State law mandates more data breach info

In a move to protect consumers, Gov. Jerry Brown (D-Calif.) last week signed into law a privacy bill that expands what organizations must tell affected persons when their personal information is breached, effective Jan. 1, 2012. Introduced by Sen. Joe Simitian (D-Palo Alto), Senate Bill 24 requires data holders to disclose more about a security breach than California law previously mandated.

Until now, California only required that data holders notify individuals after their personal information was compromised; the law did not specify what the notification must contain, according to a press statement from Simitian's office. The new law requires that the notice state what types of personal information were compromised, when the breach took place (the date, estimated date or date range), a general description of the incident, and, where Social Security, driver's license or state ID numbers were exposed, the toll-free numbers and addresses of the major credit reporting agencies so that victims can place fraud alerts, reports Palo Alto Patch.

"No one likes to get the news that personal information about them has been stolen," said Simitian. "But when it happens, people deserve to get the information they need to decide what to do next."

In fact, a UC Berkeley survey found that more than a quarter (28 percent) of data breach victims did not understand the potential consequences of the breach after reading the notification letter, according to the Simitian statement.

Expanded notification content may become increasingly important as organizations, hospitals in particular, report thefts of patient information such as medical records, Social Security numbers, credit card numbers and insurance details, any of which can be used for identity theft or insurance fraud.

"The crime of identity theft is not going away," Beth Givens, director of the Privacy Rights Clearinghouse, a nonprofit consumer education and advocacy group, told Palo Alto Patch.

In addition, SB 24 requires that data holders send an electronic copy to the Attorney General if the breach affects more than 500 Californians.

Healthcare organizations already face a parallel federal requirement: under the HITECH Act breach notification rule, HIPAA covered entities must notify Health & Human Services of breaches of unsecured protected health information affecting 500 or more individuals, while smaller breaches are logged and reported to HHS annually. A hospital that suffers a breach affecting Californians may therefore owe notices to both the state Attorney General and HHS, on different timelines.

For more information:
- read the press statement
- read the Palo Alto Patch article
- check out SB 24
- read the HHS breach notification rule
