconstruct threads, and deep attribute and content query functionality are used to identify relevant custodians and custodian relevant data in shared locations. The early case assessment is concluded with collection/preservation tagging to verify one's search results by reviewing relevant metadata, email, and document content. Preservation is an easy, single click process that renders powerful results. In this process chain, custody, authenticity, and original, full-object path information are all preserved and properly maintained in an audit log of the collection. The audit log is maintained by creating a hash value before and after data collection. Data topology reporting creates an auditable map of active ESI files and emails for potentially responsive data, with full analytic reporting. Topology maps and query reports help prepare organizations for the meet and confer phase by compiling all data under preservation, including key word analysis reports across all custodian data. Lastly, key review preparation functionality includes the ability to generate a review load file of all responsive items negotiated in the meet and confer, data de-duplication, container file capabilities, automatic prefixing, automated rolling productions, and load file support for many litigation review platforms.

Clearly this solution eliminates the risks associated with legal discovery, records retention, privacy, security, and illegal and irrelevant content in organizations with unmanaged, unstructured information. Compliance becomes a matter of ease with effective information policy management as well as detailed, reportable knowledge of what information is stored and where it is located. Not only does this solution enable organizations to comply with policies and regulations before litigation, but it also dramatically reduces costs often associated with the discovery of ESI (including document collection from inaccessible locations, massive volume storage, unanticipated legal risk, spoliation risk, quantitative per-document review cost, and document delivery).

If your organization is struggling to keep up with compliance, governance, and legal discovery requirements, please contact Sitrof today for a free on-site assessment.