Eleven states are increasing data breach protections for residents. From new reporting deadlines to protecting businesses from lawsuits enacted by breached individuals, here's what cybersecurity leaders need to know:
- Arkansas passed a law, effective July 30, that requires state entities to report data breaches to the Arkansas legislative audit within five business days after learning of the incident, the National Law Review reported. State entities also must provide regular updates to the auditor about the incident until the investigation is closed. The auditor must maintain a list of all reported security incidents, annually report the breaches to the legislative council and certain committees.
- California issued regulations, effective July 1, that limit the circumstances when unauthorized access to medical information has to be reported to the California health department, JD Supra reported. If a fax was misdirected to a different physician's office or if a patient received the wrong discharge instructions, hospitals no longer need to report it. However, if a data breach on a healthcare organization does occur, it has 15 days to report if to the health department after the breach was detected.
The new rule will also grant the California health department access to an organization's records, internal assessments and documents if there is a breach. A hospital can be fined up to $25,000 for each patient whose medical information was unlawfully accessed, used or disclosed. It can be fined up to $17,500 per subsequent occurrence. The health department can also penalize a hospital $100 per day if it fails to report the breach to the department or the patients affected. Hospitals can be fined up to $250,000. - Connecticut inked a law, effective Oct. 1, that allows companies to adopt cybersecurity practices that allow them to escape punitive damages if they are alleged to have failed to implement "reasonable cybersecurity controls," the Review reported. The law contains a list of industry-recognized cybersecurity frameworks that would qualify a business for an affirmative defense. HIPAA-regulated companies can rely on this law if their cybersecurity programs are up to date, the report said.
Companies must notify the attorney general's office of the breach within 60 days. If it will take longer to identify the state a resident is from, then a preliminary notice must be submitted within the deadline. Residents may be notified by electronic forms that encourage them to change their passwords, security questions or if login credentials are the same for another account. HIPAA-regulated companies must notify the attorney general at the same time residents are notified and must provide 24 months of identity protection services if Social Security numbers were compromised. - Colorado passed the Colorado Privacy Act, effective July 1, 2023. The law allows residents to opt out of the sale of their personal data. There will be a 60-day cure period for violations, but it's not set to be enacted until 2025. HIPAA-regulation organizations may be entitled to data-based exemptions.
- Hawaii passed the National Association of Insurance Commissioners model insurance data protection law, effective July 1, to establish insurance data security standards for payers, the Review reported. The law requires licensees to develop and implement written information security programs, submit data breach notifications and monitor third-party vendors. Payers must notify the insurance commissioner within three business days of discovering the breach.
- Maine passed an insurance data protection law, effective Jan. 1, 2022, the Review reported. The law requires payers to investigate, notify and report cybersecurity events to the superintendent of the Maine Bureau of Insurance within three days. The law also requires the development and implementation of a written information security program, among other proactive security measures.
- Mississippi amended its data breach notification law, effective July 1, the Review reported. The seeks to further clarify the definition of personal information and to include tribal identification card numbers.
- Oregon passed a data breach law, effective Sept. 23, mandating data breach reporting requirements for tax professionals, the Review reported. The law requires tax professionals to report security breaches associated with tax return preparation to the Oregon Department of Revenue within five days.
- Tennessee enacted a law, effective July 1, that focuses on the cybersecurity practices of payers. Insurance consumers will gain protection for their personal, medical and financial information, the Department of Commerce and Insurance reported. Under the new law, payers must develop a cybersecurity program with a designated employee in charge of the program. Payers must identify threats that can result in unauthorized access, misuse or destruction of private information. Any breach must be investigated and if more than 250 Tennesseans are affected, the insurance commissioner must be notified.
- Texas inked a data breach law, effective Sept. 1, that requires the attorney general's office to post data breach notices to a public website within 30 days of receiving notice of the breach. Companies are required to provide the office a notification within 60 days of discovering the breach if 250 or more Texans are involved, the Review reported.
Reporting companies need to tell the attorney general if law enforcement is investigating the breach, a description of the breach, how many residents have been affected or notified and how it's responded to the breach, Business Insurance reported. The breach notification will be taken down if the company reports no breaches within one year. The law is effective Sept. 1. - Wisconsin enacted the Wisconsin Insurance Data Security Law, effective Nov. 1, the Review reported. The law requires payers to develop an information security program that protects their systems and data. Payers must conduct a risk assessment and address any areas that put their consumers' data at risk. The act further requires payers to develop an incident response plan and provide timely notice of a security incident to affected individuals.