On January 17, 2013, U.S. Department of Health and Human Services Secretary Kathleen Sebelius announced the final omnibus rule that among other things (1) increases patient privacy protections; (2) provides individuals with new rights to receive a copy of their electronic medical record in an electronic form; and (3) provides
Security Breach Notification Laws
Is data breach notification compulsory under French law?
On May 28th, the Commission nationale de l’informatique et des libertés (“CNIL”), the French authority responsible for data privacy, published guidance on breach notification law affecting electronic communications service providers. The guidance was issued with reference to European Directive 2002/58/EC, the e-Privacy Directive, which imposes specific breach notification requirements on electronic communication service providers.
French legislator recently amended Article 34 of the Data Protection Act to reflect the EU e-Privacy Directive’s breach notification requirement.According to Article 34 of the French data protection law (as revised), the notification obligations are applicable if:
- Personal data is processed;
- By an electronic communications service provider;
- During the course of its business of providing electronic communications services (e.g. telephone service or internet access)
Veto, Veto, Pass! New Governor Means New Breach Notification Law in California
On Wednesday, August 31, 2011, California became the third state this year to amend its existing security breach notification law when Governor Jerry Brown signed into law Senate Bill 24 (“SB 24”). SB 24’s specific changes, while far from sweeping, include the addition of content requirements for notice letters to individuals and a requirement to send a sample letter to the state’s attorney general if more than 500 people are affected by a breach. SB 24 won’t add much to most nationwide breach response plans, but will up the ante for those doing business primarily (or exclusively) in California.
“Illinois-ed” About the Lack of Useful Information in Breach Notices? Illinois Amends Breach Notice Law to Specify Notice Content, Cooperation
On August 22, Illinois Governor Pat Quinn signed House Bill 3025 into law. In doing so, he aligned Illinois with a small group of states responding to increased concern about privacy and information security by retooling their existing information security breach notification frameworks. HB3025, in particular, amends the state’s breach notification law to specify both the types of information that should be provided to notice recipients and the breach notice obligations of service providers that maintain or store, but don’t own or license, personal information about Illinois residents.
Breach Notification Obligations In All 50 States?
Did you know there are breach notification obligations in all 50 states (effective 9/2012), even though only 46 states have adopted them? How could that be, you ask? Because Texas said so. (Does that surprise you?)
Texas recently amended its breach notification law so that its consumer notification obligations apply not only to residents of Texas, but to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Texas’s amended law (H.B. 300) specifically requires notification of data breaches to residents of states that have not enacted their own law requiring such notification (that is, Alabama, Kentucky, New Mexico and South Dakota). …
HHS and FTC Announce New Breach Notification Rules for Unsecured Protected Health Information
On August 24 and 25, 2009, the Department of Health and Human Services (“HHS”) and the Federal Trade Commission (“FTC”), respectively published rules on when and how covered entities regulated by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and vendors of personal health records (“PHR”) must notify…
List of State Breach Notification Laws
Show-Me State Finally Shows Its Residents a Data Breach Notification Law, Other States (TX, NC, ME) Make Changes
Missouri: HB 62 includes many provisions that are similar to other state laws requiring notice to individuals when the security of their personal information has been compromised. For example, HB 62 includes a “material risk of harm” trigger. In other words, a business is not required to notify Missouri residents if, after an appropriate investigation or consultation with relevant law enforcement authorities, the business determines that identity theft is not likely to result from the breach. In addition, a business is not required to notify state residents if the personal information compromised was encrypted. Like some other state laws, HB 62 also requires notice to the Missouri Attorney General and national consumer reporting agencies if more than 1,000 Missouri residents are notified, and allows the Attorney General to seek actual damages or civil penalties from persons that fail to comply with the law.