States’ Data Breach Notification Statute Amendments in Quarters 3-4 of 2019
From late June 2019 through mid-October 2019, a handful of states amended their data breach notification statutes. Specifically, six states amended their statutes to (1) require notice to the State Attorney General, (2) broaden existing definitions (e.g., expand the definition of “personal information”), (3) add data security requirements, (4) regulate the insurance industry (through implementation of the National Association of Insurance Commissioners’ 2017 Insurance Data Security Model Law), (5) require stricter notification timeframes, (6) allow the Attorney General to publish data breach information, and (7) add a specific risk of harm analysis. The descriptions below provide a high-level overview of each state’s data breach notification statute amendments, which are further summarized in the chart below.
California amended its data breach notification statute (Cal. Civ. Code § 1798.82) to expand the definition of “personal information” to include biometric data and specific forms of identification.
Bill: A.B. 1130
Passed: October 11, 2019
Effective: January 1, 2020
Delaware added a chapter to its Insurance Code (Del. Code tit. 18, §§ 8601-11), “Insurance Data Security Act,” (the “Act”), to regulate those licensed under Delaware insurance laws. The Act states that a licensee has one year from July 31, 2019, to implement an information security program and two years from July 31, 2019, to implement oversight of third-party service provider arrangements.* The Act includes certain exceptions, including that a licensee with fewer than 15 employees is exempt from implementing an information security program. Notably, after the licensee determines that a cybersecurity event has occurred and certain criteria have been met, the licensee has 3 days to notify the Commissioner and 60 days to notify the impacted consumers.
Bill: H.B. 174
Passed: July 31, 2019
Effective: July 31, 2019*
Illinois amended its data breach notification statute (815 Ill. Comp. Stat. 530/1, et seq.) to require notification to the State Attorney General, if more than 500 individuals are affected, “in the most expedient time possible and without unreasonable delay[,] but in no event later than when the data collector provides notice to consumers[.]” The amendment specifies what information must be included in the notice. This section does not apply to covered entities or business associates in compliance with Section 50 of the Personal Information Protection Act (815 Ill. Comp. Stat. 530/50). Additionally, the amendment provides that the Attorney General “may publish the name of the data collector that suffered the breach, the types of personal information compromised in the breach, and the date range of the breach.”
Bill: S.B. 1624
Passed: August 9, 2019
Effective: January 1, 2020
Maine amended its data breach notification statute (Me. Rev. Stat. tit. 10, § 1346, et seq.) to specifically add “municipalities” and “school administrative units” to the definition of a “person” required to provide notice of breaches in personal data security. Additionally, the statute now includes a notification timeframe of 30 days if there is no delay due to a law enforcement investigation.
Bill: L.D. 696
Passed: June 28, 2019
Effective: September 18, 2019
New Hampshire added a chapter to its Insurance Code (N.H. Rev. Stat. Ann. § 420-P:1, et seq.), “Insurance Data Security Law,” to regulate those licensed under New Hampshire insurance laws. The law states that a licensee has one year from January 1, 2020, to implement an information security program and two years from January 1, 2020, to implement oversight of third-party service provider arrangements.* The law includes certain exceptions, including that a licensee with fewer than 20 employees is exempt from implementing an information security program. Notably, after the licensee determines that a cybersecurity event has occurred and certain criteria have been met, the licensee has 3 business days to notify the Commissioner.
Bill: S.B. 194
Passed: August 2, 2019
Effective: January 1, 2020*
New York amended its data breach notification statutes (N.Y. Gen. Bus. Law § 899-aa (applicable to non-governmental entities) and N.Y. State Tech. § 208 (applicable to governmental entities)) to broaden the definition of “personal information” to include an account number alone if it can be used to access an individual’s financial account without additional information, biometric information, and a user name or e-mail address in combination with a password. The amendments further expand the definition of “breach of the security of the system” to cover unauthorized “access to” private information. The amendments omit the prior statement that a business must “conduct business in New York” to be subject to the statutes. Additionally, the amendments require covered entities that are obligated to notify the U.S. Department of Health and Human Services Office for Civil Rights (OCR) of a data breach to provide such notification to the Attorney General within five days of notifying the OCR. Moreover, the amendments expand the type of information to be contained in a notice to impacted individuals and provide for a specific risk of harm analysis with respect to the inadvertent disclosure of private information.
Further, New York added data security protections (N.Y. Gen. Bus. Law § 899-bb) that require businesses that own or license New York residents’ private information in computerized form to “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data.” For additional information regarding the specific required “reasonable safeguards,” see our earlier blog post, New York Amends Data Breach Notification Law and Enacts Data Security Protections.
Bill: S. 5575-B
Passed: July 25, 2019
Effective: October 23, 2019 (N.Y. Gen. Bus. Law § 899-aa & N.Y. State Tech. § 208)
March 21, 2020 (N.Y. Gen. Bus. Law § 899-bb)
In light of these amendments, organizations should revisit their incident response plans to ensure compliance with the new data breach notification requirements. Further to the above amendments, recall that amendments from Quarters 1-2 of 2019 in Michigan (impacting entities regulated by the Insurance Code) and Washington (broadening the definition of personal information and changing the timing of notification to both affected individuals and the Attorney General from 45 to 30 days) will soon take effect. Additionally, keep in mind certain pending legislation in Iowa (S.F. 204), Maryland (H.B. 1127 and S.B. 786), Michigan (S.B. 653), Missouri (H.B. 1499), New Hampshire (H.B. 1482), New Jersey (A.B. 3245 and S.B. 2042), New York (A.B. 1387, 2540, 2868, 3001, 5635, and 7897, and S.B. 133, 5146, 5575, 5721, and 6701), North Carolina (H.B. 904), Oklahoma (S.B. 288), Pennsylvania (H.B. 245, 662, and 1181, and S.B. 308 and 487), Virginia (H.B. 1334), and Washington (S.B. 5064).