data breach notification law

Adding to the confusion surrounding the provisions of 47 different state breach notification laws, Wyoming amended two laws last month, expanding the definition of personal information that requires notification in the event of a breach, starting in July of 2015.

Specifically, the definition of personal information was amended to include an individual’s first name

Montana became the latest state to revise its data breach notification law to take into account recent data breaches affecting millions of consumers. In particular, the Montana law was revised to include medical record information (which is not included in most state breach notification laws), a taxpayer identification number and “an identity protection personal identification number issued by the United States internal revenue service” in the definition of “personal information” that requires breach notification. This is no doubt in response to the millions of Americans whose identities have been used to file fraudulent tax returns with the IRS.

It is significant that the Montana law requires notification for the breach of any health information, as this requirement is arguably stricter than the breach notification requirements of the HIPAA Omnibus Rule. This change will be important for health care entities and any other companies that maintain health records. This law applies to all companies, not just health care entities and business associates covered by HIPAA.