Washington State’s Data Breach Notification Law Changes (House Bill 1078) and Data Breach Fiduciary Responsibilities for Healthcare Organizations

Michael Reph, Account Executive
Ryan Roberts, Account Executive

Effective July 24th, 2015, Washington State law H.B. 1078 amends the State’s data breach notification statue. The amendment:

• Expands the statute to cover breaches of non-computerized data (hard copy data – which almost every business still houses)
• Imposes a 45-day deadline for notification of affected consumers (as opposed to 60 days previously)
• Mandates the notification of Washington State Attorney General for breaches larger than 500 Washington state residents
• Introduces a safe harbor for personal information that is secured or encrypted in a manner that meets or exceeds the National Institute of Standards and Technology (NIST) requirements

These changes are important for management and directors of healthcare organizations to know, especially as the number of data breaches continues to increase (per the Identity Theft Resource Center). Whether it be personal healthcare information, SSN’s, or credit card information, understanding what is classified as secured (per the National Institute of Standards Technology) how to properly notify the appropriate parties, and what can be counted as an official breach is critical. For healthcare organizations, fiduciary responsibility of personally sensitive information storage is two-fold:

1. As a covered entity, for employee health plans and personal data and
2. For third party liability of patients’ personal data

To ensure proper data breach response preparedness (and to show proper due diligence), your directors and leadership staff should be asking I.T. and key partners the pertinent questions now, before a breach occurs:

• Have we ever had system penetration testing done, and have we reviewed the results?
• Do we have adequate I.T. security policies in place?
• Are we using updated operating systems to help manage electronic medical records?
• Who would be working as our forensic team, post-breach?
• Do we have a breach response plan in place? A public relations firm to deal with the blowback after an attack occurs?
• Do we have sufficient cyber/data liability insurance coverage to mitigate the legal, reputational, and credit monitoring costs? And if we don’t carry insurance coverage, will our current finances be sufficient to cover such costs when we have a data breach?

Proper documentation of these internal conversations (via minutes) and actions (i.e. having readily available system penetration testing results and documenting the actions shoring up weaknesses) will help defend the organization in federal and civil lawsuits, post-breach. It is important to note that historical lawsuits have shown that directors are not required to be experts in this area, but that they do need to rely on outside experts or expert internal management for advice when addressing these issues. The Ponemon Institute indicates that 90% of healthcare organizations had exposed their patients’ data or had it stolen in 2012 and 2013.

The ever-changing requirements in data breach notification requirements within Washington State, continued increase in the number and severity of cyber attacks, and increase in the size of federal lawsuit judgments make this an important topic which needs to be addressed by healthcare organizations, both large and small. Partnering with a well-versed risk consultant who understands both the pre and post cyber breach actions necessary to defend your organization will provide better organizational resiliency when your organization is attacked.

Should you have any questions about data liability and the impact a breach will have on your healthcare organization, feel free to contact one of our cyber liability experts here at Parker, Smith & Feek:

Return to Articles index