Connecticut officially changed its data breach security notification process, as Governor Dannel Malloy signed a proposed bill into law earlier this week.
S.B. 949 was designed in an effort to create greater assurances around data security for individuals who contract with the state and anyone who does business in Connecticut. For example, one of the changes with the new legislation is that businesses will be required to notify potential victims within 90 days of a cyber attack or a data breach.
Health data will also be covered by the new data breach notification law. As of October 1, 2015, a health insurer, healthcare center or other entity licensed to do health insurance business in the state will also be considered a “company” that is liable under the law. Furthermore, PHI (protected health information) will also be considered “personal information”; if it is compromised, a company will need to notify the affected individuals.
“Not later than October 1, 2017, each company shall implement and maintain a comprehensive information security program to safeguard the personal information of insureds and enrollees that is compiled or maintained by such company,” the bill states, adding that the security program will need to be in writing and contain appropriate administrative, technical and physical safeguards.
Those safeguards will need to consider the following guidelines:
- The size, scope and type of business of such company
- The amount of resources available to such company
- The amount of data compiled or maintained by such company
- The need for security and confidentiality of such data.
Another important part of the data breach notification law is that organizations will need to provide no less than one year of identity theft prevention services.
S.B. 949 also addresses the issue of data encryption, and explains that all personal information that is being transmitted wirelessly or on a public internet connection must be encrypted. Sensitive personal data must also be encrypted on laptops and other portable devices.
“‘Breach of security’ means unauthorized access to or unauthorized acquisition of electronic files, media, databases or computerized data containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable,” the legislation states.
Earlier this year, Connecticut Attorney General George Jepsen said that it is an unfortunate reality that consumers will likely continue to have their information threatened as hackers become more sophisticated.
“The legislation passed by the Senate and the House this year will provide clarity on the minimum requirements under Connecticut law for businesses that experience data breaches affecting consumers’ personal information,” Jepsen said, as previously reported by HealthITSecurity.com.
North Dakota also recently updated its data breach notification law, which goes into effect August 1, 2015. The amendment widens the scope of the businesses that will need to notify the attorney general should they encounter a data breach affecting more than 250 people. Under current law, only those who conduct business in North Dakota are subject to the data breach notification law. With the change, “any person that owns or licenses computerized data that includes personal information, shall disclose any breach of the system following discovery.”
View the original content and more from this author here: http://ift.tt/1CpaiAr