What impact will the Data Security and Breach Notification Act of 2015 have if passed?
On April 15, 2015, the House Energy and Commerce Committee approved the Data Security and Breach Notification Act by a 29-20 vote. The bill would be the first federal law requiring organizations to inform consumers that their personal information may have been compromised by hackers, and it would preempt the existing state breach-notification laws.
If passed into law, the legislation would require organizations to maintain “reasonable security measures and practices” to protect consumer data, and to disclose breaches when there is a risk of consumer harm. If a breach occurs that meets this criterion, organizations would need to notify affected consumers within 30 days of determining the scale of the breach, and only once their security has been “restored”.
While this sounds like a step in the right direction, some data privacy advocates have raised concerns that the law will override stronger and more comprehensive existing state laws.
As the legislation would “expressly preempt any related State laws to ensure uniformity of this Act’s standards and the consistency of their application across jurisdictions”, consumers in some states might no longer be notified of breaches that their state law currently requires organizations to disclose.
Of the states with data breach notification laws in place, 32 would see their breach notification protections diminished in some way. The federal bill requires notification only if an organization determines that there is “a reasonable risk” of “identity theft, economic loss or economic harm”. Depending on the type of data compromised, organizations would therefore be left to decide for themselves whether a breach is severe enough to be reported.
Under the federal bill, Anthem, whose breach affected nearly 80 million policyholders after hackers accessed a company database, might not have been required to disclose it, since Anthem believes that no medical records (and therefore, on its reading, no information sufficient to commit identity fraud or cause economic harm) were accessed.
Anthem stated that it has no evidence that any of the records were used for fraudulent purposes, so in theory it could conclude there was no reasonable risk of financial loss. However, the hackers could have gained access to other personally identifiable information such as names, addresses, birth dates, Social Security numbers and employment data, which is exactly the kind of data that enables identity theft; a risk determination made by the breached organization itself is unlikely to weigh this consistently.
Under California’s data breach notification law, Anthem had to disclose the breach whether or not there was evidence of records being used for fraudulent purposes. California’s law requires notification whenever the personal information of any resident is “acquired, or reasonably believed to have been acquired, by an unauthorized person”.
The federal bill does not specify precisely what constitutes a “reasonable risk”, leaving each organization to make that call. Had the breach occurred after the federal bill became law, Anthem could have justified not informing its policyholders of the massive data breach.
The federal bill also requires that organizations “maintain reasonable security measures and practices to protect and secure personal information”, but again it is unclear what it deems reasonable security measures and practices. With such vague guidelines, an organization could suffer one huge breach or many smaller ones, and no one outside the organization would ever know.
For the time being, at least in the healthcare sector, HIPAA will continue to protect PHI: if a breach occurs, covered entities are required under HIPAA’s Breach Notification Rule to notify HHS (and the affected individuals), in addition to following the breach notification process governed by state law.
However, while the federal bill does not specifically mention HIPAA, it does list covered entities and business associates, as defined under section 160.103 of title 45, Code of Federal Regulations, as “exceptions”. Even so, only time will tell, as the bill advances, how the proposed changes to federal law will impact data security in the healthcare sector.