Personal information has become the prey of relentless poachers. In light of the influx of data breaches, state legislatures are taking action. Not surprisingly, every state has now enacted a data breach notification law, triggered when personal information is breached. Read below for a summary of state legislation recently adopted or amended that pertains to data breach notification.
Arizona amended its data breach notification law, effective July 21, 2018. The amendment requires companies to notify affected consumers within 45 days of discovering a data breach. If the breach impacts more than 1,000 consumers, companies must also notify the state attorney general and the three largest consumer credit reporting agencies. The state attorney general can impose up to $500,000 in penalties for a company’s non-compliance.
With data breach notification requirements already in place, Colorado amended its law with HB18-1128, effective September 1, 2018, to strengthen the existing requirements and build greater consumer protection. HB18-1128 requires companies to notify consumers within 30 days of determining that a breach occurred. If the breach impacts more than 500 residents, companies must also notify the state attorney general. The bill also requires companies to maintain a written policy for the disposal of personal information and to ensure that third-party service providers who handle personal information implement security measures of their own. In addition, the bill expands the types of data that must be protected: “personal information” now includes not only social security numbers and driver’s license numbers, but also student, military, and passport identification numbers, medical information, and health insurance identification numbers. The bill further adds new requirements for what companies must disclose in notice letters to affected residents, such as the date of the breach, a description of the personally identifiable information disclosed, and contact information for the consumer reporting agencies and the Federal Trade Commission.
Iowa’s student personal information protection law, H.F. 2354, effective July 1, 2018, enhances the security of students’ personal information. Specifically, the law prohibits website operators from selling or renting students’ information, and it requires website and mobile app operators to maintain security procedures consistent with industry standards and with state and federal law.
Louisiana’s amendment, S.B. 361, effective August 1, 2018, expands the scope of personally identifiable information covered by the law. Under this bill, companies must notify affected consumers within 60 days of determining that a breach has occurred; the state attorney general may grant an extension of this timeframe in certain situations. Additionally, consistent with the trend among many states, S.B. 361 broadens the definition of personally identifiable information to include a resident’s first name or initial and last name in combination with a passport number, state identification card number, or biometric data.
Oregon adopted S.B. 1151, effective June 2, 2018, which enhances its data breach notification law by requiring companies to notify affected consumers within 45 days of discovering a breach. If the breach impacts more than 250 consumers, companies must also notify the state attorney general. Additionally, companies holding personal information must employ administrative safeguards, such as regular employee training on security procedures and practices, and must review user access privileges on a regular basis. Personal information protected by the law now includes biometric data and a consumer’s financial account number or debit/credit card number in combination with an access code or password, or “any other information or combination of information that a person reasonably knows or should know would permit access to the consumer’s financial account.”
South Dakota’s first data breach notification law, S.B. 62, took effect on July 1, 2018. The bill requires companies to notify affected consumers within 60 days of discovering a data breach. If the breach impacts more than 250 consumers, companies must also notify the state attorney general. However, if the company reasonably determines that consumers are unlikely to be harmed by the breach, consumer notification is not required, though the state attorney general must still be notified if the breach affects more than 250 consumers. The state attorney general can impose penalties of up to $10,000 per violation per day for a company’s non-compliance.
Effective January 1, 2019, Vermont’s amendment, H.B. 764, also enhances data breach notification requirements by creating heightened requirements for data brokers (any company that “knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship”). In addition, the bill adds a notification step for data breaches and requires data brokers to inform Vermont’s Secretary of State of a data broker security breach; the brokered personal information covered by that definition extends to information that “would allow a reasonable person to identify the consumer with reasonable certainty.”
This post was written with the help of Justine Parry, a McGuireWoods summer associate.