States ramp up data security laws
'It's long past time we updated our data security laws'
Healthcare organizations not only must heed federal data security laws; they also have state laws to keep in mind. And a growing trend has states making these regulations tougher than ever. One state that currently has no laws requiring organizations to implement certain data security protections has proposed legislation that would hold entities fully responsible for failing to safeguard consumer data.
As businesses continue to demonstrate grievous security failings, New York state has decided to join a growing number of states that have chosen to ramp up their data security laws. The announcement last week from the state's Attorney General Eric T. Schneiderman comes on the heels of a report last year, finding that nearly 23 million New Yorkers have had their personal records compromised since 2006.
New York entities are only required to notify individuals of a data security breach if "private information" has been compromised. Private information, as state officials pointed out, has a very narrow definition and does not include email addresses and passwords; medical data and health insurance data, among other items.
[See also: HIPAA data breaches climb 138 percent.]
The proposed law would broaden the definition of private information to include email addresses, security questions and medical and health insurance data. The law would also establish a safe harbor rule for companies that implement specific data security plans and standards that officials say would minimize the chance of a breach.
In 2013 – a "record-setting" breach year for New York – these data security breaches cost organizations a whopping $1.37 billion statewide. Some 40 percent of those breaches were hacking related, according to a 2014 N.Y. Attorney General report.
What's more, healthcare organizations proved to be the biggest offenders, with healthcare data breaches being responsible for compromising the largest number of records of New Yorkers since 2006. "As the healthcare industry moves toward increasing digitization, it has become a repository for large troves of sensitive information, making the industry uniquely susceptible to data loss, particularly through lost or stolen electronic storage equipment," Schneiderman wrote in the report.
"With some of the largest-ever data breaches occurring in just the last year, it's long past time we updated our data security laws and expanded protections for consumers," said Schneiderman in a Jan. 15 press release. "We must also remind ourselves that companies can be victims, and that those who take responsible steps to safeguard customer data deserve recognition and protection."
[See also: Healthcare to be 'plagued' by data breaches in 2015.]
One of the state's biggest data breaches ever reported was announced by the New York City Health & Hospitals Corporation's North Bronx Healthcare Network, which compromised the health records of some 1.7 million employees, vendors and patients.
In light of the increase in scope and frequency of these data security breaches, just last month, Oregon's AG Ellen Rosenblum called on the state's legislature to update and toughen Oregon's data breach law, which does not protect medical or health insurance data. Indiana's AG also in December proposed similar legislation that would tighten data security laws in the state.