The Privacy Shield data transfer pact finally received the green light from U.S. and EU privacy regulators, and businesses can begin registering to comply with the framework Aug. 1. Also in recent GRC news: The SEC calls for better transparency for brokers’ order routing practices, and a University of Mississippi hospital is fined $2.75 million for violating HIPAA security rules.
With Privacy Shield finalized, companies are urged to act quickly
The U.S. and the European Commission have greenlighted Privacy Shield, the data transfer agreement that replaces the Safe Harbor framework. Companies can start registering for Privacy Shield on Aug. 1. Experts told the Wall Street Journal that the finalization of the deal could alleviate uncertainty for thousands of businesses that relied on Safe Harbor for legal guidance as they moved business and customer data across the Atlantic. Privacy Shield contains more robust provisions than Safe Harbor, such as increased limits on U.S. companies regarding access to European data and remediation rights for individuals. Privacy regulators will review the framework every year to ensure that it remains effective.
There are aspects of Privacy Shield that will work in favor of companies that adopt the framework, data transfer experts told WSJ. One way it benefits companies is that the Privacy Shield provisions are consistent with the principles of the EU’s General Data Protection Regulation (GDPR), a new law that overhauls how EU citizens’ data is handled. Businesses that are already enacting compliance processes around Privacy Shield can use those endeavors to comply with GDPR. Another benefit is that companies that sign up for Privacy Shield within two months of Aug. 1 receive a grace period of nine months to achieve compliance with the framework.
SEC proposes greater disclosure of order routing practices
The U.S. Securities and Exchange Commission (SEC) has proposed rules that would require brokers to disclose standardized data about their order routing practices. This data includes possible conflicts of interest with their clients, how well they executed their customers’ orders and the average rebate a broker firm received for its orders; the data would be published in aggregated reports on the SEC’s website.
Critics of the current standards say investors lack sufficient details on where their orders are being sent and why. “This proposal should provide investors with an important new tool to better assess whether a broker-dealer’s order routing practices are consistent with their investment objectives,” SEC chairperson Mary Jo White said in a public statement.
U-Miss hospital to pay $2.75 million fine for HIPAA infraction
The University of Mississippi Medical Center (UMMC) will pay the Office for Civil Rights (OCR), part of the U.S. Department of Health and Human Services, a $2.75 million fine for HIPAA violations. An OCR investigation found that the hospital had been aware of vulnerabilities affecting electronic protected health information (ePHI) since at least 2005, but didn’t take any meaningful action to reduce or remove the risk until after a laptop was stolen in 2013. The OCR also found that health data were susceptible to unauthorized access through UMMC’s wireless network because users were able to access an active directory holding the ePHI of 10,000 patients. The OCR’s findings showed UMMC was in violation of the HIPAA Security Rule’s requirements for safeguarding ePHI.
UMMC will enter into a resolution agreement and a three-year corrective action plan with the OCR. The resolution agreement states that the hospital failed to enact the security measures required to remain HIPAA-compliant, particularly with regard to reducing data vulnerabilities and notifying patients whose ePHI had been exposed. UMMC accepted the OCR’s resolution agreement, but noted that the acceptance does not constitute an admission of liability by the hospital.