July 15, 2019

States’ Data Breach Notification Statute Amendments in 2019

Over the past six months, a significant number of states have amended their data breach notification statutes. Specifically, thirteen states have amended their statutes to: (1) require notice to the State Attorney General, (2) broaden existing definitions (e.g., expand the definition of “personal information”), (3) provide industry exemptions (e.g., exempt HIPAA-regulated entities, financial institutions, and entities regulated by the state’s insurance code), (4) regulate the insurance industry (through implementation of the National Association of Insurance Commissioners’ 2017 Insurance Data Security Model Law), (5) add new terms and definitions, (6) require stricter notification timeframes, (7) regulate entities that were breached but were not the owner or licensee of the data, (8) add a statute of limitations for civil actions brought under the statute, and (9) create a state cybersecurity task force. The descriptions below provide a high-level overview of each state’s data breach notification statute amendments; the bill number, passage date, and effective date of each amendment are listed under the corresponding state.

Arkansas amended its data breach notification statute (Ark. Code Ann. § 4-110-101, et seq. (West 2019)) to broaden the definition of “personal information” to include “biometric data[;]” and require notification to the State Attorney General, if 1,000 or more individuals are affected, at the same time as notice to the affected individuals or 45 days after the business “determines that there is a reasonable likelihood of harm to customers, whichever occurs first[.]”

Bill: H.B. 1943
Passed: April 15, 2019
Effective: July 23, 2019

Connecticut amended its data breach notification statute (Conn. Gen. Stat. § 36a-701b (West 2019)) to add the “Insurance Data Security Law,” which regulates those licensed under Connecticut insurance laws.

Bill: H.B. 7424
Passed: June 26, 2019
Effective: October 1, 2019

Florida amended its data breach notification statute (Fla. Stat. § 501.171 (West 2019)) to transfer “powers, duties, functions, records, offices, personnel, pending issues [and] contracts, administrative authority, administrative rules, [and] funds from” the Florida Agency for State Technology (“AST”) to the Florida Department of Management Services (“DMS”); establish the Division of State Technology within DMS; specify reporting requirements for the executive branch agencies and judicial branch through a statewide travel management system; require each state agency to adopt formal procedures for cloud-computing options; and create a Florida Cybersecurity Task Force “to review and conduct an assessment of the state’s cybersecurity infrastructure, governance, and operations.”

Bill: H.B. 5301
Passed: June 24, 2019
Effective: July 1, 2019

Maryland amended its data breach notification statute (Md. Code Ann., Com. Law. § 14-3501, et seq. (West 2019)) to add the “Insurance – Breach of Security of a Computer System – Notification Requirement,” which requires “certain carriers […] to notify the Maryland Insurance Commissioner […] that a certain breach of the security of a system has occurred;” and requires “a carrier to provide the notice” within 45 days (S.B. 30).  Further, Maryland amended its statute to add that when the breached business is not the “owner or licensee of the computerized data, the business may not charge the owner or licensee of the computerized data a fee for providing information that the owner or licensee needs to make a notification under” the statute, and the “owner or licensee of the computerized data may” only use the information relative to the breach to (1) provide notification of the breach, (2) protect or secure personal information, or (3) provide notification to national information security organizations created for information-sharing and analysis of security threats to avert additional breaches (S.B. 1154).

Bill: S.B. 30
Passed: April 18, 2019
Effective: October 1, 2019

Bill: H.B. 1154
Passed: April 30, 2019
Effective: October 1, 2019

Massachusetts amended its data breach notification statute (Mass. Gen. Laws Ann. ch. 93H, § 1, et seq. (West 2019)) to add requirements to a breach notification letter to affected consumers, the State Attorney General, and the office of consumer affairs and business regulation. The requirements include whether the organization implemented a written information security program.

Bill: H.B. 4806
Passed: January 10, 2019
Effective: April 10, 2019

Michigan amended its data breach notification statute (Mich. Comp. Laws § 445.61, et seq. (West 2019)) to exempt entities regulated by the Insurance Code (Mich. Comp. Laws §§ 500.100-8302 (West, 2019)), and added a chapter to the Insurance Code (Mich. Comp. Laws § 500.559, et seq. (West 2019)) to regulate individuals or companies licensed by the Michigan Department of Insurance and Financial Services with respect to data breaches separate and apart from other industry sectors.

Bill: H.B. 6491
Passed: December 28, 2018
Effective: January 20, 2021

Bill: H.B. 6406
Passed: December 28, 2018
Effective: January 20, 2020

Mississippi amended its data breach notification laws (Miss. Code § 75-24-29 (West 2019)) to add the “Insurance Data Security Law,” which regulates those licensed under Mississippi insurance laws.

Bill: S.B. 2831
Passed: April 3, 2019
Effective: July 1, 2019

New Jersey amended its data breach notification statute (N.J. Rev. Stat. § 56:8-161, et seq. (West 2019)) to broaden the definition of “personal information” to include “user name, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account.” The business that was breached may provide notification “in electronic or other form that directs the customer […] to promptly change any password […] to protect the online account with the business,” but the “business […] that furnishes an email account shall not provide notification to the email account that is subject to a security breach.”

Bill: S.B. 52
Passed: May 10, 2019
Effective: September 1, 2019

Oregon amended its data breach notification statute (Or. Rev. Stat. § 646A.600, et seq. (West 2019)) to broaden the definition of “personal information” (e.g., a “user name or other means of identifying a consumer for the purpose of permitting access to the consumer’s account, together with any other method necessary to authenticate the user name or means of identification”); define “covered entity” (“a person that owns, licenses, maintains, stores, manages, collects, processes, acquires or otherwise possesses personal information in the course of the person’s business, vocation, occupation or volunteer activities”) and “vendor” (“a person with which a covered entity contracts to maintain, store, manage, process or otherwise access personal information for the purpose of, or in connection with, providing services to or on behalf of the covered entity”); exempt entities regulated under HIPAA; and require a breached “vendor” to notify the State Attorney General when more than 250 consumers are affected.

Bill: S.B. 684
Passed: May 24, 2019
Effective: January 1, 2020

Texas amended its data breach notification statute (Tex. Bus. & Com. Code § 521.001, et seq. (West 2019)) to impose, on state agencies, a breach notification timeframe of 10 days “after the date of the eradication, closure, and recovery from a breach, suspected breach, or unauthorized exposure;” and create a cybersecurity coordination program for utilities (H.B. 64).  Further, Texas amended its statute to add a breach notification requirement to the State Attorney General where more than 250 residents are affected and to impose a 60-day reporting period to affected residents and the State Attorney General following determination of a breach; and provide requirements for the contents of a breach notification letter, including any measures intended to be taken regarding the breach after notification (H.B. 4390).

Bill: H.B. 4390
Passed: June 14, 2019
Effective: January 1, 2020

Bill: H.B. 64
Passed: April 15, 2019
Effective: September 1, 2019

Utah amended its data breach notification statute (Utah Code § 13-44-101, et seq. (West 2019)) to add the definition of “financial institution;” exempt financial institutions and their affiliates; add a statute of limitations of 5 years for a civil action under the statute; and amend the State Attorney General litigation fund from $2 million to $4 million, which now includes “citizen education and outreach[.]”

Bill: S.B. 193
Passed: March 26, 2019
Effective: May 14, 2019

Virginia amended its data breach notification statute (Va. Code § 18.2-186.6 (West 2019)) to broaden the definition of “personal information” to include “[p]assport number” and “[m]ilitary identification number,” and require notification of a breach of such information in combination with the resident’s “first name or first initial and last name” to the State Attorney General and any affected residents “without unreasonable delay[.]”

Bill: H.B. 2396
Passed: March 18, 2019
Effective: July 1, 2019

Washington amended its data breach notification statute (Wash. Rev. Code Ann. § 19.255.010, et seq. (West 2019)) to broaden the definition of “personal information” (e.g., “full date of birth,” “Student, military, or passport identification number,” etc.) and shorten the deadline for notifying affected individuals and the State Attorney General from 45 to 30 days after discovery of a data breach.

Bill: S.H.B. 1071
Passed: May 7, 2019
Effective: March 1, 2020

***

In light of these amendments, organizations should revisit their incident response plans to ensure compliance with the new data breach notification requirements.

© Polsinelli PC, Polsinelli LLP in California

About this Author

Jane P. Dennis, Associate, Polsinelli

Jane P. Dennis is an associate attorney in the Technology Transactions and Data Privacy practice group.  Jane regularly advises clients of all sizes and industries through privacy and data security matters and assists clients with domestic and international privacy and cybersecurity compliance.  Further, Jane advises clients on best practices to prepare for and prevent cybersecurity incidents.  Jane is committed to understanding each client’s business model, practices, and objectives to help protect their investment in a range of technologies.  Jane is a Certified Information Privacy...

312-463-6252