Multiple new statutes and rules are imposing deadlines on businesses and organizations that hold sensitive personal data records. These deadlines are fast approaching or have already passed. Failure to comply with new regulations may result in sanctions or provide ammunition for plaintiffs who bring suit alleging negligent protection of private personal data.
HIPAA Privacy and Security Rules/HITECH:
In 2009, Congress enacted the HITECH Act, amending HIPAA Privacy and Security Rules. The HITECH rules are now in full effect and organizations that are Covered Entities or Business Associates are obliged to comply. Under the amended rules, "Business Associates" must, among other things, designate a HIPAA security officer, conduct a written risk analysis as to potential risks and vulnerabilities to confidential, protected health information that the Business Associate holds, establish policies and procedures for the implementation of the HIPAA Security Rules, and provide security awareness and training for the workforce. As of February 22, 2010, Health and Human Services ("HHS") will impose sanctions on Business Associates for breaches of confidentiality of personal health information that violate these data security rules.
FTC Identity Theft Red Flag Rules:
The FTC's Red Flag Rules become effective June 1, 2010. The rules require financial institutions and creditors with "covered accounts" to create and implement an identity theft prevention program that identifies and addresses the "red flags" of identity theft, takes into account the nature of the covered entity’s business and the risks at issue, and is updated periodically.
Whether a business or organization is a creditor under the Rules will require a case-by-case analysis based on its activities, not its industrial classification. The rules define a "creditor" as any business that regularly extends, renews or continues credit, participates in the decision to extend credit or defers payment for goods or services and bills customers later. It is a very broad definition.