Since June 1, several states have enacted or amended their data breach notification laws:
- On June 1, Alabama's new data breach notification law became effective. The law governs data breach notification requirements for entities acquiring or using sensitive personally identifying information of an Alabama resident. The bill requires notification to affected customers in the event of a breach within 45 days of the entity determining that a breach occurred. The law also provides that covered entities and their agents must implement and maintain reasonable security measures to protect sensitive personally identifying information.
- On June 2, amendments to Oregon's data breach notification law became effective. The amendment requires that an entity provide notification of a breach of security not later than 45 days after discovery. If the entity offers to provide credit monitoring services in connection with the notification, it may not condition the provision of services on the consumer providing a credit or debit card number. The law also expands the definition of "personal information" to include any information or combination of information that the entity reasonably knows or should know would permit access to the consumer's financial account.
- On July 1, South Dakota's new data breach notification law became effective. The law governs data breach notification requirements for entities conducting business in South Dakota and those owning or licensing computerized personal or protected information of South Dakota residents. The bill requires notification to affected consumers not later than 60 days from the discovery or notification of the breach of system security.
- On July 20, amendments to Arizona's data breach notification law became effective. The law expands the definition of "personal information," requires individual and regulatory notification within 45 days of a breach, and broadens the risk-of-harm provision by allowing covered entities to forgo individual or regulatory notification if it is determined that the breach is unlikely to result in substantial economic loss to affected individuals.
- On August 1, amendments to Louisiana's data breach notification law became effective. Covered entities are now required to notify affected individuals of a data breach no later than 60 days from the discovery of the breach. If the notice is delayed for purposes of a law enforcement investigation or to determine the scope of the breach, prevent further disclosure, or restore data system integrity, the law requires that a covered entity notify the state attorney general of the reasons for the delay in writing within the 60-day notification period. The amendments expand the definition of "personally identifiable information" to include an individual's name along with a passport number or biometric data.
- On September 1, amendments to Colorado's data breach notification law became effective. Colorado has broadened the definition of "personally identifiable information," expanded the notification requirements to include notice to the state attorney general under certain circumstances, and imposed a 30-day deadline to notify affected individuals.
- On August 3, Ohio amended its data breach notification law to provide companies with a "safe harbor" against tort actions brought under Ohio law alleging a lack of reasonable information security controls. To qualify for the safe harbor, companies must adopt reasonable cybersecurity measures that "reasonably conform" to certain industry-recognized frameworks. Companies must also tailor their cybersecurity programs to the company's size and complexity, the nature of the company's activities, the nature of the personal information, the cost and availability of tools to improve information security controls, and the company's resources. The amendments will go into effect on November 2, 2018.
- Effective January 1, 2019, Vermont has amended its data breach notification law to impose new data breach notification requirements on "data brokers," defined as a business or business unit that "knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship." The law does not significantly modify Vermont's generally applicable data breach notification statute but will require data brokers to report any "data broker security breaches" to the Vermont Secretary of State as part of an annual registration process.