Oklahoma 2023 Regular Session

Oklahoma House Bill HB2790 Compare Versions

Version 1 (Old)

Version 2 (New)

Old	New		Differences
1		-	An Act
2		-	ENROLLED HOUSE
	1	+
	2	+
	3	+	SENATE FLOOR VERSION - HB2790 SFLR Page 1
	4	+	(Bold face denotes Committee Amendments) 1
	5	+	2
	6	+	3
	7	+	4
	8	+	5
	9	+	6
	10	+	7
	11	+	8
	12	+	9
	13	+	10
	14	+	11
	15	+	12
	16	+	13
	17	+	14
	18	+	15
	19	+	16
	20	+	17
	21	+	18
	22	+	19
	23	+	20
	24	+	21
	25	+	22
	26	+	23
	27	+	24
	28	+
	29	+	SENATE FLOOR VERSION
	30	+	April 13, 2023
	31	+
	32	+
	33	+	ENGROSSED HOUSE
3	34		BILL NO. 2790 By: Stinson and West (Josh) of
4	35		the House
5	36
6	37		and
7	38
8	39		Howard of the Senate
9		-
10		-
11		-
12	40
13	41
14	42
15	43
16	44
17	45		An Act relating to cybersecurity; creating The
18	46		Oklahoma Hospital Cybersecurity Protection Act of
19	47		2023; providing definitions; creating requirements
20	48		for affirmative defense; recognizi ng industry
21	49		framework; providing for severability; provi ding for
22	50		codification; and pro viding an effective date.
23	51
24	52
25	53
26	54
27		-
28		-
29		-	SUBJECT: Cybersecurity
30		-
31	55		BE IT ENACTED BY THE PEOPLE OF THE STATE OF OKLAH OMA:
32		-
33	56		SECTION 1. NEW LAW A new section of law to be codified
34	57		in the Oklahoma Statutes as Section 2068 of Title 18, unless there
35	58		is created a duplication in numbering, reads a s follows:
36		-
37		-	This act shall be known and may be cited as the "Oklahoma
	59	+	This act shall be known and may be cited as "The Oklahoma
38	60		Hospital Cybersecurity Protection Act of 2023".
39		-
40	61		SECTION 2. NEW LAW A new secti on of law to be codified
41	62		in the Oklahoma Statutes as Sec tion 2069 of Title 18, unless there
42	63		is created a duplication in numbering, reads as foll ows:
	64	+	As used in this act:
43	65
44		-	As used in this act:
45		-	ENR. H. B. NO. 2790 Page 2
46		-	1. "Covered entity" means any hospital, as defined in Section
47		-	1-701 of Title 63 of the Oklahoma Statutes, whether for-profit or
	66	+	SENATE FLOOR VERSION - HB2790 SFLR Page 2
	67	+	(Bold face denotes Committee Amendments) 1
	68	+	2
	69	+	3
	70	+	4
	71	+	5
	72	+	6
	73	+	7
	74	+	8
	75	+	9
	76	+	10
	77	+	11
	78	+	12
	79	+	13
	80	+	14
	81	+	15
	82	+	16
	83	+	17
	84	+	18
	85	+	19
	86	+	20
	87	+	21
	88	+	22
	89	+	23
	90	+	24
	91	+
	92	+	A. "Covered entity" means any hospital, as defined in Section
	93	+	1-701 of Title 63 of the Oklahoma Statutes, whether for profit or
48	94		not-for-profit, which is owned, either in wh ole in or part, or is
49	95		managed in whole or in part, by hospitals whose business is subject
50	96		to the Health Insura nce Portability and Accountability Act of 1996 ,
51		-	Public Law 104-191;
52		-
53		-	2. "Data breach" means the unauthorized access and acquisition
	97	+	Public Law 104-191.
	98	+	B. "Data breach" means the unauthorized access and acquisition
54	99		of unencrypted and unredacted computerized data that compromises the
55	100		security or confidentiality of personal information or restricted
56	101		information maintained by a covered entity as part of a database of
57	102		personal information or restricted information regarding multiple
58	103		individuals and that causes, or the covered entity reasonably
59	104		believes has caused or will cause, identity theft or other fraud to
60	105		any resident of this state. Good -faith acquisition of personal
61	106		information or restricted information by an employee or agent o f a
62	107		covered entity for the purposes of the covered entity is not a
63	108		breach of the security system; provided, that the personal
64	109		information or restricted information, as t he case may be, is not
65	110		used for a purpose other than a l awful purpose of the covered entity
66		-	or subject to further unauthorized disclosure;
67		-
68		-	3. "Personal information " means the first name or first i nitial
	111	+	or subject to further unauthorized disclosure.
	112	+	C. "Personal information" means the first name or first i nitial
69	113		and last name in combination with and linked to any one or more of
70	114		the following data elements that relate t o a resident of this state,
71	115		when the data elements are neither encrypted nor redacted:
72	116
73		-	a. Social Security number,
	117	+	SENATE FLOOR VERSION - HB2790 SFLR Page 3
	118	+	(Bold face denotes Committee Amendments) 1
	119	+	2
	120	+	3
	121	+	4
	122	+	5
	123	+	6
	124	+	7
	125	+	8
	126	+	9
	127	+	10
	128	+	11
	129	+	12
	130	+	13
	131	+	14
	132	+	15
	133	+	16
	134	+	17
	135	+	18
	136	+	19
	137	+	20
	138	+	21
	139	+	22
	140	+	23
	141	+	24
74	142
75		-	b. driver license number or state identification number
76		-	issued in lieu of a driver l icense, or
77		-
78		-	c. financial account number, or credit or de bit card
79		-	number, in combinati on with any required security
80		-	code, access code, or passwor d that would permit
81		-	access to the financial accounts of an individual.
82		-
	143	+	1. Social Security number;
	144	+	2. Driver license number or state identification number issued
	145	+	in lieu of a driver l icense; or
	146	+	3. Financial account number, or credit or de bit card number, in
	147	+	combination with any required security code, access code, or
	148	+	password that would permit access to the financial accounts of an
	149	+	individual.
83	150		The term does not include information tha t is lawfully obtained
84	151		from publicly available informati on, or from federal, state, or
85		-	local government records lawfully made available to the public;
86		-
87		-	4. "Restricted information" means any information about an
	152	+	local government records lawfully made available to the public.
	153	+	D. "Restricted information" means any information about an
88	154		individual, other than personal informati on, that, alone or in
89	155		combination with other information, in cluding personal information,
90		-	can be used to distinguish or trace the individual's identity or ~~ENR. H. B. NO. 2790 Page 3~~
	156	+	can be used to distinguish or trace the individual's identity or
91	157		that is linked or linkable to an individual, i f the information is
92	158		not encrypted, redacted, or altere d by any method or technology in
93	159		such a manner that the info rmation is unreadable, and the breach of
94	160		which is likely to result in a material risk of identity theft or
95		-	other fraud to person or property ; and
	161	+	other fraud to person or property.
	162	+	E. As used in this act, the terms "encrypted" and "redacted"
	163	+	have the same meanings as in Section 162 of Title 24 of the Oklahoma
	164	+	Statutes.
96	165
97		-	5. "Encrypted" and "redacted" shall have the same meanings as
98		-	in Section 162 of Title 24 of the Oklahoma Statutes.
	166	+	SENATE FLOOR VERSION - HB2790 SFLR Page 4
	167	+	(Bold face denotes Committee Amendments) 1
	168	+	2
	169	+	3
	170	+	4
	171	+	5
	172	+	6
	173	+	7
	174	+	8
	175	+	9
	176	+	10
	177	+	11
	178	+	12
	179	+	13
	180	+	14
	181	+	15
	182	+	16
	183	+	17
	184	+	18
	185	+	19
	186	+	20
	187	+	21
	188	+	22
	189	+	23
	190	+	24
99	191
100	192		SECTION 3. NEW LAW A new section of law to be codified
101	193		in the Oklahoma Statutes as Section 2070 of Title 18, unless there
102	194		is created a duplication in numberin g, reads as follows:
103		-
104	195		A. The requirements of this sectio n are voluntary; provided, a
105	196		covered entity may only seek an affirmative defense under this act
106	197		if the following conditions are met:
107		-
108	198		1. A covered entity seeking an affirmati ve defense under this
109	199		act shall create, maintain, and comply, including documentat ion of
110	200		such compliance, with a written cybersecurity program that contains
111	201		administrative, technical, and physical safeguards for the
112	202		protection of both personal information and restricted information
113	203		and that reasonably conform s to an industry-recognized cybersecurity
114		-	framework, as described in this section;
115		-
	204	+	framework, as described in this section.
116	205		2. A covered entity's cybersecurity program shall be designed
117	206		to do all of the following with respect to the information describe d
118		-	in paragraph 1 of this subsection, as applicable:
119		-
	207	+	in paragraph 1 of subsection A of this section, as applicable:
120	208		a. protect the security and confidentiality of the
121	209		information,
122		-
123	210		b. protect against any anticipated threats or hazards to
124	211		the security or integrity of the information, and
125		-
126	212		c. protect against unauthorized access to and acquisition
127	213		of the information that is likely to result in a
128	214		material risk of identity theft or other fraud to the
129		-	individual to whom the information relates;
	215	+	individual to whom the information relates.
	216	+
	217	+	SENATE FLOOR VERSION - HB2790 SFLR Page 5
	218	+	(Bold face denotes Committee Amendments) 1
	219	+	2
	220	+	3
	221	+	4
	222	+	5
	223	+	6
	224	+	7
	225	+	8
	226	+	9
	227	+	10
	228	+	11
	229	+	12
	230	+	13
	231	+	14
	232	+	15
	233	+	16
	234	+	17
	235	+	18
	236	+	19
	237	+	20
	238	+	21
	239	+	22
	240	+	23
	241	+	24
130	242
131	243		3. The scale and scope of a covered entity's cybersecurity
132		-	program under this subsection is appropriate if it is based on all
133		-	of the following factors:
134		-
135		-	a. the size and complexity of the covered entity, ENR. H. B. NO. 2790 Page 4
136		-
	244	+	program under subsecti on A of this section is appropriate if it is
	245	+	based on all of the following factors:
	246	+	a. the size and complexity of the covered entity,
137	247		b. the nature and scope of the activities of the covered
138	248		entity,
139		-
140	249		c. the sensitivity of the information to be protected,
141		-
142	250		d. the cost and availability of tools to improve
143	251		information security and reduce vulnerabilities, and
144		-
145		-	e. the resources available to the covered entity; and
146		-
	252	+	e. the resources available to the covered entity.
147	253		4. The cybersecurity program shall contain requirements that it
148	254		be reviewed, evaluated, and updated on at least an annual basis and
149	255		shall require documentation of the same.
150		-
151	256		B. A covered entity that satisfies paragraphs 1 through 4 of
152	257		subsection A of this section is entitled to an affirmative def ense
153	258		to any cause of action sounding in tort that is brough t alleging
154	259		that the failure to implement reasonable information secur ity
155	260		controls resulted in a data breach concerning personal information
156	261		or restricted information.
157		-
158	262		SECTION 4. NEW LAW A new section of law to be codified
159	263		in the Oklahoma Statute s as Section 2071 of Title 18, unless there
160	264		is created a duplication in numbering, reads as follows:
	265	+	A covered entity's cybersecurity program, as described in
	266	+	Section 2 of this act, reasonably conforms to an industry-recognized
161	267
162		-	A covered entity's cybersecurity program, as described in
163		-	Section 3 of this act, reasonably conforms to an industry-recognized
164		-	cybersecurity framework for purposes of that section if this section
165		-	is satisfied:
	268	+	SENATE FLOOR VERSION - HB2790 SFLR Page 6
	269	+	(Bold face denotes Committee Amendments) 1
	270	+	2
	271	+	3
	272	+	4
	273	+	5
	274	+	6
	275	+	7
	276	+	8
	277	+	9
	278	+	10
	279	+	11
	280	+	12
	281	+	13
	282	+	14
	283	+	15
	284	+	16
	285	+	17
	286	+	18
	287	+	19
	288	+	20
	289	+	21
	290	+	22
	291	+	23
	292	+	24
166	293
167		-	1. The covered entity is subject to the requirements of the
	294	+	cybersecurity framework for purposes of that section if subsection A
	295	+	of this section is satisfied:
	296	+	A. 1. The covered entity is subject to the requirements of the
168	297		laws or regulations listed below, and the cybersecurity program
169	298		reasonably conforms to the entirety of the current versi on of both
170		-	of the following, subject to paragraph 2 of this section:
171		-
172		-	a. the security requirements of the Health Insurance
173		-	Portability and Accountability Act of 1996 , as set
174		-	forth in 45 CFR Part 164 Subpart C, and
175		-
176		-	b. the Health Information Technology for Economic and
177		-	Clinical Health Act, as set forth in 45 CFR Part 162;
178		-	and
179		-	ENR. H. B. NO. 2790 Page 5
180		-	2. When a framework listed in paragraph 1 of this section is
181		-	amended, a covered entity whose cybersecurity program reaso nably
182		-	conforms to that framework shall reasonably conform to the amended
183		-	framework not later than one (1) year after the effective date of
184		-	the amended framework.
185		-
	299	+	of the following, subject to paragraph 2 of subsection A of this
	300	+	section:
	301	+	a. the security requirements of the "Health Insurance
	302	+	Portability and Accountability Act of 1996 ", as set
	303	+	forth in 45 CFR Part 164 Subpart C; and
	304	+	b. the "Health Information Technology for Economic and
	305	+	Clinical Health Act", as set forth in 45 CFR Part 162.
	306	+	2. When a framework listed in paragraph 1 of subsection A of
	307	+	this section is amended, a covered entity whose cybersecurity
	308	+	program reasonably conform s to that framework shall reasonably
	309	+	conform to the amended framework not later than one (1) year after
	310	+	the effective date of the amended framework.
186	311		SECTION 5. NEW LAW A new section of law to be codified
187	312		in the Oklahoma Statutes as Section 2072 of Title 18, unless there
188	313		is created a duplication in numbering, reads as follows:
189		-
190	314		If any provision of this act or the application thereof to a
191	315		covered entity is for any reason held to be invalid, the remainder
192	316		of the provisions under those sections and the application of such
193	317		provisions to other covered entities shal l not be thereby affected.
194	318
	319	+	SENATE FLOOR VERSION - HB2790 SFLR Page 7
	320	+	(Bold face denotes Committee Amendments) 1
	321	+	2
	322	+	3
	323	+	4
	324	+	5
	325	+	6
	326	+	7
	327	+	8
	328	+	9
	329	+	10
	330	+	11
	331	+	12
	332	+	13
	333	+	14
	334	+	15
	335	+	16
	336	+	17
	337	+	18
	338	+	19
	339	+	20
	340	+	21
	341	+	22
	342	+	23
	343	+	24
	344	+
195	345		SECTION 6. This act shall become e ffective November 1, 2023.
196		-	ENR. H. B. NO. 2790 Page 6
197		-	Passed the House of Repr esentatives the 22nd day of March, 2023.
198		-
199		-
200		-
201		-
202		-	Presiding Officer of the House
203		-	of Representatives
204		-
205		-
206		-
207		-	Passed the Senate the 19th day of April, 2023.
208		-
209		-
210		-
211		-
212		-	Presiding Officer of the Senate
213		-
214		-
215		-
216		-	OFFICE OF THE GOVERNOR
217		-	Received by the Office of the Governor this ____________________
218		-	day of ___________________, 20_______, at _______ o'clock _______ M.
219		-	By: _________________________________
220		-	Approved by the Governor of the State of Oklahoma this _____ ____
221		-	day of ___________________, 20_______, at _______ o'clock _______ M.
222		-
223		-
224		-	_________________________________
225		-	Governor of the State of Oklahoma
226		-
227		-	OFFICE OF THE SECRETARY OF STATE
228		-	Received by the Office of the Secretary of State this __________
229		-	day of ___________________, 20_______, at _______ o'clock _______ M.
230		-	By: _________________________________
	346	+	COMMITTEE REPORT BY: COMMITTEE ON HEALTH AND HUMAN SERVICES
	347	+	April 13, 2023 - DO PASS