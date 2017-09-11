As we have noted before in
this space, states have begun going through the process of
amending their data breach notification laws. California, for
example, recently amended its data breach notification statute
to expand the definition of personal information. Illinois
did the same, and adjusted its safe harbor provision. And
New York created first-of-its-kind financial sector cybersecurity
regulations. Legislatures in other states — like
Massachusetts — have also introduced
legislation to amend their data breach laws.
This makes sense: many of these laws are now a decade or
more old, and the complexion of data security has changed in
various ways since the time these laws and regulations were first
enacted, including what consumers expect will be handled as
private information, the reality of overlapping (and sometimes
competing) regulatory requirements, and the burdens entities bear
(or reasonably should be made to bear) in the face of what is often
criminal activity.
The kinds of changes being enacted or proposed include:
Expanding the definition of personal information to include
passport and state ID numbers, medical information, biometric data,
and email;
Replacing an open-ended timeframe for notification with a
45-day notification deadline; and
Providing for alternative notice if the breach only compromises
consumer email accounts.
While the multiplicity of overlapping (and sometimes competing)
state and federal regulatory requirements can be deeply frustrating
and expensive for organizations facing compliance questions relating
to data security, the benefit of the 50-state framework is that states
can more nimbly experiment with various approaches even as the face
of security rapidly changes.
