Privacy Review for Pharma Vendors - VirSci

Date post: 06-Jun-2020
Page 1

For more information call 215-504-4164 or e-mail [email protected]. © VirSci Corporation. All rights reserved.

Privacy Review for Pharmaceutical Vendors and Solution Providers

John Mack, MS, MPhil
VirSci Corporation
Publisher, Pharma Privacy Watch
www.virsci.com
[email protected]
215-504-4164

Page 2

Agenda

• FTC’s Fair Information Practice Principles, COPPA and HIPAA
• Pharma Privacy Compliance with Fair Information Practice Principles (FIPs)
• Federal CAN-SPAM Law
• Selected State Law Synopses
• Privacy Self-Assessment for Vendors

Page 3

Pharma companies and their agents collect sensitive personal information from consumers through several channels

• Health web sites
• Research
• Rebate programs
• Patient assistance programs
• Targeted marketing programs
• Market research (e.g., focus groups)
• Pharmacy compliance programs

Vendors often assist pharma companies to collect personal consumer data (PCD) or use PCD to carry out educational, marketing, or research programs for pharma clients who expect vendors to have best-in-class privacy and security policies and programs.

Page 4

The more data you collect, the greater the odds that you will have problems with…

GOVERNMENT / CONSUMERS

Consequently, pharma is under pressure to assure that their vendors and information handling partners are privacy certified as a condition for doing business with them. A critical privacy self-assessment is a necessary component of your certification process.

Page 5

Privacy is a major concern, especially among “health seekers”…

• Eighty-nine percent of health seekers on the Internet are concerned that a Web site might sell or give away information about what they did online. (source: Pew Internet & American Life Project survey, 2000)
• Only 14% of online health seekers have a “high level of trust” of Pharmaceutical company or product web sites. (source: 2000 Cyber Dialogue survey commissioned by the Internet Healthcare Coalition and the California Healthcare Foundation)
• Which translates into a profound lack of trust and government regulations.

Pharma companies will increasingly look to vendors who can prove that they can be trusted with sensitive personal consumer information.

Page 6

Fair Information Practice Principles (FIPs)

• Notice/Awareness
• Choice/Consent
• Access/Participation
• Security/Integrity
• Chain of Trust/Onward Transfer
• Enforcement/Redress

Page 7

HIPAA: What is it?

• Health Insurance Portability and Accountability Act of 1996
• Primary purpose is to improve health insurance accessibility for people changing employers or leaving workforce
• Also includes “Administrative Simplification” provisions to protect patient privacy and the security of electronic health data

Page 8

HIPAA: Who is covered?

• Covered Entity (CE)
  – Certain health care providers
  – Health plans
  – Clearing houses
• Business Associate (BA)
  – Performs a function on behalf of a CE that involves the use or disclosure of individually identifiable health information
• In general, pharmaceutical companies are not covered entities subject to HIPAA, but HIPAA is a national floor for medical privacy and is often used as a model for state medical privacy laws applicable to Pharmacos

Page 9

FIP: Personally Identifiable Information (PII)

• (a) a first and last name
• (b) a home or other physical address, including street name and name of city or town
• (c) an email address or other online contact information, such as an instant messaging user identifier or a screen name that reveals an individual’s email address
• (d) a telephone number
• (e) a social security number
• (f) an Internet Protocol (“IP”) address or host name that identifies an individual consumer
• (g) a persistent identifier, such as a customer number held in a “cookie” or processor serial number, that is combined with other available data that identifies an individual consumer
• (h) a facial image viewed in person or via digital or tape medium, or
• (i) any information that is combined with (a) through (h) above.

Page 10

HIPAA: Protected Health Information (PHI)

• A subset of health information, including demographic information collected from an individual, and:
• (1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
• (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) That identifies the individual; or (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Page 11

FIP: Notice/Awareness

Provide consumers clear and conspicuous notice of your information practices (What, Where, Who, When):
  – what information you collect
  – how you collect it (e.g., directly or through non-obvious means such as cookies)
  – how you use it
  – how you provide Choice, Access, and Security to consumers
  – whether you disclose the information collected to other entities
  – whether other entities are collecting information through your site

Question for vendors: What’s the best way to notify consumers about your information collection and handling practices? Should you have a privacy policy on your Web site?

Page 12

HIPAA: Notice of Privacy Practices

Covered entities must provide a “notice of privacy practice” to each patient describing his/her rights regarding protected health information
  – Uses and disclosures of information
  – Rights and choices

Page 13

FIP: Choice/Consent

• Offer consumers choices [Opt In] as to how their personal identifying information is used beyond the use for which the information was provided (e.g., to consummate a transaction). Including:
  – internal secondary uses (such as marketing back to consumers) and
  – external secondary uses (such as disclosing data to other entities).

Question for vendors: Your client asks for demographic information about the consumers in your database. Have you obtained the necessary opt-ins?

Page 14

HIPAA: Authorization

• Authorization from patient is required for use or disclosure of PHI for purposes other than Treatment, Payment, or Operations (TPO)
  – e.g., use of patient data for pharmaceutical marketing as in use of pharmacy data for direct mail advertising by pharmaco

Question for vendors: You are a vendor tasked with assembling patient focus groups for a pharma client. You want to find qualified candidates by solicitation of local physicians. Are you subject to HIPAA regulations? What is a best practice procedure for doing this?

Page 15

FIP: Access/Participation

• Offer consumers reasonable access to the information collected about them, including a reasonable opportunity to
  – review information and
  – to correct inaccuracies or delete information.

Question for vendors: You have PCD in a database. What’s the correct procedure for handling access to your database by consumers?

Page 16

HIPAA: Access

• HIPAA gives patients the right to review their medical records and request modifications. However, physicians are not required to make corrections based on these requests

Page 17

FIP: Security/Integrity

• Must take reasonable steps to protect the security of the information collected from consumers. (FTC)
• Personal information must be relevant for the purposes for which it is to be used. An organization should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current. (EU Safe Harbor)

Page 18

HIPAA: Security Rule

• Covers only electronic PHI
• Required vs. “Addressable”
• Administrative and technical security
• Identification and authorization
• Session controls
• Auditing
• Physical environment
• Training and awareness

Page 19

FIP: Chain of Trust/Onward Transfer

• Entity may transfer information to a third party that is acting as an agent if…
  – the entity enters into a written agreement requiring that the third party provide at least the same level of privacy protection as is required by the relevant principles. (EU Safe Harbor)

Question for vendors: You have several sub-contractors working for you on a pharma client project. Several of them handle PCD. Do you have the necessary provisions in your sub-contractor agreements/contracts to assure that they abide by your privacy and security policies? How should you verify this compliance?

Page 20

HIPAA: Business Associate Contract

• A business associate of a covered entity performs a treatment, payment, or medical operations function on behalf of a covered entity and requires access to PHI
• CE may disclose PHI to a BA if there is a written contractual assurance that the BA will take proper measures to protect PHI
• CE must disclose the “minimum necessary” information for BA to do its job

Page 21

FIP: Enforcement/Redress

• Enforcement approaches include
  – industry self-regulation
  – legislation that would create private remedies for consumers; and/or
  – regulatory schemes enforceable through civil and criminal sanctions.
• FTC enforcement under Section 5 of the FTC Act for unfair and deceptive trade practices. FTC can take action against web site operators who violate their own publicly posted privacy policies

Question for vendors: Can the FTC sue you for unfair business practices if you are working under contract with a pharma company to handle PCD?

Page 22

The Lilly Consent Decree

• Lilly was the first major company to settle an online consumer privacy complaint with FTC
• Settlement announced January 18, 2002
• No immediate monetary penalties, but the company could be subject to fines should it violate the consent order in the future
• Provisions apply to Lilly’s vendors as well
• Serves as a guide to any company interested in implementing an internal privacy compliance program and vendor certification program

Page 23

“All Eli Lilly got was a slap on the wrist. Let's have some real enforcement.”

– Sen. Hollings, sponsor of “Online Personal Privacy Act”

Page 24

HIPAA: Enforcement

• HHS Office of Civil Rights enforces Privacy Rule
• Investigates complaints and resolves complaints or sends on to DOJ
• Civil monetary penalties (OCR)
  – $100 per violation
  – Capped at $25,000 for each calendar year for each identical requirement
• Criminal Penalties (DOJ)
  – Up to $250,000 & 10 years

Page 25

Pharma Online Privacy Policy Analysis

If privacy compliance is good business, how well is the pharmaceutical industry doing?

• Access the publicly available online privacy policies of the top selling Rx products
• Evaluate policy compliance with a select set of Fair Information Practice Principles
• Assign a numerical value of 20 for compliance with each principle and sum up to derive a “Privacy Compliance Score” (MAX=100)
• Rank products according to their Compliance Scores
• Compare to other healthcare industry entities

Page 26

Privacy Compliance Score
Measurable Fair Information Practice Principles

Notice (20 points)
– Who is collecting info (4)
– What info is collected (4)
– When and how info is collected (4)
– How info is used or disclosed to 3rd parties (4)
– Whether or not visitors will be profiled (“cookie” policy) (4)

Choice (20 points)
– Right to opt-in or opt-out (10)
– Right to limit disclosure to business partners, affiliates, and other 3rd parties (10)

Access (20 points)
– Ability to view info submitted voluntarily (10)
– Ability to correct info (10)

Security (20 points)
– Security measures explained (10)
– Different security measures for sensitive data (10)

Chain of Trust (20 points)
– Policy binding on business partners, advertisers, etc. (20)
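The rubric above is easy to apply by hand for one policy, but the analysis in the deck scores twenty products and then ranks and averages them. The following is an added example, not VirSci's scoring tool, that encodes the slide's point values, rejects misspelled criterion names so a typo cannot silently score zero, and produces the ranking and average the methodology slide describes. The criterion key names and the three sample assessments are constructed for illustration; the sample products are hypothetical and do not reproduce the deck's data.

```python
from typing import Dict, List, Tuple

# Scoring rubric taken from the slide: five principles, 20 points each,
# with the per-criterion point values the slide lists. The short criterion
# keys are my own names (an assumption), not identifiers used by VirSci.
RUBRIC: Dict[str, Dict[str, int]] = {
    "Notice": {
        "who_collects": 4,
        "what_is_collected": 4,
        "when_and_how_collected": 4,
        "use_or_disclosure_to_third_parties": 4,
        "profiling_cookie_policy": 4,
    },
    "Choice": {
        "opt_in_or_opt_out": 10,
        "limit_disclosure_to_partners": 10,
    },
    "Access": {
        "view_submitted_info": 10,
        "correct_info": 10,
    },
    "Security": {
        "measures_explained": 10,
        "sensitive_data_measures": 10,
    },
    "Chain of Trust": {
        "binding_on_business_partners": 20,
    },
}
MAX_SCORE = 100


def rubric_is_consistent() -> bool:
    """Each principle must total 20 points and the whole rubric 100."""
    totals = [sum(crits.values()) for crits in RUBRIC.values()]
    return all(t == 20 for t in totals) and sum(totals) == MAX_SCORE


def principle_scores(findings: Dict[str, bool]) -> Dict[str, int]:
    """Points earned per principle from a {criterion: met?} assessment.

    Unknown criterion names are rejected so a typo cannot silently score 0.
    Criteria absent from the assessment count as not met.
    """
    known = {c for crits in RUBRIC.values() for c in crits}
    unknown = set(findings) - known
    if unknown:
        raise ValueError(f"unknown criteria: {sorted(unknown)}")
    return {
        principle: sum(pts for c, pts in crits.items() if findings.get(c, False))
        for principle, crits in RUBRIC.items()
    }


def compliance_score(findings: Dict[str, bool]) -> int:
    """The Privacy Compliance Score: sum over the five principles, MAX=100."""
    return sum(principle_scores(findings).values())


def rank_products(assessments: Dict[str, Dict[str, bool]]) -> List[Tuple[str, int]]:
    """Rank products by score, highest first; ties are broken by name."""
    scored = [(name, compliance_score(f)) for name, f in assessments.items()]
    return sorted(scored, key=lambda t: (-t[1], t[0]))


def average_score(assessments: Dict[str, Dict[str, bool]]) -> float:
    """Group average, the figure used to benchmark against other entity groups."""
    if not assessments:
        raise ValueError("no assessments to average")
    return sum(compliance_score(f) for f in assessments.values()) / len(assessments)


# Constructed sample assessments (hypothetical products, not the deck's data).
SAMPLE_ASSESSMENTS: Dict[str, Dict[str, bool]] = {
    # Policy states every criterion: full marks.
    "Product A": {c: True for crits in RUBRIC.values() for c in crits},
    # Policy gives full notice and an opt-out, but says nothing about
    # access, security, or whether partners are bound by the policy.
    "Product B": {
        "who_collects": True,
        "what_is_collected": True,
        "when_and_how_collected": True,
        "use_or_disclosure_to_third_parties": True,
        "profiling_cookie_policy": True,
        "opt_in_or_opt_out": True,
    },
    # No privacy policy found on the product site at all.
    "Product C": {},
}

if __name__ == "__main__":
    for name, score in rank_products(SAMPLE_ASSESSMENTS):
        print(f"{name}: {score}/{MAX_SCORE}")
    print(f"AVERAGE = {average_score(SAMPLE_ASSESSMENTS):.1f}")
```

Because partial credit within a principle is possible (a Notice statement can earn 12 of 20), `principle_scores` is worth keeping separate from the total: it tells a vendor which principle their policy is losing points on, which is the actionable output of the assessment.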

Page 27

Pharma Privacy Compliance Scores

[Chart: horizontal bar chart of Privacy Compliance Score (0 to 100) per product, two series: Score - 2003 and Score - 2002. Products shown: Augmentin, Paxil, Lipitor, Norvasc, Zoloft, Cipro, Glucophage, Pravachol, Taxol, Prozac, Zyprexa, Claritin, Procrit, Premarin, Risperdal, Prevacid, Epogen, Cozaar, Vioxx, Zocor, Celebrex. Individual bar values are not recoverable from the extracted text.]

Oooh…Not so good!

AVERAGE = 51.4

Page 28

Benchmarking

• Pharma industry compliance scores are at the low end of the spectrum

• Industry self-regulatory programs work

[Chart: Average Privacy Compliance Score (0 to 100) by site category. The extracted values and category labels, paired in the order they appear: PBM Sites 38, PBM NPP 46, Top Rx Brand Sites 51, MD Sites 52, HON Sites 58, URAC Sites 72, Hi Ethics Sites 75, TRUSTe Sites 79.]

Question for vendors: How well does your privacy policy comply with fair information practice principles?

GET A FREE ANALYSIS

Page 29

Children’s Online Privacy Protection Act (COPPA)

• Requires parental consent to collect personal information online from children under the age of 13

• Applies if you “knowingly” collect personal information from children under 13

• Best practice dictates that for any attempt to restrict children under 13 (or 18) from entering personal information, the site should NOT use methods that could encourage age falsification

Page 30

To improve our service to you, please provide us with some information about yourself. This information will not be used for any other purpose.

Name
Email Address
Street
City  State  Zip
Age: 6-10  11-18  19-35  36-50  51-65  66+

What’s Wrong With This?

Page 31

Federal CAN-SPAM Act
• “Controlling the Assault of Non-Solicited Pornography and Marketing”
• Effective January 2004

• Some provisions may apply to all commercial e-mail, including permission-based, opt-in e-mail
– B2B e-mail (e.g., e-detailing msgs)
– One-to-one commercial e-mail (e.g., e-mail from sales rep to physician)
– B2C e-mail (e.g., newsletters, product announcements, compliance messages, etc.)

Question for vendors: You manage an opt-in e-mail marketing newsletter for consumers for a pharma client. Is your program subject to CAN-SPAM? Are you liable for any violations of this law in relation to the program?

Page 32

Some CAN-SPAM Act Provisions

• Opt-out must be honored within 10 business days

• Clearly identify e-mail as advertisement unless opt-in

• Bans use of deceptive subject lines

• Include valid postal address of “sender”

• ISPs and attorneys general can sue, not individuals

Page 33

CAN-SPAM Act – Pharma Challenges

• Presents some challenges to Pharma, especially with regard to vendor-assisted e-mail marketing campaigns
– Who is the “sender”?
– Maintenance of Opt-out (suppression) lists

• Requires clarification from FTC
– Define “primary purpose”
– Use of identifiers in subject line (e.g., “ADV”). Not required if opt-in.
– FTC will not implement a “do-not-spam” list

Page 34

State Laws – Texas

• Texas Medical Privacy Act (SB 1136)
– Effective January 1, 2004
– Purpose: “to extend application of the federal privacy standards regarding marketing communications to anyone that comes into possession of protected health information, and to impose stricter standards related to certain product-specific communications that encourage a change in prescription drugs or prescription medical devices.”

Question for vendors: Are you subject to this law?

Page 35

SB 1136 (cont’d)

• Requires clear and unambiguous permission in written or electronic form to use or disclose protected health information for any marketing communication
– e.g., making a product-specific written communication to a Texas consumer that encourages a change in products is considered marketing regardless of whether or not it can be justified as treatment or case management. Defines “product” as “a prescription drug or prescription medical device.”

Page 36

SB 1136 (cont’d)

• If using PHI to send marketing information by mail, envelope must not include certain information (e.g., medical condition)

• Requires removal of a person's name from a mailing list not later than the 45th day after the date request is received (was 5th day)
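The CAN-SPAM slides flag maintenance of opt-out (suppression) lists as a vendor challenge, and the Texas SB 1136 slide adds a second clock for postal mailing lists. The following is an added example, not code from VirSci or the deck, of how a vendor-side suppression list can track both deadlines, suppress an address from the moment the request arrives rather than at the deadline, and report requests that were honored late or not at all. It assumes a simplified mapping of "email" requests to the 10-business-day CAN-SPAM rule and "postal" requests to the 45-day SB 1136 rule, does not model public holidays, and uses constructed hypothetical addresses.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Deadlines as stated on the slides: CAN-SPAM opt-outs honored within
# 10 business days; Texas SB 1136 removal from a mailing list no later than
# the 45th day after the request is received.
CAN_SPAM_OPT_OUT_BUSINESS_DAYS = 10
SB1136_MAIL_REMOVAL_DAYS = 45


def add_business_days(start: date, business_days: int) -> date:
    """Advance by Monday-to-Friday days. Public holidays are not modelled
    (assumption); a production list would load a holiday calendar."""
    current, remaining = start, business_days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday=0 ... Friday=4
            remaining -= 1
    return current


def opt_out_deadline(received: date, channel: str) -> date:
    """Last day on which honoring the request is still on time.
    Mapping "email" to CAN-SPAM and "postal" to SB 1136 is a simplification."""
    if channel == "email":
        return add_business_days(received, CAN_SPAM_OPT_OUT_BUSINESS_DAYS)
    if channel == "postal":
        return received + timedelta(days=SB1136_MAIL_REMOVAL_DAYS)
    raise ValueError(f"unknown channel: {channel}")


def normalise(address: str) -> str:
    """Case- and whitespace-insensitive key so 'Reader@X.com' matches 'reader@x.com'."""
    return address.strip().lower()


@dataclass
class OptOutRequest:
    address: str                      # normalised e-mail address or postal-record key
    channel: str                      # "email" or "postal"
    received: date
    honoured: Optional[date] = None   # date the last sending system was updated


@dataclass
class SuppressionList:
    """One list shared by the pharma client and every vendor sending on its behalf."""
    requests: Dict[str, OptOutRequest] = field(default_factory=dict)

    def record(self, address: str, channel: str, received: date) -> date:
        """Log a request (keeping the earliest date if repeated) and return its deadline."""
        key = normalise(address)
        if key not in self.requests or received < self.requests[key].received:
            self.requests[key] = OptOutRequest(key, channel, received)
        req = self.requests[key]
        return opt_out_deadline(req.received, req.channel)

    def mark_honoured(self, address: str, on: date) -> None:
        self.requests[normalise(address)].honoured = on

    def is_suppressed(self, address: str) -> bool:
        """Suppress from the moment the request arrives, not only at the deadline."""
        return normalise(address) in self.requests

    def filter_recipients(self, recipients: List[str]) -> List[str]:
        """Pre-send check every campaign list must pass through."""
        return [r for r in recipients if not self.is_suppressed(r)]

    def overdue(self, as_of: date) -> List[str]:
        """Requests not honored by their deadline: honored late, or still open past it."""
        out = []
        for key, req in self.requests.items():
            deadline = opt_out_deadline(req.received, req.channel)
            if req.honoured is None:
                if as_of > deadline:
                    out.append(key)
            elif req.honoured > deadline:
                out.append(key)
        return sorted(out)


def build_sample_list() -> SuppressionList:
    """Constructed sample data (hypothetical addresses, not real recipients)."""
    sl = SuppressionList()
    sl.record("Reader@Example.com", "email", date(2004, 1, 2))    # a Friday
    sl.record("postal:patient-0001", "postal", date(2004, 1, 2))
    return sl


if __name__ == "__main__":
    sl = build_sample_list()
    print(sl.filter_recipients(["reader@example.com", "other@example.com"]))
    print("overdue as of 2004-01-20:", sl.overdue(date(2004, 1, 20)))
```

The design choice worth noting is that `is_suppressed` ignores the deadline entirely: the 10-business-day and 45-day windows bound how long propagating the request may take, but nothing in the provisions requires a vendor to keep sending until the window closes, and a single shared list answers the "who is the sender" problem for the suppression side by making every party send against the same data.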

Page 37

State Laws – California
• Online Privacy Protection Act (OPPA)

– Affects every business that has a web site collecting information on-line

– Operator “shall conspicuously post its privacy policy on the Web site”

– Identify categories of information collected and entities with whom information is shared

– State whether operator reserves right to change policy without notice

– Operator must keep old versions of privacy policies and make them available on request up to five years

Page 38

State Laws – California (cont’d)

• Security Breach Information Act (SB 1386)
– Effective July 2003
– Requires companies to disclose any security breach to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person

• Physician Prescribing Practices Act (AB 262)
– Dead… for now
– Would have established physician “do not call” list regarding use of prescribing data

Page 39

Privacy Best Practices
• Have one consistent corporate privacy policy
– helps to have a privacy officer to enforce across all brands

• Comply with Fair Information Practice Principles
– develop and implement practical written procedures for the collection of and access to information
– implement appropriate physical, technical, and administrative security measures
– move towards EU Safe Harbor and/or HIPAA as best practice

• Make sure your information collection practices comply with your policy

Page 40

Information Security Program

• Designate appropriate personnel to coordinate and oversee the program

• Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of personal information

• Address these risks … whether performed by employees or agents, including:
– management and training of personnel
– information systems for the processing, storage, transmission, or disposal of personal information
– prevention and response to attacks, intrusions, unauthorized access, or other information systems failures

Page 41

Privacy Self Certification Assessment

• Do you have written Standard Operating Procedures (SOPs)?
– Restrict access to PII to employees based on need
– Restrict use of PII only for purposes allowed by data subject
– Protect PII from external threats
– Secure storage and transfer of PII
– Subcontractors protect PII in equivalent manner
– Train all employees, temporary workers, and subcontractors that have access to PII

Page 42

Privacy Self Certification Assessment

• SOPs should cover all data collection methods
– E-mail campaigns
– Websites
– BRCs
– Mail or Call Center Inquiry
– Coupon/Rebate Program

• Written procedures to handle opt-out requests from any source listed

Page 43

Privacy Self Certification Assessment

• SOPs for secure access to PII
– Segregate individuals who “use” PII from those who “administer” databases
– Password control
– Termination of access
– Encryption

• Data Subject Access
– How do you provide access? Via secure Web site? Phone? Mail?
– How do you validate the identity of the person requesting access?
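Two of the "secure access to PII" SOP items above, segregating PII users from database administrators and terminating access, are only as good as the check that verifies them. The following is an added example, not part of the deck or any VirSci tool, of a periodic access audit over an account export: it lists accounts that hold both a PII-use role and a database-administration role, and accounts of people already terminated that still hold any role. The role names, the `Account` shape, and the sample accounts are constructed assumptions; a real audit would read them from the directory or database of record.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional

# Hypothetical role names (assumption). The slide's distinction is between
# people who "use" PII and people who "administer" the databases holding it.
PII_USER_ROLES: FrozenSet[str] = frozenset({"pii_user", "call_center_agent"})
DB_ADMIN_ROLES: FrozenSet[str] = frozenset({"db_admin", "dba_backup_operator"})


@dataclass(frozen=True)
class Account:
    user: str
    roles: FrozenSet[str]
    terminated_on: Optional[date] = None   # HR termination date, if any


def segregation_violations(accounts: List[Account]) -> List[str]:
    """Users who both use PII and administer the databases that hold it."""
    return sorted(
        a.user for a in accounts
        if a.roles & PII_USER_ROLES and a.roles & DB_ADMIN_ROLES
    )


def terminated_with_access(accounts: List[Account], as_of: date) -> List[str]:
    """People terminated on or before `as_of` whose account still holds any role.

    An empty role set is treated as revoked access; a disabled-but-privileged
    account still appears here, because a re-enable would restore the access.
    """
    return sorted(
        a.user for a in accounts
        if a.terminated_on is not None and a.terminated_on <= as_of and a.roles
    )


def access_audit(accounts: List[Account], as_of: date) -> Dict[str, List[str]]:
    """Findings for the two SOP items, keyed by finding type."""
    return {
        "segregation": segregation_violations(accounts),
        "terminated_with_access": terminated_with_access(accounts, as_of),
    }


# Constructed sample export (hypothetical users and dates).
SAMPLE_ACCOUNTS: List[Account] = [
    Account("alice", frozenset({"pii_user"})),
    Account("bob", frozenset({"db_admin"})),
    Account("carol", frozenset({"pii_user", "db_admin"})),          # uses and administers
    Account("dave", frozenset({"call_center_agent"}),
            terminated_on=date(2004, 1, 15)),                        # left, never revoked
    Account("erin", frozenset(), terminated_on=date(2004, 1, 10)),   # left, properly revoked
]

if __name__ == "__main__":
    for finding, users in access_audit(SAMPLE_ACCOUNTS, date(2004, 2, 1)).items():
        print(f"{finding}: {users or 'none'}")
```

Running the audit on a schedule, and again on every termination notice, turns the two SOP bullets into evidence a client or auditor can inspect, which is what the self-certification assessment is asking for.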

Page 44

Privacy Self Certification Assessment

• Storage of hardcopies (e.g., BRCs, Faxes) of PII
– Is your office secure at all times or only locked after hours?
– Do you store documents containing PII in locked drawers or file cabinets?
– What happens to hardcopies after PII entered into databases?

Page 45

Privacy Self Certification Assessment

• Security of PII
– Are databases containing PII secured behind a firewall?
– Do you use intrusion detection software?
– Do you monitor unauthorized internal access?
– Do you have virus detection software in place and updated frequently?
– Do you have an incident response SOP in place and are relevant employees trained on it?
– How often do you perform a vulnerability assessment and how do you address findings?

Page 46

Privacy Self Certification Assessment

• Other Questions
– Do you have a Business Continuity Plan (BCP)? e.g., off-site backup and recovery.
– Do you perform quality assurance checks? i.e., How do you verify that communications to a data subject contain only information about that person and not anyone else?
– Do you allow temporary storage of PII by employees or contractors for use off-site? e.g., disks, etc.

Page 47

Useful URLs

• VirSci Corporation
– www.virsci.com

• Safe Harbor
– http://www.export.gov/safeharbor/

• HIPAA
– http://aspe.hhs.gov/admnsimp/Index.htm

• COPPA
– http://www.ftc.gov/bcp/conline/pubs/buspubs/coppa.htm

• State Privacy Laws
– http://www.epic.org/privacy/consumer/states.html

