United States: States Introduce Data Breach Notification Legislation

Several state legislatures introduced measures in early 2016 to strengthen their respective state data breach notification requirements.

• On January 14, H.B. No. 1631 was introduced in Tennessee to redefine the time period within which a business must notify a consumer if the consumer's personal information was obtained by an unauthorized person and to identify employees of a business who use sensitive information unlawfully as "unauthorized persons."
• On January 13, S.B. No. 29 was introduced in Maryland to expand the definition of "personal information" to include state identification card numbers, passport numbers, and other identification numbers issued by the federal, state, or local government.
• On January 12, H.B. No. 1033 was introduced in Florida to require notice to the Agency for State Technology as well as the Florida Department of Legal Affairs in the event that 500 or more Florida residents have to be notified of a security breach.
• On January 12, H.B. No. 1357 was introduced in Indiana to: (i) specify that the data breach notification statute is not limited to breaches of computerized data; (ii) amend or define the terms "data owner," "data collector," and "data user," and to replace the term "personal information" with "sensitive personal information" and make conforming amendments; (iii) require a data user to post certain information concerning the data user's privacy practices on the data user's website; (iv) increase the amount of the civil penalty that a court may impose in an action by the attorney general under certain circumstances; (v) identify certain information that a data owner must include in a disclosure of a security breach; and (vi) specify the applicability of different enforcement procedures available to the attorney general under the statute.
• On January 8, L.B. No. 835 was introduced in Nebraska to amend the definition of "personal information" to include a user name or email address in combination with a password or security question and answer, and to require notice to the Nebraska Attorney General in the event of a breach of security.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.