The Mintz Matrix – September 2017
As data breaches dominate national headlines, it remains as important as ever for businesses to invest in security and to be ready to respond if a breach occurs. Part of your preparedness program should be staying current on data breach legislation at the state level, and we are here to help with a new installment of our “Mintz Matrix,” a detailed survey of U.S. state data breach notification laws.
There have been a few notable developments since we last published an update of the Mintz Matrix and below we have provided a snapshot of these changes.
New Mexico’s Data Breach Notification Act at last went into effect on June 16, 2017, making it the 48th state to enact some form of legislation regarding data breaches. For a detailed description of New Mexico’s new law, please read our previous blog post on the topic.
As a side note for your next trivia night, the only two remaining states that do not have data breach notification laws are Alabama and South Dakota. PS: You’re welcome.
Amendments to the state’s data breach statute passed by the Virginia legislature this past March went into effect as of July 1, 2017. In an effort to confront the onslaught of W-2 phishing emails that cost states millions of dollars these past couple of years, Virginia now requires companies to notify the state Attorney General and the Department of Taxation after suffering a data breach involving taxpayer identification numbers and withholding information. If you’d like to learn more about the amended legislation, click here for the text of the new statute and here for our previous blog post on the changes.
The biggest movement across the data breach regulatory landscape occurred in Delaware, where the legislature dramatically overhauled the state’s existing statute. The legislation as signed by Delaware’s governor establishes an effective date 240 days after enactment, or April 14, 2018; however, the revised statute as published at Delaware Code Online indicates that the amendment goes into effect on March 14, 2018. Out of an abundance of caution, we encourage businesses to be prepared for Delaware’s new rules by the earlier date. In summary, please be aware of the following major changes:
Timeline of Notification. After discovery of a data breach, companies must notify affected Delaware residents within 60 days under the amended statute. The existing statute only requires companies to provide notification in the “most expedient time possible and without unreasonable delay,” without a fixed deadline. The amended statute allows for a shorter period if required by federal law and leaves in place two other important caveats:
If an internal investigation concludes that affected residents are unlikely to suffer harm as a result of the data breach, no notification is required.
If a law enforcement agency determines that notice will impede an ongoing criminal investigation, notification can be delayed at the direction of the agency.
Notification to the Delaware Attorney General. If a company is required to notify more than 500 Delaware residents under the amended statute, it will also need to notify the Delaware Attorney General.
Complimentary Credit Monitoring Services. If Social Security Numbers are part of the compromised data set, complimentary credit monitoring services must be offered to Delaware residents for one year under the amended statute.
As a practical matter, since California’s statute generally requires companies to provide free credit monitoring to California residents affected by a data breach, businesses oftentimes elect to offer this benefit to all individuals as part of their response to a breach where the California law is triggered. It is interesting that more states are taking California’s lead and beginning to impose this requirement.
Exemptions. The amended statute clarifies that its exemption for data collectors subject to state and federal laws requiring maintenance of procedures consistent with the Delaware data breach statute includes entities subject to the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act.
Expanded Definition of Personal Information. The amended statute significantly expands its definition of “Personal Information,” which in effect means that a wider scope of data will trigger obligations under the statute. In addition to first name or first initial and last name in combination with standard data elements (i.e., Social Security number, driver’s license number or state identification number, or financial account number in combination with an access code/password), the new definition includes the following data elements as additional triggers:
Passport number or other federal identification card number;
Username or email address combined with a security question and answer or password that would grant access to a resident’s online account;
Medical history, medical treatment by a healthcare professional, diagnosis of any medical (mental or physical) condition by a health care professional, or DNA profile;
Health insurance policy number, subscriber identification number, or any other health insurance unique identifier;
Individual biometric information generated from assessment of human body characteristics for authentication purposes; and
Taxpayer identification number.
Security Obligations. Any company that handles personal information as defined by the amended statute is obligated to implement and maintain “reasonable” procedures and practices to prevent “the unauthorized acquisition, use, modification, disclosure, or destruction” of that data. This requirement is broadly drafted and requires policies and controls with respect to data storage, data processing and sharing, and record retention. We encourage you to think beyond the data breach context when considering this new obligation.
Eric Halladay contributed to this post.