DHHS POLICIES AND PROCEDURES

________________________________________________________________________________________________________

Section VIII:	Privacy and Security
Title:	Identity Theft and Security Breach Notification
Current Effective Date:	6/25/08
Revision History:
Original Effective Date:

________________________________________________________________________________________________________

Purpose

In an effort to reduce the risk of exposing its citizens to the possibility of identity theft and to an information security breach, the North Carolina (NC) General Assembly enacted the NC Identity Theft Protection Act which became effective on December 1, 2005. The NC Identity Theft Protection Act is comprised of two (2) statutes, which articulate when “businesses” and state or local governments can collect social security numbers (SSNs) and other identifying information, what they must do if they possess such information, and what notification responsibilities exist if “personal” or “identifying” information is disclosed without valid authorization.

The purpose of the Identity Theft and Security Breach Notification Policy is two-fold:

1. Protect SSNs and other identifying information that DHHS receives, collects, uses, stores, discloses and mails in compliance with North Carolina General Statutes (N.C.G.S.) § 132-1.10; and



2. Outline procedures and protocols for responding to a security breach involving the unauthorized disclosure of unencrypted personal information, in compliance with N.C.G.S. § 132-1.10(c1) and N.C.G.S. § 75-65.

This policy is guided by the following objectives:

• To increase employees’ awareness about the confidential nature of SSNs and other identifying information;
• To reduce the reliance upon SSNs for identification purposes;
• To increase emphasis on the secure use, collection, transmission and storage of SSNs and other identifying information;
• To provide a consistent Department of Health and Human Services (DHHS) policy regarding the collection, usage, storage, transmission, mailing and disclosure of SSNs and other identifying information;
• To increase the confidence of clients and employees that SSNs and other identifying information are maintained in a confidential manner; and
• To institute consistent procedures for determining when a security breach has occurred and whether notice is required.

DHHS is dedicated to ensuring that its divisions and offices protect SSNs and other identifying information of its clients and employees. All DHHS divisions and offices, therefore, must comply with the Identity Theft and Security Breach Notification policy and immediately report any breach of security or compromise of systems containing this type of data to its designated personnel.

Policy

DHHS divisions and offices should request an individual’s identifying information only when required to do so by federal or state law, or at the very minimum, only as necessary to conduct their legitimate business operations. Where the purpose of the identifying information can be satisfied by another personal unique identifier, reduced to the last four digits of the SSN or removed entirely, all DHHS divisions and offices are expected to do so.

Definitions

1. Business: A sole proprietorship, partnership, corporation, association, or other group, however organized and whether organized to operate at a profit. The term includes a financial institution organized, chartered, or holding a license or authorization certificate under [NC law], any other state [law], the United States, or any other country, or the parent or the subsidiary of any such financial institution. Business shall not include any government or governmental subdivision or agency(See N.C.G.S. § 75-61(1)).



2. Collect: To request SSNs and other identifying information from a DHHS client or employee utilizing a paper document or a DHHS system application.



3. Device: Computers and any other equipment or devices that store or display data such as PDAs, smartphones (Treos, Blackberry, Palm devices), copiers, printers, disk drives, diskettes, CDs, or USB (thumb) drives.



4. Disclose: To communicate or make available SSNs, other identifying information, or documents containing SSNs or other identifying information to third parties using verbal, written, or electronic means.



5. Encryption: The use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key (See N.C.G.S. § 75-61(8)).



6. Identifying Information:  N.C.G.S. § 14-113.20(b) includes all of the items listed below.


1. SSNs or employer identification numbers (EINs).
2. Drivers license, state identification card, or passport numbers.
3. Checking and savings account numbers.
4. Credit and debit card numbers.
5. Personal Identification Number (PIN) code, as defined in N.C.G.S. § 14-113.8 (6).
6. Electronic identification numbers, electronic mail names or addresses, Internet account numbers, or Internet identification names.
7. Digital signatures.
8. Any other numbers or information that can be used to access a person’s financial resources.
9. Biometric data.
10. Fingerprints.
11. Passwords.
12. Parent's legal surname prior to marriage.

However, with regard to N.C.G.S. § 132-1.10, “identifying information” does not include the items below:

1. Electronic identification numbers, electronic mail names or addresses, Internet account numbers, Internet identification names.
2. Parent's legal surname prior to marriage, or
3. Drivers license numbers appearing on law enforcement records. (See N.C.G.S. § 132-1.10(b)(5)).


7. Incident: A violation of DHHS computer security policies, acceptable use policies, or standard computer security practices. An adverse event where a NC information technology resource is accessed or used without authorization, attacked or threatened with attack, or used in a manner inconsistent with established policy with the potential to cause the real or possible loss of confidentiality, integrity, or availability of the resource or its information (See NC DHHS Policies and Procedures Manual, Section VIII - Privacy & Security - Security Manual – Glossary Policy).



8. Individual: A DHHS state employee, contractor, or volunteer or a client receiving services provided by DHHS.



9. Personal Information:  A person's first name or first initial and last name in combination with “identifying information,” as defined above in N.C.G.S. § 14-113.20(b). Personal information does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed, including name, address, and telephone number, and does not include information made lawfully available to the general public from federal, state, or local government records (See N.C.G.S. § 75-61(10)).



10. Redaction: The rendering of data so that it is unreadable or is truncated so that no more than the last four (4) digits of the identification number is accessible as part of the data (See N.C.G.S. § 75-61(13)).



11. Security Breach: An incident of unauthorized access to and acquisition of unencrypted and unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to an individual.
    
    Any incident of unauthorized access to and acquisition of encrypted records or data containing personal information along with the confidential process or key shall constitute a security breach.  Good faith acquisition of personal information by an employee or agent of the department for a legitimate purpose is not a security breach, provided that the personal information is not used for a purpose other than a lawful purpose and is not subject to further unauthorized disclosure (See N.C.G.S. § 75-61(14)).



12. Store: To maintain SSNs and other identifying information in a DHHS system application or keep documents containing SSNs and other identifying information in a locked file cabinet for future access and use.



13. Use: To utilize SSNs and other identifying information for some DHHS business purpose.

Implementation

DHHS divisions and offices that maintain SSNs and other identifying information in paper form or electronic media shall adhere to the following procedures with regard to its collection, usage, storage, transmission, mailing and disclosure, in compliance with N.C.G.S. § 132-1.10. They shall also immediately report any breach of security or compromise of systems containing personal information to designated personnel in compliance with N.C.G.S. § 132-1.10(c1) and N.C.G.S. § 75-65.

1. Collection, Usage, Storage, Transmission, Mailing, Disclosure and Destruction


1. Collection:
   
   DHHS divisions and offices shall not collect SSNs unless and until:
1. The collection is authorized by law or imperative for the performance of the agency’s duties and responsibilities as prescribed by law;
2. The collection is relevant to the purpose for which it is collected;
3. The need for the collection has been clearly documented;
4. The SSNs have been segregated on a separate page so they are easy to redact when there is a valid public records request; and
5. A statement of the purpose(s) for which the SSN is being collected and used is provided to the individual, upon their request, at the time of or prior to the division’s or offices’ actual collection of the SSN.
2. Usage:
   
   DHHS divisions and offices shall not use SSNs for any purpose other than the purpose stated in this policy. Usage shall be for a legitimate business purpose, and a duty exists to safeguard this data and prevent unnecessary access thereto.



3. Storage:
   
   DHHS divisions and offices shall first evaluate and determine whether there is a legitimate business need to store SSNs before this data can be stored in DHHS system applications, locked filed cabinets, or other storage containers. DHHS divisions and offices should reduce the SSN to the last four (4) digits, whenever possible, or replace it with a random identification number. When storage of the entire SSN is necessary, DHHS divisions and offices should implement appropriate safeguards to prevent the possibility of employee misuse.



4. Transmission:
   
   All DHHS divisions and offices shall not:


1. Require an individual to transmit a SSN over the Internet unless the connection is secure or the SSN has been encrypted; or
2. Require an individual to use a SSN to access an Internet web site unless a password, unique identification number or other authentication device is also required.


5. Mailing:
   
   All DHHS divisions and offices shall not:


1. Itentionally print or imbed a SSN on any card required to access government services (i.e. Medicaid, food stamps, etc.);
2. Print a SSN on any mailed materials, unless state or federal law requires it;
3. If required, print a SSN (in whole or in part) on a postcard or other mailer not requiring an envelope;
4. Make a SSN visible on an envelope; or
5. Make a SSN visible without the envelope having been opened.


6. Disclosure:
   
   All DHHS divisions and offices may disclose SSNs, other identifying information or documents containing SSNs or other identifying information only in the following instances:


1. Disclose to another governmental entity or its agents, employees, or contractors if disclosure is necessary for the receiving entity to perform its duties and responsibilities.
   
   NOTE: The receiving governmental entity and its agents, employees, and contractors shall maintain the confidentiality of this information.



2. Disclose pursuant to a court order, warrant, or subpoena;
3. Disclose for public health purposes, pursuant to and in compliance with Chapter 130A;
4. Disclose documents where SSNs or other identifying information have been redacted;
5. Disclose SSNs or other identifying information on certified vital records issued by the NC State Registrar or authorized officials, pursuant to N.C.G.S. § 130A-93(c);
6. Disclose any identifying information, other than SSNs, on uncertified vital records; or
7. Disclose SSNs or other identifying information in a recorded document in the official records of the NC Register of Deeds office or in the Courts.


7. Destruction:
   
   All DHHS divisions and offices must take reasonable measures to protect SSNs, and personal information against unauthorized access to or use of the information in connection with or after its disposal.
   
   The reasonable measures may include:
   
   1. The burning, pulverizing or shredding of papers containing SSNs or personal information so this information cannot be practicably read or reconstructed; or
   2. The destruction or erasure of electronic media and other non-paper media containing SSNs or personal information so the information cannot practicably be read or reconstructed.
   
   DHHS divisions or offices may, after due diligence, enter into a written contract with, and monitor compliance by, a third party engaged in the business of record destruction to destroy SSNS or personal information. Due diligence should ordinarily include one or more of the following:
   
   1. Obtaining information about the disposal business from several references or other reliable sources and requiring that the disposal business be certified by a recognized trade association or similar third party with a reputation for high standards of quality review;
      or
   2. Taking other appropriate measures to determine the competency and integrity of the disposal business.
   
   NOTE: It is the department’s preference that the destruction of SSNs and personal information performed by a third party engaged in the business of record destruction occur onsite.
2. Administrative, Physical and Technical Safeguards:
   
   All DHHS divisions and offices that maintain identifying information shall put into place appropriate administrative, physical, and technical safeguards to protect the privacy of such information. All DHHS divisions and offices shall take steps to reasonably safeguard identifying information from intentional or unintentional use or disclosure that is in violation of state law or departmental privacy policies.
   
   1. Administrative Safeguards
      
      All DHHS divisions and offices shall safeguard identifying information that is generated, received, and/or maintained throughout each agency. Identifying information that is transmitted by facsimile (fax) machines, electronic mail (e-mail), printers, copiers, and by telephone or other oral means of communication shall be protected from unauthorized use and disclosure. DHHS divisions and offices shall:
   
   
   1. Address measures to direct the conduct of its staff in relation to the protection of identifying information; and
   2. Develop and implement safeguard procedures.
   
   
   2. Physical Safeguards
      
      All DHHS divisions and offices shall safeguard identifying information that is generated, received, and/or maintained throughout each agency by establishing protections used for furniture, equipment, supplies, records and work areas to prevent unauthorized use or disclosure of identifying information maintained by the agency.
   
   
   
   3. Technical Safeguards
      
      All DHHS divisions and offices shall safeguard identifying information that is generated, received, and/or maintained throughout each agency by addressing technical safeguards used for accessing confidential information maintained in computer systems and other electronic media through identification of staff who need access to electronic data and control of access through the use of unique user identifiers and passwords.
      
      NOTE: For additional guidance on appropriate administrative, physical and technical safeguards, please consult the NC DHHS Policies and Procedures Manual, Section VIII - Privacy and Security, Privacy Manual - Privacy Safeguards Policy.
   
   
3. Security Breach:
   
   N.C.G.S. § 132-1.10(c1) states that “if an agency of the state or its political subdivisions, or any agency or employee of a government agency, experiences a security breach, as defined in Article 2A of Chapter 75 of the G.S., the agency shall comply with the requirements of N.C.G.S. § 75-65.”
   
   The NC General Assembly enacted N.C.G.S. § 75-65 to require “businesses” and state or local governments to give individuals early warning when their personal information has been accessed by an unauthorized person, so they can take steps to protect themselves against identity theft or to mitigate the crime’s impact.
   
   The Identity Theft and Security Breach Notification policy outlines the procedures all DHHS divisions and offices should follow when they report a disclosure or possible disclosure of identifying information. These procedures will include information on to whom a disclosure or possible disclosure of identifying information should be immediately reported, who should be involved in determining if a security breach has occurred and if the affected persons should be notified.


1. Reporting Disclosures or Possible Disclosures Involving Identifying Information:
   
   Any DHHS division, office, or individual who becomes aware of a disclosure or possible disclosure of identifying information shall immediately notify the DHHS Privacy and Security Office (PSO) and provide answers to the following questions, if known:
   
   
   1. What types of identifying information were involved (i.e. SSN, driver’s license, etc.);
   2. Was medical or health information involved;
   3. Was the individual's first name or first initial and last name included;
   4. Was the identifying information in electronic or paper form;
   5. Was the identifying information stolen, lost, misplaced or other; and
   6. Was the information disclosed to the public?
   NOTE: Reporting to the DHHS PSO shall not be delayed for investigative reasons. If definite answers to all of the questions above are not available at the time the disclosure or possible disclosure is immediately reported to the DHHS PSO, the DHHS division or office shall provide the remaining answers no later than three (3) business days after the event has been reported to the DHHS PSO.



2. Designation of an Identity Theft Coordinator:
   
   Since identity theft can involve both privacy and security issues, all DHHS divisions and offices shall designate an employee to serve as their Identity Theft Coordinator. When a disclosure or possible disclosure of identifying information is suspected to have occurred, the Identity Theft Coordinator will be charged with reporting to the DHHS PSO and coordinating the division or office’s investigations with the assistance of the division/office privacy and/or security officials. All DHHS divisions and offices are encouraged to implement their own internal reporting/investigative procedures to ensure all essential personnel are included in the process and events are reported timely.



3. Evaluation and Response to Reported Disclosure:
   
   Once reported, the DHHS PSO, in conjunction with the DHHS Division or Office Identity Theft Coordinator and other necessary staff, will make an initial evaluation to determine the following:


1. If the matter should be reported to the NC Office of Technology Services (ITS) as an “incident”;
2. If the disclosure or potential disclosure involved protected health information or electronic protected health information; and
3. If the disclosure or potential disclosure involved unencrypted and unredacted records or data containing “personal information”.


4. Reporting Security Incidents to the Office of ITS:
   
   All security incidents must be reported to the Office of ITS, Information Security Office, acting on behalf of the NC State Chief Information Officer, and must include the information required on the incident reporting form. DHHS must ensure that all security incidents occurring within the department are reported to the ITS Information Security Office, acting on behalf of the State Chief Information Officer, within 24 hours of incident confirmation (See Statewide Information Security Manual, Chapter 13 - Detecting and Responding to ITS Incidents Standard, Section 01:130101 - Reporting Information Security Incidents).
   
   In order to comply with ITS’ Detecting and Responding to ITS Incidents Standard, DHHS implemented the DHHS Information Incident Management policy, which requires that security incidents classified as severity level 3, 4, or 5 be reported to the DHHS PSO and the division or office Information Security Official (ISO) within a period of 24 hours from the time the incident was discovered (See NC DHHS Policies and Procedures Manual, Section VIII – Privacy and Security, Security Manual, DHHS Information Incident Management policy). The division or office is required to report the incident to the DHHS PSO in accordance with division or office procedures at the following site:
   
   http://www.security.dhhs.state.nc.us/incident/index.php


NOTE: There can be a difference between a security incident reportable to ITS and a security breach reportable to those affected persons. For example, if a DHHS-issued laptop is stolen from a hotel, this event should be reported as a security incident to the DHHS PSO, since an information technology resource has been accessed or used without authorization. Whether this event is also a security breach will depend upon whether the stolen laptop contained personal information (i.e. a type of identifying information together with a person's first name or first initial and last name) and whether the laptop was encrypted. If personal information was present and the laptop not encrypted, this event could be both a security incident and a security breach.

If you are unsure how to report the event, please contact the DHHS PSO for assistance.


5. Reporting Disclosures or Potential Disclosures Involving Protected Health Information:
   
   If a DHHS division or office is a The Health Insurance Portability and Accountability Act (HIPAA) covered health care component and determines that it has disclosed protected health information (PHI) or electronic protected health information (ePHI) without authorization, a HIPAA Privacy incident should be filed, investigated and remediated as required by the Privacy Incident Reporting policy (See DHHS Policies and Procedures Manual, Section VIII – Privacy and Security, Privacy Manual - DHHS Administrative Policies section).



6. Reporting Disclosures or Potential Disclosures Involving Unencrypted and Unredacted Records or Data containing Personal Information:
   
   If, after making an initial evaluation, the DHHS PSO determines that there has been a disclosure or potential disclosure of unencrypted and unredacted records or data containing personal information, the DHHS PSO shall refer the event to the Office of General Counsel to determine whether a security breach has occurred. If the DHHS General Counsel, with assistance from the DHHS PSO and division or office staff, determines that a security breach has occurred, a decision regarding notification of affected persons will be made by the DHHS General Counsel without unreasonable delay.
   
   If it is determined that the security breach may require a press release, the DHHS PSO or the DHHS General Counsel shall notify the Deputy Secretary, the Director of the Office of Public Affairs (PAO), and the division or office Director.
   
   NOTE: There may be instances when overlapping issues arise and divisions or offices are unsure about whether any given event could be considered a security incident, a HIPAA Privacy incident, a security breach or a combination thereof. In these instances, please contact the DHHS PSO for assistance.


4. Duty to Notify the Attorney General’s Office
   
   N.C.G.S. § 75-65(f) requires that in the event DHHS provides notice of a security breach to more than 1,000 persons at one time, it shall notify, without unreasonable delay, the Consumer Protection Division of the NC Attorney General’s Office and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. § 1681a(p), of the timing, distribution, and content of the notice.
   
   If the DHHS General Counsel determines that more than 1,000 persons at one time must be notified, he/she shall notify or delegate the responsibility to notify the Consumer Protection Division of the NC Attorney General’s Office and all consumer reporting agencies, without unreasonable delay.



5. Duty to Report to the General Assembly
   
   N.C.G.S. § 120-270 requires all agencies of the state to evaluate and report to the General Assembly about the agency’s efforts to reduce the dissemination of identifying information, as defined in N.C.G.S. § 14-113.20(b) by December 31^st of each year. The evaluation should include a review of the agency’s public forms, the use of its random personal identification numbers, the restriction of access to its personal identifying information, and the reduction of use of its personal identifying information when it is not necessary. Special attention should be given to the agency’s use, collection, and dissemination of SSNs.
   
   In order to ensure compliance with this statute, the DHHS PSO shall coordinate the evaluation and reporting of the department’s efforts to reduce the dissemination of identifying information.



6. Communications with the Media or Outside Agencies
   
   With the exception of the DHHS PSO, the Office of the General Counsel, and the NC PAO, DHHS employees are not authorized to speak on behalf of the department to media personnel or representatives of other outside agencies concerning security incidents, HIPAA Privacy incidents, or security breaches that have or have not been reported. For more information, please consult the following web site address:
   
   http://info.dhhs.state.nc.us/olm/manuals/dhs/pol-30/man/Media_Policy1.htm.
   
   If you need additional help in understanding the document indicated above, please contact the NC PAO at (919) 733-9190.

Enforcement

The department expects that all employees will comply with all laws, standards, policies, procedures, guidelines and expectations regarding the security of identifying and personal information. Violations of this policy may subject an employee to disciplinary action up to and including dismissal, as well as any potential civil or criminal sanctions under the law.

For questions or clarification on any of the information contained in this policy, please contact DHHS Privacy Officer. For general questions about department-wide policies and procedures, contact the DHHS Policy Coordinator.