HealthLawProf Blog

Editor: Katharine Van Tassel
Concordia University School of Law

Friday, July 8, 2011

Poor Man's Privacy Law May Have Teeth

I am not a big fan of data breach statutes whether legislated by the states (usefully collected here) or the federal government, for example Sec. 13402 HITECH and regulations made thereunder (outlined here). Practically, they seem to embrace a "horse bolted after we left the barn door unlocked" approach to data protection. And,from a policy perspective, they strike me as a lazy post hoc (and sometimes sectoral) legislative responses to a problem that deserves a more comprehensive and integrated regulatory model.

However, as we continue to wait (and wait) on the Senate's Committee on Commerce, Science, and Transportation Committee for some good news about privacy reform (here), at least one state has demonstrated that a breach notification statute can have some teeth. This week the Indiana Attorney General announced a settlement with WellPoint Inc., (here) in which the company will pay $100,000 to the state and accept responsibility for credit monitoring and identity theft protection for affected consumers. According to the Attorney General "This case should be a teaching moment for all companies that handle consumers' personal data: If you suffer a data breach and private information is inadvertently posted online, then you must notify the Attorney General's Office and consumers promptly. Early warning helps minimize the risk that consumers will fall victim to identity theft… The requirement to notify the Attorney General 'without unreasonable delay' is not fulfilled by having me read about the breach in the newspaper." Now, we are not talking about penalties of the size being thrown around by the newly energized Office of Civil Rights ($865,500 from UCLA this week for HIPAA violations, here), but maybe I should give breach notification statutes a second chance. [NPT]

| Permalink

TrackBack URL for this entry:

Listed below are links to weblogs that reference Poor Man's Privacy Law May Have Teeth:


Post a comment