Last week, New Mexico and Tennessee both passed legislation updating each state’s requirements for notifying residents following a data breach.  New Mexico’s new law, H.B. 15, makes it the 48th U.S. state to enact a state data breach notification law, leaving Alabama and South Dakota as the only states that have not enacted similar laws.  Tennessee’s bill, S.B. 547, amended its Identity Theft Deterrence Act of 1999 to exempt certain encrypted data from triggering notification requirements.

New Mexico’s breach notification law is similar to that of other states, with a few notable differences. Like a handful of states, the statute’s definition of Personal Identifying Information (PII) includes biometric data as well as more commonly used categories such as Social Security numbers, driver’s license numbers, and bank account or payment card information. If the breach gives “rise to a significant risk of identity theft or fraud,” the law imposes a 45-day deadline to provide notification to affected consumers. In addition, if a single breach affects more than 1,000 New Mexico residents, the state attorney general and major consumer reporting agencies (CRAs) must also be notified within 45 days. Further, the statute specifies the content required when notifying a New Mexico resident of a breach. In addition to details about the PII believed to have been compromised and a description of the incident, affected residents are entitled to information about their rights under the Fair Credit Reporting Act, a federal statute designed to protect the privacy of consumer report information and the accuracy of data supplied to CRAs.

Tennessee’s new legislation follows last year’s amendment to its existing statute, which imposed a 45-day notification deadline for breaches of both encrypted and unencrypted data.  At the time, Tennessee became the only state with a data breach notification law that did not include an encrypted data exemption.  The amendment signed into law last week restores the exemption, with the added requirement that the applied encryption must comply with the National Institute of Standards and Technology’s (NIST) Federal Information Processing Standard (FIPS) 140-2 in order to qualify for the exemption.

Caleb Skeath

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and investigation of an incident under the attorney-client privilege, supervising response or investigation activities and interfacing with IT or information security personnel, and advising on engagement with internal stakeholders, vendors, and other third parties to maximize privilege protections, including the negotiation of appropriate contractual terms. Caleb has also advised numerous clients on assessing post-incident notification obligations under applicable state and federal law, developing communications strategies for internal and external stakeholders, and assessing and protecting against potential litigation or regulatory risk following an incident. In addition, he has advised several clients on responding to post-incident regulatory inquiries, including inquiries from the Federal Trade Commission and state Attorneys General.

In addition to advising clients following cybersecurity incidents, Caleb also assists clients with pre-incident cybersecurity compliance and preparation activities. He reviews and drafts cybersecurity policies and procedures on behalf of clients, including drafting incident response plans and advising on training and tabletop exercises for such plans. Caleb also routinely advises clients on compliance with cybersecurity guidance and best practices, including “reasonable” security practices.

Caleb also maintains an active privacy practice, focusing on advising technology, education, financial, and other clients on compliance with generally applicable and sector-specific federal and state privacy laws, including FERPA, FCRA, GLBA, TCPA, and COPPA. He has assisted clients in drafting and reviewing privacy policies and terms of service, designing products and services to comply with applicable privacy laws while maximizing utility and user experience, and drafting and reviewing contracts or other agreements for potential privacy issues.