Header graphic for print
Privacy Law Blog

Category Archives: Security Breach Notification Laws

Subscribe to Security Breach Notification Laws RSS Feed

HHS Announces New Patient Privacy and Security Protections

Posted in HIPAA, Medical Privacy, Mobile Privacy, Privacy Litigation, Security Breach Notification Laws, Uncategorized

On January 17, 2013, U.S. Department of Health and Human Services Secretary Kathleen Sebelius announced the final omnibus rule that among other things (1) increases patient privacy protections; (2) provides individuals with new rights to receive a copy of their electronic medical record in an electronic form;  and (3) provides individuals with the right to… Continue Reading

Is data breach notification compulsory under French law?

Posted in Data Breaches, Data Privacy Laws, Electronic Communications, European Union, Security Breach Notification Laws

On May 28th, the Commission nationale de l’informatique et des libertés (“CNIL”), the French  authority responsible for data privacy, published guidance on breach notification law affecting electronic communications service providers.   The guidance was issued with reference to European Directive 2002/58/EC, the e-Privacy Directive, which imposes specific breach notification requirements on electronic communication service providers. French legislator recently amended… Continue Reading

Veto, Veto, Pass! New Governor Means New Breach Notification Law in California

Posted in California, Security Breach Notification Laws

On Wednesday, August 31, 2011, California became the third state this year to amend its existing security breach notification law when Governor Jerry Brown signed into law Senate Bill 24 (“SB 24″). SB 24′s specific changes, while far from sweeping, include the addition of content requirements for notice letters to individuals and a requirement to send a sample letter to the state’s attorney general if more than 500 people are affected by a breach. SB 24 won’t add much to most nationwide breach response plans, but will up the ante for those doing business primarily (or exclusively) in California.

“Illinois-ed” About the Lack of Useful Information in Breach Notices? Illinois Amends Breach Notice Law to Specify Notice Content, Cooperation

Posted in Security Breach Notification Laws

On August 22, Illinois Governor Pat Quinn signed House Bill 3025 into law. In doing so, he aligned Illinois with a small group of states responding to increased concern about privacy and information security by retooling their existing information security breach notification frameworks. HB3025, in particular, amends the state’s breach notification law to specify both the types of information that should be provided to notice recipients and the breach notice obligations of service providers that maintain or store, but don’t own or license, personal information about Illinois residents.

Breach Notification Obligations In All 50 States?

Posted in Security Breach Notification Laws

Did you know there are breach notification obligations in all 50 states (effective 9/2012), even though only 46 states have adopted them?  How could that be, you ask?  Because Texas said so.  (Does that surprise you?) Texas recently amended its breach notification law so that its consumer notification obligations apply not only to residents of… Continue Reading

HHS and FTC Announce New Breach Notification Rules for Unsecured Protected Health Information

Posted in Data Breaches, Medical Privacy, Security Breach Notification Laws

On August 24 and 25, 2009, the Department of Health and Human Services (“HHS”) and the Federal Trade Commission (“FTC”), respectively published rules on when and how covered entities regulated by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and vendors of personal health records (“PHR”) must notify individuals of security breaches concerning… Continue Reading

Show-Me State Finally Shows Its Residents a Data Breach Notification Law, Other States (TX, NC, ME) Make Changes

Posted in Security Breach Notification Laws

Missouri: HB 62 includes many provisions that are similar to other state laws requiring notice to individuals when the security of their personal information has been compromised. For example, HB 62 includes a “material risk of harm” trigger. In other words, a business is not required to notify Missouri residents if, after an appropriate investigation or consultation with relevant law enforcement authorities, the business determines that identity theft is not likely to result from the breach. In addition, a business is not required to notify state residents if the personal information compromised was encrypted. Like some other state laws, HB 62 also requires notice to the Missouri Attorney General and national consumer reporting agencies if more than 1,000 Missouri residents are notified, and allows the Attorney General to seek actual damages or civil penalties from persons that fail to comply with the law.

Decrypting HHS Guidance on Breach Notification and Security under the HITECH Act: NIST, FIPS, and More

Posted in Medical Privacy, Security Breach Notification Laws

Two months after Congress mandated notification for the breach of unsecured protected health information (PHI), the Secretary of Health and Human Services (HHS) defined what it means to be “unsecured.” As required by Section 13402 of the HITECH Act, H.R. 1, 111th Cong. (1st Sess. 2009) (which was part of the American Recovery and Reinvestment Act of 2009), the Secretary issued guidance and a request for comments on the technologies and methodologies rendering information unusable, unreadable or indecipherable. 74 Fed. Reg. 19006 (Apr. 27, 2009) (to be codified at 45 C.F.R. pts. 160, 164).

Seven Days Is All She Wrote . . .

Posted in Security Breach Notification Laws

As our readers know, many of the 44 state data breach notification laws allow for (and may even require) a brief delay in notifying affected individuals of the breach if that notification would interfere with or impede a law enforcement investigation. Last week, the governor of Maine amended that state’s data breach notification law. The amendment clarifies that notification may be delayed for no longer than 7 business days after a law enforcement agency determines that the notification will not compromise a criminal investigation.

Third Time’s a Charm for “Data Accountability and Trust”? Federal Breach Notification Bill Introduced in the House. Again. This Time With Data Security Provisions.

Posted in Security Breach Notification Laws

On April 30, 2009, Representative Bobby Rush (D-Ill) introduced H.R. 2221, the Data Accountability and Trust Act. The bill is nearly identical to H.R. 958, introduced by Rep. Rush in the 110th Congress, and is similar to the Data Accountability and Trust Act, introduced by Rep. Stearns (R-FL) in the 109th Congress. Of course, the newest “Data Accountability and Trust Act” is only the most recent of dozens of bills proposed over the last several years that would implement uniform federal breach notification requirements and preempt the 44 state laws requiring notification. Rep. Rush’s latest bill also includes data security provisions and would preempt the growing number of state laws imposing such requirements.

Will Congress Enact Data Security Breach Provisions This Year – ? Guess What, It Already Has

Posted in Medical Privacy, Security Breach Notification Laws

By Jeffrey D. Neuburger and Sara Krauss Congress has been dithering over the adoption of a federal data security breach notice law for the last several years without coming to an agreement on a national standard for reporting breaches in the security of personal and financial data, but on February 17, data breach notice provisions… Continue Reading

Northern Disclosure: Alaska Enacts 44th State Breach Notification Law

Posted in Security Breach Notification Laws, Security Freeze

Alaska passed a breach notification law in June, making it state number 44 to do so. As most are aware by now, Alaska’s new law, Alaska Stat. § 45.48.010 et seq., includes breach notification requirements, restrictions on use of Social Security numbers, and allows consumers to place a security [deep] freeze on their credit reports. Notification of a breach is not required if, after an appropriate investigation and written notification to Alaska’s attorney general, the covered entity determines that there is not a reasonable likelihood that harm to consumers has resulted or will result from the breach. By popular demand, following is our updated list of security breach notification laws.

Iowa Enacts 43rd State Breach Notification Law

Posted in Security Breach Notification Laws

On May 9, 2008, Iowa Governor Chester Culver signed legislation (SF 2308) requiring any person who owns or licenses computerized data that includes a consumer’s personal information to give notice of a breach of security. The law does not require notification if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach. Following is an updated list of the 43 state security breach notification laws (plus District of Columbia and Puerto Rico).

More Breach Notification Laws — 42 States and Counting

Posted in Security Breach Notification Laws

Virginia, West Virginia, and South Carolina are the latest states to pass data breach notification laws, bringing to 42 the total number of states with such laws on the books (including the one state with a law that applies only to public entities, Oklahoma). Listed below are the 41 states with laws that apply to private entities (plus the District of Columbia and Puerto Rico).

Updated Breach Notification Laws

Posted in Security Breach Notification Laws

Following is an updated list of citations to state data breach notification laws. We also note that as of January 1, 2008, California’s data breach notification law, Civil Code § 1798.82, will include "medical information" and "health insurance information" in the definition of personal information. Also, any business "maintained for the purpose of managing medical… Continue Reading

Governor Schwarzenegger Says No to California A.B. 779

Posted in Security Breach Notification Laws

On Saturday, California Governor Arnold Schwarzenegger vetoed AB 779, legislation that would have amended California’s landmark data security breach legislation. The bill would have been the first to follow law enacted by Minnesota earlier this year and effective August 1, 2007, that amended Minnesota’s security breach notification law by, among other things, prohibiting businesses from retaining certain payment card data after authorization of a transaction.

Breach Law Data

Posted in Identity Theft, Security Breach Notification Laws

We thought it might be helpful to provide citations to the 37 state (plus D.C. and Puerto Rico) breach notification laws that cover private entities (Oklahoma’s law, that only addresses state agencies, is not included). We also provide links, or uploaded copies, where available.

Consumer Unable to Demonstrate Injury Based on Credit Monitoring Costs in Data Breach Case

Posted in Identity Theft, Security Breach Notification Laws

A recent decision from the Southern District of Ohio echoes prior decisions of district courts addressing negligence claims against companies that have experienced a data breach. The court held that the cost of obtaining credit monitoring services does not count as damages without evidence of identity fraud. Kahle v. Litton Loan Servicing LP, case no. 1:05cv756.

In Response To TJX Data Breach, One State Enacts Legislation Imposing New Security and Liability Obligations; Similar Bills Pending in Five Other States

Posted in Security Breach Notification Laws

Lawmakers in six states have responded quickly to the massive data breach at TJX Companies, Inc. with various bills designed to strengthen merchant security and/or render companies liable for third party companies’ costs arising from data breaches. These latest bills – introduced in California, Connecticut, Illinois, Massachusetts, Minnesota and Texas – represent a new front of… Continue Reading