Over the past several months, many states, including Illinois, New York, Texas, and Washington, have passed significant amendments to their state data breach notification laws.  Currently, most state data breach notification laws only require notification of residents (and possibly state regulators or others) following a “breach” of personally identifiable information (“PII”), which is often defined as a resident’s name along with a Social Security number, driver’s license or state identification card number, or a financial account, debit, or credit card number with any required security code, access code, or password to access a financial account.  Among other changes, these amendments have expanded the categories of PII that may trigger notification obligations if breached, imposed new requirements to notify regulators (in addition to affected individuals) in the event of a breach, and implemented specific timing requirements for how soon after a breach individuals and regulators must be notified.  These changes are summarized in additional detail below.

Arkansas: Following the passage of H.B. 1943, the definition of PII under Arkansas’ data breach notification law has expanded to include certain biometric data of Arkansas residents when disclosed along with a resident’s name.  As a result of this change, entities might now be required to provide notice in the event of a breach of this information.  Entities will also now be required to notify the state Attorney General following certain breaches.  Such notifications will need to occur within 45 days, but will only be required if a breach affects more than 1,000 individuals.

Illinois: Once recently-passed S.B. 1624 enters into force on January 1, 2020, entities will be required to notify the Illinois Attorney General if the entity provides notice of a breach to more than 500 Illinois residents.  This change will significantly expand regulatory notification obligations under the law, as the current version of the Illinois data breach notification law only requires notification to the Illinois Attorney General in limited circumstances for certain entities subject to and compliant with HIPAA.

Maine: Effective September 19, 2019, L.D. 696 will amend Maine’s data breach notification law to require notification to affected residents within 30 days after an entity becomes aware of a breach of PII.  The current version of the law does not include a specific time frame for such notifications, although it does state that such notifications must be made as expediently as possible and without unreasonable delay.

New Jersey: Following the passage of S.B. 52, the definition of PII under New Jersey’s data breach notification law has expanded to include a resident’s name along with credentials for accessing an online account.  Previously, the law only defined PII to include a resident’s name along with a Social Security number, driver’s license or state identification card number, or certain financial account or credit/debit card information.

New York: As described in greater detail in a separate post here, recently-passed S.B. 5775B included significant amendments to New York’s data breach notification law.  As of October 23, 2019, these amendments will expand the law’s definition of PII to also include online account credentials, as well as the following types of data when disclosed with an individual’s name: (1) certain biometric data; or (2) a financial account, credit, or debit card number without a security code, access code, or password, if it could be used to access a financial account.  In addition, while the current New York law defines a “breach” to only include unauthorized acquisition of PII, the amendments will broaden this definition to also include unauthorized access to PII, potentially expanding the types of breaches that may require notification.  While these changes may broaden the scope of the law’s applicability, the amendments will also introduce new safe harbors for entities that provide notice to affected individuals in accordance with GLBA, HIPAA, the NYS DFS cybersecurity regulations, or other federal or New York state data security rules or regulations.

Oregon: As of January 1, 2020, amendments to the state’s data breach notification law pursuant to S.B. 684 will expand the types of PII covered by the law (and therefore the types of information potentially requiring notification in the event of a breach) to also include a username or identifying information “for purpose of permitting access to the consumer’s account,” together with “any other method necessary” to authenticate.  The amendments will also impose additional obligations on “vendors” who maintain, store, access, manage, or process PII on behalf of “covered entities,” including obligations to notify the state Attorney General directly under certain circumstances.  (Under the current version of the law, an entity that maintains or possesses PII on behalf of another entity is only required to notify that entity of the breach.)

Texas: The state’s data breach notification law currently requires notification of individuals as expediently as possible and without unreasonable delay, but without a specific required time frame, and does not require notice to regulators following a breach.  Amendments to the state’s data breach notification law pursuant to H.B. 4390, which will enter into force on January 1, 2020, will require notification to affected individuals within 60 days.  Entities will also be required to notify the state Attorney General within 60 days if a breach involves more than 250 residents.  

Virginia: H.B. 2396 has expanded the definition of PII under the state’s data breach notification law to include a passport number or military identification number when disclosed with an individual’s name.  As a result of these amendments, a breach involving these categories of PII may now require notification to individuals and the Virginia Attorney General.

Washington: As described in greater detail in a separate post here, H.B. 1071 will implement significant changes to the state’s data breach notification law once it enters into force on March 1, 2020.  The bill will expand the law’s definition of PII – and, therefore, the types of information potentially requiring notice if breached – to include (1) online account credentials, as well as (2) other data elements when disclosed with an individual’s name, such as dates of birth, private keys, certain biometric data, medical or health insurance information, or student, military, or passport identification numbers.  While current law requires notice to residents (and the state Attorney General, if more than 500 residents are notified) within 45 days after a breach is discovered, the amendments will shorten this time frame to 30 days.

In addition to changes to generally-applicable state data breach notification laws, several states have also recently passed sector-specific breach notification laws.  Building on recent trends, six additional jurisdictions (Alabama, Connecticut, Delaware, Maryland, Mississippi, and New Hampshire) have recently passed breach notification laws aimed at state-licensed insurance entities which, in addition to other requirements, may require notification to certain state regulators in as little as three days.  Illinois and Nevada, meanwhile, have recently passed laws that will impose breach notification requirements on various providers of educational services, including operators of educational websites and applications.

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of cybersecurity and privacy risk—from governance and preparedness through incident response, regulatory engagement, and follow‑on litigation. A Certified Information Systems Security Professional (CISSP), he is trusted by clients across highly regulated and technology‑driven sectors to provide clear, practical guidance at moments when legal judgment, technical understanding, and business realities must be aligned.

Caleb has deep experience leading and overseeing responses to complex cybersecurity incidents, including ransomware, data theft and extortion, business email compromise, advanced persistent threats and state-sponsored threat actors, insider threats, and inadvertent data loss. He regularly helps in‑house counsel structure and manage investigations under attorney‑client privilege; coordinate with internal IT, information security, and executive stakeholders; and engage with forensic firms, crisis communications providers, insurers, and law enforcement. A central focus of his practice is advising on notification obligations and strategy, including the application of U.S. federal and state data breach notification laws and requirements along with contractual notification obligations, and helping companies make defensible, risk‑informed decisions about timing, scope, and messaging.

In addition to his work responding to cybersecurity incidents, Caleb works closely with clients’ legal, technical, and compliance teams on cybersecurity governance, regulatory compliance, and pre‑incident planning. He has extensive experience drafting and reviewing cybersecurity policies, incident response plans, and vendor contract provisions; supervising cybersecurity assessments under privilege; and advising on training and tabletop exercises designed to prepare organizations for real‑world incidents. His work frequently involves translating evolving regulatory expectations into actionable guidance for in‑house counsel, including in highly-regulated sectors such as the financial sector (including compliance with NYDFS cybersecurity regulations, the Computer Security Incident Notification Rule, and GLBA guidelines and guidance) and the pharmaceutical and healthcare sector (including compliance with GxP standards, FDA medical device guidance, and HIPAA).

Caleb’s practice also addresses evolving and emerging areas of cybersecurity and data security law, including advising clients on compliance with the Department of Justice’s Data Security Program, CISA‑related security requirements for restricted transactions, and preparation for new regulatory regimes such as the CCPA cybersecurity audit requirements and federal incident reporting obligations. He regularly counsels clients on how artificial intelligence and connected devices intersect with cybersecurity, privacy, and consumer protection risk, and how to support innovation while managing regulatory exposure.

Caleb also has extensive experience helping clients navigate high-stakes cybersecurity-related inquiries from the Federal Trade Commission, state Attorneys General, and other sector-specific regulators, including incident-specific inquiries as well as broader inquiries related to an entity’s cybersecurity practices and the security of product or service offerings. For companies that have entered into cybersecurity-related settlement agreements with regulators, Caleb has helped guide them through compliance with settlement agreement obligations, including navigating required third-party assessments and strategically responding to cybersecurity incidents that can arise while a company is subject to a settlement agreement. Caleb also routinely works hand-in-hand with colleagues in Covington’s class action litigation, commercial litigation, and insurance recovery practices to prepare for and successfully navigate incident-related disputes that can devolve into litigation.