Over the past several months, many states, including Illinois, New York, Texas, and Washington, have passed significant amendments to their state data breach notification laws. Currently, most state data breach notification laws only require notification of residents (and possibly state regulators or others) following a “breach” of personally identifiable information (“PII”), which is often defined as a resident’s name along with a Social Security number, driver’s license or state identification card number, or a financial account, debit, or credit card number with any required security code, access code, or password to access a financial account. Among other changes, these amendments have expanded the categories of PII that may trigger notification obligations if breached, imposed new requirements to notify regulators (in addition to affected individuals) in the event of a breach, and implemented specific timing requirements for how soon after a breach individuals and regulators must be notified. These changes are summarized in additional detail below.
Arkansas: Following the passage of H.B. 1943, the definition of PII under Arkansas’ data breach notification law has expanded to include certain biometric data of Arkansas residents when disclosed along with a resident’s name. As a result of this change, entities might now be required to provide notice in the event of a breach of this information. Entities will also now be required to notify the state Attorney General following certain breaches. Such notifications will need to occur within 45 days, but will only be required if a breach affects more than 1,000 individuals.
Illinois: Once recently passed S.B. 1624 enters into force on January 1, 2020, entities will be required to notify the Illinois Attorney General if the entity provides notice of a breach to more than 500 Illinois residents. This change will significantly expand regulatory notification obligations under the law, as the current version of the Illinois data breach notification law only requires notification to the Illinois Attorney General in limited circumstances for certain entities subject to and compliant with HIPAA.
Maine: Effective September 19, 2019, L.D. 696 will amend Maine’s data breach notification law to require notification to affected residents within 30 days after an entity becomes aware of a breach of PII. The current version of the law does not include a specific time frame for such notifications, although it does state that such notifications must be made as expediently as possible and without unreasonable delay.
New Jersey: Following the passage of S.B. 52, the definition of PII under New Jersey’s data breach notification law has expanded to include a resident’s name along with credentials for accessing an online account. Previously, the law only defined PII to include a resident’s name along with a Social Security number, driver’s license or state identification card number, or certain financial account or credit/debit card information.
New York: As described in greater detail in a separate post here, recently passed S.B. 5775B included significant amendments to New York’s data breach notification law. As of October 23, 2019, these amendments will expand the law’s definition of PII to also include online account credentials, as well as the following types of data when disclosed with an individual’s name: (1) certain biometric data; or (2) a financial account, credit, or debit card number without a security code, access code, or password, if it could be used to access a financial account. In addition, while the current New York law defines a “breach” to only include unauthorized acquisition of PII, the amendments will broaden this definition to also include unauthorized access to PII, potentially expanding the types of breaches that may require notification. While these changes may broaden the scope of the law’s applicability, the amendments will also introduce new safe harbors for entities that provide notice to affected individuals in accordance with GLBA, HIPAA, the NYS DFS cybersecurity regulations, or other federal or New York state data security rules or regulations.
Oregon: As of January 1, 2020, amendments to the state’s data breach notification law pursuant to S.B. 684 will expand the types of PII covered by the law, and therefore the types of information potentially requiring notification in the event of a breach, to also include a username or identifying information “for purpose of permitting access to the consumer’s account,” together with “any other method necessary” to authenticate. The amendments will also impose additional obligations on “vendors” who maintain, store, access, manage, or process PII on behalf of “covered entities,” including obligations to notify the state Attorney General directly under certain circumstances. (Under the current version of the law, an entity that maintains or possesses PII on behalf of another entity is only required to notify that entity of the breach.)
Texas: The state’s data breach notification law currently requires notification of individuals as expediently as possible and without unreasonable delay, but without a specific required time frame, and does not require notice to regulators following a breach. Amendments to the state’s data breach notification law pursuant to H.B. 4390, which will enter into force on January 1, 2020, will require notification to affected individuals within 60 days. Entities will also be required to notify the state Attorney General within 60 days if a breach involves more than 250 residents.
Virginia: H.B. 2396 has expanded the definition of PII under the state’s data breach notification law to include a passport number or military identification number when disclosed with an individual’s name. As a result of these amendments, a breach involving these categories of PII may now require notification to individuals and the Virginia Attorney General.
Washington: As described in greater detail in a separate post here, H.B. 1071 will implement significant changes to the state’s data breach notification law once it enters into force on March 1, 2020. The bill will expand the law’s definition of PII – and, therefore, the types of information potentially requiring notice if breached – to include (1) online account credentials, as well as (2) other data elements when disclosed with an individual’s name, such as dates of birth, private keys, certain biometric data, medical or health insurance information, or student, military, or passport identification numbers. While current law requires notice to residents (and the state Attorney General, if more than 500 residents are notified) within 45 days after a breach is discovered, the amendments will shorten this time frame to 30 days.
In addition to changes to generally applicable state data breach notification laws, several states have also recently passed sector-specific breach notification laws. Building on recent trends, six additional jurisdictions (Alabama, Connecticut, Delaware, Maryland, Mississippi, and New Hampshire) have recently passed breach notification laws aimed at state-licensed insurance entities which, in addition to other requirements, may require notification to certain state regulators in as little as three days. Illinois and Nevada, meanwhile, have recently passed laws that will impose breach notification requirements on various providers of educational services, including operators of educational websites and applications.