California AB 375, the California Consumer Privacy Act of 2018, introduces key privacy requirements for businesses and grants consumers new rights regarding their personal information. It doesn’t add to or change breach notification obligations under existing general data breach notification sections of the California Civil Code and California Health and Safety Code. The RADAR regulatory team will continue to monitor any amendments to the Act that would impact breach notification obligations.
This bill revises the definition of personal information to add specified unique biometric data and additional government-issued identification numbers such as a person’s tax identification number and passport number.
This Senate bill amends the Illinois Personal Information Protection Act. Under the new amendment, a data collector required to report any single breach that affects more than 100 Illinois residents must also report these breaches to the Attorney General.
New Hampshire’s new Insurance Data Security Law requires licensees of the New Hampshire Insurance Department to notify the commissioner within three business days of any cybersecurity event that results in unauthorized access to, disruption or misuse of an information system or nonpublic information stored on an information system. The law includes an exception for information that is encrypted, providing the encryption key is not also compromised.
Oregon Senate Bill 684 amends Oregon’s general breach notification statute, broadening the definition of personal information to include online credentials. Oregon’s definition of personal information now includes the username or other means of identifying a consumer for the purpose of permitting access to that person’s account plus other information used to authenticate the username or means of identification. The bill also adds definitions of “covered entity” and “vendor,” amends an exemption for HIPAA-regulated entities, and adds an attorney general notification threshold of more than 250 affected consumers.
This act amends the Texas Business and Commerce Code, adding a requirement to notify the attorney general in the event of a breach that affects more than 250 Texas residents. It requires that both the attorney general and affected individuals must be notified no later than 60 days after determination that a breach occurred, and it specifies the content that must be included in any notice to affected individuals. (Most of this act took effect September 1, 2019, except for the amendments to breach notification obligations, which takes effect January 1, 2020.)
That’s the roll-up on new U.S. privacy laws, and it’s a lot. For everyone involved with data privacy, the new decade will start with a bang bigger than any New Year’s Eve firecracker.
Privacy teams coast to coast need to be ready: including biometrics and other new information in risk assessments for consumers in California, reviewing PII definitions for Oregon, and updating breach notification requirements for four of the five states. If your privacy team uses Radar for privacy incident response, you have a head start because the new requirements will be reflected in the software by the time the new laws go into effect.
Like every other year in the data privacy world, 2020 is going to test your readiness and resolve. But our team here at RADARFirst will always have your back, so enjoy your holidays. Happy New Year and good luck!
FREE Global Data Breach Notification Law Library
Access this free library of hundreds of global data privacy regulations in 2020 and beyond to stay current on existing and proposed legislation. Visit Breach Law Radar >