California recently updated both its data security and breach notice laws to include genetic data. With the passage of AB 825, the data security law's definition of “personal information” now includes genetic data. That information needs to be “reasonably protected.” While many other states have similar “reasonable protection” requirements in their data security laws, California is one of a handful to specifically list genetic information.
Genetic data is now “personal information” subject to data breach notification requirements. This includes the breach notification law that applies to state agencies as well as the one that applies to companies. Genetic data is any data that results from an analysis of a biological sample or an equivalent element from a consumer that concerns genetic material. This includes DNA, RNA, genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, and SNPs.
Both modifications go into effect January 1, 2022.
Putting it Into Practice: Companies will want to review their incident response policies and data security programs prior to the effective date to ensure genetic data is addressed. The inclusion of genetic data in both of these laws shows the increasing regulation of health and medical data outside of HIPAA. (In addition to these amendments, California concluded its 2021 legislative calendar by passing a law aimed at direct-to-consumer testing companies collecting genetic data (which we discussed here)).