In the absence of federal action, state legislators continue to propose bills that would increase data privacy and security protections for consumers. Any entity that does business in these states or maintains confidential information of their residents should monitor the legislation to determine whether and how the proposed changes may affect operations.
The bills are a direct reaction to Equifax's data breach disclosure last summer. In prior alerts and articles, we discussed proposed legislation in Arizona, Colorado, North Carolina, and South Dakota. In this alert, we examine legislation being considered in Oregon, New York, Alabama, and Rhode Island.
To put the discussion into context, 48 states already have laws requiring entities to notify affected individuals if the entity suffers a loss or compromise of the individuals' confidential information. Those laws differ in many respects, resulting in a complex web of legal responsibilities that creates headaches for entities required to comply with them.
The challenge will become even more complex if the proposed bills become law, because, generally speaking, they would:
- expand the types of confidential information covered under state breach notification requirements;
- implement specific deadlines for when affected individuals must be notified;
- require businesses to implement and maintain reasonable security procedures to prevent data breaches; and
- authorize state attorneys general to enforce these provisions through substantial fines and penalties for non-compliance.