Data Privacy Monitor

Commentary on Data Privacy & Information Security Subjects

Category Archives: Data Breach Notification Laws

Iowa Breach Notification Law Now Requires AG Notification, Applies to Paper Records

Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, Identity Theft, Information Security
Iowa recently joined an increasing number of states that require notification of state regulatory authorities following a breach, as well as a handful of states in which paper records can trigger notification obligations.  On April 3, 2014, Iowa Governor Terry Branstad signed S.F. 2259 into law, amending Iowa’s Personal Information Security Breach Protection statute (Iowa … Continue Reading

Kentucky Enacts Data Breach Notification Statute

Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, Education, Information Security, Privacy
On April 10, 2014, Kentucky Governor Steve Beshear signed H.B. 232 into law, making Kentucky the 47th state to enact data breach notification legislation.  Prior to H.B. 232, Kentucky was one of only four states—including Alabama, New Mexico, and South Dakota—that had not adopted data breach notification legislation.  H.B. 232 also includes a separate section … Continue Reading

Is the 5th Time the Charm? – Nationalizing Data Breach Notification

Posted in Breach Notification, Data Breach Notification Laws, Federal Legislation
Once the smoke and dust clear from the latest enormous data breach, the fried servers are hauled away and the ritual IT department purge takes place, the focus seems to turn to the lack of any comprehensive national data breach law. Although certain sector-specific breach notification laws are in place, such as HIPAA/HITECH in … Continue Reading

Vermont Grocery Store Agrees to Settlement with Attorney General for Alleged Violation of State Data Breach Response Laws

Posted in Data Breach Notification Laws, Data Breaches
Co-authored by: Charles K. Shih Natural Provisions, Inc., a Vermont health foods grocery chain, agreed to pay $30,000 to settle claims brought by the Vermont attorney general that it failed to notify consumers and the attorney general within the statutory period required by Vermont’s Security Breach Notice Act and Consumer Protection Act. Natural Provisions, Inc. … Continue Reading

North Dakota Breach Notification Law – Personal Information Includes Health Information

Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, HIPAA/HITECH, Medical Privacy, Privacy
North Dakota has amended its Notice of Security Breach for Personal Information statute, North Dakota Century Code Section 51-30 et seq., to expand the definition of “personal information” to include “medical information” and “health insurance information.”  Pursuant to the amended statute, “medical information” includes any information regarding an individual’s medical history, mental or physical condition, … Continue Reading

SEC To Issue Stronger Cybersecurity Guidance?

Posted in Cybersecurity, Data Breach Notification Laws
In February we wrote about whether Facebook’s IPO would set the tone under the SEC’s then-relatively new cybersecurity disclosure guidance. In subsequent months, it has become apparent that this guidance is still not yielding the level of disclosure on cybersecurity matters that regulators want. This is especially true with respect to the disclosure of past … Continue Reading

Vermont and North Dakota Amend Breach-Notice Laws

Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, Financial Privacy, HIPAA/HITECH, Medical Privacy
On May 13, 2013, Vermont Governor Peter Shumlin signed H.513 into law. The new law includes an amendment to Vermont’s Security Breach Notice Act, 9 V.S.A. § 2435. Previously, under § 2435, Vermont-regulated financial institutions were exempt from notifying any Vermont authority in case of a security breach involving personally identifiable data. The new law … Continue Reading

What Covered Entities and Business Associates Need to Do to Prepare for the New HIPAA/HITECH Requirements (Part II)

Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, Enforcement, HIPAA/HITECH, Medical Privacy, Privacy
There has been a lot of discussion about the impact of the Final Omnibus Rule modifying the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules as well as the breach notification rules of the Health Information Technology for Economic and Clinical Health Act (HITECH).  In Part I, we discussed what HIPAA … Continue Reading

What Covered Entities and Business Associates Need to Do to Prepare for the New HIPAA/HITECH Requirements (Part I)

Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, Enforcement, HIPAA/HITECH, Medical Privacy
The Department of Health and Human Services (HHS) issued, on January 17, 2013, its Final Omnibus Rule modifying the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy and Security Rules as well as the breach notification rules of the Health Information Technology for Economic and Clinical Health Act (“HITECH”).  Our initial discussion can … Continue Reading

The HIPAA/HITECH Final Rule Has Been Released

Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, Enforcement, Federal Legislation, HIPAA/HITECH, Identity Theft, Medical Privacy, Privacy
The long-awaited HIPAA/HITECH Final Rule is out.  The final rule is effective March 26, 2013, but covered entities (CEs) and business associates (BAs) will have 180 days beyond the effective date to come into compliance. While we are still conducting a comprehensive review of this 563-page document, below are a few of the changes we have found so far: … Continue Reading

Connecticut to Require Notice to Attorney General Following a Breach

Posted in Breach Notification, Data Breach Notification Laws, Enforcement
Connecticut has been in the forefront in protecting the personal information of its residents.  In July 2010, in the first action by a state attorney general for violations of HIPAA since HITECH authorized state attorneys general to enforce HIPAA, a settlement was reached between HealthNet and the state of Connecticut – stemming from a May … Continue Reading

France’s New Breach Notification Requirements

Posted in Breach Notification, Data Breach Notification Laws, International Privacy Law
On May 28, 2012, the French data protection regulator (CNIL) released new guidance on breach notification laws.  The guidance regards a 2011 ordinance that recently came into force on April 1.  Among other things, the ordinance amends existing French data protection law (Law on Information Technology and Liberties (78-17 of 1978)) to reflect the EU … Continue Reading

Significant Changes to Vermont’s Data Protection and Notification Law

Posted in Breach Notification, Data Breach Notification Laws
On May 8, 2012, the Vermont General Assembly approved changes to the state’s consumer protection law (Act 109, in effect on passage 5/8/12).  The changes include substantial revisions to Vermont’s data protection and notification law.  A summary of the changes is provided below.  The term “personally identifiable information” (“PII”) has been adopted.  “Security breach” is … Continue Reading

Update to Cybersecurity / Data Breach Notification Legislative Outlook

Posted in Cybersecurity, Data Breach Notification Laws
Congress is back from a two-week Easter recess and despite lingering concerns from privacy groups, House leaders plan to bring to the floor for votes one or more cybersecurity bills designed to protect the nation’s critical infrastructure – from power plants to financial markets – by encouraging information sharing about cyber threats between the … Continue Reading

Will Facebook’s IPO Cybersecurity Disclosures Set the Tone Under SEC’s New Guidance?

Posted in Cybersecurity, Data Breach Notification Laws, Information Security
Facebook filed its long-awaited Form S-1 with the SEC on February 1.  Given the nature of its business, concerns regarding data privacy were peppered throughout the filing.  While other business risk factors may be paramount (e.g., reliance on Zynga, slowing growth, etc.), data privacy has been and will continue to be an important issue for … Continue Reading

Privacy and Data Breach Regulatory Activity–A Year in Review

Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, Enforcement, HIPAA/HITECH, Identity Theft, Information Security, Medical Privacy, Online Privacy, Payment Card Industry, Privacy
While plaintiffs continue to face an uphill battle proving damages in privacy litigation – regulatory actions and investigations seem to be increasing.  During 2011, we saw activity from many government agencies—both state and federal—including the Federal Trade Commission (FTC), Department of Education (DOE), Department of Health and Human Services (HHS) Office for Civil Rights (OCR), … Continue Reading

Data Breach Response: A Year in Review

Posted in Breach Notification, Data Breach Notification Laws, Data Breaches
In 2011, we saw some of the most significant data breaches in U.S. history.  There are a plethora of causes—ranging from hackers to employee error to criminals using sophisticated malware.  Notification letters are being sent so frequently, consumers are almost becoming immune to the daily announcements that personal information has been breached.  Still, corporations facing data … Continue Reading

Baker Hostetler Data Breach Emergency Response Team Launches Data Breach Hotline

Posted in Breach Notification, Data Breach Notification Laws, Data Breaches
After you learn of a potential data breach, the clock is ticking and potential liabilities are mounting. Quickly identifying the right team to guide your company through the complexities of the response is paramount. Baker Hostetler’s Privacy, Security & Social Media Emergency Response Team has launched a dedicated hotline so it can be reached at … Continue Reading

The A to Z of Healthcare Data Breaches

Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, HIPAA/HITECH
I recently presented on the topic of Healthcare Data Breaches–A to Z at the annual American Society for Healthcare Risk Management (ASHRM) conference in Phoenix.  Attendees at any conference are always looking for practical takeaways to share with their colleagues and to help guide them even before a crisis event occurs.  During my presentation, with … Continue Reading

SAFE Data Act Approved by House Subcommittee

Posted in Data Breach Notification Laws, Federal Legislation
The House Subcommittee on Commerce, Manufacturing, and Trade, chaired by Rep. Mary Bono Mack (CA), approved the Secure and Fortify Electronic Data Act (H.R. 2577) (SAFE Data Act) following lengthy debate on July 20, 2011.  The SAFE Data Act contains information security requirements and breach notice obligations consistent with Rep. Bono Mack’s statements following the … Continue Reading

HIPAA Audits ARRA Coming! Is your PHI Secure?

Posted in Breach Notification, Data Breach Notification Laws, HIPAA/HITECH
In the growing world of RAC audits, Voluntary Disclosure Protocols, IRS Form 990 disclosures, “Never Events” and HIPAA breach notifications, there is a new kid on the block in the area of federal audit and oversight for health care providers, health plans and their business associates under the health information privacy and security provisions of … Continue Reading

Sony & Epsilon Support National Data Breach Notice Law in Testimony Before House Subcommittee

Posted in Breach Notification, Data Breach Notification Laws, Federal Legislation
On June 2, 2011, representatives from Sony Network Entertainment International and Epsilon Data Management, LLC appeared before a House panel to answer questions regarding their responses to recent security breaches.  The hearing of the House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade was called by Subcommittee Chairwoman Mary Bono Mack (R-Calif.) as part … Continue Reading

Three National Data Breach Notification Legislative Proposals Issued

Posted in Breach Notification, Data Breach Notification Laws, Federal Legislation
So far this month, three legislative proposals containing a national data breach notification requirement have been issued.  On May 4, Rep. Bobby L. Rush (D-Ill.) reintroduced the Data Accountability and Trust Act.  On May 11, Rep. Cliff Stearns (R-Fla.) introduced the Data Accountability and Trust Act (DATA) of 2011.  One day later, the White House … Continue Reading