Privacy & Data Protection

On January 1, 2010, two important state data security and privacy laws took effect in Nevada and New Hampshire. The laws create new obligations for most companies that do business in Nevada and for health care providers and business associates in New Hampshire.

Nevada’s law requires “data collectors,” including government agencies and businesses, that accept payment cards and are “doing business” in Nevada to comply with the Payment Card Industry Data Security Standard (“PCI DSS”). Nevada now becomes the only state to require compliance with PCI DSS in its entirety.

Read the rest of this entry »

Several states now require businesses that maintain personal information to implement data security measures. Massachusetts has been especially active in this area. Last fall, that state issued regulations requiring any person who holds personal information about Massachusetts residents to develop and implement a comprehensive, written information security program to protect the data. The compliance deadline, originally January 1, 2009, was later extended to May 1, 2009 and has now been pushed back further to January 1, 2010 in consideration of the economic climate.

In addition to extending the compliance deadline, Massachusetts has made substantive changes to the requirements.

Read the rest of this entry »

The economic stimulus legislation, known as the American Recovery and Reinvestment Act (“ARRA”), is set to have a significant impact on organizations’ handling of personal data security breach notifications in the health care context – and beyond.

Provisions of ARRA require certain entities to notify affected individuals, government agencies and the media of breaches of “unsecured protected health information.”

Read the rest of this entry »