Saturday, February 10, 2007

Massachusetts among 16 states that don't require notification of data breaches

A new survey published in the Journal of the American Health Information Management Association made me aware of something that hadn't caught my eye before. Massachusetts, my home state, is one of a minority of states that DOES NOT have a data security breach notification law. California, whose law took effect in 2003, has the strongest such law in the country and was the model for many other states' laws. By 2006, 27 states had such laws, and 7 more state laws went into effect on January 1, 2007. But not in Massachusetts.

I'm not sure how much such laws do. In Massachusetts, for example, TJX recently reported a huge data spill despite the fact that we have no such law, and according to a recent survey by PricewaterhouseCoopers, as many as 1 out of 6 companies required to comply with the California law do not do so.

Ironically, the market may be taking care of this in ways that it hasn't been able to before. TJX stock plummeted after the Massachusetts Bankers Association directly linked cases of fraud to the data spilled by the company (there is an interesting description of this at the link).

There is much talk about the need for more transparency in the healthcare market. Most healthcare organizations aren't publicly traded, of course, but the idea is that patients will vote with their feet if they see meaningful differences in health care quality among providers. If data breaches start becoming more widely reported, data security could become another factor that patients use to decide where they get their care.

1 comment:

George said...

Thanks for posting this. ID theft is a huge problem, and I'd like to see a breach notification law for Mass. Not just notification, but TIMELY notification.

I am a former employee affected by IBM's data breach. IBM notified me in May. The 2-month delay was plenty of time for an ID thief to do damage, but luckily no theft attempts (yet). IMHO, this notification was too slow. While medical record breaches are very serious, I think that it is important to also focus on breaches where prior employee data is exposed. We all have prior employers. And medical firms/HMOs are employers, too. I write a blog about my experience dealing with IBM, the ID theft risk IBM caused me, and related issues of corporate responsibility: