Progress in Data Security Breach Notification Legislation
We’ve been seeing a trend in the U.S. in which cybersecurity legislation is being passed by states, but not by the federal government. In no area has this been more true than in the case of data security breach notification. California got the proverbial ball rolling with its now well-known State Bill 1386, which in essence required commercial entities that experienced data security breaches involving certain kinds of customer information such as credit card information and banking PINs to promptly notify affected individuals unless the information was encrypted. When this bill was passed it was revolutionary, but by today’s standards it is rather blasé. A stronger data security breach notification law has since been passed in California, and nearly every state within the US now has a law that requires organizations that leak financial and/or personal information to notify those whose information has been compromised.
The plot is getting thicker, however, and Connecticut is the reason. A recently passed law in this state requires every insurance company that does business there to report extrusion of personal data to state authorities within a five calendar day limit, regardless of whether the data were encrypted. This law applies to both hardcopy and electronic versions of personal information. The primary motivation behind the new legislation in Connecticut is a string of medical data compromises in the state. The state’s Attorney General, Richard Blumenthal, broke with the trend last year when he sued an insurance company for HIPAA violations. The company agreed to pay a fine of $250,000 and to improve its data protection measures.
Interestingly, Connecticut’s new law applies only to HMOs, preferred insurance providers, other healthcare insurance providers, casualty and property insurance providers, medical discount organizations, and pharmacy benefit organizations. Hospitals and physicians are excluded. But even though the scope of the legislation is limited, the fact that legislation of this nature is now law within a state is a very significant development. It will serve as an impetus for other states to pass similar legislation, just as California’s SB 1386 statute did several years ago.
Meanwhile, the US government is not standing by idly. An interim rule, the HITECH Act breach notification rule, requires organizations that leak personal and/or financial information belonging to individuals to conduct a risk analysis to determine the degree of harm that could occur to them. If the potential harm is significant, organizations must notify the individuals; otherwise, notification is not required. The potential harm provision of this rule is currently being debated. Customer rights advocates want this provision to be dropped on the grounds that it gives organizations that have been negligent in protecting personally identifiable information the power to determine how much risk there is to potentially affected individuals. If history holds true, these organizations will err on the side of not notifying individuals, because notification costs money and can also lead to embarrassment and loss of reputation.
So Connecticut is leading the way when it comes to mandatory data security breach notification legislation. Which state will be the first to follow Connecticut remains to be seen, but one thing seems certain–others will follow.