Two states have recently changed their data breach laws. The Kentucky General Assembly passed two new data breach laws, making Kentucky the 47th state with a general data breach notification law, and the Florida Legislature has passed a new, more stringent bill governing data breach requirements.
Coming into effect on July 15, 2014, Kentucky's new data breach legislation, HB232, requires consumer notification when a data breach exposes personally identifiable information (PII). Kentucky also passed HB5, an act relating to the safety and security of personal information held by public agencies and by nonaffiliated third parties doing business with government agencies. If your organization does business in Kentucky, whether with government agencies or simply handling personal information, reasonable security and breach investigation procedures must be in place before January 1, 2015.
As discussed in two posts by the Wyatt law firm, the key points to consider are the notification triggers (the release of electronic PII that is neither encrypted nor redacted, or a breach of non-electronic records that has resulted in, or is likely to result in, fraud or identity theft), the required form of the notice, and the timing of notification, among other particulars.
The Florida Legislature recently passed Senate Bill 1524, the "Florida Information Protection Act of 2014," which would replace the existing law governing breaches of personal information. The proposed legislation would expand the definition of personal information beyond traditional identifiers to include health information such as mental or physical condition, medical treatment, or medical history, among other changes. A username or email address, in combination with a password or a security question and answer, would also be protected. The law would apply to unencrypted information held by a broad range of "covered entities" and would have wide-ranging impacts, particularly for healthcare providers, who would face requirements separate from those of HIPAA.
As with many state laws and other laws such as HIPAA, these changes reflect the importance of having procedures and practices in place for data protection and data breach investigation. Both laws exempt data that was encrypted or redacted at the time of the breach, so the technical controls that avoid a notification obligation are encryption and a reliable way to redact data. In practice that means encryption on every device that holds regulated data, keys that do not travel with a lost device, and records that show the data was protected when the device went missing. When data is held on an endpoint, you also need a way to remotely connect to devices (laptops, tablets, smartphones) to verify that compliance processes are properly implemented and enforced.
Absolute Computrace customers can persistently track and secure all their endpoints from a single cloud-based console and, if a device goes missing, can remotely delete data and use access logs to demonstrate that the data was not compromised. Learn more about our compliance reports and certificates, and read more about Absolute's solutions for healthcare.