California Governor Arnold Schwarzenegger was busy this past Tuesday signing into law two medical privacy bills and one Radio Frequency Identification (RFID) security bill. The two medical privacy bills apply to health care providers and require protection against unauthorized disclosure of patient information. The RFID security bill makes it illegal to read the RFID chip in another person’s identification document without that person’s knowledge or consent.
AB 211 provides for statutory damages in the amount of $1,000 for negligent release of confidential information or records about a person. I have been predicting a statutorily set level of damages for a while now, based in part on the string of cases involving release of personal information in which plaintiffs’ negligence claims were defeated because the plaintiffs could not show damages. This new damage provision will likely cause a significant change in the burden on defendants in data breach cases involving negligence claims. Success on a negligence claim for a data breach generally requires showing a duty to protect the information that was released, a breach of that duty by the defendant that had possession of the data, causation of injury to the data subject, and damages. Plaintiffs have lost at least seven different cases over the past two years because they could not demonstrate that they were damaged. AB 211 dispenses with this requirement by stating that “[i]n order to recover under this paragraph, it shall not be necessary that the plaintiff suffered or was threatened with actual damages.”
Under SB 541, unlawful or unauthorized access or disclosure of a patient’s medical information can also result in administrative penalties of up to $25,000 per patient. An additional administrative penalty of up to $17,500 per patient can be assessed for any subsequent incident of unlawful or unauthorized access or disclosure of that patient’s medical information.
SB 31 criminalizes reading (or attempting to read) another person’s identification document that contains an RFID chip without that person’s knowledge or prior consent. Punishment for violating the law is up to one year in jail, a fine of $1,500, or both. Recognizing that certain situations might legitimately require reading an RFID chip, the law contains exceptions for “triage or medical care during a disaster,” for reading by a health care professional for health or safety reasons, for reading the identification of persons who have been incarcerated, and for various law enforcement purposes.