In 2004, Mintz Levin created a compendium of state data breach notification laws and has been updating it on a regular basis ever since.
Our latest update is available here, and it should be part of your incident response “toolbox” and part of your planning.
Some changes of note
Tennessee is our most recent state to amend its existing state data breach notification law. Last week, the Governor signed an amendment into law that takes effect on July 1, 2016:
- Joins several other states in tightening the notice period to “no later than 45 days from the discovery or notification of the breach…”
- Eliminates the “encryption safe harbor,” i.e., notification obligations are triggered even where the accessed or acquired data elements are encrypted.
- Specifically defines “unauthorized person” to include an employee “who is discovered … to have obtained personal information and intentionally used it for an unlawful purpose.”
California, Connecticut, Montana, Nevada, North Dakota, Oregon, Rhode Island, Washington and Wyoming all amended data breach laws in 2015. Some amendments signed into law in 2015 do not take effect until later this year, so make sure to note the effective dates on the Mintz Matrix when consulting various states.
What should you do now?
Spring cleaning. Given the number of changes at the state level (and no prospect for federal legislation easing this pain….), spring is a good time to review your incident response plan and data privacy policies to bring everything in line. In particular:
- Note tightened response deadlines (Rhode Island, Tennessee)
- Add identity theft prevention or identity theft mitigation services (Connecticut, California)
- Review data classification to take into account expanded definitions of personal information (Montana, Wyoming)
- Revise notice templates to comply with the new California format
As always, the Mintz Matrix is for informational purposes only and does not constitute legal advice or opinions regarding any specific facts relating to specific data breach incidents. You should seek the advice of experienced legal counsel (e.g., the Mintz Levin privacy team) when reviewing options and obligations in responding to a particular data security breach.
Hat tip to the newest member of the Mintz Levin Privacy team, Michael Katz, for great work on this update!
The HHS Office for Civil Rights (“OCR”) officially launched the long-awaited (and dreaded) Phase 2 of the HIPAA Audits Program on March 21st. Covered Entities and Business Associates need to be prepared for these audits and be on the lookout for emails (check your spam filter!) from OCR that will begin the audit process.
Why Audits? Why Now?
The Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”) requires OCR to periodically audit both Covered Entities and Business Associates for compliance with the HIPAA Privacy, Security, and Breach Notification Rules. OCR conducted Phase 1 audits in 2011 and 2012. The Phase 1 audits only examined Covered Entities and the results were generally disappointing. Only 11% of the entities audited had no findings or observations and many findings related to Security Rule compliance. After many delays, OCR is now proceeding with Phase 2. Continue Reading
For our HIPAA-covered entity readers, we have asked these questions before: Have you taken a business associate inventory ? Have you undertaken a comprehensive risk assessment as required by HIPAA?
It’s all getting real – read on. Continue Reading
As we wrote previously, the federal government released several guidance documents last month implementing The Cybersecurity Information Sharing Act (CISA). Among these was the Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under CISA published by the Department of Homeland Security and Department of Justice. This document provides guidance on the circumstances in which personal information of a specific individual may – or may not – need to be shared in order to adequately describe a cyber threat indicator (CTI). In addition, the release identifies certain categories of information likely to be considered individually identifiable information unrelated to a cybersecurity threat, and provides guidance on sharing CTIs with the government in a manner covered by the Act’s liability protections. Continue Reading
21st Century Oncology Holdings, a company that operates a chain of 181 cancer treatment centers in the US and Latin America, announced on Friday March 4 that it was latest victim of a cyber-attack affecting 2.2 million individuals. When did the attack occur? Months ago. Read on for the gory details….. Continue Reading
Last week, a federal court in Atlanta issued an order preliminarily approving a proposed settlement – valued up to $19.5 million – of the consumer claims arising from the 2014 theft of payment card data from Home Depot. The cash and noncash terms of the proposed settlement are unexceptional. What is unusual about this settlement is its timing. According to plaintiffs’ brief seeking preliminary approval of the settlement, rather than wait for a decision on Home Depot’s still-pending motion to dismiss, the parties conducted a mediation after argument on the motion, and concluded a negotiated settlement before the motion was decided. The decision to settle early in the case – before discovery or summary judgment – may signal a recognition that the likely settlement value of the case did not warrant the substantial cost of additional litigation for either side. Insofar as that logic would apply with equal force in just about any consumer payment card data breach case, the early resolution of the Home Depot case could provide a model for future settlements. Continue Reading
FCC Chairman Tom Wheeler has announced that a proposed rulemaking is being circulated among the Commissioners that would establish privacy and data security requirements applicable to providers of broadband Internet access service (BIAS). The Notice of Proposed Rulemaking (NPRM) itself will not be released to the public until the end of March when it is scheduled for a vote, but Chairman Wheeler released a summary of his proposal on Thursday.
In adopting the Open Internet Order, which reclassified BIAS as a telecommunications service subject to Title II of the Communications Act, the FCC determined that the privacy provisions of Section 222 of the Communications Act that govern how call detail and call record information are used and protected by providers of telecommunications services also would apply to BIAS providers. The Commission concluded, however, that its rules implementing the privacy provisions of that Title were ill-suited for broadband privacy, and opted to forbear from applying those rules to BIAS providers. Instead, the Commission stated that it would establish a new privacy framework applicable to BIAS providers, and last week’s announcement represents the start of that process. Continue Reading
Verizon Wireless has reached a settlement with the Federal Communications Commission over Verizon’s insertion of unique identifier headers (“UIDH”), also known as “supercookies,” to track customers’ mobile Internet traffic without their knowledge or consent. Verizon inserted UIDH into customers’ web traffic and associated the UIDH with customer proprietary information to create profiles and deliver targeted ads. In at least one instance, a Verizon advertising partner overrode customers’ privacy choices by using the UIDH to restore cookies deleted by the customer. For over two years Verizon Wireless did not disclose its use of UIDH in its privacy policies or offer consumers the opportunity to opt-out of the insertion of UIDH into their Internet traffic.
Among the major headlines dominating not only the recent news cycle, but also this week’s RSA Conference in San Francisco, has been Apple’s challenge to the federal government’s request that Apple assist in unlocking the iPhone recovered from the perpetrators of the shootings in San Bernardino. On March 1, 2016, the House Judiciary Committee held a hearing titled “The Encryption Tightrope: Balancing Americans’ Security and Privacy” focused on the intersection of the competing values of privacy and security in American society. Testifying before the committee were two panels, one consisting solely of Federal Bureau of Investigation James Comey and the other of Bruce Sewell, Senior Vice President and General Counsel for Apple, Inc.; Cyrus R. Vance, District Attorney for New York County and Professor Susan Landau of Worcester Polytechnic Institute. Continue Reading
Last week, we discussed the Federal government’s first steps toward implementing the Cybersecurity Information Sharing Act (CISA). Among the guidance documents released by the Department of Homeland Security and the Department of Justice were the Privacy and Civil Liberties Interim Guidelines. This guidance is designed to apply Fair Information Practice Principles (FIPPs) to Federal agency receipt, use and dissemination of cyber threat indicators consistent with CISA’s goal of protecting networks from cybersecurity threats.
FIPPs form the core of many federal and state privacy laws as well as the basis for privacy best practices across numerous industries and government agencies. This guidance applies them to federal agency collection of cyber threat indicators as described below. In practice, the government intends that application of some FIPPs to cyber threat indicators shared via the Department of Homeland Security’s Automated Indicator Sharing (AIS) tool, which we referenced here, will be effectuated via capabilities embedded within the AIS mechanism. Continue Reading