Breach notification statutes remain one of the most active areas
of the law. Seldom does a month go by without a new bill or
amendment addressing privacy or data security, and this month is no

The state of Virginia recently expanded its breach notification
statute to include income tax information among the types of
information that require notification to the Office of the Attorney
General. Likely a reaction to the increase in W2 tax fraud
discussed in greater detail by my colleague
here, this new amendment does not require notification to the
individual taxpayers. Instead, affected entities must notify the
Virginia attorney general, who in turn must notify the Department
of Taxation. Of course, if the incident involves Social Security
numbers, which the majority of W2 tax fraud incidents do, then the
existing provisions would require notification to affected

In Tennessee, lawmakers are amending the state's
notification statute for the second time in less than a year.
Tennessee's original 2005 breach notification law included a
safe harbor for encrypted data. In 2016, that exemption was removed
from the definition of "breach" but remained in the
definition of "personal information." This led to some
confusion as to whether unauthorized access to encrypted data still
required notification. This latest amendment revises both
definitions and clarifies that notification is required if an
unauthorized person acquires either unencrypted data or encrypted
data and the corresponding decryption key.

Finally, although it has not signed the statute yet, New Mexico
is on the verge of becoming the 48th state to enact a breach
notification statute. Last month, the New Mexico legislature passed
the Data Breach Notification Act (HB 15). Pending Governor
Martinez's signature, HB 15 would require notification to
affected individuals within 45 days from the date of discovery. If
the incident affects more than 1,000 New Mexico residents, notice
must also be provided to the state attorney general and the three
major credit bureaus. There is a risk-of-harm threshold and an
exception for entities subject to the Gramm-Leach-Bliley Act or
HIPAA. For a detailed analysis of HB 15, see:
New Mexico passes data breach notification and protection
Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.