October 17, 2019

State Data Breach Notification Statutes: A Year in Review and Preparing for 2017

Following on the heels of an active 2015, where eight states enacted changes to their data breach notification laws, another five states amended their statutes in 2016, adding complexity to the current “patchwork” system of breach notification legislation. Several trends have emerged from these recent enactments. States are broadening the definition of “personal information,” redefining content and timing requirements for notification, clarifying the role of encryption in providing a safe harbor, and providing carveouts for entities compliant with other privacy regulations.

State Data Breach notification statutes

The amendments enacted in Nebraska, Tennessee, and Arizona all took effect in 2016, while the updates in California and Illinois became effective on January 1, 2017. For a summary of the amendments, please click on the image below.

The divergent and frequently changing state statutes create challenges for compliance and may require organizations to revisit their security incident response plans and other privacy policies and procedures to ensure that the policies reflect these new obligations.

Next Steps

As states continue to revise their data breach laws, organizations must continue to monitor these changes to prepare for and respond to data breaches.

  • In particular, because of the expansions to what constitutes “personal information,” companies must continue to conduct assessments of the information they collect and receive, and create data maps to have a better understanding of their data in order to implement appropriate procedural and security safeguards.

  • Organizations should also review security measures to ensure that an incident involving encrypted data does not go undetected. 

  • Organizations also need to understand if they are required to comply with GLBA or HIPAA and how those laws affect compliance with state data breach laws.

© 2019 Foley & Lardner LLP



About this Author

Jennifer Hennessy, Foley Lardner Law Firm, Privacy Security and Healthcare Attorney
Associate

Jennifer J. Hennessy is a privacy and security and health care regulatory attorney with Foley & Lardner LLP. Her practice includes advising businesses on compliance with state and federal data privacy and security laws. She assists covered entities and business associates in complying with the HIPAA Privacy and Security Rules, and also advises businesses and individuals on compliance with state data privacy laws and federal law 42 C.F.R. Part 2, Confidentiality of Alcohol and Drug Abuse Treatment Records. She frequently guides clients through data incident management...

617-502-3211

Julia Kadish, Foley Lardner Law Firm, Technology Drafting Attorney
Associate

Julia (Julie) Kadish is an associate with Foley & Lardner LLP where her practice focuses on drafting and reviewing technology agreements across a variety of industries, and counseling clients on privacy and data security matters, including data breach response and preparedness. She also has experience implementing corporate compliance programs from an initial risk assessment to implementation, training, and annual audits. Ms. Kadish is a Certified Information Privacy Professional (CIPP/US).

312-832-4911

Steven Millendorf, Technology Attorney, Foley and Lardner Law Firm
Associate

Steven Millendorf is an associate and intellectual property lawyer with Foley & Lardner LLP. He has experience drafting, reviewing and revising technology agreements, including protections for privacy and data security. Mr. Millendorf regularly tracks changes to state breach notification laws and revises Foley’s nationally published state data breach notification database. He also has experience in defending electronics and telecommunications clients in IP litigation matters. Mr. Millendorf is a member of the firm’s Technology Transactions & Outsourcing,...

858-847-6737

Jennifer L. Rathburn, Foley & Lardner LLP, Milwaukee, data protection programs, data incident management lawyer
Partner

Jennifer L. Rathburn is a partner with Foley & Lardner LLP. Ms. Rathburn focuses on counseling clients on data protection programs, data incident management, and breach response and recovery, as well as the monetization of data, the Health Insurance Portability and Accountability Act (HIPAA), and other privacy and security issues. She is one of the founders of the Midwest Cyber Security Alliance and has a deep understanding of the complex risk, operational, and legal issues companies must address to maintain the confidentiality of, access to, and integrity of their...

414-297-5864

Aaron K. Tantleff, Foley Lardner, E-Commerce lawyer, IP Attorney, Patents
Partner

Aaron K. Tantleff is a partner and intellectual property lawyer with Foley & Lardner LLP. His practice focuses upon providing legal and strategic guidance regarding information technology, outsourcing, licensing, consulting, professional services, e-commerce, manufacturing, supply, and distribution agreements, as well as product acquisitions, strategic alliances, mergers and acquisitions, and private equity investments where technology and intellectual property are of significant importance and value. Mr. Tantleff is a member of the firm’s Technology...

312-832-4367