Provides for notification to the commissioner of insurance of breaches of data security in systems containing certain personal information relating to consumers. (8/1/16)
Impact
The provisions of SB103 aim to enhance the robustness of data protection by enforcing a strict notification system when breaches occur. This could significantly impact state laws concerning data privacy, compelling regulated entities to adopt more vigilant data management and security practices. The enhanced reporting requirements may foster accountability and transparency regarding data breaches, thus potentially benefiting consumers by increasing trust in how companies manage their personal information.
Summary
Senate Bill 103 (SB103) focuses on establishing protocols for notifying the commissioner of insurance regarding data breaches involving personal and protected health information. The bill mandates that any individual or entity regulated by the Department of Insurance must inform the commissioner within ten days of discovering a security breach within any data processing system containing such information. This applies not only to breaches of their own systems but also to breaches involving third-party service providers, regardless of whether the personal data was actually compromised. Each report must describe the incident and update the commissioner on subsequent developments.
Sentiment
The general sentiment surrounding SB103 appears to be largely supportive among consumer advocacy groups who see it as a necessary step toward better consumer protection in the face of rising data breaches. However, there are concerns among some industry representatives regarding the increased regulatory burden and the potential for significant fines for noncompliance. This could lead to fears of overreach in regulation, especially if the penalties for breaches seem excessively punitive.
Contention
Notable points of contention revolve around the bill's provisions on reporting and compliance. Critics argue that the requirement to report every breach, regardless of its significance, could lead to a climate of fear among businesses and might overwhelm the regulatory infrastructure. Additionally, there are discussions about the balance between necessary reporting and the implications for law enforcement investigations, as the bill allows for delays in notifications if they are deemed to hinder ongoing investigations.
Further providing for definitions, for notification of the breach of the security of the system, for exceptions and for notice exemption; repealing provisions relating to civil relief; providing for protection of personal information, for civil relief, for information security and for applicability; and repealing provisions relating to applicability.
Provides protections for social media users; creates private cause of action for social media users whose accounts have been hacked and not restored by social media websites under certain circumstances.
An Act Concerning The Insurance Department's Recommendations Regarding The Public Health Fee, Third Party Performance Of The Department's Employees' Duties, The Insurance Data Security Law And Assessments Against Domestic Insurance Companies And Entities.