The MedRisk Blog
Major State Privacy Legislation: On January 2, 2023, the Wall Street Journal reported that many new state laws in the coming year would focus on consumer data privacy. Nearly two years ago we noted that California and Virginia had enacted new and comprehensive privacy statutes, both becoming effective on January 1, 2023.
The California Privacy Rights and Enforcement Act (CPRA) expands upon the current California privacy statute, the California Consumer Privacy Act (CCPA), by regulating not only the buying and selling of consumer information, but also its “sharing.” This term, while appearing to be broad, actually is narrowly defined as targeted advertising based on the consumer’s personal information. The focus of California’s privacy protection measures was and continues to be on commercial use of consumers’ personal information for sales and marketing purposes.
The Virginia Consumer Data Protection Act (CDPA) takes a different approach to consumer privacy, following many of the concepts found in the European Union’s General Data Protection Regulation (GDPR). A business that determines the purpose and means of processing personal data (a “controller”) may collect and use this information for only specific purposes, must allow a consumer to access and in many cases to delete the data, and is responsible for compliance of third party “processors” acting on its behalf.
There are a number of thresholds and exemptions that will relieve most workers’ compensation payers and their service providers from CDPA compliance obligations. Of more relevance to the workers’ compensation industry is the NAIC Insurance Data Security Model Law, which has now been enacted, in whole or part, in 21 jurisdictions.
Similar in many ways to New York’s Cybersecurity Requirements for Financial Services Companies (NYCCR §500), the Model Law establishes a comprehensive regulatory framework applying to claim payers and protecting the non-public data of insurance “consumers,” including claimants. Key features of the Model Law include the following:
Implications: All business entities participating in adopting states’ workers’ compensation systems are either directly or indirectly subject to the Model Law, so it is important that payers and their trading partners establish a comprehensive information security program complying with the Model Law. Further, because the Model Law has not been enacted in every jurisdiction and has been enacted with important revisions in others, it is important to review the relevant statute for key variances. For example, the Maryland statute, effective October 1, 2022, applies specifically to third party administrators as well as insurers, but this clarifying provision does not appear in the NAIC Model Law.