Calif. Expands Privacy Protections; U.S. Sits By

California has led the nation in passing laws to protect private data, and it continues to play that role. This past Tuesday, a California law went into effect expanding the state's groundbreaking security breach notification law, the nation's first law requiring companies to notify customers if a cyberattack exposes personal financial information.

The law now applies to personal health records. Security breaches that expose unencrypted medical histories, information on mental or physical conditions, and medical treatments and diagnoses are covered under the law. The law also applies to the insurance industry. If unencrypted insurance policy or subscriber numbers, insurance applications, claims histories or appeals are exposed through a security breach, insurance companies or the medical facilities storing the data must notify the individuals whose records were possibly stolen or viewed.

The law becomes effective at an auspicious moment, notes the San Francisco Chronicle:

"In July 2006, Republican Gov. Arnold Schwarzenegger issued an executive order to store medical records on computers, which probably will result in more data breaches, said Robert Herrell, a legislative assistant to Assemblyman Dave Jones, D-Sacramento, who wrote the bill.

In December, Sutter Lakeside Hospital in Lakeport (Lake County) notified 45,000 patients, doctors and employees after a contractor downloaded their records onto a hospital laptop, took it home and the machine was stolen."

The expanded law led editors of the SANS Institute's “newsbites” section to wonder when Congress will finally pass legislation that protects personal data for all Americans: "Other states will undoubtedly once again follow California's lead. A disturbing question, however, is why the U.S. government has not yet passed legislation with similar provisions."
