This post was also written by Frederick Lah.
We previously reported on Texas House Bill 300 that was signed into law last year. The new law presents stricter requirements for health privacy and data breach notification obligations. That law is set to become effective September 1, 2012. Two types of entities will be primarily affected by the law: “Covered entities” – as that term is defined under the Texas law – will need to comply with the health privacy requirements. For the breach notification amendment, any person who “conducts business” in Texas and owns or licenses computerized sensitive personal information about “individuals” (not limited to just Texas residents) must comply with the law. For our previous Client Alert on H.B. 300, please click here.
Connecticut is another state that has recently enacted its data breach notification law. Connecticut House Bill 6001 now requires that notification be provided to the attorney general any time notification is required to be given to a resident, at a time “not later than the time when notice is provided to the resident.” This change is set to become effective October 1, 2012.
These two upcoming changes follow a busy year in state privacy law amendments. Illinois, California, and Vermont have all amended their data breach notification laws within the past year. We previously covered the Vermont amendments here. Each of these data breach notification laws is currently effective. Also earlier this year, while not an amendment, the grandfather provision under the Massachusetts Regulations with respect to non-compliance for service provider contracts expired. Now, all companies subject to the Regulation must ensure that their contracts with service providers contain a provision to implement and maintain appropriate safeguards. We covered this specific provision here.