State governments are not waiting for the United States Congress to pass a comprehensive national set of data privacy and cybersecurity standards. Each of the 50 states now has its own breach notification laws, with nearly one-half adopting data security and/or data disposal requirements to protect consumers’ personally identifiable information (PII) from unauthorized disclosure. While most states are not taking a sectoral approach to the type of PII that must be protected, New York and South Carolina have adopted cybersecurity requirements that target industries that include health plans and insurers.
A number of state attorneys general (AGs) are bringing enforcement actions to protect consumer information from unauthorized disclosure. AGs in Massachusetts, New York, and New Jersey have been extremely aggressive, collecting millions of dollars in settlements from healthcare systems and an assortment of IT services vendors for failing to safeguard data containing sensitive personal information.
David Holtzman's comments are featured in this article.