After California Takes Bold Action, Other States Ponder Privacy Protection Measures
Several U.S. states, including Oregon, North Carolina, Virginia and Washington, are considering new legislation to shore up consumer data privacy laws in the wake of California passing strict privacy requirements last year.
The European Union's General Data Protection Regulation, which has been enforced since last May, is inspiring renewed efforts worldwide, including at the federal and state levels in the United States, to boost privacy protections.
Democrats in Congress have once again introduced national breach notification and privacy legislation, but many previous efforts to pass similar measures have failed (see: Democratic Senators Introduce Security Legislation).
Meanwhile, federal regulators are considering changes in HIPAA aimed at reducing "regulatory burdens," including ways to improve secure data sharing for patient care coordination, by, for example, easing certain privacy requirements (see: HHS Seeks Feedback on Potential HIPAA Changes).
Rather than wait for Congress or federal regulators to take action, more states are considering a variety of measures designed to strengthen consumer data protections.
For example, Oregon is considering a bill that would prohibit the sale of de-identified protected health information without first obtaining a signed authorization from an individual. The measure also would provide patients the right to be paid for authorizing the de-identification of their PHI for sale to third parties, such as for research and other uses.
In North Carolina, pending legislation would strengthen ID theft/fraud protections. Under the proposal, ransomware attacks would be considered a security breach, and a breached entity would need to notify the state attorney general's office within 30 days.
In Virginia, a bill proposes new requirements for businesses related to disposal of certain consumer records. It also features new requirements for manufacturers pertaining to the design and maintenance of devices that connect to the internet. A business would be required to "take all reasonable steps to dispose of, or arrange for the disposal of, consumer records." But that provision would not apply to HIPAA covered entities and business associates, because HIPAA has its own disposal requirements.
And Washington is considering a bill that would require companies that collect personal data to be transparent about the type of data being collected, whether consumer data is sold to data brokers, and upon request from a consumer, delete the consumer's personal data without undue delay. These provisions are very similar to requirements in the EU's GDPR.
GDPR as Inspiration
"The European Union recently updated its privacy law through the passage and implementation of the General Data Protection Regulation, affording its residents the strongest privacy protections in the world," the Washington bill notes. "Washington residents deserve to enjoy the same level of robust privacy safeguards."
"We may find that there is a sufficient number of these new proposals that there will be an additional push to implement a federal law that applies a common standard."
—Kirk Nahra, Wiley Rein
California's new law enacted last year also requires businesses to disclose the purpose for collecting or selling the information, as well as the identity of the third-party organizations receiving the data. Consumers can also request data be deleted and initiate civil action if they believe that an organization has failed to protect their personal data (see California's New Privacy Law: It's Almost GDPR in the U.S.).
"The California Consumer Privacy Act was passed last year and compliance is required next year, but 2019 is when California's attorney general compliance guidance is expected, and legislative fixes may be needed," says privacy attorney Adam Greene of the law firm David Wright Tremaine.
"Each of the 50 states now has its own breach notification laws, with nearly one-half adopting data security and/or data disposal requirements to protect consumers' personally identifiable information from unauthorized disclosure," says privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek.
"While most states are not taking a sectorial approach to the type of PII that must be protected, New York, Ohio and South Carolina have adopted cybersecurity requirements that target industries that include health plans and insurers," he adds.
"A theme seen in state legislation to update breach notification laws in recent years is to set shorter notification periods. Some argue that this would give consumers more time to take action to protect themselves against the threat of financial fraud or identity theft by notifying major credit reporting agencies."
Privacy attorney Kirk Nahra of the law firm Wiley Rein notes: "The states continue to examine the possibilities for increasing privacy and data security protections, both in currently regulated areas and in situations where federal law is not directly applicable through a specific law or regulation."
Could all the various state activity put more pressure on Congress to adopt national privacy legislation?
"We may find that there is a sufficient number of these new proposals that there will be an additional push to implement a federal law that applies a common standard - although that is still a long way away," Nahra says. "And one of the critical elements of the debate will be how to handle these state laws."
Nahra expects other states, "including some traditional red states," will introduce privacy legislation.
New state privacy laws can potentially have adverse effects, Nahra contends.
For example, the Oregon proposal tightening up permitted uses of de-identified PHI "might seem appealing at first blush but actually would primarily have negative impacts," he claims.
The Oregon proposal, he argues, "would reduce any of the useful research, public health and other benefits that are provided by de-identified information today, and would at the same time create privacy and security risks for individuals by forcing companies to retain a link between the de-identified data and an identifiable individual.
"So, we see potential risks from some of these proposals, particularly where they move through a more chaotic and sometimes less thoughtful state legislative debate."
Greene says the Oregon legislation would be difficult to implement.
"For example, de-identified data may be created for multiple purposes, some of which might require authorization under the law," he notes. "Identifying what is the true purpose may be challenging. Also, it is not clear whether aggregate data, which is no longer at a person-by-person level, qualifies as de-identified data that may be subject to the law."