- Pending data breach legislation in New York could potentially affect the future of PHI security, as the proposed bill would include individuals’ medical information under its definition of personal information.
If the bill passes, unsecured PHI that is held by a HIPAA covered entity would be considered the type of data that requires notification should it be compromised in a data breach.
The bill, A10475, is sponsored by Assemblyman Jeffrey Dinowitz, and would go into effect on January 1, 2017.
“New York's data breach notification law needs to be updated to keep pace with current technology,” reads a memo on the legislation. “This bill broadens the scope of information covered under the notification law and updates the notification requirements when there has been a breach of data.”
Along with PHI, biometric data and email addresses or usernames in combination with a password or security question answer will also now be included in the state’s definition of personal information.
The notification process would also be updated. For example, an entity shall notify individuals affected by the data breach as quickly as possible. If a business believes that any private information belonging to a consumer has been accessed by an unauthorized individual that the business notify the consumer.
“The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision four of this section, or any measures necessary to determine the scope of the breach and restore the integrity of the system,” the bill states.
Another important change in A10475 would be the penalty for an entity should it fail to comply with the data breach notification requirements. Currently, penalties are limited to the greater of $5,000 or $10 per instance. However, the penalties are not to exceed $100,000 total.
The proposed bill dicates that penalties will be limited to the greater of $5,000 or $20 per instance, and not to exceed $250,000 total.
“In the event that any New York residents are to be notified, the person or business shall notify the state attorney general, the department of state and the office of information technology services as to the timing, content and distribution of the notices approximate number of affected persons and provide a copy of the template of the notice sent to affected persons. Such notice shall be made without delaying notice to affected New York residents,” the legislation explains.
Other specific provisions of the bill include, but are not limited to the following:
- The Department of State is tasked with receiving and responding to data breach complaints and with informing the public of data security prevention techniques
- Businesses are authorized in certain circumstances to notify the consumer via email of the breach and if the consumers’ email is believed to have been compromised, the business is authorized to use other electronic methods to notify the consumer
- If a business is sending out a new credit or debit card to a consumer, it is required that the consumer be notified that the card in on its way
This is not the first time that New York has worked to make improvements in its data breach notification process.
Last year, New York Attorney General Eric Schneiderman proposed a data security law that would ensure that compromised healthcare information would also be cause for data breach notification.
“With some of the largest-ever data breaches occurring in just the last year, it’s long past time we updated our data security laws and expanded protections for consumers,” Schneiderman said in a statement at the time. “We must also remind ourselves that companies can be victims, and that those who take responsible steps to safeguard customer data deserve recognition and protection.”
The bill also proposed a “Reasonable Data Security Requirement,” which would require companies that collect or store private information to adhere to administrative, technical, and physical safeguards.