Category: HIPAA News

A bill that expands the types of personal information that require notifications to be sent to consumers in the event of a data breach occurring has been unanimously passed by the New Jersey Assembly.

Up to now it has been required by New Jersey breach notification laws that businesses and public entities must send notifications to consumers if there has been a breach of their Social Security number, driver’s license number, or bank account number or credit/debit card information if they are accompanied with a password or code that enables access to the account.

The amendment to the New Jersey data breach notification requirements of the Consumer Fraud Act will see an expansion of the definition of personal information to include usernames and email addresses along with a password or answers to security questions that would allow accounts to be accessed.

This bill (A-3245) was sponsored by Ralph Caputo (D-Essex) and was recently passed by the Senate by a 37-0 vote and by the Assembly by a 76-0 vote. A bill which was almost identical (S-52) was passed by the Senate and Assembly in 2018, however it was not signed by the state governor at the time, Chris Christie. It is expected that current state governor Phil Murphy will sign the bill.

The bill closes a gap in current laws which would enable businesses to avoid notifying consumers of breaches of their online information. If online accounts are accessed or compromised, criminals can gain access to a variety of sensitive information that can be used for identity theft and fraud. Consumers have the right to be made aware if an online account can be accessed by someone else as a result of a data breach so they can take steps to secure their accounts.

Once the new bill is passed, breach notifications can be mailed to consumers or electronic notices can be provided. A substitute breach notice can be issued if more than 500,000 individuals have been affected or if the cost of providing notices would cost in excess $250,000. In such events, breach victims should be emailed promptly, and a notice should be posted in a prominent position on the company’s website.

However, a business or public entity that furnishes an email account is prohibited from issuing email notifications to breached accounts and must use a different means to deliver notices. An example of such a method could be providing a notice that is clearly visible when the user logs into their account from an IP address or location that has previously been used by the user to access their account.

A fine of up to $10,000 can be placed on any business or public entity found to have willfully violated state data breach notification laws and up to $20,000 for any subsequent offenses after the first. Furthermore, for individuals who have suffered ascertainable losses as a result of a data breach, there is now also a private right of action available.

Sensitive health data is collected by Facebook from third party apps, even if the user has not logged in via Facebook or doesn’t even own a Facebook account according to a recent analysis of Facebook’s data collection practices.

Private information such as heart rate data, blood pressure measurements, menstrual cycle data, and other health metrics are handed over to Facebook, often without the user’s knowing or any specific disclosure that data provided by users or collected directly by apps are shared with the social media platform.

The Wall Street Journal recently conducted an investigation which tested various health-related apps. Although it was known that some of those apps send data to Facebook about when they are used, just how much data sharing that was occurring was not well understood. It was revealed by the report that 11 popular smartphone apps have been handing over sensitive data to Facebook without any apparent consent obtained from users.

On one particular app, Flo Period & Ovulation Tracker, dates of a user’s last period are shared with Facebook and the predicted date when the user is ovulating. Similarly, the Instant Heart Rate: HR Monitor App in the Apple iOS store was discovered to send users’ heart rate information to Facebook right after it is recorded. Neither of these apps or any others that were found to be sharing sensitive data with Facebook appeared to offer users a way of opting out of having their data shared.

The WSJ report notes that while the data sent by these apps may be anonymous, Facebook have a method of matching the information with a particular Facebook user and use the data to target specific ads.

The WSJ made contact with Facebook in relation to the report and received a reply confirming that some of the apps cited in the report appeared to be violating its business terms and that the social media platform does not authorize app developers to share “health, financial information or other categories of sensitive information,” and that the responsibility lies with the app developers to be clear to their users about the information that is being shared. A Facebook spokesperson also spoke to Reuters, saying “we also take steps to detect and remove data that should not be shared with us.”

Investigation of Facebook Instructed by New York Governor

New York State Governor Andrew M. Cuomo issued a press release on Friday, February 22, 2019, stating that he has instructed the Department of Financial Services and the Department of State to investigate how Facebook is acquiring health data and other sensitive information from developers of smartphone apps and the alleged breaches of Facebook’s own business terms and privacy violations.

Cuomo also said that if WSJ’s findings are correct, it amounts to “an outrageous abuse of privacy.”

Cuomo is determined to ensure companies are held responsible for upholding the law and ensuring the sensitive data of smartphone users is kept private and confidential. Personal data should not be shared with other companies without the clear consent of users.