January 22, 2018


January 19, 2018


States Take Action! New Mexico, Tennessee and Virginia Pass New Data Breach Legislation

After a quiet winter there has been significant activity in state legislatures to enact, strengthen or clarify their data breach notification statutes. The latest happenings are summarized below.

New Mexico

Last week we alerted you that, at long last, data breach legislation was sitting on the desk of New Mexico’s governor. On April 6th, Governor Susana Martinez signed the Data Breach Notification Act, which passed unanimously in the state’s House and Senate, and with the stroke of her pen she finally ended New Mexico’s unenviable status as one of only three states without a data breach notification law on the books.  We are keeping an eye on the last two outliers – Alabama and South Dakota – and will keep you up to date if we see any meaningful legislative activity in these states.

Click here for the final text of the statute.  The law will go into effect on June 6, 2017.


Tennessee

The Tennessee legislature has been tinkering with the state’s data breach notification statute since last year and earlier this month passed an amendment to clarify some confusion arising out of its 2016 amendment. This latest amendment clearly states that businesses experiencing a breach of encrypted computerized data do not need to notify affected residents unless the key necessary to defeat the encryption is also compromised as part of the breach. Click here for the full text of the amended statute. The amendment became effective on April 4, 2017.


Virginia

In Virginia, legislators are clearly well aware of the rampant W-2 phishing e-mails that have plagued businesses in recent years and cost many states millions of dollars as a result of payments made and investigations conducted on fraudulent tax returns. To combat this wildly successful scam, Virginia has amended its data breach notification statute to ensure that its Attorney General and Department of Taxation are aware when employers and payroll service providers experience a breach involving taxpayer identification numbers and withholding information. Click here for the full text of the amendment (see italicized language in § 18.2-186.6(M)). The amendment will become effective on July 1, 2017.

The amended portion of the statute applies to employers or payroll service providers who experience a security breach (i.e., unauthorized access and acquisition of personal information) involving unencrypted and unredacted computerized data containing a taxpayer identification number in combination with income tax withholding information for that taxpayer. Following such a breach, and a determination that it is reasonably likely to cause identity theft or fraud, the employer or payroll service provider must notify the Attorney General and provide its name and federal employer identification number. The Attorney General will then notify Virginia’s Department of Taxation.

It is important to note that this amendment supplements the existing statute and applies only to employers and payroll service providers.

©1994-2018 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.


About this Author

Michael B. Katz, Mintz Levin

Michael focuses on corporate law matters.

During law school, Michael was a Summer Associate at the firm. He also interned with the Honorable Raymond J. Brassard in the Superior Court of Massachusetts. Michael was a member of the Pro Bono Board and president of the Health Law Society.

Before attending law school, Michael was a legal specialist with Bain & Company, where he worked directly with its in-house legal team on implementing policies and best practices for confidentiality, data collection, employee stock...

Cynthia Larose, Mintz Levin

Cynthia is Chair of the firm’s Privacy & Security Practice and a Certified Information Privacy Professional (CIPP).  She represents companies in information, communications, and technology, including e-commerce and other electronic transactions. She counsels clients through all stages of the “corporate lifecycle,” from start-ups through mid- and later-stage financings to IPO, and has broad experience in technology and business law, including online contracting issues, licensing, domain name issues, software development, and complex outsourcing transactions.

Cynthia has extensive experience in privacy, data security, and information management matters, including state, federal, and international laws and regulations on the use and transfer of information, behavioral advertising, data security breach compliance and incident response, data breach incident response planning, as well as data transfers in the context of mergers and acquisitions and technology transactions.

She conducts privacy audits and risk assessments to determine data and transaction flow and to assess privacy practices, and assists with drafting and implementation of privacy policies and information security policies and procedures and monitoring of privacy “best practices” across all levels of the enterprise.

She is a frequent speaker on privacy issues at conferences and media appearances and presents privacy awareness and compliance training seminars to client companies.