Recent years have seen significant amounts of legislative activity related to state data breach notification laws, and 2018 was no exception.  Not only did South Dakota and Alabama enact new data breach notification laws in 2018, becoming the last of 50 U.S. states to enact such laws, but other states also enacted changes to existing data breach notification laws during 2018 to expand their scope and implement additional notification requirements.  Following up on our global year-end review of major privacy and cybersecurity developments, we’ve summarized the major developments and trends observed with regards to state data breach notification laws over the past year.

  • Data Breach Notification Laws in All 50 States.  With the enactment of new data breach notification laws in South Dakota and Alabama, all fifty states and the District of Columbia have implemented data breach notification laws.  The new laws in South Dakota and Alabama, which went into effect in mid-2018, included many features commonly seen in recent amendments to other states’ existing data breach notification laws, such as expanded PII definitions, explicit notification deadlines, and state regulator notification requirements.
  • Explicit Notification Deadlines.  While most states require entities to provide breach notifications in the most expedient time possible and without unreasonable delay following the discovery of a breach, certain states’ breach notification laws include explicit deadlines for providing such notifications.  During 2018, several states joined a growing trend by revising their data breach notification laws to include explicit deadlines for notifying affected individuals.  Notably, Colorado enacted a 30-day deadline from the discovery of the breach for notifying affected individuals, which matches Florida’s 30-day deadline for the shortest notification deadline in the U.S.  Alabama, Arizona, and Oregon all passed legislation in 2018 requiring notification of affected individuals within 45 days of discovery of a breach, while Louisiana and South Dakota passed legislation requiring notification of affected individuals within 60 days of discovery.
  • Regulator Notification Requirements.  Several states passed legislation in 2018 to require notification of a breach to the state Attorney General or other state regulators.  However, most of these states will only require such notifications if a certain number of state residents have been affected by the breach.  For instance, while Colorado will now require notification to the state Attorney General within 30 days, such notification will only be required if more than 500 residents are notified of the breach.  Similarly, while Arizona passed legislation to require notification of the state Attorney General within 45 days, this requirement only applies if more than 1,000 state residents are notified of the breach.
  • Expanded PII Definitions.  Several states also passed legislation expanding the types of PII covered under data breach notification laws.  For instance, several states expanded their breach notification laws’ PII definitions to include an individual’s name in combination with biometric data, medical or health information, student or military ID numbers, online account credentials, or passport numbers.
  • Credit Monitoring Requirements.  As part of a small but growing trend, several states also implemented, or enhanced, requirements to provide free credit monitoring or identity theft protection services following certain breaches.  In the spring of 2018, amendments to Delaware’s data breach notification law entered into force that required entities to offer individuals whose Social Security numbers have been breached one year of free credit monitoring services.  In mid-2018, Connecticut passed an amendment to its data breach notification law to require entities to offer two years of free identity theft prevention and, if appropriate, identity theft mitigation services to individuals whose Social Security numbers have been breached.  Although Connecticut and Delaware, along with California, are the only states whose laws require the provision of credit monitoring or identity theft protection services after certain breaches, it will bear watching to see if other states implement similar requirements in 2019.
  • Sector-Specific Notification Requirements.  While each U.S. state now has a generally applicable data breach notification law, several states have also begun to implement additional sector-specific data breach notification requirements.  Following the implementation of the New York Department of Financial Services’ cybersecurity regulation in 2017, which included a 72-hour deadline for regulator notifications, South Carolina, Vermont, and Virginia also passed sector-specific data breach notification requirements in 2018.  South Carolina’s law, similar to the NYDFS regulations, will require regulator notifications within 72 hours for certain licensed insurers.  Vermont, meanwhile, passed a law implementing additional information security requirements for “data brokers” that will require such entities to disclose security breaches to state regulators as part of an annual required registration process.  Finally, Virginia also passed new legislation during 2018 that will require income tax preparers to notify regulators of a breach of tax “return information.”
  • Private Rights of Action and Safe Harbors.  Part of the California Consumer Privacy Act, passed by the California legislature earlier this year, will create a private right of action for certain data breach-related harms.  As subsequently amended by the legislature, the CCPA will provide a private right of action following a breach of an individual’s PII caused by an entity’s failure to implement and maintain reasonable security measures.  However, the individual must provide the entity with written notice of the alleged violations of the CCPA, and there is no private right of action if the entity cures the alleged violations within thirty days after receiving notice and provides the consumer an express written statement that the violations have been cured.  In addition, the Ohio legislature passed a bill earlier this year that provides entities with a safe harbor from certain types of tort-based liability related to data breaches if the entity implements a cybersecurity program that satisfies certain requirements set forth in the bill.

 

Tags: breach notification, California, Cybersecurity, Data Breach, Data Security, Legislation
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Caleb Skeath Caleb Skeath

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of…

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of cybersecurity and privacy risk—from governance and preparedness through incident response, regulatory engagement, and follow‑on litigation. A Certified Information Systems Security Professional (CISSP), he is trusted by clients across highly regulated and technology‑driven sectors to provide clear, practical guidance at moments when legal judgment, technical understanding, and business realities must be aligned.

Caleb has deep experience leading and overseeing responses to complex cybersecurity incidents, including ransomware, data theft and extortion, business email compromise, advanced persistent threats and state-sponsored threat actors, insider threats, and inadvertent data loss. He regularly helps in‑house counsel structure and manage investigations under attorney‑client privilege; coordinate with internal IT, information security, and executive stakeholders; and engage with forensic firms, crisis communications providers, insurers, and law enforcement. A central focus of his practice is advising on notification obligations and strategy, including the application of U.S. federal and state data breach notification laws and requirements along with contractual notification obligations, and helping companies make defensible, risk‑informed decisions about timing, scope, and messaging.

In addition to his work responding to cybersecurity incidents, Caleb works closely with clients’ legal, technical, and compliance teams on cybersecurity governance, regulatory compliance, and pre‑incident planning. He has extensive experience drafting and reviewing cybersecurity policies, incident response plans, and vendor contract provisions; supervising cybersecurity assessments under privilege; and advising on training and tabletop exercises designed to prepare organizations for real‑world incidents. His work frequently involves translating evolving regulatory expectations into actionable guidance for in‑house counsel, including in highly-regulated sectors such as the financial sector (including compliance with NYDFS cybersecurity regulations, the Computer Security Incident Notification Rule, and GLBA guidelines and guidance) and the pharmaceutical and healthcare sector (including compliance with GxP standards, FDA medical device guidance, and HIPAA).

Caleb’s practice also addresses evolving and emerging areas of cybersecurity and data security law, including advising clients on compliance with the Department of Justice’s Data Security Program, CISA‑related security requirements for restricted transactions, and preparation for new regulatory regimes such as the CCPA cybersecurity audit requirements and federal incident reporting obligations. He regularly counsels clients on how artificial intelligence and connected devices intersect with cybersecurity, privacy, and consumer protection risk, and how to support innovation while managing regulatory exposure.

Caleb also has extensive experience helping clients navigate high-stakes cybersecurity-related inquiries from the Federal Trade Commission, state Attorneys General, and other sector-specific regulators, including incident-specific inquiries as well as broader inquiries related to an entity’s cybersecurity practices and the security of product or service offerings. For companies that have entered into cybersecurity-related settlement agreements with regulators, Caleb has helped guide them through compliance with settlement agreement obligations, including navigating required third-party assessments and strategically responding to cybersecurity incidents that can arise while a company is subject to a settlement agreement. Caleb also routinely works hand-in-hand with colleagues in Covington’s class action litigation, commercial litigation, and insurance recovery practices to prepare for and successfully navigate incident-related disputes that can devolve into litigation.

Read more about Caleb SkeathEmail
Show more Show less