State Legislative Action on Data Breach Laws

Privacy & Cybersecurity Newsletter
August 2018

The changes keep coming! In 2018, state legislatures have been active in enacting and amending data breach notification laws. With Alabama’s recent enactment, all 50 states now have data breach notification laws. The following summary highlights recent legislative action on state data breach notification laws, some of which require immediate action for preparedness and compliance:

Massachusetts: On February 1, 2018, the Massachusetts Attorney General’s Office rolled out a new online form for submitting data breach notifications, as an efficient alternative to notifying the AG’s office by paper letter or email.

Delaware: On April 14, 2018, Delaware’s amendment to its data breach notification law took effect, which, among other changes, expands the definition of “personal information” to include biometric and other health information, imposes a 60-day notice deadline, and requires 1 year of free credit monitoring if an individual’s Social Security number is breached.

Alabama: Effective June 1, 2018, Alabama’s data breach notification law applies to any person or entity that acquires and uses sensitive personally identifiable information (PII) of Alabama residents. Sensitive PII is defined as an individual’s first name or initial and last name in combination with (i) non-truncated SSN; (ii) non-truncated driver’s license number/passport number/military ID number/other unique ID number issued on a government document used to verify identity; (iii) financial account number (bank account, credit card, debit card) with security code/access code/PIN/expiration date; (iv) any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; (v) an individual’s health insurance policy number/subscriber ID and any unique ID used by the health insurer to identify an individual; and (vi) a user name or email address with password or security question (and answer) permitting access to an online account affiliated with the person/entity that acquires and uses the sensitive PII. Subject to a harm threshold, notification to an affected individual is required as a result of the unauthorized acquisition of electronic sensitive PII. In the event more than 1,000 consumers are being notified, the Alabama Attorney General and consumer reporting agencies must be notified.

Oregon: Effective June 2, 2018, Oregon amended its data breach notification law to expand the scope of individuals or entities that are required to report breaches to include individuals or entities that “otherwise possess” personal information, require that notice is provided no later than 45 days after discovery (except for HIPAA covered entities), and include biometric and certain other health information in the definition of personal information. 

South Dakota: Effective July 1, 2018, South Dakota’s data breach notification law applies to any person or entity conducting business in South Dakota that owns or licenses computerized personal or protected information of South Dakota residents. “Personal information” includes (i) Social Security number; (ii) driver’s license number or other unique identification number created or collected by a government body; (iii) account, credit card, or debit card number, in combination with any required security code, access code, password, routing number, PIN, or any additional information that would permit access to a person’s financial account; (iv) health information as defined in 45 CFR 160.103; or (v) identification number assigned to a person by the person’s employer in combination with any required security code, access code, password, or biometric data generated from measurements or analysis of human body characteristics for authentication purposes. “Protected information” includes (x) user name or email address, in combination with a password, security question answer, or other information that permits access to an online account; and (y) account number or credit or debit card number, in combination with any required security code, access code, or password that permits access to a person’s financial account. Subject to a harm threshold, notification to an affected individual and consumer reporting agencies is required as a result of the unauthorized acquisition of unencrypted or encrypted (with the encryption key) computerized personal or protected information. If relying on the harm threshold to avoid notification, notification must be provided to the Attorney General. In the event more than 250 South Dakota residents must be notified, notification to the Attorney General is required.

Virginia: Effective July 1, 2018, Virginia’s data breach notification law was amended to require income tax preparers to notify the Virginia Department of Taxation of breaches of unencrypted and unredacted “return information,” within a reasonable time. Under the amendment, “return information” is defined as “a taxpayer’s identity and the nature, source, or amount of his income, payments, receipts, deductions, exemptions, credits, assets, liabilities, net worth, tax liability, tax withheld, assessments, or tax payments. ‘Return information’ does not include information that is lawfully obtained from publicly-available information or from federal, state, or local government records lawfully made available to the general public.” 

Louisiana: On August 1, 2018, Louisiana’s amendment to its data breach notification law will take effect. The amended Louisiana law expands the definition of “personal information” to include a Louisiana resident’s first name or first initial and last name in combination with a state identification card number, a passport number, and/or biometric data, in addition to other previously-specified data elements. Further, Louisiana law will require companies to implement and maintain reasonable security procedures to protect personal information from unauthorized disclosure, including reasonable procedures for destroying personal information that is no longer to be retained. Louisiana law will also generally require data breach notifications no later than 60 days from discovery of a breach.

Arizona: Effective August 3, 2018, Arizona will expand its data breach notification law in several important ways. The amended Arizona law expands the definition of “personal information” to include an individual’s first name or first initial and last name in combination with either the individual’s private electronic key, health insurance identification number, medical information, passport number, taxpayer ID number, and/or unique biometric data, in addition to other previously specified data elements. Additionally, in the event of a data breach, the owner of the data generally must notify the affected individuals within 45 days, and may face civil penalties in the amount of the economic loss sustained by affected individuals, up to $500,000.

Colorado: On September 1, 2018, Colorado will set a 30-day deadline for notification of data breaches, among the shortest in the country. The amended Colorado law also expands the entities subject to its regulation to any person that “maintains, owns, or licenses personal identifying information in the course of the person’s business, vocation, or occupation” that identifies a Colorado resident (regardless of whether the entity does business in the state of Colorado, which was the prior determinant). Additionally, covered entities will be required to implement reasonable and appropriate security procedures to protect the PII it maintains, owns, or licenses, and to ensure that any third-party service providers similarly have procedures that protect the PII.

Vermont: Effective January 1, 2019, an amendment to a Vermont law – the first of its kind – will impose special data breach notification requirements on “data brokers,” which are defined as businesses that knowingly collect and sell, or license to third parties, the brokered personal information of a consumer with whom the business does not have a direct relationship. Data brokers will be required to report “data broker security breaches” to the Vermont Secretary of State as part of their annual registrations. A “data broker security breach” is the unauthorized acquisition of unencrypted or unredacted “brokered personal information,” which includes a consumer’s name, address, date of birth, place of birth, mother’s maiden name, biometric data, names or addresses of the consumer’s immediate family or household members, social security or government identification number, and other personally identifiable information. The amendment also imposes detailed technical security requirements on data brokers for the protection of brokered personal information. The failure to comply with the security requirements is treated as an unfair and deceptive practice that is subject to enforcement measures, including penalties and civil action. 

The on-going process of updating data privacy and security policies and practices to reflect the changing landscape in state data breach and data security laws should incorporate the following actions:

  • Inventory: create/update a data map for personally identifiable information and conduct a risk assessment (or update, if last assessment was conducted over a year prior);
  • Process: create/update (and implement) a written information security plan;
  • Response: create/update (and practice implementing) an incident response plan, including a document retention provision; and
  • Training: train key employees on handling personally identifiable information, executing the written information security plan, and executing the incident response plan.