Shostack + Friends Blog Archive


CA1386 meet AB1298

Life is about to get a lot more complicated for companies that do business in California. I completely missed this getting signed back in October, but on 10/14, the Governator signed AB1298, which updates CA1386 to mandate that medical and health insurance policy information is also to be treated as PII. To say that this is a huge quantity of information that now needs to be encrypted is an understatement. To make things even more challenging for companies that handle this sort of data, AB1298 goes into effect on January 1, 2008, so lots of folks are going to be scrambling to implement encryption, or crossing a lot of fingers and hoping they don’t have a breach before they can come into compliance. It will definitely be interesting to see who publishes a breach first, and whether these new breaches follow the trends of the breaches we’ve already been seeing with financially oriented PII. It should also be interesting to see if any of the other 39 states (and Washington DC) follow suit and, if so, how long it takes them to do so.
[via the IAPP and Rebecca Herold]

4 comments on "CA1386 meet AB1298"

  • Thinker says:

    Or conversely, as my company is doing, waiting to see what the penalties shape up to be in order to maximize efficiency of our limited IT funds (see, gambling). What’s cheaper? Paying the fine or paying for all of these crazy consultants to properly encrypt our data?

  • Adam says:

    What’s with the sky is falling?
    Mmm, legal feature creep. Soon, we’ll have to disclose all breaches, and let the CA privacy office know. Then we’ll have more data to crunch. Mmm. Data.

  • Arthur says:

    I wouldn’t call it the sky is falling, far from it. I probably should have said that I think this is a good move in the right direction.

  • Chris says:

    Those zany copycats over in the EU may be getting in on the act, too.
    http://www.out-law.com/PDF/Directive_amendingPECR.pdf
