Data Privacy Monitor

Commentary on Data Privacy & Information Security Subjects

Category Archives: Data Breach Notification Laws

State Law Roundup: Legislatures Across the U.S. Revamp Data Breach Notification Laws

Posted in Breach Notification, Data Breach Notification Laws
As the number of highly publicized data breaches continues to skyrocket and proposals for a federal data breach notification law stagnate, state legislatures around the country have been busy amending their own breach notification statutes. So far, 2015 has been a banner year for state breach law makeovers, with nine states formalizing amendments to their… Continue Reading

New Hampshire Enacts Breach Notification Requirement for the Department of Education

Posted in Data Breach Notification Laws
The state of New Hampshire recently enacted House Bill 322 (“HB 322”), which requires the Department of Education (“DOE”) to implement additional procedures to protect student and teacher data from security breaches. Those procedures now include a breach notification requirement. Effective August 11, 2015, the DOE must develop a detailed security plan that requires notification… Continue Reading

Canada Moves Forward with Mandatory Federal Security Breach Notification Law

Posted in Data Breach Notification Laws, International Privacy Law
On June 18, 2015, the Canadian Minister of Industry announced that the Digital Privacy Act, which amends Canada’s foundational Personal Information Protection and Electronic Documents Act (PIPEDA), has received royal assent and is now law. Although the Act contains a number of provisions that are likely to impact organizations doing business in Canada, certain key… Continue Reading

2015 BakerHostetler Incident Response Report Shows One in Five Breaches Involved Paper Records

Posted in Cybersecurity, Data Breach Notification Laws, Data Breaches, Incident Response
BakerHostetler’s inaugural Data Security Incident Response Report offers a wealth of information regarding the causes of data security breaches, the manner in which those incidents are handled, and the legal and regulatory aftermath for affected companies. Among the Report’s interesting takeaways is a rebuttal of the popular assumption that data security incidents are all about… Continue Reading

Wyoming Broadens Data Breach Notification Law

Posted in Data Breach Notification Laws
Wyoming recently joined the list of states passing laws that broaden the scope of their data breach notification laws. On March 2, 2015, Wyoming signed into law two bills (S.F. 35 and S.F. 36) that expand the definition of personally identifiable information (PII) and impose additional minimum content requirements for notifications to affected individuals. Specifically,… Continue Reading

Dear Lawmakers, Your New Breach Notice Laws Should Address These Issues

Posted in Breach Notification, Data Breach Notification Laws
The days of companies being so afraid of the reputational impact of a breach that they would look for any way possible to avoid disclosure are gone.  The pendulum has swung in the opposite direction.  Now companies, often in the name of being “completely transparent” with their customers, want to disclose incidents as soon as… Continue Reading

New York Attorney General Announces Proposal to Revamp State Data Security Laws

Posted in Breach Notification, Data Breach Notification Laws
On January 15, 2015, New York Attorney General Eric Schneiderman indicated that he plans to propose legislation to update New York’s information security laws, including by revising the definition of “private information” under the state’s data security breach notification statute. Schneiderman’s proposal comes on the heels of President Obama’s January 13, 2015, unveiling of measures… Continue Reading

What’s on the Horizon in the Golden State?

Posted in Breach Notification, Cybersecurity, Data Breach Notification Laws, Marketing, Online Privacy
As we near the turn of the year into 2015, organizations should keep an eye on laws taking effect on the West Coast. This year, the crop of new privacy statutes includes a few without precedent anywhere in the country. The focus? Kids and security. Following are a few examples of new California laws taking… Continue Reading

California Extends Deadline for Reporting Breaches to the CDPH from 5 to 15 Business Days

Posted in Data Breach Notification Laws, HIPAA/HITECH, Medical Privacy
On September 18, 2014, California Governor Jerry Brown signed Assembly Bill 1755 (“AB1755”) into law, amending breach notification provisions in the California Health and Safety Code applicable to licensed clinics, health facilities, home health agencies, and hospices. Under existing law, certain health care entities licensed by the California Department of Public Health (“CDPH”), including hospitals… Continue Reading

Florida Gives Breach Notification Statute More Teeth

Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, Identity Theft, Information Security
On June 20, 2014, Florida Governor Rick Scott signed the Florida Information Protection Act of 2014 (“FIPA”), which will repeal Florida’s current breach notification statute at Fla. Stat. § 817.5681 and replace it with a new statute at Fla. Stat. § 501.171 effective July 1, 2014.  On the same day, Governor Scott also signed SB… Continue Reading

Iowa Breach Notification Law Now Requires AG Notification, Applies to Paper Records

Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, Identity Theft, Information Security
Iowa recently joined an increasing number of states that require notification of state regulatory authorities following a breach, as well as a handful of states in which paper records can trigger notification obligations.  On April 3, 2014, Iowa Governor Terry Branstad signed S.F. 2259 into law, amending Iowa’s Personal Information Security Breach Protection statute (Iowa… Continue Reading

Kentucky Enacts Data Breach Notification Statute

Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, Information Security
On April 10, 2014, Kentucky Governor Steve Beshear signed H.B. 232 into law, making Kentucky the 47th state to enact data breach notification legislation.  Prior to H.B. 232, Kentucky was one of only four states—including Alabama, New Mexico, and South Dakota—that had not adopted data breach notification legislation.  H.B. 232 also includes a separate section… Continue Reading

Is the 5th Time the Charm? – Nationalizing Data Breach Notification

Posted in Breach Notification, Data Breach Notification Laws, Federal Legislation
Once the smoke and dust clear from the latest enormous data breach, the fried servers are hauled away and the ritual IT department purge takes place, the focus seems to turn to the lack of any comprehensive national data breach law. Although certain sector-specific breach notification laws are in place, such as HIPAA/HITECH in… Continue Reading

Vermont Grocery Store Agrees to Settlement with Attorney General for Alleged Violation of State Data Breach Response Laws

Posted in Data Breach Notification Laws, Data Breaches
Co-authored by: Charles K. Shih Natural Provisions, Inc., a Vermont health foods grocery chain, agreed to pay $30,000 to settle claims brought by the Vermont attorney general that it failed to notify consumers and the attorney general within the statutory period required by Vermont’s Security Breach Notice Act and Consumer Protection Act. Natural Provisions, Inc.… Continue Reading

North Dakota Breach Notification Law – Personal Information Includes Health Information

Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, HIPAA/HITECH, Medical Privacy
North Dakota has amended its Notice of Security Breach for Personal Information statute, North Dakota Century Code Section 51-30 et seq., to expand the definition of “personal information” to include “medical information” and “health insurance information.” Pursuant to the amended statute, “medical information” includes any information regarding an individual’s medical history, mental or physical condition,… Continue Reading

SEC To Issue Stronger Cybersecurity Guidance?

Posted in Cybersecurity, Data Breach Notification Laws
In February we wrote about whether Facebook’s IPO would set the tone under the SEC’s then-relatively new cybersecurity disclosure guidance. In subsequent months, it has become apparent that this guidance is still not yielding the level of disclosure on cybersecurity matters that regulators want. This is especially true with respect to the disclosure of past… Continue Reading

Vermont and North Dakota Amend Breach-Notice Laws

Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, Financial Privacy, HIPAA/HITECH, Medical Privacy
On May 13, 2013, Vermont Governor Peter Shumlin signed H.513 into law. The new law includes an amendment to Vermont’s Security Breach Notice Act, 9 V.S.A. § 2435. Previously, under § 2435, Vermont-regulated financial institutions were exempt from notifying any Vermont authority in case of a security breach involving personally identifiable data. The new law… Continue Reading

What Covered Entities and Business Associates Need to Do to Prepare for the New HIPAA/HITECH Requirements (Part II)

Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, Enforcement, HIPAA/HITECH, Medical Privacy
There has been a lot of discussion about the impact of the Final Omnibus Rule modifying the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules as well as the breach notification rules of the Health Information Technology for Economic and Clinical Health Act (HITECH). In Part I, we discussed what HIPAA… Continue Reading

What Covered Entities and Business Associates Need to Do to Prepare for the New HIPAA/HITECH Requirements (Part I)

Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, Enforcement, HIPAA/HITECH, Medical Privacy
The Department of Health and Human Services (HHS) issued, on January 17, 2013, its Final Omnibus Rule modifying the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy and Security Rules as well as the breach notification rules of the Health Information Technology for Economic and Clinical Health Act (“HITECH”).  Our initial discussion can… Continue Reading

The HIPAA/HITECH Final Rule Has Been Released

Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, Enforcement, Federal Legislation, HIPAA/HITECH, Identity Theft, Medical Privacy
The long awaited HIPAA/HITECH Final Rule is out.  The final rule is effective March 26, 2013, but covered entities (CEs) and business associates (BAs) will have 180 days beyond the effective date to come into compliance. While we are still conducting a comprehensive review of this 563-page document, below are a few of the changes we have found so far:… Continue Reading

Connecticut to Require Notice to Attorney General Following a Breach

Posted in Breach Notification, Data Breach Notification Laws, Enforcement
Connecticut has been in the forefront in protecting the personal information of its residents.  In July 2010, in the first action by a state attorney general for violations of HIPAA since HITECH authorized state attorneys general to enforce HIPAA, a settlement was reached between HealthNet and the state of Connecticut – stemming from a May… Continue Reading

France’s New Breach Notification Requirements

Posted in Breach Notification, Data Breach Notification Laws, International Privacy Law
On May 28, 2012, the French data protection regulator (CNIL) released new guidance on breach notification laws.  The guidance regards a 2011 ordinance that recently came into force on April 1.  Among other things, the ordinance amends existing French data protection law (Law on Information Technology and Liberties (78-17 of 1978)) to reflect the EU… Continue Reading

Significant Changes to Vermont’s Data Protection and Notification Law

Posted in Breach Notification, Data Breach Notification Laws
On May 8, 2012, the Vermont General Assembly approved changes to the state’s consumer protection law (Act 109, in effect on passage 5/8/12). The changes include substantial revisions to Vermont’s data protection and notification law. A summary of the changes is provided below. The term “personally identifiable information” (“PII”) has been adopted. “Security breach” is… Continue Reading