Legislators Respond to Big Data Breaches

In light of recent big data breaches, legislation has been proposed to Congress that would set a nationwide data breach notification standard. Among the proposed bills are (1) the Personal Data Notification and Protection Act, (2) the Data Security and Breach Notification Act, (3) the Data Security Act, and (4) the Consumer Privacy Protection Act. Proponents of a national standard claim that it would simplify the policies that companies must follow when reporting breaches. With forty-seven different state data breach notification laws and no national law on the books, retailers are forced to adhere to a patchwork of state laws.

However, the push for such a law has faced much opposition over the years, as many lawmakers believe it would preempt more comprehensive state notification laws. Elise Viebeck noted that past attempts to enact similar legislation have failed due to Congressional turf wars. If history is any indication, lawmakers will likely fail to reach an agreement.  

At the state level, Illinois joins a growing number of states (including New Jersey, Connecticut, California, and Nevada) that are advancing consumer protection laws.  Illinois Attorney General Lisa Madigan stated, “the growing frequency and scope of data breaches has necessitated an overhaul of Illinois’ notification law.”  Currently, the Personal Information Protection Act (“PIPA”) only extends to unencrypted electronic forms of data including first and last name, social security number, driver’s license or state identification card number, and credit card or debit card number in combination with any information that would permit access to a resident’s financial account.  If a breach occurs, the entity must notify each affected resident following discovery of the breach; however, government notice of the breach is not required. 

Illinois SB 1833, drafted by Madigan, is pending in the Illinois General Assembly.  This bill will strengthen PIPA by requiring companies to notify consumers about data breaches that expose financial information as well as geo-location data. Further, the bill extends the definition of personal information to include medical and health insurance data.  The Illinois Senate passed the bill last month and it is awaiting approval by the Illinois House.

What does this mean for health law? Data breach notification protocol is essential for any organization. The healthcare industry is no exception. The Anthem breach, announced in early February, affected no fewer than 75 million people. Premera, another health insurance provider, recently announced the records of 11 million people were compromised. The consequences of hacking healthcare information are unlike those of hacking commercial retailers. When retailers are hacked, credit card numbers are exposed and can easily be canceled. Hacking health and insurance data is more troublesome as it reveals the keys to a person’s identity. Rebecca Fayed, a privacy officer for the Advisory Board Co., asserted the “flow of personal information is essential to delivering medical treatment and to arranging payment. ‘We as individuals are never going to be able to know every single entity that has our data.’”

The Health Insurance Portability and Accountability Act (HIPAA) already requires covered entities and their business associates to notify the necessary parties after protected health information is compromised.  It further requires the covered entities to encrypt stored health information or health information transmitted electronically if reasonable and appropriate for them to do so.  Additionally, more states are including medical and health insurance information in their definition of personal information in their data breach notification laws. 

Maintaining HIPAA compliance is still crucial; however, increasing consumer protection (whether by state or federal law) will require healthcare and insurance providers to take further steps to protect personal information and respond more effectively in the event of a breach.

Kathryn Brown is currently a 2L at DePaul University College of Law. Ms. Brown completed her undergraduate degree at Saint Ambrose University, located in Davenport, IA. Ms. Brown wishes to pursue a career in Health Law after graduating in May of 2017.