Veto, Veto, Pass! New Governor Means New Breach Notification Law in California

On Wednesday, August 31, 2011, California became the third state this year to amend its existing security breach notification law when Governor Jerry Brown signed into law Senate Bill 24 (“SB 24”). Interestingly, the bill also marks the third time (in three years) that a bill attempting to beef up the state’s breach notice law has landed on the Governor’s desk. Former Governor Arnold Schwarzenegger vetoed the previous two. SB 24’s specific changes, while far from sweeping, include the addition of content requirements for notice letters to individuals and a requirement to send a sample letter to the state’s attorney general if more than 500 people are affected by a breach.

Like HB 3025 enacted in Illinois (see our post here), SB 24 won’t add much to most nationwide breach response plans. The amendments will, however, up the ante for those doing business primarily (or exclusively) in California. As of January 1, 2012, breach notifications to California residents must be written in “plain English” and include at least the following elements:

  • The date of the notice
  • The name and contact information of the person reporting a breach
  • A list of the types of personal information likely impacted
  • If the breach exposed a social security number or a driver’s license or California identification card number, the toll-free telephone numbers and addresses of the major credit reporting agencies

In addition, the notice must include the following information if such information is possible to determine before sending the notice:

  • The date, estimated date, or date range of the breach
  • Whether notification was delayed as a result of a law enforcement investigation
  • A general description of the breach incident

Finally, notices may include, at the discretion of the person reporting a breach, any of the following:

  • Information about what the person or business has done to protect individuals whose information has been breached
  • Advice on steps that the person whose information has been breached may take to protect himself or herself

SB 24 requires any person who notifies more than 500 California residents as a result of a single breach to “electronically submit a single sample copy of [the applicable] security breach notification, excluding any personally identifiable information, to the Attorney General.” Oh yeah, and section 2(e) of SB 24 also specifically provides that a HIPAA-covered entity will be deemed to have complied with the state’s notice requirements if it has complied completely with Section 13402(f) of the federal HITECH Act. For more on that law, see our blog post here.

If you’re thinking, “obviously we’re going to write the notice in ‘plain English’ and date it,” we’re with you. Like we said, SB 24 probably won’t add much to your nationwide breach response plans. But even if the requirements seem a bit odd, you still have to comply with them! Forewarned is forearmed.

You, NOT the Newspapers, Should Report a Breach: WellPoint to Pay $100,000 to Indiana AG for Delayed Breach Notification

On July 5, 2011, Indiana Attorney General Greg Zoeller announced a settlement with health insurer WellPoint, Inc. The settlement resolves allegations that the company failed to promptly notify the Attorney General’s office of a data breach as is required by the Indiana Disclosure of Security Breach Act. As part of the settlement, WellPoint will pay a fine of $100,000 and provide certain identity-theft-prevention assistance to consumers affected by the breach. Interestingly, the settlement includes an admission by WellPoint that the company failed to comply with the law by not notifying Zoeller’s office “without unreasonable delay.”

The data breach out of which the Attorney General’s investigation, lawsuit, and ultimate settlement arose occurred between October 2009 and March 2010. During that time, personal information submitted in connection with applications for individual insurance policies was made publicly accessible via the company’s online application tracker website. The exposed information included Social Security numbers, financial account information, and health records. WellPoint immediately secured the application tracker site in early March 2010 after being told by a consumer, a second time, that records containing personal information were potentially accessible on the site.

WellPoint notified affected consumers of the breach beginning in June 2010, but did not also notify the Attorney General’s office as required by Indiana law. When Zoeller’s office learned of the breach through news reports in late July, it launched an investigation and in October filed suit against the company seeking an injunction and civil penalties for violations of the Indiana Disclosure of Security Breach Act. The parties’ recent settlement makes the Attorney General’s lawsuit disappear, but not without significant costs to WellPoint. The settlement mandates that WellPoint pay $100,000 into the Attorney General’s Consumer Assistance Fund; comply with the Disclosure of Security Breach Act in the future and admit that it failed to do so in this instance; provide affected consumers with up to two years of credit monitoring; and reimburse affected consumers up to $50,000 for any losses that result from identity theft stemming from the breach.

Although WellPoint is currently the public face of improper breach notification in Indiana, it is apparently not alone. Attorney General Zoeller’s office has issued warning letters to 47 other companies that delayed issuing appropriate security breach notifications. Perhaps it should go without saying, but according to Zoeller, “[t]he requirement to notify the Attorney General ‘without unreasonable delay’ is not fulfilled by having me read about the breach in the newspaper.” Sounds simple enough, but are you faster than the reporters? We certainly hope so.

Glacially Expedient? Vermont Attorney General Settles with HealthNet for Failure to Timely Notify State Residents of Data Breach

On January 18, 2011, Vermont Attorney General William Sorrell announced a settlement with HealthNet, Inc. and Health Net of the Northeast, Inc. over allegations that the company violated the state’s data breach notification law when the company waited over six months to notify state residents of the loss of a portable hard drive that contained their unencrypted personal information. The Attorney General’s settlement, the first under Vermont’s Security Breach Notice Act, demonstrates that, in the opinion of the Vermont Attorney General, even in the frozen North a six-month gap between the discovery of a breach and notice to individuals cannot be reconciled with the Act’s requirement to notify individuals “in the most expedient time possible and without unreasonable delay.”

The lengthy delay between discovery of the lost hard drive and individual notifications was not the only thing Sorrell found to be wrong with HealthNet’s response to the May 2009 breach, however. Vermont’s Attorney General also claimed that HealthNet violated the federal Health Insurance Portability and Accountability Act (“HIPAA”) by failing to secure protected health information and the state’s Consumer Fraud Act by misrepresenting, in its letters to individuals, the risk posed by the breach. In those letters, HealthNet told individuals that the risk of harm to them was “low” because the files were saved in a format that could not be easily accessed when, in reality, the files were saved in the relatively easily viewable TIF format.

The Vermont Attorney General’s settlement with HealthNet, which the U.S. District Court for the District of Vermont approved on January 21, 2011, requires the company to pay $55,000 to the State, submit to a data-security audit, and file reports with the State regarding the company’s information security programs for the next two years.

The HealthNet settlement is an important reminder that the unpleasantness of a security breach is only compounded by a poor response. If you have not already done so, the time for establishing a comprehensive breach response plan is now!

Show-Me State Finally Shows Its Residents a Data Breach Notification Law, Other States (TX, NC, ME) Make Changes

On July 9, 2009, Missouri Governor Jay Nixon signed House Bill 62 (“HB 62”), making the Show-Me State the 45th state with an information security breach notification law on the books. The new law takes effect on August 28, 2009. But Missouri’s new law isn’t the only new data breach notification requirement on the horizon. Amendments to existing data breach notice laws in three other states, Texas, Maine and North Carolina, will also become effective soon.

Missouri: HB 62 includes many provisions that are similar to other state laws requiring notice to individuals when the security of their personal information has been compromised. For example, HB 62 includes a “material risk of harm” trigger. In other words, a business is not required to notify Missouri residents if, after an appropriate investigation or consultation with relevant law enforcement authorities, the business determines that identity theft is not likely to result from the breach. In addition, a business is not required to notify state residents if the personal information compromised was encrypted. Like some other state laws, HB 62 also requires notice to the Missouri Attorney General and national consumer reporting agencies if more than 1,000 Missouri residents are notified, and allows the Attorney General to seek actual damages or civil penalties from persons that fail to comply with the law.

HB 62 applies to the “typical” categories of personal information, including Social Security numbers, driver’s license numbers and information that would permit access to an individual’s financial accounts. But unlike most other state data breach notification laws, HB 62 also applies to medical and health insurance information, including an individual’s medical history, mental or physical condition, treatment or diagnosis, health insurance policy number and any other unique identifier used by a health insurer. Previously, only laws in California, Arkansas and Texas (see below) applied to this kind of information.

Texas: On June 19, 2009, Texas Governor Rick Perry signed House Bill 2004 (“HB 2004”), which expanded the scope of Texas’ data breach notification law to include public sector entities and health information. Specifically, HB 2004 amends the definition of “sensitive personal information” to include health care information, such as information about an individual’s physical or mental health or payment for health care services. The bill also amends the definition of “breach of system security” to reach breaches of encrypted information “if the person accessing the data has the key required to decrypt the data.” Finally, HB 2004 makes the state’s breach notice obligations applicable to public sector entities and nonprofit athletic and sports associations.

North Carolina: As of October 1, 2009, entities doing business in North Carolina will be required to both provide more detailed data breach notices to individuals and be more forthcoming with the state’s attorney general. North Carolina Senate Bill 1017 (“SB 1017”), signed by Governor Bev Perdue on July 27, 2009, amends North Carolina’s data breach notification law in two significant ways. First, SB 1017 requires notice to the attorney general anytime a business notifies North Carolina residents of a breach. Previously, such notice had been required only for breaches affecting more than 1,000 people. Second, notices to individuals affected by a breach will now be required to include a telephone number for the business providing the notice; toll-free numbers and addresses for the national credit reporting agencies; and toll-free numbers, addresses and web site addresses for the Federal Trade Commission and the North Carolina Attorney General’s Office along with a statement that individuals can learn about preventing identity theft from these sources. These new requirements build on top of existing mandates to (1) describe the incident, the type(s) of personal information unlawfully obtained and the actions being taken to prevent further unauthorized access; (2) provide a telephone number that the recipient may call for further information and assistance; and (3) advise affected individuals to remain vigilant by reviewing account statements and monitoring free credit reports.

Maine: For information about the recent amendment to Maine’s breach notification law, soon to become effective, see our prior blog post.

Since Missouri’s new law and these important updates need to be added to the smorgasbord of state data breach notification laws, it is probably a good time to revisit “The List” of such laws. Here it is!

Alaska (ALASKA STAT. § 45.48.010 et seq.)

Arizona (ARIZ. REV. STAT. ANN. § 44-7501(h))

Arkansas (ARK. CODE ANN. § 4-110-101 et seq.)

California (CAL. CIV. CODE § 1798.82)

Colorado (COLO. REV. STAT. § 6-1-716)

Connecticut (CONN. GEN. STAT. § 36a-701b)

Delaware (DEL. CODE ANN. tit. 6, § 12B-101)

District of Columbia (D.C. CODE § 28-3851)

Florida (FLA. STAT. § 817.5681)

Georgia (GA. CODE ANN. § 10-1-911)

Hawaii (HAW. REV. STAT. §§ 487N-1 et seq.)

Idaho (IDAHO CODE ANN. § 28-51-104 et seq.)

Illinois (815 ILL. COMP. STAT. ANN. 530/5, /10)

Indiana (IND. CODE § 24-4.9)

Iowa (IOWA CODE § 715C.1 et seq.)

Kansas (KAN. STAT. ANN. § 50-7a01-02)

Louisiana (LA. REV. STAT. ANN. § 51:3071 et seq.)

Maine (ME. REV. STAT. ANN. tit. 10, § 1346 et seq.; see also L.D. 970)

Maryland (MD. CODE ANN., COM. LAW § 14-3501 et seq.)

Massachusetts (MASS. GEN. LAWS ANN. ch. 93H, § 1 et seq.)

Michigan (MICH. COMP. LAWS ANN. § 445.72)

Minnesota (MINN. STAT. § 325E.61)

Missouri (HB 62, tentatively codified at MO. REV. STAT. § 407.1500)

Montana (MONT. CODE ANN. § 30-14-1704)

Nebraska (NEB. REV. STAT. § 87-801 et seq.)

Nevada (NEV. REV. STAT. 603A.010 et seq.)

New Hampshire (N.H. REV. STAT. ANN. § 359-C:19 et seq.)

New Jersey (N.J. STAT. ANN. § 56:8-163)

New York (N.Y. GEN. BUS. LAW § 899-aa)

North Carolina (N.C. GEN. STAT. § 75-65; see also SB 1017)

North Dakota (N.D. CENT. CODE § 51-30-01 et seq.)

Ohio (OHIO REV. CODE ANN. § 1349.19)

Oklahoma (OKLA. STAT. § 74-3113.1)

Oregon (OR. REV. STAT. § 646A.600 et seq.)

Pennsylvania (73 PA. STAT. § 2303)

Puerto Rico (P.R. LAWS ANN. tit. 10, § 4051)

Rhode Island (R.I. GEN. LAWS § 11-49.2-3)

South Carolina (S.C. CODE ANN. § 39-1-90)

Tennessee (TENN. CODE ANN. § 47-18-21)

Texas (TEX. BUS. & COM. CODE ANN. § 521.001 et seq.; see also HB 2004)

Utah (UTAH CODE ANN. § 13-44-101 et seq.)

Vermont (VT. STAT. ANN. tit. 9, § 2430 et seq.)

Virginia (VA. CODE ANN. § 18.2-186.6)

U.S. Virgin Islands (V.I. CODE ANN. tit. 14, § 2209)

Washington (WASH. REV. CODE § 19.255.010)

West Virginia (W. VA. CODE § 46A-2A-101 et seq.)

Wisconsin (WIS. STAT. § 134.98)

Wyoming (WYO. STAT. ANN. § 40-12-501 et seq.)