Page 22 - SMRH Eye on Privacy 2019 Year in Review Brochure
DATA BREACH
Maryland Adds Insurance Commissioner to Breach Notification Requirements
Posted on September 23, 2019
Effective October 1, 2019, organizations providing health insurance and related services must notify the Maryland Insurance Administration as part of their breach notification requirements.
In August 2019, the Maryland Insurance Administration issued Bulletin 19-14 informing insurers, nonprofit health plans, HMOs, managed care organizations, managed general agents and third-party administrators of a new notice requirement for data breaches.
After an incident, once the regulated company conducts the investigation required by the state’s existing data breach law, the new rule requires the regulated entity to also send notice to the Maryland insurance commissioner if the breach of security “creates a likelihood that personal information has been or will be misused”. The notice must be sent to the commissioner at the same time as the notice submitted to the Maryland AG. The notification must include 1) a description of the security breach, 2) a copy of any consumer notifications, and 3) a copy of the notice sent to the Maryland AG. An online form can be used to submit the notice.
October looks to be a busy month for new breach notification obligations in Maryland. We previously reported on the other amendment happening next month.
PUTTING IT INTO PRACTICE: If your organization provides health insurance and related services, now is the time to update your nationwide breach notice plan to address this additional notification requirement. Maryland is not the only state to have requirements specific to insurance companies or to require notification to an insurance commissioner. Connecticut, Ohio, New Hampshire, and Washington do as well (among others).
Illinois Joins States Requiring Breach Notice to AG
Posted on September 3, 2019
Illinois has updated its breach notice law to require, effective January 1, 2020, notice to the Illinois Attorney General of a data breach involving more than 500 Illinois residents.
The law contains specific requirements about what content to include in the notice to the AG. The notice must include a description of the breach, the number of Illinois residents affected, and the steps taken related to the incident. Companies must notify the Attorney General at or before the time notice is provided to consumers. Finally, the legislation authorizes the Attorney General to publish information related to the breach. This includes the company name, the information compromised and when the breach occurred.
PUTTING IT INTO PRACTICE: Companies that have nationwide breach notice plans should keep in mind not only that the Illinois AG will require notice beginning in January if more than 500 Illinois residents have been impacted, but also that there are timing requirements (at the same time as notice to individuals) and content requirements, and that the notice may be published by the AG.