Arizona is now including healthcare data breaches in its data breach notification law.
Under legislation introduced in January and signed into law by Arizona Governor Doug Ducey earlier this month, information about an individual's medical or mental health treatment or diagnosis by a healthcare professional is now considered "personal information".
Any breach involving that information would be subject to the requirements of the data breach notification law, according to an analysis by the law firm of Ballard Spahr.
Other information added to the personal information definition includes a private key that is unique to an individual and is used to authenticate or sign an electronic record; an individual health insurance identification number; a passport number; a taxpayer identification number or an identity protection personal identification number issued by the IRS; or unique biometric data used for online authentication purposes.
The new law also sets a 45-day deadline for notification of victims. Under the previous law, notification was to be provided “without unreasonable delay.” However, a third-party forensic auditor or law enforcement agency can override the notification requirement if it determines that the “breach has not resulted in or is not reasonably likely to result in substantial economic loss to affected individuals.”
The legislation defines a breach as an “unauthorized acquisition of and unauthorized access that materially compromises the security or confidentiality of unencrypted and unredacted computerized personal information maintained as part of a database of personal information regarding multiple individuals.”
The amended statute requires that the notice contain the date of the breach, a brief description of the information disclosed, and contact information for the three largest consumer credit reporting agencies and the Federal Trade Commission.
If the breach affects more than 1,000 people, notice must be provided to the consumer credit reporting agencies and the state Attorney General.
The Attorney General can now fine violators up to $500,000 to recover the total economic loss sustained by affected individuals in a breach or series of breaches. Under the previous law, the cap was set at only $10,000 per breach or series of breaches.
“I applaud Representative [T.J.] Shope and members of the legislature for adopting these common sense improvements to our data breach laws,” said Attorney General Mark Brnovich, who helped draft the law.
“Consumers have a right to know when their sensitive information has been breached so they can protect themselves from financial loss. A key component of the legislation was notification to the Attorney General’s Office of a breach. My office will be better positioned to investigate massive breaches in the future and assist consumers to protect their assets from theft.”
Last month, South Dakota and Alabama became the final two states to adopt data breach notification laws. Both laws include healthcare information in the definition of personal information covered by the notification requirements and both set deadlines for notification.
Some members of Congress are pushing for a national data breach notification law to standardize requirements. However, many states oppose a national law, arguing that it would preempt legitimate state authority to protect consumers.
A group of 32 attorneys general, led by Illinois Attorney General Lisa Madigan, sent a letter to Congress last month objecting to a draft bill, the Data Acquisition and Technology Accountability and Security Act circulated by Rep. Blaine Luetkemeyer (R-Mo.) and Rep. Carolyn Maloney (D-NY) in February.
“This bill totally preempts all state data breach and data security laws, including laws that require notice to consumers and state attorneys general of data breaches,” the letter said.
“States have proven themselves to be active, agile, and experienced enforcers of their consumers’ data security and privacy,” the attorneys general argued.
The attorneys general objected to the draft bill’s provision giving organizations that experience a data breach the discretion whether to notify consumers based on their judgment of risks. In addition, breaches affecting fewer than 5,000 consumers would be exempt from the notification requirement.
“We believe there is a place for both state and federal agencies to act to protect consumers’ important personal information,” the attorneys general wrote.
States obviously want to keep the power to regulate data breaches, but many in the business community are frustrated by the varying requirements of 50 separate state laws. They either want no regulation or, if regulation is unavoidable, a federal standard that has uniform reporting requirements.