New State Security Breach Notification Laws
Client Alert | 1 min read | 09.08.05
Beyond the HIPAA Privacy Rule and the HIPAA Security Rule, health care entities now face potential compliance obligations under an increasing number of state laws requiring notification of security breaches. Following in the footsteps of the California legislature, nineteen other states have now passed security breach notification laws, and there are similar laws pending in eight states whose legislatures are still in session: New Jersey, Massachusetts, Michigan, North Carolina, Ohio, Oregon, Pennsylvania, and Wisconsin.
Each of the recently enacted laws, like the California law, generally require entities to notify promptly the residents of that state if the security, confidentiality or integrity of their personal information – defined similarly by most states with some notable exceptions – has been compromised.
Failure to comply may result not only in enforcement by state officials, but could also result in civil lawsuits – some of the new state laws incorporate a private right of action.
|
|
If your organization loses personal data,
|
The best way to avoid disclosure under the new laws is to avoid the breach in the first place. Therefore, we recommend that as a supplement to existing HIPAA Security measures, health care entities adopt and implement any necessary state-specific procedures for handling the security of personal information generally. Health care entities should also prepare a response plan which includes an established method for notifying individuals when and if their personal information is compromised. Furthermore, most states will accept an existing information security policy if it contains notification provisions that meet the timing requirements of the new laws. If you already have an information security policy, you may wish to review it to ensure it comports with new applicable state law.
Insights
Client Alert | 2 min read | 07.15.26
CMMC Phase II Suspension Requires Reconsideration of Such Requirements in Solicitations
As discussed in more detail here, the U.S. Department of War (DoW) recently issued a memorandum (Memo 26-P-1023, dated July 13, 2026) directing the immediate suspension of Cybersecurity Maturity Model Certification (CMMC) Phase II requirements. Significantly, the memo directs that “all pending and future CMMC implementation milestones across DoW solicitations and contracts are held in abeyance until further notice.” Moreover, the DoW issued a memorandum on implementing these requirements (available here), directing agencies to issue amendments removing CMMC Level 2 and 3 requirements from active solicitations “as soon as practicable.” Contractors should monitor the government’s compliance with this requirement and should be prepared, if needed, to file a bid protest to protect their rights.
Client Alert | 3 min read | 07.13.26
Amici Rally Behind Liberty Global, Urging Tenth Circuit to Rein in Economic Substance Doctrine
Client Alert | 2 min read | 07.13.26
Department of War Immediately Suspends CMMC Phase II Requirements, Launches 60-Day Reform Review
Client Alert | 3 min read | 07.10.26
