1. Home
  2. |Insights
  3. |To Notify or Not to Notify - 2006 Update

To Notify or Not to Notify - 2006 Update

Client Alert | 2 min read | 04.07.06

Following in the footsteps of the California legislature, twenty-three other states have now passed security breach notification laws, and there are similar laws pending in several more states. Additionally, as we march into the second quarter of 2006, several states are considering legislation to expand their existing security breach notification laws to broaden the types of entities covered by the law, to eliminate exemptions under the law (including some exemptions for HIPAA-covered or Graham-Leach-Bliley-covered entities) and to regulate the use of social security numbers, among other things.

Each of the recently enacted laws, like the California law, generally requires entities to promptly notify the residents of that state if the security, confidentiality or integrity of their personal information (defined similarly by most states with some notable exceptions) has been compromised. 

However, the new state security laws don't just require notification of breaches after the fact. Some states require businesses to take measures now to prevent the occurrence of breaches. Depending on where you do business, you could be required by state law to:

  • Implement and maintain security procedures and practices to protect personal information.
  • Adopt measures to ensure transfers of personal information to third parties are subject to contractual safeguards.
  • Review existing document destruction policies to ensure appropriate timing and methods for the destruction of personal information.
  • Utilize encryption to ensure the safe transfer of personal information to third parties.

The best way to avoid disclosure under the new laws is to avoid the breach in the first place. Therefore, corporations are well-advised to adopt procedures for handling the security of personal information generally, and prepare a response plan which includes an established method for notifying individuals when and if their personal information is compromised. In addition to enforcement by the State Attorneys General and private litigants, the FTC is actively enforcing privacy laws through the general unfair act or practices portion of the FTC Act.

The FTC brought a number of high profile enforcement actions involving security breach incidents in 2005 and the trend continues in 2006, increasing the pressure for businesses to implement and maintain adequate security procedures and practices that closely mirror those found in the Safeguards Rules of the Gramm-Leach-Bliley Act. Most notably, the FTC recently issued the largest fine in FTC history against ChoicePoint, with $10 million in civil penalties, and $5 million in consumer redress.

Insights

Client Alert | 6 min read | 03.26.24

California Office of Health Care Affordability Notice Requirement for Material Change Transactions Closing on or After April 1, 2024

Starting next week, on April 1st, health care entities in California closing “material change transactions” will be required to notify California’s new Office of Health Care Affordability (“OHCA”) and potentially undergo an extensive review process prior to closing. The new review process will impact a broad range of providers, payers, delivery systems, and pharmacy benefit managers with either a current California footprint or a plan to expand into the California market. While health care service plans in California are already subject to an extensive transaction approval process by the Department of Managed Health Care, other health care entities in California have not been required to file notices of transactions historically, and so the notice requirement will have a significant impact on how health care entities need to structure and close deals in California, and the timing on which closing is permitted to occur....