Locke Lord QuickStudy: New for Summer: Upcoming Amendments to State Data Breach Laws

Locke Lord LLP
June 5, 2018
 
The changes keep coming! As a follow-up to our last article, we are highlighting additional amendments to various state data breach notification laws, some of which require immediate action for preparedness and compliance. Below is a brief summary of the developments and certain action items to be considered:

Louisiana: On August 1, 2018, Louisiana’s amendment to its data breach notification law will take effect.  The amended Louisiana law expands the definition of “personal information” to include a Louisiana resident’s first name or first initial and last name in combination with a state identification card number, a passport number, and/or biometric data, in addition to other previously specified data elements. Further, Louisiana law will require companies to implement and maintain reasonable security procedures to protect personal information from unauthorized disclosure, including reasonable procedures for destroying personal information that is no longer to be retained. Louisiana law will also generally require data breach notifications no later than 60 days from discovery of a breach. 

For the text of this amendment, click here.

Arizona: Effective August 3, 2018, Arizona will expand its data breach notification law in several important ways. Like Louisiana, the amended Arizona law expands the definition of “personal information” to include an individual’s first name or first initial and last name in combination with the individual’s private electronic key, health insurance identification number, medical information, passport number, taxpayer ID number, and/or unique biometric data, in addition to other previously specified data elements. Additionally, in the event of a data breach, the owner of the data generally must notify the affected individuals within 45 days, and may face civil penalties in the amount of the economic loss sustained by affected individuals, up to $500,000.

For the text of this amendment, click here.

Colorado: On September 1, 2018, Colorado will set a 30-day deadline for notification of data breaches, among the shortest in the country. The amended Colorado law also expands the entities subject to its regulation to any person that “maintains, owns, or licenses personal identifying information in the course of the person’s business, vocation, or occupation” that identifies a Colorado resident (regardless of whether the entity does business in the state of Colorado, which was the prior determinant). Additionally, covered entities will be required to implement reasonable and appropriate security procedures to protect the PII they maintain, own, or license, and to ensure that any third-party service providers similarly have procedures that protect the PII.

For the text of this amendment, click here.

The ongoing process of updating data privacy and security policies and practices to reflect the changing landscape in state data breach and data security laws should incorporate the following actions:
  • Inventory: create/update a data map for personally identifiable information and conduct a risk assessment (or update it, if the last assessment was conducted over a year prior);
  • Process: create/update (and implement) a written information security plan; 
  • Response: create/update (and practice implementing) an incident response plan, including a document retention provision; and
  • Training: train key employees on handling personally identifiable information, executing the written information security plan, and executing the incident response plan.