October 29, 2020

Volume X, Number 303

Nevada, Washington and North Dakota Expand Data Breach Definition and Notice Requirements

Continuing the trend of states expanding their data privacy laws, companies that store and transmit personal information about residents of Nevada, Washington and North Dakota must now take note of additional data-element definitions and notice requirements following data breach incidents. In Nevada, protected personally identifiable information (PII) now includes medical and health information; Washington sets a 45-day limit for notification; and North Dakota removes the limitation to only companies that conduct business in the state. In addition, Washington and North Dakota now require notification of the state attorney general in certain instances.

The end result is an increasingly complex array of laws that can leave companies confused as to how to plan and prepare for a potential incident and scrambling to ensure legal compliance if an incident does occur.

Nevada

PII had been defined to include a person’s name in combination with one or more additional unencrypted identifiers such as a Social Security number, driver’s license number, identification card number, or financial account information in combination with any required security code, access code or password that would permit access to the person’s financial account.

Nevada A.B. 179, which went into effect on July 1, 2015, expands the “data elements” that constitute PII to include:

  • Driver authorization card numbers
  • Medical identification or health insurance identification numbers
  • User names, unique identifiers or email addresses in combination with passwords, access codes, or security questions and answers permitting access to an online account.

Nevada’s prior definition recognized an exemption for the last four digits of a Social Security number, driver’s license number or identification card number. A.B. 179 includes driver authorization card numbers in that exemption, but narrows the exemption to provide that it only applies to information that is lawfully, publicly available from federal, state or local government records.

The “good news” is that although the law came into effect on July 1, 2015, businesses and “data collectors” are exempt from complying with the amendatory provisions until July 1, 2016.

Washington

In an effort to strengthen the effectiveness of data breach notification requirements, Washington has enacted H.B. 1078, which took effect July 24, 2015, and requires notification of the breach of unencrypted information as well as encrypted information where the person also acquires the means to decipher the information. This legislation codifies a risk of harm analysis into the notification requirement and is expanded to include non-computerized (paper) data.

Companies now have 45 days from when the breach is discovered to notify affected residents, and that notification must include:

  • The name and contact information for the reporting entity
  • The types of personal information that were subject to the breach
  • Toll-free telephone numbers and addresses for the major credit reporting agencies.

If more than 500 Washington residents are notified, the attorney general must also be notified by the time notice is provided to consumers.

Finally, H.B. 1078 adds federal preemption language for companies covered under HIPAA and the Gramm-Leach-Bliley Act to comply with those statute-specific timelines.

North Dakota

S.B. 2214, which takes effect August 1, 2015, expands coverage to any entity that owns or licenses personal information of North Dakota residents, while limiting disclosure of employer identification numbers only when “in combination with any required security code, access code, or password.”

Companies will be required to notify the attorney general if more than 250 individuals are affected.

Conclusion

As states continue to diverge in their approach to data privacy regulations, companies find themselves responsible for an expanding field of what constitutes personal information and a shrinking list of acceptable responses. Checklists and response plans finalized as recently as six months ago are rapidly becoming obsolete, so companies need to incorporate an ongoing review of their response plans to stay ahead of external threats and changing law.

© 2020 Wilson Elser
National Law Review, Volume V, Number 211

About this Author

Kevin Scott, Wilson Elser
Associate

Kevin Scott focuses his practice on data security and privacy breach response and litigation. His exceptional background involved working for the Special Inspector General for Iraq Reconstruction, investigating financial fraud in the handling of government contracts. Kevin also served as a judicial law clerk for the Chief Judge of the U.S. Court of Appeals for the Armed Forces.

Kevin served 27 years in the U.S. Marine Corps, retiring as a Colonel. He flew the A-6E Intruder and F/A-18D Hornet in the Gulf War, Iraq and Afghanistan. His final duty...

312-821-6131