Summer Round-Up: Four States Bolster Data Breach Notification Laws and More Changes on the Way
As has become typical in the data security space, there was quite a bit of activity in state legislatures over the previous year concerning data breach notification statutes. Lawmakers are keenly aware of the high profile data breaches making headlines and the increasing concerns of constituents around identity theft and pervasive cybercrime. In response, states are beefing up their data security statutes in order to provide greater protection for a broader range of data, to require notification to Attorneys General, and to speed up the timeline companies have to advise residents when their personal information has been compromised, to name a few steps.
According to a recent summary published by the National Conference of State Legislatures, more than 25 states in 2016 have introduced or are currently considering security breach notification bills or resolutions. While much legislation remains pending in statehouses across the country, statutory amendments passed in four states took effect over this past summer alone. Here is a brief summary of significant amendments to data breach notification rules in Nebraska, Nevada, Rhode Island and Tennessee.
Definition of Personal Information
Nevada now includes in its definition of “personal information” a medical identification number, a health insurance identification number, and a user name, unique identifier or electronic mail address in combination with a password, access code or security question and answer that permits access to an online account.
Similarly, Rhode Island now counts as “personal information” any medical information, health insurance information, and an email address in combination with any required security code, access code or password that allows access to an individual’s personal, medical, insurance or financial account.
Nebraska did not go quite as far but now considers a user name or email address in combination with a password or security question and answer that permits access to an online account to be “personal information”.
Speaking of definitions, Tennessee broadened its definition of “unauthorized persons” to include an employee of a covered entity who is discovered to have obtained personal information and intentionally used it for an unlawful purpose. Tennessee also removed the word “unencrypted” from its definition of “Breach of the security system” in order to ensure that partial encryption of compromised personal information does not evade the statute.
Encryption Safe Harbor
Nebraska and Rhode Island both decided that data should not be considered “encrypted” if the confidential process or key permitting access to otherwise encrypted data is also acquired in connection with a security breach.
Attorney General Notification
Nebraska and Rhode Island both imposed new obligations around notification to Attorneys General in the event of a security breach. In Nebraska, a covered entity must now notify the state’s Attorney General of a security breach not later than the time when notice is provided to affected residents. In Rhode Island, any covered entity notifying more than five hundred (500) residents of a security breach now must also notify the state’s Attorney General.
Notice to Affected Residents
Both Rhode Island and Tennessee put covered entities on the clock and now require notification to affected residents within forty-five (45) days of discovery of a security breach unless a delay is necessary for law enforcement purposes. Rhode Island also imposed new requirements for the specific contents of notice to affected residents.
These summaries are not exhaustive. Be sure to read our previous blog post about new rules taking effect in Illinois on January 1, 2017 when the state’s Personal Information Protection Act will go into force.