State Law Roundup: Legislatures Across the U.S. Revamp Data Breach Notification Laws
As the number of highly publicized data breaches continues to skyrocket and proposals for a federal data breach notification law stagnate, state legislatures around the country have been busy amending their own breach notification statutes. So far, 2015 has been a banner year for state breach law makeovers, with nine states formalizing amendments to their laws, and several others poised to follow suit.
Since California took the lead by enacting the first data breach statute back in 2003, 46 other states (plus D.C., Puerto Rico, Guam, and the Virgin Islands) have passed their own security breach notification requirements. And California could be credited with having started another trend in 2013 when it expanded the definition of personal information in its breach notification law to include email addresses and passwords used to access an individual’s online account. California made further revisions to its law in 2014, and since then there has been a steady stream of state law changes, many of which have followed California’s example to some extent.
The past year has seen amendments to data breach notification laws in Connecticut, Montana, Nevada, New Hampshire, North Dakota, Oregon, Rhode Island, Washington, and Wyoming. Even Canada has joined the fray, enacting a federal breach notification law last month. In addition, several states have revisions to their data breach statutes on the table, including California and Illinois, which appear likely to pass amendments in the next few months. Below we provide overviews of the forthcoming changes to the state laws.
On June 26, 2015, Rhode Island Governor Gina Raimondo signed the Rhode Island Identity Theft Protection Act of 2015 (“SB134”) into law. SB134 substantially revises the prior statute by expanding the definition of “personal information,” requiring notification to the Rhode Island Attorney General, and mandating a risk-based information security program. The law will take effect one year from its passage, on June 26, 2016.
- Personal Information: SB134 amends the definition of personal information to include Social Security numbers; driver’s license numbers, Rhode Island identification card numbers, or tribal identification numbers; health insurance and medical information; and email addresses combined with any required security code, access code, or password that would permit access to an individual’s personal, medical, insurance, or financial accounts.
- Security Breach: The law broadens the definition of a “breach of the security system” to include “unauthorized access or acquisition of unencrypted computerized data,” and it requires an entity to use a 128-bit or higher algorithmic encryption process in order to be considered “encrypted data” for purposes of breach notification under the law.
- Notification: The law requires notification to the Rhode Island Attorney General for breaches involving 500 or more Rhode Island residents. The amendments also require Rhode Island consumers to be notified of a breach within 45 calendar days from confirmation of the breach. Each reckless violation of Rhode Island’s revised statute, including the failure to notify, can result in a penalty of $100 per record, while knowing and willful violations could reach $200 per record.
- Risk-Based Information Security Program: SB134 requires entities to “implement a risk-based information security program which contains reasonable security procedures and practices appropriate to the size and scope of the organization, the nature of the information and the purpose for which the information was collected.” The use of “risk-based information security program” suggests that the Rhode Island legislature expects entities to adopt a risk management plan similar to that currently mandated under the Health Insurance Portability and Accountability Act (HIPAA).
As we previously reported, this year Connecticut became the first state in the nation to require free identity theft protection for Connecticut residents affected by a data security breach. Signed into law by Connecticut Governor Dannel P. Malloy on June 30, 2015, Public Act No. 15-142 will take effect October 1, 2015, except for provisions relating to state contractors, which took effect July 1, 2015.
- Free Identity Theft Services: The law requires companies and entities that fall victim to a data breach involving the compromise of the Social Security numbers of Connecticut residents to provide at least one year of free identity theft prevention services and, if applicable, identity theft mitigation services, to affected Connecticut residents. It also requires entities to provide information to Connecticut residents about how to place a credit freeze on their credit file.
- Notification: Under the new law, entities must give notice to affected Connecticut residents no later than 90 days after discovery of a breach. Notice must also be given to the Connecticut Attorney General not later than the time notice is provided to Connecticut residents.
- Personal Information: The new law defines personal information to include protected health information; taxpayer identification numbers; alien registration numbers; government passport numbers; demand deposit account numbers; savings account numbers; credit card numbers; debit card numbers; and unique biometric data, “such as a fingerprint, a voice print, a retina or an iris image, or other unique physical representations and biometric information.”
- Mandated Data-Security and Information Security Programs for State Contractors and Health Insurers: The law also includes new requirements for state contractors and health insurers, HMOs, and related entities to implement comprehensive data-security and information security programs. The provisions relating to state contractors became effective July 1, 2015. The provisions relating to health insurers become effective October 1, 2015.
As we reported earlier this month, on June 12, 2015, New Hampshire Governor Maggie Hassan signed into law House Bill 322, which requires the New Hampshire Department of Education to implement additional procedures to protect student and teacher data from security breaches, and to notify affected individuals of any such breach. The law goes into effect August 11, 2015.
On June 10, 2015, Oregon Governor Kate Brown signed Senate Bill 601, which makes a number of amendments to the state’s data breach notification statute. The new law will take effect January 1, 2016.
- Personal Information: The law expands the existing definition of personal information to include:
  - Biometric information used for authentication purposes (i.e., “[d]ata from automatic measurements of a consumer’s physical characteristics, such as an image of a fingerprint, retina or iris, that are used to authenticate the consumer’s identity in the course of a financial transaction or other transaction”);
  - A consumer’s health insurance policy number or health insurance subscriber identification number (if in combination with any other unique identifier that a health insurer uses to identify the consumer); and
  - “Any information about a consumer’s medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment of the consumer.”
- Notification: The amendments require notification to the Oregon Attorney General whenever a data breach affects more than 250 Oregon residents. The new Oregon law also requires entities to provide consumer reporting agencies with the police report number assigned to a breach – a unique requirement that has not been a part of any other state breach notification law to date.
On May 13, 2015, Nevada Governor Brian Sandoval signed Assembly Bill 179, amending the definition of what constitutes personal information under Nevada’s existing data breach notification law. Although the law officially became effective on July 1, 2015, it contains a provision that exempts “a data collector, as that term is defined in NRS 603A.030, or a business” from complying with the new provisions until July 1, 2016.
- Personal Information: Under the new law, personal information now includes driver authorization card numbers; medical identification or health insurance identification numbers; and user names, unique identifiers, or email address when combined with passwords, access codes, or security questions and answers that would permit access to an online account.
Signed into law on April 23, 2015 by Washington Governor Jay Inslee, Washington House Bill 1078 revises the state’s data breach notification law to impose an Attorney General notification requirement, a notification timing requirement, and certain content requirements for the notification letter, among other changes. The law took effect on July 24, 2015.
- Persons Covered: The breach notification law now applies to any person, business, or agency that conducts business in Washington that owns, licenses, and/or maintains any data (computerized or hard copy) that includes personal information of Washington residents.
- Notice to the Attorney General: The Washington Attorney General must be notified when a single breach affects more than 500 Washington residents.
- Notification Timing Requirement: Notice of a breach must be provided to consumers (and to the Washington Attorney General, when applicable) no more than 45 calendar days after discovery of the breach.
- Safe Harbors and Exemptions: The amendments create a safe harbor for encrypted data and exempt covered entities that are subject to the HIPAA/HITECH breach notification requirements or to the Interagency Guidance issued pursuant to the Gramm-Leach-Bliley Act.
- Content of Breach Notification: Breach notices to consumers must be written in plain language and include the name and contact information of the reporting person or business; a list of the types of personal information that were or are reasonably believed to have been the subject of a breach; and the toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed personal information.
- Technical Breach of Security System: The amendments clarify language regarding disclosure of a breach caused by a technical breach of a security system, stating that a covered entity shall not be required to disclose a technical breach that does not seem “reasonably likely to subject customers to a risk of harm.”
On April 13, 2015, North Dakota Governor Jack Dalrymple signed Senate Bill 2214 into law, which expanded the reach of the state’s notification requirements and the range of businesses subject to those requirements. The law takes effect August 1, 2015.
- Covered Entities: The amendments now apply to any person or business that owns or licenses computerized data that includes personal information about a North Dakota resident (as opposed to any person or business that conducts business in North Dakota).
- Personal Information: The law narrows the definition of personal information with regard to employer data notification numbers, specifying that the term includes only such numbers in combination with a required security code, access code, or password.
- Notice to North Dakota Attorney General: In addition to providing notice to consumers in “the most expedient time possible and without unreasonable delay,” covered entities must now provide notice to the North Dakota Attorney General when a data breach affects more than 250 North Dakota residents.
As we reported earlier this year, on March 2, 2015, Wyoming Governor Matt Mead signed bills expanding the definition of “personally identifiable information” and requiring additional minimum content requirements for notifications to affected individuals. Both laws went into effect on July 1, 2015.
Going forward, notices to affected Wyoming residents must be “clear and conspicuous” and include, at a minimum:
- The types of PII reasonably believed affected;
- A general description of the breach;
- The approximate date of the breach;
- The remedial actions taken by the entity to prevent further breaches;
- Advice directing affected persons to remain vigilant by reviewing account statements and credit monitoring reports; and
- Whether a law enforcement investigation delayed breach notification.
In addition, the definition of personally identifiable information now includes data containing the first name or first initial and last name of a person in combination with one or more of the following data elements:
- Telephone number;
- Social Security number;
- Driver’s license number;
- Government-issued identification card;
- Tribal identification card;
- Bank account number or credit or debit card number in combination with any security code that would allow access to a financial account;
- Shared secrets or security tokens that are known to be used for data-based authentication;
- User name or email address in combination with a password or security questions and answer;
- Birth or marriage certificate;
- Medical information, defined as a person’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional;
- Health insurance information, defined as a person’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the person or information related to a person’s application, and claims history;
- Unique biometric data used for authentication purposes; or
- An individual taxpayer identification number.
On February 27, 2015, Montana Governor Steve Bullock signed House Bill 74, which amends Montana’s existing data breach notification statute to broaden the definition of personal information and require that entities notify the Montana Attorney General. The amendments go into effect October 1, 2015.
Introduced to the California Senate on February 26, 2015, Senate Bill 570 would amend California’s existing data breach notification law to clarify and require specific content of breach notifications to consumers. The bill passed the California Senate on May 28, 2015, and is currently being considered before the California Assembly Appropriations Committee.
- Breach Notification Content: The amendments would require notices to convey information under the following specified headings (the amendments would also provide a sample one-page format for the notice listing this information):
  - What Happened?
  - What Information Was Involved?
  - What We Are Doing.
  - What You Can Do.
  - For More Information.
- Conspicuous Posting: The amendments would clarify the “conspicuous posting” requirement to require companies or individuals who have suffered a breach to post a conspicuous notice on the home page or “first significant page” after entering the company or individual’s website for a minimum of 30 days.
Introduced to the Illinois Senate on February 20, 2015, Senate Bill 1833 would amend the Illinois Personal Information Act. The bill is currently before Illinois Governor Bruce Rauner for signature and could be partially vetoed. The bill would amend the following:
- Personal Information: The bill would make Illinois the first state to include geolocation data and third-party consumer marketing information in the definition of personal information.
- Notification to Attorney General: The bill would require data breach notification to the Illinois Attorney General within 30 days of the discovery of a breach affecting 250 or more Illinois residents.
- Security Measures: The bill would create a new requirement for “data collectors” that use but do not own personal information of Illinois residents to implement and maintain reasonable security measures to protect those records from unauthorized access.
To help navigate the continuing developments in state breach notification law requirements, BakerHostetler has assembled a state-by-state survey that is updated regularly to reflect newly enacted legislation.