
Regulatory Update: EU-U.S. Privacy Shield Invalid under Schrems II, 4 State Breach Notification Laws Take Effect

It’s been a busy summer on the regulatory front. On July 16, the Court of Justice of the European Union issued its decision in the so-called “Schrems II” case, invalidating the European Commission’s adequacy decision for the EU-U.S. Privacy Shield Framework. This is the framework that more than 5,000 U.S. companies use to conduct trans-Atlantic trade in compliance with GDPR. Those companies will now need another legal mechanism to enable transfers under EU data protection rules. (We’ll provide an in-depth analysis of the Schrems II ruling in the coming days, so stay tuned.)

And in the United States, four new breach notification laws recently came into effect in Indiana, Vermont, Virginia, and Washington, D.C. Here’s what you need to know:

Insurance Laws Take Effect for Indiana, Virginia

On July 1st, Indiana HB 1372 and Virginia HB 1334 became effective. These laws create a new insurance data security section under each state’s insurance statutes, requiring insurers and other entities licensed by the state’s department of insurance to implement an information security program based on an internal risk assessment. They also require insurers to notify the state insurance commissioner as promptly as possible, but no later than 72 hours after determining that a cybersecurity event involving nonpublic information has occurred.

Amended Breach Notification Laws Become Effective in Vermont and Washington, D.C.

Washington, D.C. B23-0215, also known as the Security Breach Protection Amendment Act of 2020, went into effect on June 17th. This law:

  • Expands the definition of personal information.
  • Specifies notification content to affected individuals.
  • Requires notification to the attorney general.
  • Requires an entity to provide two years of free identity theft prevention services to victims of a breach involving a Social Security number or taxpayer ID number.

Vermont S110, which took effect on July 1st, also expands its definition of personal information.

Alignment with Previously Identified Trends in Changing Data Breach Laws

These new laws align with four previously identified trends published in the RadarFirst 2020 regulatory trends ebook:

1. Insurance laws based on the NAIC Model Law

In the wake of major data breaches affecting millions of insurance customers, state insurance regulators adopted the Insurance Data Security Model Law from the National Association of Insurance Commissioners (NAIC). In 2017, the U.S. Treasury Department recommended that all states adopt and implement the model law. So far, 11 states have done so. Louisiana (HB 614) will join the list on August 1st, and Connecticut HB 7424 will take effect on October 1, 2020.

We should note that states are tailoring the model law to their own specifications. For example, the breach notification deadline was extended to three business days in Ohio and Delaware, and 10 days in Michigan.


2. The expanding scope of personal information

How a regulation defines personal information significantly impacts what could potentially trigger a breach notification obligation. The scope of what qualifies as personal information has continued to expand since the first data breach notification law went into effect in California in 2003. In 2019, several states added online credentials and/or biometric data.

With the passage of B23-0215, Washington, D.C. follows this trend by expanding the scope of personal information to also include biometric data and online credentials—similar to the New York SHIELD Act. The D.C. law also includes government-issued identification numbers, health insurance information, and other sensitive information in its definition. Vermont S110 similarly expands the scope of personal information by adding biometric data, genetic information, online credentials, passport numbers, and health information.


3. Specifying notification content

In most states, the first wave of data breach notification laws did not typically specify what information must be included in a notice to affected individuals. More recently, we’ve seen an emergence of notification content requirements as states amend their general breach notification statutes. In 2019, six states added this specificity: Delaware, Massachusetts, New Jersey, New York, Ohio, and South Carolina.

Washington, D.C.’s amended law follows this trend by requiring that notification content to affected individuals include:

  • The types of data compromised.
  • Contact information for the entity reporting the breach, the toll-free numbers for the credit reporting agencies, the FTC, and the D.C. attorney general.
  • Information on how to obtain a security freeze free of charge.


4. The requirement to notify the state attorney general

State attorneys general themselves are the driving force behind this growing trend. Not only do their offices help consumers deal with the repercussions of a data breach, they also investigate data security lapses and enforce data breach notification laws. Keeping abreast of data breaches is critical to performing this work. In 2019, four states added a requirement to notify the attorney general in the event of a breach: Arkansas, Massachusetts, Maryland, and New York.

With B23-0215 in effect, notice to the D.C. attorney general must include, among other things, the types of personal information exposed, the nature and cause of the breach, the number of D.C. residents affected, and the actions taken to contain the breach.


What Does This Mean for Privacy Professionals?

With all the movement in industry, state, federal, and global data breach notification regulations, navigating the complex and ever-changing data breach law landscape means staying on top of pending and recently passed legislation and identifying common themes in changing regulations.

It also means establishing an incident response process that takes inefficiency and guesswork out of the equation. A mature incident response process will be:

  • Defensible: You need to be able to show consistent, objective multi-factor risk assessments and well-documented criteria for your decisions on whether or not to notify.
  • Universal: Your risk assessment and response need to take into account all the laws that may apply in each separate incident.
  • Fast and accurate: Your team needs to arrive at the right notification decision in time to meet compliance deadlines for every applicable regulation and jurisdiction.
