After a quiet winter there has been significant activity in
state legislatures to enact, strengthen or clarify their data
breach notification statutes. The latest happenings are summarized
below and we have updated our
"Mintz Matrix" to reflect these new and pending laws.
Last week we alerted you that, at long last, data breach
legislation was sitting on the desk of New Mexico's governor.
On April 6th, Governor Susana Martinez signed the Data
Breach Notification Act, which passed unanimously in the
state's House and Senate, and with the stroke of her pen she
finally ended New Mexico's unenviable status as one of only
three states without a data breach notification law on the books.
We are keeping an eye on the last two outliers – Alabama and
South Dakota – and will keep you up to date if we see any
meaningful legislative activity in these states.
The Tennessee legislature has been tinkering with the
state's data breach notification statute since last year and
earlier this month passed an amendment to clarify some confusion
arising out of its 2016 amendment. This latest amendment clearly
states that businesses experiencing a breach of encrypted
computerized data do not need to notify
affected residents unless the key necessary to defeat the
encryption is also compromised as part of the breach. Click here for the full text of the amended
statute. The amendment became effective on April 4, 2017.
In Virginia, legislators are clearly well aware of the rampant
W-2 phishing e-mails that have plagued businesses in recent years
and cost many states millions of dollars as a result of payments
made and investigations conducted on fraudulent tax returns. To
combat this wildly successful scam, Virginia has amended its data
breach notification statute to ensure that its Attorney General and
Department of Taxation are aware when employers and payroll service
providers experience a breach involving taxpayer identification
numbers and withholding information. Click here for the full text of the amendment
(see italicized language in § 18.2-186.6(M)). The amendment
will become effective on July 1, 2017.
The amended portion of the statute applies to employers or
payroll service providers who experience a security breach (i.e.
unauthorized access and acquisition of personal information)
involving unencrypted and unredacted computerized data containing a
taxpayer identification number in combination with income tax
withholding information for that taxpayer. Following such a breach,
and a determination that it is reasonably likely to cause identity
theft or fraud, the employer or payroll service provider must
notify the Attorney General and provide its name and federal
employer identification number. The Attorney General will then
notify Virginia's Department of Taxation.
It is important to note that this amendment supplements the
existing statute and applies only to employers and payroll service
Our quick disclaimer: The Mintz Matrix is for
informational purposes only and does not constitute legal advice or
opinions regarding any specific facts relating to specific data
breach incidents. You should seek the advice of experienced legal
counsel (e.g., the Mintz Levin privacy team) when reviewing options
and obligations in responding to a particular data security
Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.