Nevada, Washington and North Dakota Expand Data Breach Definition and Notice Requirements
Continuing the trend of states expanding their data privacy laws, companies that store or transmit personal information about residents of Nevada, Washington or North Dakota must now account for new data-element definitions and new notice requirements following a data breach. Nevada expands its definition of protected personally identifiable information (PII) to include medical and health insurance information; Washington sets a 45-day deadline for notifying affected residents; and North Dakota no longer limits its statute to companies that conduct business in the state. In addition, Washington and North Dakota now require notification of the state attorney general in certain instances.
The end result is an increasingly complex array of laws that can leave companies confused as to how to plan and prepare for a potential incident and scrambling to ensure legal compliance if an incident does occur.
Before these amendments, PII in these states was generally defined as a person’s name in combination with one or more additional unencrypted identifiers, such as a Social Security number, driver’s license number, identification card number, or financial account information combined with any required security code, access code or password that would permit access to the person’s financial account.
Nevada A.B. 179, which went into effect on July 1, 2015, expands the definition of “data elements” that constitute the definition of PII to include:
- Driver authorization card numbers
- Medical identification or health insurance identification numbers
- User names, unique identifiers or email addresses in combination with passwords, access codes, or security questions and answers permitting access to an online account.
Nevada’s prior definition recognized an exemption for the last four digits of a Social Security number, driver’s license number or identification card number. A.B. 179 includes driver authorization card numbers in that exemption, but narrows the exemption to provide that it only applies to information that is lawfully, publicly available from federal, state or local government records.
The “good news” is that although the law took effect on July 1, 2015, businesses and “data collectors” are exempt from complying with the amended provisions until July 1, 2016.
In an effort to strengthen its data breach notification requirements, Washington has enacted H.B. 1078, which took effect July 24, 2015. The law requires notification of a breach of unencrypted information, and also of encrypted information where the unauthorized person also acquires the means to decipher it. The legislation codifies a risk-of-harm analysis into the notification requirement and extends coverage to non-computerized (paper) data.
Companies now have 45 days from when the breach is discovered to notify affected residents and that notification is required to include:
- The name and contact information for the reporting entity
- The types of personal information that were subject to the breach
- Toll-free telephone numbers and addresses for the major credit reporting agencies.
If more than 500 Washington residents are notified, the attorney general must also be notified by the time notice is provided to consumers.
Finally, H.B. 1078 adds federal preemption language that allows companies covered by HIPAA or the Gramm-Leach-Bliley Act to follow those statutes’ notification timelines instead.
North Dakota S.B. 2214, which takes effect August 1, 2015, expands coverage to any entity that owns or licenses personal information of North Dakota residents, while treating employer identification numbers as a covered data element only when they are exposed “in combination with any required security code, access code, or password.”
Companies will also be required to notify the North Dakota attorney general if more than 250 individuals are affected.
As states continue to diverge in their approach to data privacy regulations, companies find themselves responsible for an expanding field of what constitutes personal information and a shrinking list of acceptable responses. Checklists and response plans finalized as recently as six months ago are rapidly becoming obsolete, so companies need to incorporate an ongoing review of their response plans to stay ahead of external threats and changing law.