Beware of Broadening Data Security Requirements – A National Trend

In the wake of some of the largest data security breaches in history, including the massive breach of government computer systems in June that compromised the sensitive information of 21.5 million people, several states have recently amended their current data security laws.  The recent amendments will likely give data security statutes more bite by providing expansive definitions of the types of information protected and by increasing the role of states’ Attorney Generals in enforcing these laws.  Furthermore, recent litigation concerning the theft of consumer information by hackers highlights additional implications for businesses that own or license the protected information of consumers in the event of a data security breach.

The recent trend in heightened data security legislation among the states demonstrates a shift towards the more stringent Massachusetts model. Under this model, which mirrors federal data security statutes, businesses or individuals that own or license computerized personal information of customers are required to “develop, implement, and maintain” safeguards for protecting such information from unauthorized access. Also, the Massachusetts model imposes a similar obligation on businesses (service providers) that maintain such information on behalf of a business or individual subject to the statute.  201 CMR 17.00.

On the East coast, Connecticut has recently amended its data security statute to require entities that contract with the state to receive the “confidential information” of consumers to implement and maintain a “comprehensive data-security program.” Similarly, third-party service providers will be required to establish administrative and physical safeguards, some of which include limitations on storage and transmission of data that are used in current practice today such as storing on flash drives or external hard drives.   Additionally, Connecticut will require all smart phones sold within the state to be equipped with hardware or software that will allow authorized users to disable “essential features” in order to safeguard personal information.  Finally, covered entities will now be required to provide one year of identity theft protection to consumers affected by certain data security breaches.

In the Midwest, Illinois is once again amending its Personal Information Protection Act (PIPA).  Importantly, PIPA will expand its definition of “personal information” in order to stay current with evolving technology.  PIPA will not only cover biometric data, but will also cover consumer marketing information and geolocation information, the latter which is “information or derived from an electronic communication device that is sufficient to identify the street name and city in which the device is located.”  Moreover, notice to the Attorney General will now be required in the event of a breach that affects more than 250 Illinois residents.  Many observers note that this will likely increase the enforcement of data security laws, which will bring compliance to the forefront for businesses covered by the statute.

Moreover, Illinois has made several additions to the data security requirements for health care providers.  Clinical providers that use a secure patient portal or secure messaging will be required to establish and maintain reasonable safeguards to protect patient information from “unauthorized access, use, destruction or modification.”  Conspicuous postings of privacy policies will be mandatory for health care providers’ websites.  Finally, the Department of Justice has issued a guidance report for health care organizations to facilitate the implementation of heightened data security measures for covered health care entities. However, similar to many other data security laws, PIPA incorporates a provision whereby HIPAA compliance is considered PIPA compliance, making myriad of regulations somewhat less overwhelming for covered entities amidst the recent changes.

The West Coast has also seen its share of recent data security action.  First, Oregon has followed suit of many other states and expanded its statutory definition of “personal information,” to include biometric, medical and health insurance information.  Notice to the Attorney General is also now required where a covered entity must notify more than 250 consumers of a data security breach.  Further, the Attorney General will be empowered to bring enforcement actions pursuant to the Unfair Trade Practices Act for violations of the data breach statute.  Businesses should recognize that these changes will likely cause increased enforcement action of Oregon’s data security statute and implement security measures accordingly. However, the Oregon statute is now a “harm-trigger” statute, meaning that covered entities need not notify customers in the event of a data breach if the customers are unlikely to suffer harm as a result of the breach.  This feature will make risk assessment technology more prevalent than ever and covered entities must equip themselves to conduct fast and efficient risk assessments in the event of a breach.

Second, a recent class action filed in federal court in California demonstrates that governmental regulatory enforcement should not be the only source of concern for entities that possess the personal information of consumers (a copy of the complaint can be found here).  Private plaintiffs have filed suit against UCLA Health System (UCLA) following a data breach in March that compromised the names, birth dates, social security numbers and medical record numbers of 4.5 million individuals in March 2015.  Plaintiffs allege that UCLA failed to implement basic safeguards, namely encryption, to protect their personal information. Also, despite UCLA’s efforts to investigate suspicious activity within the network beginning in October 2014 with the help of the FBI, plaintiffs contend that delaying notice until March gave hackers greater opportunity to access and use consumer information.  However, experts disagree that encryption would have prevented this attack, considering that UCLA’s network had been compromised and keys and credentials used to unencrypt the data were likely accessible to the hackers. In any event, this lawsuit demonstrates that businesses may not be currently equipped to fully investigate suspected system breaches, even with the help of federal law enforcement.  The outcome of this class action could shape the landscape of private actions against covered entities in the new world of data security regulation.

This recent movement among the states towards stricter data security laws demonstrates a growing need to protect the personal information entrusted to businesses by consumers.  It also shows an increasing desire for states to internally regulate businesses that possess the personal information of consumers by allowing for increased enforcement potential.  Covered entities must realize that their data security responsibilities are changing and must pay specific attention to their evolving statutory obligations.

Bryan Bessette assisted in writing this blog post.  For more information about this blog post, HIPAA and data security, contact Danielle Holley.