HIPAA covered entities in Oregon are exempt from a new requirement that organizations in the state report data breaches within 45 days of discovery.
At the end of March, Oregon Governor Kate Brown signed into law amendments (Senate Bill 1551) to the state's data breach law that impose the 45-day reporting requirement unless doing so would impede a law enforcement investigation.
The amendment would also prohibit credit reporting agencies from charging a fee to residents who want to freeze or unfreeze their credit reports.
According to analysis of the legislation by David Stauss, an attorney with the law firm of Ballard Spahr, the amendments exempt HIPAA covered entities, which are subject to a 60-day data breach notification requirement under the federal law.
Stauss noted that health insurance policy numbers, subscriber numbers, any medical history, or other information on a person’s physical or mental health are included under the definition of personal information subject to the data breach notification law.
“In the absence of a carve-out, there could have been circumstances under which a HIPAA covered entity may have been required to provide notice sooner than the 60-day requirement in the HIPAA Breach Notification Rule,” Stauss wrote.
“However, it should be emphasized that it will not always be the case that Oregon’s 45-day deadline will run before HIPAA’s 60-day deadline because the HIPAA deadline starts on ‘the first day on which such breach is known to the covered entity, or, by exercising reasonable diligence would have been known to the covered entity’,” he observed.
In addition, the new law expands the scope of those who must notify in case of a data breach to anyone who “has control over or access to” data containing personal information. It also requires those subject to the law to conduct risk assessments, provide regular training of employees, review user access privileges on a regular basis, apply security updates, and institute a reasonable security patch management program, wrote Stauss.
According to the law firm of Baker & Hostetler, as of November 2017, 12 states had set a specific deadline for data breach notification: California, Connecticut, Delaware, Florida, Maine, New Mexico, Ohio, Rhode Island, Tennessee, Vermont, Washington, and Wisconsin. Oregon can now be added to the list, as can Alabama and South Dakota, which both recently enacted data breach notification laws with notification deadlines.
In California, organizations that have suffered a breach have 15 business days from discovery of a data breach to notify the Department of Health Services and residents. Connecticut gives organizations only 5 calendar days to notify the Connecticut Insurance Department about a data breach but gives them 90 days to notify residents.
For Delaware and South Dakota, organizations that have suffered a breach must notify regulators and residents within 60 days of discovery.
Florida gives organizations 30 days for notification, while Maine gives a deadline of 7 business days after completion of an investigation.
Alabama, New Mexico, Ohio, Rhode Island, Tennessee, Vermont, Washington, and Wisconsin all have a 45-day data breach notification period.
Most of the states with deadlines include the proviso that law enforcement can extend the notification period if needed.
At least 30 states, Puerto Rico, and the District of Columbia are working on amendments to their data breach notification laws to strengthen requirements, according to the National Conference of State Legislatures.
The massive Equifax data breach prompted lawmakers in several states to introduce bills that would enable breach victims to freeze their credit for free. Other amendment provisions would expand the definition of personal information covered by the law, set specific notification deadlines, require reporting to the state’s attorney general, and/or require notification in case of student data breaches.
In addition to legislation, Massachusetts Attorney General Maura Healey filed an enforcement action against Equifax, alleging that the credit rating agency did not maintain appropriate safeguards to keep consumer information secure.
“We allege that Equifax knew about the vulnerabilities in its system for months, but utterly failed to keep the personal information of nearly three million Massachusetts residents safe from hackers,” Healey said in a statement. “We are suing because Equifax needs to pay for its mistakes, make our residents whole, and fix the problem so it never happens again.”