This spring has seen significant legislative activity with regard to state data breach notification laws, ranging from new laws in Alabama and South Dakota to amendments to existing laws in Oregon, Arizona, and elsewhere. Continuing this trend, three states recently passed legislation to amend their existing data breach notification laws. Legislation recently passed in Colorado will require notification of affected individuals and the state Attorney General within 30 days, while recent amendments to Louisiana’s data breach notification law will expand the scope of personally identifiable information (“PII”) covered by the law. In addition, Vermont recently passed legislation that will create specific data breach notification requirements for “data brokers.” This post examines each state’s amendments in greater detail below.
Through the passage of H.B. 1128, which takes effect on September 1, 2018, Colorado has broadened the definition of PII under its existing data breach notification law, in addition to requiring notification of the state Attorney General and imposing strict notification timelines. Once the new provisions enter into force, covered entities will be required to notify affected individuals within 30 days of the determination that a breach has occurred. Colorado and Florida are the only states that have imposed a 30-day notification deadline for notice to individuals, although Colorado’s law, unlike Florida’s, will not include a provision that allows for an extension of this deadline under certain limited conditions. In addition, Colorado’s amendments will require notification of the state Attorney General if a covered entity believes that more than 500 state residents have been affected by a breach. As with individual notifications, the notification to the state Attorney General must be provided within 30 days after the date of determination of a breach.