Cybersecurity is a hot topic at both the state and federal levels. Specifically, Illinois is in the process of amending its Personal Information Protection Act (“PIPA”). Illinois SB 1833 will amend PIPA by establishing more notice requirements in the event of a breach and by adding requirements for data security and the posting of privacy policies. The proposed amendments have been passed by both Houses and are currently awaiting signature from the governor. In addition, the Cybersecurity Unit of the Department of Justice (“DOJ”) Criminal Division recently released a “best practices” document on responding to and reporting cyber incidents.
Expanded personal information definition
The proposed amendments to the current PIPA regulations add the following four definitions: (1) consumer marketing information, (2) geolocation information, (3) health insurance information, and (4) medical information.
In addition, the breadth of what is considered to be personal information is expanded to now include:
- medical information (any information regarding an individual’s medical history, mental or physical condition, medical treatment, or diagnosis);
- health insurance information (includes an individual’s health insurance policy number, subscriber identification number, unique identifier, or health insurance application and claims history);
- biometric data (includes fingerprints, retina images, or other physical or digital representation of biometric data);
- geolocation information (information generated or derived from an electronic communications device that is sufficient to identify the street name and the city in which the device is located);
- consumer marketing information (information related to a consumer’s online browsing history, online search history, or purchasing history);
- user name and email address in combination with a password or security question and answer; and
- any combination of two of the following (1) home address, telephone number, or email address; (2) mother’s maiden name; or (3) month, day, and year of birth.
Current PIPA legislation does not require notice to the Illinois Attorney General in the event of an unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a “data collector” in Illinois (a “breach”). The amendments change this by incorporating a notice requirement in the event of a breach that affects more than 250 Illinois residents. Specifically, any data collector (both those that own and those that do not own the data) will have to provide notice to the Attorney General within 30 business days of the discovery of the breach or two days before notification is sent to the consumer. In its notification to the Attorney General, a data collector that owns or licenses the data will need to include (1) a description of the personal information compromised, (2) the number of Illinois residents affected, (3) any steps the data collector has taken or plans to take relating to the notification of the breach to consumers, and (4) the date and timeframe of the breach, if known at the time of notification. A data collector that does not own the data, by contrast, will have to provide notification to the Attorney General including (i) a description of the personal information compromised in the breach, (ii) the number of Illinois residents affected, (iii) any steps the data collector has taken or plans to take relating to notification of the owner of the data, and (iv) the date and timeframe of the breach, if known at the time of notification.
Heightened data security requirements
The amended PIPA regulations also include the addition of data security requirements. This part of the PIPA amendments will affect clinicians using secure messaging or patient portals that have been implemented via Stage 2 Meaningful Use Core Measures. All clinical providers in Illinois that use a secure patient portal or secure messaging will be required to implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure. The amendments include a provision that a data collector that is in compliance with the security standards for protection of electronic health information provided under HIPAA will also be in compliance with PIPA.
Enhanced privacy notifications
Finally, the amendments provide requirements for the conspicuous posting of privacy policies, such as linking and text size. The privacy policy or a link to the privacy policy must be provided on either the homepage or the first significant page after entering the Web site. Specific provisions must be included in the privacy policies of all operators of commercial Web sites or online services, such as identifying the categories of personal information that the operator collects and giving the consumer the right to know how a Web site operator responds when the consumer opts out of tracking.
DOJ releases cybersecurity reporting guidance
The DOJ’s best practices document provides straightforward and easy-to-understand recommendations that health care organizations can use to better prepare for, analyze, and respond to a cyber-attack. Some of the best practices identified in the document include (1) having well-established plans and procedures for managing and responding to a cyber-attack, (2) notifying law enforcement, and (3) having technology in place that will be able to respond to a cyber-attack.
By adhering to the PIPA regulations and using the DOJ’s best practices, health care organizations can develop strong policies and procedures to better prevent and respond to cyber-attacks.