January 23, 2018


Summer Round-Up: Four States Bolster Data Breach Notification Laws and More Changes on the Way

As has become typical in the data security space, there was quite a bit of activity in state legislatures over the previous year concerning data breach notification statutes. Lawmakers are keenly aware of the high-profile data breaches making headlines and of constituents' growing concerns about identity theft and pervasive cybercrime. In response, states are strengthening their data security statutes in order to protect a broader range of data, to require notification to Attorneys General, and to shorten the time companies have to advise residents when their personal information has been compromised, to name a few steps.

According to a recent summary published by the National Conference of State Legislatures, more than 25 states introduced or were considering security breach notification bills or resolutions in 2016. While much legislation remains pending in statehouses across the country, statutory amendments passed in four states took effect over this past summer alone. Here is a brief summary of significant amendments to data breach notification rules in Nebraska, Nevada, Rhode Island and Tennessee.

Definition of Personal Information

  • Nevada now includes in its definition of “personal information” a medical identification number, a health insurance identification number, and a user name, unique identifier or electronic mail address in combination with a password, access code or security question and answer that permits access to an online account.

  • Similarly, Rhode Island now counts as “personal information” any medical information, health insurance information, and an email address in combination with any required security code, access code or password that allows access to an individual’s personal, medical, insurance or financial account.

  • Nebraska did not go quite as far, but it now treats a user name or email address in combination with a password or security question and answer that permits access to an online account as "personal information."

Speaking of definitions, Tennessee broadened its definition of "unauthorized persons" to include an employee of a covered entity who is discovered to have obtained personal information and intentionally used it for an unlawful purpose. Tennessee also removed the word "unencrypted" from its definition of "breach of the security system," so that encrypting only part of the compromised personal information does not take an incident outside the statute.

Encryption Safe Harbor

  • Nebraska and Rhode Island both decided that data should not be considered "encrypted" if the confidential process or key permitting access to the otherwise encrypted data is also acquired in connection with the security breach. In practice, an incident that exposes both the ciphertext and the decryption key is treated the same as an exposure of plaintext, so the safe harbor depends on the key being stored and protected separately from the data it protects.

Attorney General Notification

  • Nebraska and Rhode Island both imposed new obligations around notification to Attorneys General in the event of a security breach. In Nebraska, a covered entity must now notify the state's Attorney General of a security breach no later than the time notice is provided to affected residents. In Rhode Island, any covered entity notifying more than five hundred (500) residents of a security breach must now also notify the state's Attorney General.

Notice to Affected Residents

  • Both Rhode Island and Tennessee put covered entities on the clock and now require notification to affected residents within forty-five (45) days of discovery of a security breach, unless a delay is necessary for law enforcement purposes. Rhode Island also imposed new requirements for the specific contents of the notice to affected residents.

These summaries are not exhaustive. Be sure to read our previous blog post about the new rules taking effect in Illinois on January 1, 2017, when the amendments to the state's Personal Information Protection Act go into force.

©1994-2018 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.


About this Author

Michael B. Katz, Mintz Levin

Michael focuses on corporate law matters.

During law school, Michael was a Summer Associate at the firm. He also interned with the Honorable Raymond J. Brassard in the Superior Court of Massachusetts. Michael was a member of the Pro Bono Board and president of the Health Law Society.

Before attending law school, Michael was a legal specialist with Bain & Company, where he worked directly with its in-house legal team on implementing policies and best practices for confidentiality, data collection, employee stock...

Cynthia Larose, Mintz Levin

Cynthia is Chair of the firm's Privacy & Security Practice and a Certified Information Privacy Professional (CIPP). She represents companies in information, communications, and technology, including e-commerce and other electronic transactions. She counsels clients through all stages of the "corporate lifecycle," from start-ups through mid- and later-stage financings to IPO, and has broad experience in technology and business law, including online contracting issues, licensing, domain name issues, software development, and complex outsourcing transactions.

Cynthia has extensive experience in privacy, data security, and information management matters, including state, federal, and international laws and regulations on the use and transfer of information, behavioral advertising, data security breach compliance and incident response, data breach incident response planning, as well as data transfers in the context of mergers and acquisitions and technology transactions.

She conducts privacy audits and risk assessments to determine data and transaction flow and to assess privacy practices, and assists with drafting and implementation of privacy policies and information security policies and procedures and monitoring of privacy “best practices” across all levels of the enterprise.

She is a frequent speaker on privacy issues at conferences and in media appearances, and presents privacy awareness and compliance training seminars to client companies.