Recent Amendments to State Breach Notification Laws
Tuesday, October 19, 2021
Data breach notification statutes
Print Mail Download i

Over the last several months, a minority of states amended their data breach notification statutes or enacted sector-specific breach notification requirements. Specifically, nine states amended their state statutes to (1) impose notice requirements on state entities, (2) broaden existing definitions (e.g., expand the definition of “personal information”), (3) increase reporting content requirements, (4) regulate the insurance industry, (5) regulate the tax industry, (6) require stricter notification timeframes, and (7) allow the Attorney General to publish data breach information. Below is a high-level overview of each state’s data breach notification statute amendments, which are further summarized in the chart below.

Arkansas passed a law (Ark. Code Ann. § 10-4-429) that requires state entities (including political subdivisions and schools) to report data security incidents to the Arkansas Legislative Auditor within five (5) business days after learning of the incident. State entities also must provide regular updates to the Auditor about the incident until the investigation is closed. The Auditor must maintain a list of all reported security incidents, annually report (by December 15th of each year) such information to the legislative council and certain committees, and, if the incident significantly compromised citizens' data, created a significant security concern, or involved significant theft, notify certain government officials. 

Bill: H.B. 1110
Passed: March 4, 2021
Effective: July 30, 2021

Connecticut amended its data breach notification statute (Conn. Gen. Stat. § 36a-701b) to shorten the breach notification timeframe to which entities must notify impacted individuals and the Connecticut Attorney General from ninety (90) days to sixty (60) days. The amendment also broadens the definition of “personal information” to include biometrics, medical information, passport data, military and state identification cards, health insurance policy numbers, taxpayer identification numbers, and online account credentials. The amendment further requires businesses to provide twenty-four (24) months of complimentary credit identity theft prevention and mitigation services not only to individuals with an impacted Social Security number, but also to those with an impacted tax identification number. Lastly, the amendment exempts entities that are subject to and in compliance with HIPAA and HITECH. 

Bill: H.B. 5310
Passed: June 16, 2021
Effective: October 1, 2021

Hawaii passed a National Association of Insurance Commissioners (“NAIC”) model insurance data protection law to establish insurance data security standards for insurance licensees (Hawaii Acts, L 2021, c 112). The law requires licensees to develop and implement written information security programs, submit data breach notifications (to both the Insurance Commissioner and consumers), and monitor third-party vendors. Of note, the law requires licensees to notify the Insurance Commissioner of a data security incident no later than three (3) business days after learning of an event.
 
Bill: S.B. 1100
Passed: June 29, 2021
Effective: July 1, 2021

Maine enacted a NAIC-inspired insurance data protection law. The law requires licensees to investigate, notify, and report cybersecurity events to the Superintendent of the Maine Bureau of Insurance (within three (3) days). Consumers must be notified of cybersecurity events in accordance with Maine’s general data breach notification law. The law also requires the development and implementation of a written information security program and other proactive security measures.

Bill: LD 51
Passed: March 17, 2021
Effective: January 1, 2022

Mississippi amended its data breach notification statute (Miss. Code § 75-24-29) to expand the definition of “personal information” to include tribal identification card numbers.

Bill: H.B. 277
Passed: March 13, 2021
Effective: July 1, 2021

Oregon passed a tax security breach law mandating reporting requirements on tax professionals in the event of a breach of security. The law requires tax professionals to report security breaches associated with tax return preparation to the Oregon Department of Revenue within five (5) days. The law pertains only to breaches occurring on or after January 1, 2022.  

Bill: H.B. 2128
Passed: June 23, 2021
Effective: September 23, 2021

Tennessee passed an NAIC model insurance data protection law (Tenn. Code Ann. § 56-2-1001, et seq.). The law requires insurance licensees to develop, maintain, and implement an information security program by July 1, 2022; comply with standards for data security; identify cyber threats; and investigate any cybersecurity incident. In the event of a breach, licensees must notify the Commissioner of the Department of Commerce and Insurance within three (3) days and notify consumers within forty-five (45) days. 

Bill: H.B. 766
Passed: May 6, 2021
Effective: July 1, 2021

Texas amended its data breach notification law (Tex. Bus. & Com. Code § 521.053) to require the Texas Attorney General's office to post on its website a list of the notifications it receives when a breach affects at least two hundred-fifty (250) Texans. Entities must include the number of impacted residents who were notified (in addition to the other notice content requirements already in the statute).  The amendment provides that the Texas Attorney General can remove a notification from the website after one year, but only if no additional breaches have been reported by the entity.

Bill: H.B. 3736
Passed: June 14, 2021
Effective: September 1, 2021

Wisconsin enacted the Wisconsin Insurance Data Security Law (Wis. Stat. § 601.95, et seq.) to regulate those licensed under Wisconsin insurance laws.  The law requires licensees to develop an information security program that protects its systems and data. By November 1, 2022, licensees must conduct a risk assessment and address any areas that put their consumer's data at risk. The Act further requires licensees to develop an incident response plan and provide timely notice of a security incident to impacted consumers (and in some cases to the insurance commissioner and consumer reporting agencies). 

Bill: S.B. 160
Passed: July 15, 2021
Effective: November 1, 2021

© Polsinelli PC, Polsinelli LLP in California

Current Legal Analysis

More from Polsinelli PC

FTC Final Rule Banning Most Non-Competes Passes – What Nonprofits Need to Know
by: Jacob Zerkle , Michael Kuczynski
The 80/20 Rule is Here: CMS Finalizes HCBS Care Worker Payment Requirements
by: Ross E. Sallade , Angelo Spinola
Blockchain+ Bi-Weekly: Week of April 25, 2024
by: Jonathan E. Schmalfeld , Stephen A. Rutenberg
FTC Final Rule Banning Most Non-Competes Passes – What You Need to Know
by: Eric E. Packel , Emma R. Schuering
Finally Final — The DOL Issues Its Long-Expected Final Rule Raising the FLSA Overtime Exemption Salary Thresholds
by: Jason N. W. Plowman , Matthew P.F. Linnabary
"Please Pay No Attention to the Microphone:” DOJ Announces New Program Offering Protections to Criminal Whistleblowers
by: Kurt R. Erskine , Nicole K. Nielly
HRSA Aims for Swift Dispute Resolution with new 340B ADR Final Rule
by: Mary H. Canavan , Kyle A. Vasquez
Critical Infrastructure Cybersecurity – Evolving Incident Response Obligations, Integral to Effective Risk Management
by: Romaine C. Marshall , Kurt R. Erskine
Vote Scheduled for FTC Final Rule Banning Non-Competes – What You Need to Know
by: Eric E. Packel , Sean R. Gallagher
FDA Preemption of State Law for False Labeling Survives Appeal to Supreme Court
by: Gina L. Tincher , Stacy A. Carpenter

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins