On March 18, 2019, the commonwealth of Virginia enacted House Bill (HB) 2396, amending the commonwealth's data breach notification statute. Specifically, HB 2396 expanded the commonwealth's definition of "personal information" sufficient to trigger a notification obligation following a data security incident. Effective July 1, 2019, "personal information" will be defined to include both passport number and military identification number in addition to those data sets that were previously regulated.
On March 26, 2019, the state of Utah enacted Senate Bill (SB) 193, amending the state's data breach notification statute as well. Although SB 193 did not alter the state's definition of "personal information" sufficient to trigger a notification obligation following a data security incident, it did amend the statute in three significant ways relating to the provision of notification, the enforcement of the statute, and the penalties applicable to violations thereof. Entities subject to Utah's breach notification statute can expect the following changes, effective May 14, 2019:
- Substitute Notice: Where notification of a data security incident impacting personal information is required, the state of Utah previously allowed for it to be provided in writing, electronically, by telephone, or by "publishing notice of the breach of system security..." By enacting SB 193, the state clarified that notification obligations may only be fulfilled by publishing notice of a breach if providing notification in writing, electronically, or by telephone is not feasible.
- Civil Penalties: With respect to "related violations" of the state of Utah's data breach notification statute concerning more than one consumer, entities were previously subjected to a civil penalty of no greater than $100,000 for such alleged violations. SB 193, however, eliminates the $100,000 limit for incidents impacting 10,000 or more consumers who are residents of Utah or are residents of other states, and thereby expands the potential fines that may result from such violations.
- Statute of Limitations: In enacting SB 193, the state set forth a statute of limitations applicable to both administrative and civil actions brought for violations of the state's data breach notification statute. As such, a civil action and an administrative action shall be commenced no later than five or ten years respectively after the day on which the alleged breach last occurred.
Businesses and other organizations both inside and outside of the commonwealth of Virginia and the state of Utah should assess the applicability of these revised statutes to their practices. Entities should consult with experienced counsel well-versed in the different data breach notification standards across the 50 states and territories, as well as in incident and breach response preparedness, to ensure their breach policies and procedures are in compliance with all applicable standards.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.