Melissa Bianchi, a lawyer representing the American Hospital Association, told the Senate Commerce, Science and Transportation Committee's Consumer Protection, Product Safety and Insurance Subcommittee that healthcare providers should be exempt from the breach notification rules in the proposed Data Security and Breach Notification Act of 2010 because they are already covered under HIPAA, the law designed to protect patient privacy.
If hospitals must comply with both Federal Trade Commission rules under the proposed bill and the Department of Health and Human Services regulations mandated by HIPAA, she said, they could be required to send two letters to the same patient for a single security incident. "That simply doesn't make sense for patients, and it doesn't increase the protection of their information," she testified.
Receiving multiple notices about a single breach could confuse patients, making notifications less meaningful and, perhaps, causing them to disregard important information and not take action to protect their information and identities, she said. "If there are too many notices, at some point, letters about security breaches will become just more white noise," Bianchi said.
Bianchi said hospitals would not object to the bill's proposed breach notification rules applying to their employees' data, because HIPAA protects patient privacy, not employee privacy.
Symantec Chief Technology Officer Mark Bregman, representing the IT industry lobbying group TechAmerica, agreed that organizations already covered by other laws should be exempt from a new breach notification law. He also said any new legislation should not direct the creation of new standards, but should draw on existing ones: the standards set out under Gramm-Leach-Bliley and the Fair Credit Reporting Act, and industry-developed standards such as the Payment Card Industry Data Security Standard (PCI DSS) and ISO 27001. "Directing the creation of new standards could unnecessarily create conflicting or duplicative standards, increasing the burden on business and increasing confusion for consumers," he said.
Though the bill would preempt state breach notification laws, it would still allow state law enforcers to bring actions against those whose conduct violates the bill's provisions, an idea endorsed by Consumers Union, the pro-consumer group that publishes Consumer Reports. Ioana Rusu, Consumers Union policy counsel, told the senators that state attorneys general have been at the forefront of data breach notification issues and have played an invaluable role in addressing identity theft and data breaches. "This bill arms state officials with strong enforcement tools to ensure compliance with the law," she said. "Consumers' personal information will be better protected."
Subcommittee Chairman Mark Pryor, D-Ark., said the panel could redraft and vote on the bill as early as next week. In his opening statement, Pryor cited the Privacy Rights Clearinghouse, which said more than a half billion data records have been compromised by unauthorized access to consumer databases since 2005. Last year, he said, nearly 500 data breaches in the United States potentially exposed 222 million sensitive records.
As currently drafted, the bill (S. 3742) would require businesses and organizations to adopt security protocols that reasonably protect their databases from unauthorized access, and to notify all affected consumers of a data breach in a timely manner unless there is no reasonable risk of identity theft or other harm to consumers.
The bill also requires information brokers, companies that amass, organize and sell vast amounts of consumers' information to third-party buyers for a profit, to give consumers the right to know what data the brokers are collecting on them and the right to correct any inaccuracies they find.