The compliance landscape is shifting rapidly: new regulators are stepping in, new laws are being proposed at the State and Federal levels, and international legislation such as the draft EU General Data Protection Regulation (GDPR) will have a widespread impact on multinationals. Navigating these compliance requirements is more difficult than ever before.
At last month's Senate Commerce, Science and Transportation hearing titled "Getting it Right on Data Breach and Notification Legislation in the 114th Congress," many industry experts and security advisors pushed for strong Federal data breach legislation. Federal data breach legislation is still pending following its endorsement by President Barack Obama earlier this year, and revisions could include a broader definition of what constitutes sensitive data. There is also a push to designate a federal agency to investigate large data breaches across any industry.
At the State level, legislators continue to advance their own bills. In Montana, House Bill 74 was signed into law by Governor Steve Bullock, amending the existing data breach notification law to expand the definition of personal information to include medical record information and, among other changes, to require organizations to give the state Attorney General's Consumer Protection Office more detail about how affected individuals are notified of the breach.
In Washington, the House of Representatives passed House Bill 1078, which also amends an existing law to require notification to the state Attorney General in the event of a breach, to require notification of affected individuals within 45 days, and to add content requirements for the notification. In contrast to most other state laws, this legislation narrows the blanket exemption for encrypted data. The premise is not that encryption is easy to break; it is that a blanket exemption lets weak or poorly implemented encryption, or encryption whose key was stolen alongside the data, escape notification. The practical consequence for organizations is that "the data was encrypted" only helps if you can show what was encrypted, how, and that the keys were not also compromised.
In Illinois, Attorney General Lisa Madigan announced a legislative proposal to strengthen the state's existing data breach notification law, making changes similar to those above and also requiring "reasonable safeguards" to protect personal information, safeguards which would come under scrutiny in the event of a breach. Madigan's bill would also extend protections to other types of information, including medical information outside the scope of federal privacy laws, biometric data, geolocation information, sensitive consumer marketing data, contact information when combined with identifying information, and login credentials for online accounts.
In New Jersey, Senate Bill 562 was enacted, requiring health insurance carriers to use encryption or other technology that renders information unreadable, undecipherable, or unusable by unauthorized persons when compiling or maintaining computerized records. This is one of the first laws to explicitly require encryption rather than vaguely referring to "adequate safeguards," in the hope that data breaches can be prevented. Failure to encrypt data would expose organizations to substantial penalties and enforcement actions. It is unclear whether SB 562 will apply to business associates.
In Connecticut, the large Anthem data breach has triggered new legislation, SB 1024, which would require health insurers and other entities to implement security technology that encrypts personal information and to meet minimum security technology safeguards.
New Mexico, one of the three remaining States without data breach legislation, continues to push forward its first Data Breach Notification Act, HB 217, which covers the secure storage and disposal of personal identifying information as well as new requirements for notification following a breach.
Given the large-scale data breaches affecting the healthcare field, there is growing pressure for a revision to HIPAA that could include new security standards, such as mandatory encryption. Under the current Security Rule, encryption is an addressable implementation specification, not a strict requirement. Even if HIPAA were to mandate it, encryption has its limitations.
Encryption is only one piece of the puzzle, whether it protects data in transit on the network or at rest on the endpoint. It does nothing against an attacker who obtains valid credentials or the decryption key, and it affords no notification safe harbor unless the device was in fact encrypted at the time it was lost. To satisfy compliance auditors you must be able to prove that encryption was in place and working, for a specific device, at a specific time, which means keeping a record of encryption status rather than relying on policy alone. A persistent security and management solution that reports that status can provide this evidence.
Changes to the regulatory landscape, paired with increased data security risks, the rapid pace of technological change and more complex employee demographics, have created a complex environment for IT data security. To stay on top of the ever-shifting regulatory landscape, we invite you to watch our webinar, "Data Security: Preparing for the Compliance Landscape of Tomorrow." Learn how Absolute Software can help your organization navigate the regulatory landscape and mitigate data security risks here.