No Script Needed for California Breach Notification
California Governor Arnold Schwarzenegger vetoed a state legislature bill on October 11 that would have specified content requirements for privacy breach notifications.
California law requires businesses and state agencies that have unencrypted personal information lost, stolen, or improperly accessed from their databases to notify affected consumers. However, the law does not specify what information the notification letters must contain.
Senate bill 20 would have ensured businesses include key information in their notices, such as the type of personal information breached, a description of the incident, the date it took place, and whom to contact for more information.
The bill was vetoed, Schwarzenegger wrote in his explanation, because there is no evidence of a problem with the information businesses are currently providing consumers.
The veto does not dramatically affect state healthcare organizations, which beginning September 23 must meet similar requirements under federal breach notification laws. The federal laws require companies that handle personal health information to include specific information in breach notification letters, including date of the incident and the personal information breached.
However, the federal provisions, part of the HITECH section of the American Recovery and Reinvestment Act, cover only healthcare businesses, leaving other California organizations, such as banks and educational institutions, free to include as much or as little information in their breach notifications as they deem appropriate.
Senate bill 20 was proposed by state senator Joe Simitian, who said it was necessary to ensure that victims receive the information they need to understand the problem and protect themselves from harm.
“This is one of the most surprising vetoes I’ve gotten while I’ve been here, over nine years,” Simitian said.
The bill had moved through the state legislature with strong support.
Simitian acknowledged that the majority of the notices that go out to consumers do contain adequate, helpful information. However, he said there have been instances of vague and meaningless breach notifications.
A survey of data breach victims included in a 2007 University of California-Berkeley School of Law paper found that 28 percent of those receiving a breach notification did not understand the “potential consequences of the breach after reading the letter.” Simitian cited this study as well as personal conversations with confused breach notification recipients to explain why legislation is needed.
The proposed additions to California’s privacy law would not break new ground. Several states have added similar breach notice requirements to their privacy laws, Simitian said. Setting notification requirements could also benefit businesses by spelling out their responsibilities. Having clear-cut requirements saves businesses from guessing at what they should do to be compliant.
While he feels the breach notification content requirements were not necessarily a bad idea, California-based healthcare attorney Reece Hirsch said he can understand why the bill was vetoed. Hirsch, a partner with Morgan Lewis’s FDA/Healthcare regulation practice, has helped clients draft many breach notifications. The breach notification requirements proposed in the bill are considered best practices in the field and already followed, he noted.
“Most companies responding to a security breach under the existing law would typically include the elements that are stated in senate bill 20,” Hirsch said. “Certainly there are consumer groups who have felt that these notices are maybe confusing, not as forthcoming as they should be.
“But by and large I am not sure that the elements that were specified in senate bill 20 would really effect a real change in the sorts of notices that consumers are seeing under the current California law.”
No Copy for the Attorney General
Senate bill 20 also called on businesses to send a copy of their breach notifications to the California attorney general if the breach affected more than 500 people. The provision was included to give law enforcement and the legislature a way to track privacy breaches across industries and identify trends, Simitian said.
In his veto message, Schwarzenegger wrote there was “no additional consumer benefit” to the provision because the bill does not require the attorney general to do anything with the notices.
“I thought there was a little irony in the veto message suggesting that we didn’t have evidence of the nature of the problem, and then going on to say ‘and by the way, why on earth would you want to have a place where there is a repository of this information,’” Simitian said.
Under state law that took effect January 1 of this year, healthcare organizations are already required to report breaches of any size to the California Department of Public Health, Center for Health Care Quality, which has power to investigate and fine organizations.
However, sending a breach notice directly to the attorney general could have increased an organization’s chance of being prosecuted, Hirsch noted. The federal breach notification provisions give attorneys general the power to enforce privacy protections and take enforcement action against healthcare organizations that have experienced a breach of protected health information.
Though the bill was vetoed, Simitian said he will have conversations with the California governor’s office on how to get the bill passed. He plans to reintroduce the legislation next year.
The Federal Content Requirements
Two federal laws govern breach notification. A rule promulgated by the Department of Health and Human Services governs HIPAA covered entities; a rule published by the Federal Trade Commission applies to noncovered entities such as personal health record vendors.
The rule governing covered entities spells out that breach notifications must:
- Be written in plain language
- Describe what happened, including the date of breach and discovery (if known)
- Describe the types of unsecured personal information involved in the breach
- Provide steps individuals should take to protect themselves
- Give a brief description of what the healthcare organization is doing to investigate, mitigate harm, and protect against further breaches
- Describe contact procedures for patient questions, including a toll-free telephone number
The rule currently exists as an interim final rule, meaning that it could be modified based on public comments. The comment period ends this Friday, October 23. The FTC law governing noncovered entities has similar content requirements, though it provides less detail.
The California bill would have required businesses to include two items in addition to what the federal laws specify:
- Contact information for credit reporting agencies
- A statement describing whether there was a delay in notification because of law enforcement investigations