At any given time, the RADAR regulatory team is busy monitoring, tracking, and preparing for proposed and pending changes to data breach notification law.
As a RADAR product manager specializing in regulatory content, I have a front-row view of the work that goes into keeping RADAR up to date with the latest developments in data breach notification law. As part of that work, the regulatory team has identified a number of trends that we expect to continue through 2016. Last week we covered an overarching trend toward increased stringency and specificity.
This week, we will dive a bit deeper into one aspect of this increased stringency as it relates to personal information and incident assessment.
Expanding the scope of personal information
How a state defines personal information largely determines which incidents count as breaches and when notification is required. When data breach notification laws were first enacted, personal information was defined narrowly as an individual’s name in combination with a Social Security number, a driver’s license or state identification card number, or a financial account number together with any access code or password that would permit access to the account. Recent legislation shows a trend toward significantly expanding that scope.
States that have recently expanded their definition of personal information include:
- Montana (HB 74) In 2015, Montana amended its privacy law to include medical record information in its definition of personal information. In the same amendment, Montana also expanded the scope of personal information to include taxpayer identification numbers and identity protection personal identification numbers issued by the IRS.
- Nevada (AB 179) Also in 2015, Nevada expanded its scope of personal information to include medical information, as well as a user name, unique identifier, or email address in combination with a password, access code, or security questions and answers that would permit access to an online account.
- Oregon (SB 601) Effective on January 1st of this year, Oregon expanded its definition of personal information to include biometric data, health insurance policy or subscriber number in combination with other unique identifiers, and any information about a consumer’s medical history, mental or physical condition, medical diagnosis, or treatment.
What this means for privacy and security teams
Looking at the impact of this trend, it’s likely that privacy and security teams will face new challenges.
One of those challenges is likely to be an increase in the number of incidents requiring assessment, since a broader definition of personal information means more of the data an organization holds can trigger a notification obligation. Another is uncertainty about whether a given incident qualifies as a breach at all, since the answer depends on the definition of personal information in each affected state, and those definitions vary from state to state.
Is it a breach or not? With increasing frequency, privacy and security teams may be saying yes.
Interested in following the rest of this series? Subscribe to our blog to receive the remainder of our regulatory trend blog posts, as well as future blog posts regarding updates in breach notification law.