This spring has seen significant legislative activity with regards to state data breach notification laws, ranging from new laws in Alabama and South Dakota to amendments to existing laws in Oregon, Arizona, and elsewhere.  Continuing this trend, three states recently passed legislation to amend their existing data breach notification laws.  Legislation recently passed in Colorado will require notification of affected individuals and the state Attorney General within 30 days, while recent amendments to Louisiana’s data breach notification law will expand the scope of personally identifiable information (“PII”) covered by the law.  In addition, Vermont recently passed legislation that will create specific data breach notification requirements for “data brokers.”  This post examines each state’s amendments in greater detail below.

Colorado

Through the passage of H.B. 1128, which takes effect on September 1, 2018, Colorado has broadened the definition of PII under its existing data breach notification law, in addition to requiring notification of the state Attorney General and imposing strict notification timelines.  Once the new provisions enter into force, covered entities will be required to notify affected individuals within 30 days of the determination that a breach has occurred.  Colorado joins Florida as the only states that have imposed a 30-day notification deadline for notice to individuals, although Colorado’s law, unlike Florida’s, will not include a provision that allows for an extension of this deadline under certain limited conditions.  In addition, Colorado’s amendments will require notification of the state Attorney General if a covered entity believes that more than 500 state residents have been affected by a breach.  As with individual notifications, the notification to the state Attorney General must be provided within 30 days  after the date of determination of a breach.

Colorado’s amendments also broaden the law’s definition of PII to include an individual’s name in combination with a student, military, or passport number, medical information, a health insurance identification number, or biometric data.  In addition, the definition of PII will also now include credentials for an online account, as well as payment card or financial account information, even if not in combination with an individual’s name.

Finally, the amendments will also impose new requirements for the content of notifications to affected individuals.  Once the amendments enter into force, these notices must include the date of the breach, a description of the PII that was acquired, contact information for the covered entity, and numbers, addresses, and websites for CRAs and the FTC, along with a statement that the recipient can obtain information from the FTC and CRAs about fraud alerts and security freezes.  If online account credentials are affected, the notice must direct the affected individual to promptly change his or her password and security question or answer or take other steps to protect any accounts using similar credentials.

Louisiana

Louisiana has also updated its data breach notification law with the recent passage of S.B. 361, which takes effect on August 1, 2018.  Once the bill’s new provisions enter into force, covered entities will be required to notify affected individuals of a data breach no later than 60 days from the discovery of the breach.  If the notice is delayed for purposes of a law enforcement investigation or to determine the scope of the breach, prevent further disclosure, or restore data system integrity, the bill states that a covered entity must notify the state Attorney General in writing within the 60-day notification period of the reasons for the delay, and the state Attorney General “shall allow a reasonable extension of time” following the receipt of the written reasons for the delay.  The amendments also broaden the law’s definition of PII to include an individual’s name along with a passport number or biometric data.

Vermont

Vermont has also enacted H.B. 764, which takes effect on January 1, 2019, to impose new data breach notification requirements on “data brokers,” defined as a business or business unit that “knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.”  The bill does not significantly modify Vermont’s generally applicable data breach notification statute, but will impose the additional measure of requiring data brokers to report any “data broker security breaches” to the Vermont Secretary of State as part of an annual registration process.  Notably, a “data broker security breach” is defined the unauthorized acquisition of “brokered personal information,” a broad category that includes an individual’s name, address, date or place of birth, mother’s maiden name, biometric data, household members’ names or addresses, Social Security number or other government-issued identification number, or other information that “would allow a reasonable person to identify the consumer with reasonable certainty.”

Tags: breach notification, Colorado, Data Breaches, Louisiana, Vermont
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Caleb Skeath Caleb Skeath

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of…

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of cybersecurity and privacy risk—from governance and preparedness through incident response, regulatory engagement, and follow‑on litigation. A Certified Information Systems Security Professional (CISSP), he is trusted by clients across highly regulated and technology‑driven sectors to provide clear, practical guidance at moments when legal judgment, technical understanding, and business realities must be aligned.

Caleb has deep experience leading and overseeing responses to complex cybersecurity incidents, including ransomware, data theft and extortion, business email compromise, advanced persistent threats and state-sponsored threat actors, insider threats, and inadvertent data loss. He regularly helps in‑house counsel structure and manage investigations under attorney‑client privilege; coordinate with internal IT, information security, and executive stakeholders; and engage with forensic firms, crisis communications providers, insurers, and law enforcement. A central focus of his practice is advising on notification obligations and strategy, including the application of U.S. federal and state data breach notification laws and requirements along with contractual notification obligations, and helping companies make defensible, risk‑informed decisions about timing, scope, and messaging.

In addition to his work responding to cybersecurity incidents, Caleb works closely with clients’ legal, technical, and compliance teams on cybersecurity governance, regulatory compliance, and pre‑incident planning. He has extensive experience drafting and reviewing cybersecurity policies, incident response plans, and vendor contract provisions; supervising cybersecurity assessments under privilege; and advising on training and tabletop exercises designed to prepare organizations for real‑world incidents. His work frequently involves translating evolving regulatory expectations into actionable guidance for in‑house counsel, including in highly-regulated sectors such as the financial sector (including compliance with NYDFS cybersecurity regulations, the Computer Security Incident Notification Rule, and GLBA guidelines and guidance) and the pharmaceutical and healthcare sector (including compliance with GxP standards, FDA medical device guidance, and HIPAA).

Caleb’s practice also addresses evolving and emerging areas of cybersecurity and data security law, including advising clients on compliance with the Department of Justice’s Data Security Program, CISA‑related security requirements for restricted transactions, and preparation for new regulatory regimes such as the CCPA cybersecurity audit requirements and federal incident reporting obligations. He regularly counsels clients on how artificial intelligence and connected devices intersect with cybersecurity, privacy, and consumer protection risk, and how to support innovation while managing regulatory exposure.

Caleb also has extensive experience helping clients navigate high-stakes cybersecurity-related inquiries from the Federal Trade Commission, state Attorneys General, and other sector-specific regulators, including incident-specific inquiries as well as broader inquiries related to an entity’s cybersecurity practices and the security of product or service offerings. For companies that have entered into cybersecurity-related settlement agreements with regulators, Caleb has helped guide them through compliance with settlement agreement obligations, including navigating required third-party assessments and strategically responding to cybersecurity incidents that can arise while a company is subject to a settlement agreement. Caleb also routinely works hand-in-hand with colleagues in Covington’s class action litigation, commercial litigation, and insurance recovery practices to prepare for and successfully navigate incident-related disputes that can devolve into litigation.

Read more about Caleb SkeathEmail
Show more Show less