Over the past six months, a significant number of states have amended their data breach notification statutes. Specifically, thirteen states have amended their statutes to: (1) require notice to the State Attorney General, (2) broaden existing definitions (e.g., expand the definition of “personal information”), (3) provide industry exemptions (e.g., exempt HIPAA-regulated entities, financial institutions, and entities regulated by the state’s insurance code), (4) regulate the insurance industry (through implementation of the National Association of Insurance Commissioner’s 2017 Insurance Data Security Model Law), (5) add new terms and definitions, (6) require stricter notification timeframes, (7) regulate entities that were breached, but were not the owner or licensee of the data, (8) add a statute of limitations for civil actions brought under the statute, and (9) create a state cybersecurity task force. The below descriptions provide a high-level overview of each state’s data breach notification statute amendments, which are further summarized in the below chart.
Arkansas amended its data breach notification statute (Ark. Code Ann. § 4-110-101, et seq. (West 2019)) to broaden the definition of “personal information” to include “biometric data[;]” and require notification to the State Attorney General, if 1,000 or more individuals are affected, at the same time as notice to the affected individuals or 45 days after the business “determines that there is a reasonable likelihood of harm to customers, whichever occurs first[.]”
Bill: H.B. 1943
Passed: April 15, 2019
Effective: July 23, 2019
Connecticut amended its data breach notification statute (Conn. Gen. Stat. § 36a-701b (West 2019)) to add the “Insurance Data Security Law,” which regulates those licensed under Connecticut insurance laws.
Bill: H.B. 7424
Passed: June 26, 2019
Effective: October 1, 2019
Florida amended its data breach notification statute (Fla. Stat. § 501.171 (West 2019)) to transfer “powers, duties, functions, records, offices, personnel, pending issues [and] contracts, administrative authority, administrative rules, [and] funds from” the Florida Agency for State Technology (“AST”) to the Florida Department of Management Services (“DMS”); establish the Division of State Technology within DMS; specify reporting requirements for the executive branch agencies and judicial branch through a statewide travel management system; require each state agency to adopt formal procedures for cloud-computing options; and create a Florida Cybersecurity Task Force “to review and conduct an assessment of the state’s cybersecurity infrastructure, governance, and operations.”
Bill: H.B. 5301
Passed: June 24, 2019
Effective: July 1, 2019
Maryland amended its data breach notification statute (Md. Code Ann., Com. Law. § 14-3501, et seq. (West 2019)) to add the “Insurance – Breach of Security of a Computer System – Notification Requirement,” which requires “certain carriers […] to notify the Maryland Insurance Commissioner […] that a certain breach of the security of a system has occurred;” and requires “a carrier to provide the notice” within 45 days (S.B. 30). Further, Maryland amended its statute to add that when the breached business is not the “owner or licensee of the computerized data, the business may not charge the owner or licensee of the computerized data a fee for providing information that the owner or licensee needs to make a notification under” the statute, and the “owner or licensee of the computerized data may” only use the information relative to the breach to (1) provide notification of the breach, (2) protect or secure personal information, or (3) provide notification to national information security organizations created for information-sharing and analysis of security threats to avert additional breaches (S.B. 1154).
Bills: S.B. 30 H.B. 1154
Passed: April 18, 2019 April 30, 2019
Effective: October 1, 2019 October 1, 2019
Massachusetts amended its data breach notification statute (Mass. Gen. Laws Ann. ch. 93H, § 1, et seq. (West 2019)) to add requirements to a breach notification letter to affected consumers, the State Attorney General, and the office of consumer affairs and business regulation. The requirements include whether the organization implemented a written information security program.
Bill: H.B. 4806
Passed: January 10, 2019
Effective: April 10, 2019
Michigan amended its data breach notification statute (Mich. Comp. Laws § 445.61, et seq. (West 2019)) to exempt entities regulated by the Insurance Code (Mich. Comp. Laws §§ 500.100-8302 (West, 2019)), and added a chapter to the Insurance Code (Mich. Comp. Laws § 500.559, et seq. (West 2019)) to regulate individuals or companies licensed by the Michigan Department of Insurance and Financial Services with respect to data breaches separate and apart from other industry sectors.
Bills: H.B. 6491 H.B. 6406
Passed: December 28, 2018 December 28, 2018
Effective: January 20, 2021 January 20, 2020
Mississippi amended its data breach notification laws (Miss. Code § 75-24-29 (West 2019)) to add the “Insurance Data Security Law,” which regulates those licensed under Mississippi insurance laws.
Bill: S.B. 2831
Passed: April 3, 2019
Effective: July 1, 2019
New Jersey amended its data breach notification statute (N.J. Rev. Stat. § 56:8-161, et seq. (West 2019)) to broaden the definition of “personal information” to include “user name, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account,” and the business that was breached may provide notification in “in electronic or other form that directs the customer […] to promptly change any password […] to protect the online account with the business,” but the “business […] that furnishes an email account shall not provide notification to the email account that is subject to a security breach.”
Bill: S.B. 52
Passed: May 10, 2019
Effective: September 1, 2019
Oregon amended its data breach notification statute (Or. Rev. Stat. § 646A.600, et seq. (West 2019)) to broaden the definition of “personal information” (e.g., a “user name or other means of identifying a consumer for the purpose of permitting access to the consumer’s account, together with any other method necessary to authenticate the user name or means of identification”); define “covered entity” (“a person that owns, licenses, maintains, stores, manages, collects, processes, acquires or otherwise possesses personal information in the course of the person’s business, vocation, occupation or volunteer activities”) and “vendor” (“a person with which a covered entity contracts to maintain, store, manage, process or otherwise access personal information for the purpose of, or in connection with, providing services to or on behalf of the covered entity”); exempt entities regulated under HIPAA; and require a breached “vendor” to notify the State Attorney General when there is more than 250 affected consumers.
Bill: S.B. 684
Passed: May 24, 2019
Effective: January 1, 2020
Texas amended its data breach notification statute (Tex. Bus. & Com. Code § 521.001, et seq. (West 2019)) to impose, on state agencies, a breach notification timeframe of 10 days “after the date of the eradication, closure, and recovery from a breach, suspected breach, or unauthorized exposure;” and create a cybersecurity coordination program for utilities (H.B. 64). Further, Texas amended its statute to add a breach notification requirement to the State Attorney General where more than 250 residents are affected and to impose a 60-day reporting period to affected residents and the State Attorney General following determination of a breach; and provide requirements for the contents of a breach notification letter, including any measures intended to be taken regarding the breach after notification (H.B. 4390).
Bills: H.B. 4390 H.B. 64
Passed: June 14, 2019 April 15, 2019
Effective: January 1, 2020 September 1, 2019
Utah amended its data breach notification statute (Utah Code § 13-44-101, et seq. (West 2019)) to add the definition of “financial institution;” exempt financial institutions and their affiliates; add a statute of limitations of 5 years for a civil action under the statute; and amend the State Attorney General litigation fund from $2 million to $4 million, which now includes “citizen education and outreach[.]”
Bill: S.B. 193
Passed: March 26, 2019
Effective: May 14, 2019
Virginia amended its data breach notification statute (Va. Code § 18.2-186.6 (West 2019)) to broaden the definition of “personal information” to include “[p]assport number;” and “[m]ilitary identification number” and require notification of a breach of such information in combination with the resident’s “first name or first initial and last name” to the State Attorney General and any affected residents “without unreasonable delay[.]”
Bill: H.B. 2396
Passed: March 18, 2019
Effective: July 1, 2019
Washington amended its data breach notification statute (Wash. Rev. Code Ann. § 19.255.010, et seq. (West 2019)) to broaden the definition of “personal information” (e.g., “full date of birth,” “Student, military, or passport identification number,” etc.) and change the timing of notification to affected individuals and the State Attorney General from 45 to 30 days after discovery of a data breach.
Bill: S.H.B. 1071
Passed: May 7, 2019
Effective: March 1, 2020
***
In light of these amendments, organizations should revisit their incident response plans to ensure compliance with the new data breach notification requirements.