February 3, 2023

Volume XIII, Number 34



Recent Amendments to State Breach Notification Laws

Over the last several months, a minority of states amended their data breach notification statutes or enacted sector-specific breach notification requirements. Specifically, nine states amended their state statutes to (1) impose notice requirements on state entities, (2) broaden existing definitions (e.g., expand the definition of “personal information”), (3) increase reporting content requirements, (4) regulate the insurance industry, (5) regulate the tax industry, (6) require stricter notification timeframes, and (7) allow the Attorney General to publish data breach information. Below is a high-level overview of each state’s data breach notification statute amendments, which are further summarized in the chart below.

Arkansas passed a law (Ark. Code Ann. § 10-4-429) that requires state entities (including political subdivisions and schools) to report data security incidents to the Arkansas Legislative Auditor within five (5) business days after learning of the incident. State entities also must provide regular updates to the Auditor about the incident until the investigation is closed. The Auditor must maintain a list of all reported security incidents, annually report (by December 15th of each year) such information to the legislative council and certain committees, and, if the incident significantly compromised citizens' data, created a significant security concern, or involved significant theft, notify certain government officials.

Bill: H.B. 1110
Passed: March 4, 2021
Effective: July 30, 2021

Connecticut amended its data breach notification statute (Conn. Gen. Stat. § 36a-701b) to shorten the timeframe within which entities must notify impacted individuals and the Connecticut Attorney General of a breach from ninety (90) days to sixty (60) days. The amendment also broadens the definition of “personal information” to include biometrics, medical information, passport data, military and state identification cards, health insurance policy numbers, taxpayer identification numbers, and online account credentials. The amendment further requires businesses to provide twenty-four (24) months of complimentary credit and identity theft prevention and mitigation services not only to individuals with an impacted Social Security number, but also to those with an impacted tax identification number. Lastly, the amendment exempts entities that are subject to and in compliance with HIPAA and HITECH.

Bill: H.B. 5310
Passed: June 16, 2021
Effective: October 1, 2021

Hawaii passed a National Association of Insurance Commissioners (“NAIC”) model insurance data protection law to establish insurance data security standards for insurance licensees (Hawaii Acts, L 2021, c 112). The law requires licensees to develop and implement written information security programs, submit data breach notifications (to both the Insurance Commissioner and consumers), and monitor third-party vendors. Of note, the law requires licensees to notify the Insurance Commissioner of a data security incident no later than three (3) business days after learning of an event.

Bill: S.B. 1100
Passed: June 29, 2021
Effective: July 1, 2021

Maine enacted a NAIC-inspired insurance data protection law. The law requires licensees to investigate, notify, and report cybersecurity events to the Superintendent of the Maine Bureau of Insurance (within three (3) days). Consumers must be notified of cybersecurity events in accordance with Maine’s general data breach notification law. The law also requires the development and implementation of a written information security program and other proactive security measures.

Bill: LD 51
Passed: March 17, 2021
Effective: January 1, 2022

Mississippi amended its data breach notification statute (Miss. Code § 75-24-29) to expand the definition of “personal information” to include tribal identification card numbers.

Bill: H.B. 277
Passed: March 13, 2021
Effective: July 1, 2021

Oregon passed a tax security breach law imposing reporting requirements on tax professionals in the event of a breach of security. The law requires tax professionals to report security breaches associated with tax return preparation to the Oregon Department of Revenue within five (5) days. The law pertains only to breaches occurring on or after January 1, 2022.

Bill: H.B. 2128
Passed: June 23, 2021
Effective: September 23, 2021

Tennessee passed a NAIC model insurance data protection law (Tenn. Code Ann. § 56-2-1001, et seq.). The law requires insurance licensees to develop, maintain, and implement an information security program by July 1, 2022; comply with standards for data security; identify cyber threats; and investigate any cybersecurity incident. In the event of a breach, licensees must notify the Commissioner of the Department of Commerce and Insurance within three (3) days and notify consumers within forty-five (45) days.

Bill: H.B. 766
Passed: May 6, 2021
Effective: July 1, 2021

Texas amended its data breach notification law (Tex. Bus. & Com. Code § 521.053) to require the Texas Attorney General's office to post on its website a list of the notifications it receives when a breach affects at least two hundred fifty (250) Texans. Entities must include the number of impacted residents who were notified (in addition to the other notice content requirements already in the statute). The amendment provides that the Texas Attorney General can remove a notification from the website after one year, but only if no additional breaches have been reported by the entity.

Bill: H.B. 3736
Passed: June 14, 2021
Effective: September 1, 2021

Wisconsin enacted the Wisconsin Insurance Data Security Law (Wis. Stat. § 601.95, et seq.) to regulate those licensed under Wisconsin insurance laws. The law requires licensees to develop an information security program that protects their systems and data. By November 1, 2022, licensees must conduct a risk assessment and address any areas that put their consumers' data at risk. The Act further requires licensees to develop an incident response plan and provide timely notice of a security incident to impacted consumers (and in some cases to the insurance commissioner and consumer reporting agencies).

Bill: S.B. 160
Passed: July 15, 2021
Effective: November 1, 2021

© Polsinelli PC, Polsinelli LLP in California. National Law Review, Volume XI, Number 292

About this Author

Michael J. Waters, Cybersecurity Attorney, Polsinelli, Chicago

Michael Waters is an experienced litigator and Co-Chair of the firm’s Privacy & Cybersecurity practice group. He handled one of the first data breach matters shortly after California passed its breach notification law in 2003 and has become one of the country’s leading data breach attorneys. He has counseled thousands of clients across industries through nearly every conceivable type of breach, from system-wide network intrusions and ransomware attacks to situations involving cyber extortion, stolen laptops and computer hardware, ATM skimmers, email compromises, wire...

Thomas P. Weber, Technology Transactions Attorney, Polsinelli, Denver, CO

Thomas Weber is an associate in the Technology Transactions and Data Privacy practice. He helps clients with data compliance matters, including compliance with the California Consumer Privacy Act (CCPA), the European Union’s General Data Protection Regulation (GDPR), and the Gramm-Leach-Bliley Act (GLBA). Thomas also advises clients in breach response matters. Prior to joining the firm, he was a law clerk to the Honorable Judge Rebecca R. Freyre.