Security Breach Notification Laws

On January 17, 2013, U.S. Department of Health and Human Services Secretary Kathleen Sebelius announced the final omnibus rule that among other things (1) increases patient privacy protections; (2) provides individuals with new rights to receive a copy of their electronic medical record in an electronic form;  and (3) provides

On May 28th, the Commission nationale de l’informatique et des libertés (“CNIL”), the French  authority responsible for data privacy, published guidance on breach notification law affecting electronic communications service providers.   The guidance was issued with reference to European Directive 2002/58/EC, the e-Privacy Directive, which imposes specific breach notification requirements on electronic communication service providers.

French legislator recently amended Article 34 of the Data Protection Act to reflect the EU e-Privacy Directive’s breach notification requirement.According to Article 34 of the French data protection law (as revised), the notification obligations are applicable if:

  • Personal data is processed;
  • By an electronic communications service provider;
  • During the course of its business of providing electronic communications services (e.g. telephone service or internet access)

On Wednesday, August 31, 2011, California became the third state this year to amend its existing security breach notification law when Governor Jerry Brown signed into law Senate Bill 24 (“SB 24”). SB 24’s specific changes, while far from sweeping, include the addition of content requirements for notice letters to individuals and a requirement to send a sample letter to the state’s attorney general if more than 500 people are affected by a breach. SB 24 won’t add much to most nationwide breach response plans, but will up the ante for those doing business primarily (or exclusively) in California.

On August 22, Illinois Governor Pat Quinn signed House Bill 3025 into law. In doing so, he aligned Illinois with a small group of states responding to increased concern about privacy and information security by retooling their existing information security breach notification frameworks. HB3025, in particular, amends the state’s breach notification law to specify both the types of information that should be provided to notice recipients and the breach notice obligations of service providers that maintain or store, but don’t own or license, personal information about Illinois residents.

Did you know there are breach notification obligations in all 50 states (effective 9/2012), even though only 46 states have adopted them?  How could that be, you ask?  Because Texas said so.  (Does that surprise you?)

Texas recently amended its breach notification law so that its consumer notification obligations apply not only to residents of Texas, but to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.  Texas’s amended law (H.B. 300) specifically requires notification of data breaches to residents of states that have not enacted their own law requiring such notification (that is, Alabama, Kentucky, New Mexico and South Dakota). 

On August 24 and 25, 2009, the Department of Health and Human Services (“HHS”) and the Federal Trade Commission (“FTC”), respectively published rules on when and how covered entities regulated by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and vendors of personal health records (“PHR”) must notify

Missouri: HB 62 includes many provisions that are similar to other state laws requiring notice to individuals when the security of their personal information has been compromised. For example, HB 62 includes a “material risk of harm” trigger. In other words, a business is not required to notify Missouri residents if, after an appropriate investigation or consultation with relevant law enforcement authorities, the business determines that identity theft is not likely to result from the breach. In addition, a business is not required to notify state residents if the personal information compromised was encrypted. Like some other state laws, HB 62 also requires notice to the Missouri Attorney General and national consumer reporting agencies if more than 1,000 Missouri residents are notified, and allows the Attorney General to seek actual damages or civil penalties from persons that fail to comply with the law.