Proposed Bill Brings National Data Breach Notification Standard for Non-HITECH Entities
A proposed bill in the US House of Representatives seeks to bring unity and clarification to the various state-level breach notification laws following the Equifax data breach, according to an article in HealthITSecurity.
Reintroduced by Congressman Jim Langevin (D-RI), co-founder and co-chair of the Congressional Cybersecurity Caucus, the Personal Data Notification and Protection Act of 2017 (H.R. 3806) would “replace the patchwork of 48 state breach notification laws with a single nationwide standard that would clarify and strengthen companies’ obligations to report intrusions that compromise consumers’ personal information,” according to a statement from Langevin. He noted that while this law was not the only legislative response to increasingly significant data breaches such as Equifax’s, it was an important first step “in building accountability and protecting consumers.”
The laws governing how businesses must handle and communicate a data breach vary from state to state, and neither Alabama nor South Dakota has such a law at all, according to The Hill. State law also follows the affected individual's state of residence rather than the location of the breached system, so if a Californian has personal health data stolen from a server in Alabama, California law applies to that individual, which complicates compliance for businesses with customers in many states. HIPAA and HITECH act as the floor, not the ceiling, for privacy law, meaning individual states can build additional regulations on top of the national requirements, and many have.
In the past, some have opposed a national breach notification law that would preempt the work states have done to build in stricter breach and privacy protections. The National Association of Attorneys General (NAAG) wrote a letter to Congress in 2015 that stressed the need for states to retain the ability to enact and enforce their own breach notification laws, according to HealthITSecurity.
Under the proposed bill, covered businesses in every state would follow the same standard: notify all affected individuals of a breach within 30 days and coordinate those notifications with the Federal Trade Commission. HITECH Act covered entities and business associates, as well as “business entities to the extent that they act as vendors of personal health records,” are excluded from the proposed bill in its current form, so organizations already subject to the HIPAA Breach Notification Rule would continue to follow that rule rather than the new standard.
Sarah Sheber is Assistant Editor/Web Editor at Journal of AHIMA.