After a quiet winter there has been significant activity in state legislatures to enact, strengthen or clarify their data breach notification statutes. The latest happenings are summarized below.

New Mexico

Last week we alerted you that, at long last, data breach legislation was sitting on the desk of New Mexico’s governor. On April 6^th, Governor Susana Martinez signed the Data Breach Notification Act, which passed unanimously in the state’s House and Senate, and with the stroke of her pen she finally ended New Mexico’s unenviable status as one of only three states without a data breach notification law on the books.  We are keeping an eye on the last two outliers – Alabama and South Dakota – and will keep you up to date if we see any meaningful legislative activity in these states.

Click here for the final text of the statute.  The law will go into effect on June 6, 2017.

Tennessee 

The Tennessee legislature has been tinkering with the state’s data breach notification statute since last year and earlier this month passed an amendment to clarify some confusion arising out of its 2016 amendment.  This latest amendment clearly states that businesses experiencing a breach of encrypted computerized data do not need to notify affected residents unless the key necessary to defeat the encryption is also compromised as part of the breach. Click here for the full text of the amended statute. The amendment became effective on April 4, 2017.

Virginia

In Virginia, legislators are clearly well-aware of the rampant W-2 phishing e-mails that have plagued businesses in recent years and cost many states millions of dollars as a result of payments made and investigations conducted on fraudulent tax returns. To combat this wildly successful scam, Virginia has amended its data breach notification statute to ensure that its Attorney General and Department of Taxation is aware when employers and payroll service providers experience a breach involving taxpayer identification numbers and withholding information.  Click here for the full text of the amendment (see italicized language in § 18.2-186.6(M)).  The amendment will become effective on July 1, 2017.

The amended portion of the statute applies to employers or payroll service providers who experience a security breach (i.e. unauthorized access and acquisition of personal information) involving unencrypted and unredacted computerized data containing a taxpayer identification number in combination with income tax withholding information for that taxpayer. Following such a breach, and a determination that it is reasonably likely to cause identity theft or fraud, the employer or payroll service provider must notify the Attorney General and provide its name and federal employer identification number. The Attorney General will then notify Virginia’s Department of Taxation.

It is important to note that this amendment supplements the existing statute and applies only to employers and payroll service providers.