At the HIPAA Survival Guide and the Digital Business Law Group we are starting to grapple with the much broader question of when state laws require breach notification. As the NCSL states in their overview on this topic:
Forty-eight states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information.
Security breach laws typically have provisions regarding who must comply with the law (e.g., businesses, data/information brokers, government entities, etc.); definitions of “personal information” (e.g., name combined with SSN, driver's license or state ID, account numbers, etc.); what constitutes a breach (e.g., unauthorized acquisition of data); requirements for notice (e.g., timing or method of notice, who must be notified); and exemptions (e.g., for encrypted information).
All but Alabama and South Dakota currently have state data breach laws, and we are confident that the latter two will soon follow. So, as is obvious to us veterans, a data breach almost always implicates both state and federal law. Further, depending on where the entity responsible for the breach does business, more than one state law is almost always implicated. Although the state data breach laws tend to be similar, they are by no means "harmonized," which means each one is a special use case. For example, Connecticut apparently requires notification within five days, while many states require notification within 45 days; both are more stringent than HIPAA, which requires notification to HHS within 60 days if a certain threshold of records is exceeded.
Also, like HIPAA, many state laws provide a "safe harbor" (our term) for sensitive data if it is encrypted according to certain (usually government) standard protocols (e.g., NIST). Although most states do not mandate encryption of sensitive data, at least one state apparently does; see the quote below.
The following quote comes from this somewhat dated but still useful (circa 2014) White Paper:
Other states such as Massachusetts have passed laws which expressly require the encryption of electronically communicated personal data. Section 17.04 of Law 201 CMR 17.00 requires the implementation of adequate computer system security measures to protect personal data which includes ‘encryption of all transmitted records and files containing personal information that will travel across public networks or wirelessly’ and ‘encryption for all personal information stored on laptops or portable devices’.
Attached is a PDF on critical decision points that some of you may find useful. As always, we welcome all feedback on this topic!