Advocating The Need For A Federal Data Breach Disclosure Law

Information Week's Security Blog advocates for a federal data breach disclosure law in this post, The Time Is Now (Better Yet, Yesterday) For A Federal Data Breach Disclosure Law.

Thanks to the HIPAA Blog for point out the article. I agree with Jeff Drummond's conclusion. After having analyzed overlapping and different state disclosure requirements as a part of assisting clients with data breach issue a federal approach is the direction we should go. (caveat: it should require total preemption - not partial preemption like HIPAA privacy).

A federal approach would help set a national industry standard that can be clearly understood, implemented and followed by those who regularly deal in data, health care or otherwise. The state-by-state patchwork of different laws that currently exist create a complexity that is not needed.

For more on the ongoing complexity issue check out California's recently revised law (AB1298) that recently took effect. AB1298 effective January 1, 2008, expands the coverage and protections to medical information and health insurance information under California's State Information Practices Act.

A clear and concise national approach would simplify compliance for those required to maintain and protect data, including health care providers maintaining health information. Customers and patients who expect their data to be maintained would also benefit by a simplified approach and uniform law that provides for a consistent level of breach notification and protection.

For more on state security breach notification legislation/laws check out the National Conference of State Legislatures website page "Breach of Information". Last updated in April 2007, it states "thirty-five states have enacted legislation requiring companies and/or state agencies to disclosure security breaches involving personal information." I suspect this number will increase after the 2008 legislative sessions around the country.

Also, NCSL provides a summary of data breach notification legislation introduced by year. For 2007, they list three bills introduced (but not passed) before the West Virginia Legislature:

WEST VIRGINIA

WV H 2175	Sponsor: Marshall (D) Title: Acquisition of Security Compromising Data Introduced: 01/16/2007 Location: House Judiciary Committee Summary: Relates to the unauthorized acquisition of data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector. Status: 01/16/2007 INTRODUCED. 01/16/2007 To HOUSE Committee on JUDICIARY.

WV H 2263	Sponsor: Brown (D) Title: Clean Credit Information and Identity Theft Protection Introduced: 01/16/2007 Location: House Judiciary Committee Summary: Ensures clean credit information and identity theft protection (FN). Status: 01/16/2007 INTRODUCED. 01/16/2007 To HOUSE Committee on JUDICIARY.

WV H 2705

Sponsor: Marshall (D) Title: Consumer Right to Impose Freeze on Credit Reports Introduced: 01/30/2007 Location: House Judiciary Committee Summary: Establishes a procedure whereby a consumer may implement a security freeze to prohibit a consumer reporting agency from releasing all or any part of the consumer's credit report. Status: 01/30/2007 INTRODUCED. 01/30/2007 To HOUSE Committee on JUDICIA

As a result of high profile cases like this one that occurred in West Virginia, we will again see activity this year in West Virginia.