Gray Areas Need to be Eliminated
My fingers are crossed that the final version of the federal breach notification rule clearly states when a breach must be reported, both to the individuals affected and to federal authorities.
I also hope the final version says, in the simplest possible terms, that the federal rule supersedes state breach notification laws except where a state law imposes tougher requirements.
Write the rule in clear enough language that an organization doesn't need to hire a lawyer to decipher it.
And I also hope the so-called "harm standard" in the interim final version of the rule bites the dust. Several members of Congress, and some privacy advocates, already have called for its demise.
The harm standard provision allows healthcare organizations and their business associates to conduct a risk assessment to decide whether a particular breach poses a "significant risk" of harm to the individuals affected. If the organization concludes it does not, no notification is required.
That provision creates a gray area in the law. It needs to be replaced by clear-cut, black-and-white guidance on what must be reported.
Regulators need to make it easier for an organization to figure out how to comply with the rule. Spell out when a breach needs to be reported. Spell out when federal regulations prevail over state regulations. Remove any room for interpretation. As noted above, write it plainly enough that no lawyer is needed to decipher it.
---------------------------------------------------------
Source: blogs.infosecurity.com
By: Howard Anderson
Tuesday, September 14, 2010