State Law Round-up: New Privacy Breach Notification Laws Potentially Affecting Labs

As illustrated by the recent MIE settlement (click here for the story), security breaches involving patients’ electronic protected health information (ePHI) exposes your lab to liability risks under not just HIPAA but also state medical privacy and even consumer protection laws. In 2019, no fewer than nine states have proposed, adopted or are about to adopt strict new breach notification laws and other privacy protection laws that could potentially be used to prosecute labs for violations involving the private information of residents of the state.

Illinois: Breach Notification (SB 1624)

New requirement under the Personal Information Protection Act that businesses notify the state Attorney General of privacy breaches involving at least 500 Illinois residents. Status: Passed the legislature and the Governor is expected to sign it.

Maine: Internet Consumer Data Protection (LD 946)

New Act to Protect the Privacy of Online Consumer Information bans internet service providers (ISPs) from using, selling or distributing consumer data without their consent or attempting to pressure customers into letting the ISPs selling their data, e.g., via a penalty or discount. Status: Takes effect July 1, 2020.

Maryland: Breach Notification (HB 1154)

New rules under the Personal Information Protection Act banning a business that’s responsible for a data breach from charging the data owner or licensee for information needed for notification and using information about the breach for purposes other than providing notification of the breach, protecting or securing the personal information involved and taking measures to avoid future breaches. Status: Takes effect Oct. 1, 2019.

Massachusetts: Breach Notification (HB 4806)

New requirement that businesses:

• Offer free credit monitoring for 18 months if a breach involves a resident’s Social Security number;
• Provide breach notifications on a rolling basis if necessary to avoid delay;
• Identify the third party that owns the exposed data, if any; and
• Notify state regulators if they maintain “a written information security program.”

Status: Took effect April 11, 2019.

New Jersey: Scope of Protected Information & Breach Notification (S. 52)

Expands the definition of “personal information” protected by the privacy law to include usernames, email addresses, passwords, and security questions and answers affiliated with an individual’s online account. Also requires businesses to notify New Jersey residents affected by a breach and direct them to promptly change their log-in credentials associated with that business, and any other accounts in which they use the same username or email address, password or security questions/answers. Bans business from using email for notification if the victim’s email account was the subject of the security breach. Status: Takes effect Sept. 1, 2019.

New York: Scope of Protected Information & Breach Notification (SB5575B)

Proposed amendments to Stop Hacks and Improve Electronic Data Security Act to:

• Expand security breach protection to biometric data, account numbers and credit or debit card numbers without a security code, and usernames, email addresses, passwords, and security questions and answers;
• Exempt businesses from issuing breach notifications when: (a) the breach results from an unauthorized person’s inadvertent disclosure andthe business reasonably finds that the breach doesn’t pose any financial or emotional harm; or (2) the business has already sent out notifications under federal or other New York regulations;
• Expand definition of “breach” to include unauthorized access, in addition to acquisition, of private information;
• Require businesses to take “reasonable safeguards” to protect information through procedures such as: designating and training employees to implement and oversee security programs; regularly testing the effectiveness of security programs and making necessary modifications; and promptly deleting private information that’s no longer used;
• Extend the statute of limitation for the New York Attorney General to prosecute a business for a violation from two years to three.

Status: Proposed on May 9, 2019.

Oregon: Scope of Protected Information & Breach Notification (SB 684) 

Stricter breach notification requirements of vendors under Oregon Consumer Information Protection Act including requiring them to notify any contracted “covered entity” within 10-days of discovering a breach of security; must also notify the Attorney General if the breach involves more than 250 consumers or the number of individuals effected is unknown. Expands definition of “personal information” to include “user names or other means of identifying a consumer for the purpose of permitting access to the consumer’s account.” Status: Effective Jan. 1, 2020.

Texas: Breach Notification (HB 4390)

Requires businesses to send Texas Identity Theft Enforcement and Protection Act law breach notifications to affected individuals without “unreasonable delay” and no later than 60 days after identifying a breach. Must also notify Texas Attorney General within 60 days if the breach affects at least 250 Texas residents. Status: Effective Jan. 1, 2020.

Washington: Scope of Protected Information & Breach Notification (HB 1071)

• Expands definition of “personal information” protected by privacy laws to include birthdate, unique private keys for signing electronic records, student, military or password identification numbers, medical information, biometric information, and online login credentials;
• Allows businesses to send breach notifications by email unless the breach involves the credentials associated with that email account;
• Requires notice to the Attorney General of breaches affecting more than 500 residents that identify the type of information exposed, the time frame of exposure, the steps taken to fix the breach, and a copy of the notice sent to affected individuals;
• Cuts the notification deadline from 45 to 30 days.

Status: Takes effect March 1, 2020