Alt

Regulatory Watchlist: Recent Changes to State Data Breach Notification Regulations

A number of state data breach bills have recently gone into effect, or are poised to go into effect in the next two months. Continuing our series of articles around trends in state data breach notification laws, let’s take a look at this legislation and see what trends we can identify.

We’ll focus on the following list of bills, listed in order of effective date:

  • Delaware HB 180, Effective April 14, 2018
  • Alabama SB 318 / HB 410, Effective June 1, 2018
  • Oregon SB 1551, Effective June 02, 2018
  • South Dakota SB 62, Effective July 01, 2018
  • Arizona HB 2154, Effective August 3, 2018

Two of the most notable items in the list are the new laws for Alabama and South Dakota, the last remaining states to enact breach notification legislation. In every piece of legislation noted above, including the new laws for Alabama and South Dakota, we see at least one of the trends we’ve been watching and writing about over the past couple of years.

Trend: Expanded scope of personal information

  • Alabama SB 318 comes out strong with a definition of personal information that includes standard information (meaning a person’s name in combination with a Social Security number, driver’s license number or state identification card number, or financial account number in combination with a PIN or other access code or password that would permit access to the financial account), but also includes any government-issued unique identification number used to verify identify, medical information, health insurance information, and a username or email address in combination with a password or security question and answer that would permit access to an online account.
  • Arizona HB 2154 expands the scope of personal information to include a private key that is unique to an individual and is used to authenticate or sign an electronic record, medical information, health insurance information, a passport number, a taxpayer identification number or an identity protection personal identification number issued by the IRS, or unique biometric data used to authenticate an individual when the individual accesses an online account.
  • Delaware HB 180 expands the definition of personal information to include any state or federal identification card number, a passport number, a username or email address in combination with a password or security question and answer that would permit access to an online account, medical information, health insurance information, biometric data, and an individual taxpayer identification number.
  • South Dakota SB 62 also comes out strong with a definition of personal information that, in addition to standard information (see Alabama note above), includes health information as defined in 45 CFR 160.103 (HIPAA), any unique identification number created or collected by a government body, an identification number assigned to a person by the person’s employer in combination with any required security code, access code, password, or biometric data generated from measurements or analysis of human body characteristics for authentication purposes, and a username or email address in combination with a password, security question answer, or other information that permits access to an online account.

Trend: Required notification to the state attorney general

  • Alabama SB 318 requires notification to the attorney general if more than 1000 residents are notified as the result of a single breach.
  • Arizona HB 2154 requires notification to the attorney general if more than 1000 residents require notification.
  • Delaware HB 180 requires notification to the attorney general if more than 500 residents are affected.
  • South Dakota SB 62 requires notification to the attorney general if more than 250 residents are affected.

Trend: Specified notification timelines to individuals

  • Alabama SB 318 / HB 410 requires notification be provided within 45 days following notification or determination of a breach.
  • Delaware HS 1 requires notification be provided no later than 60 days after determination of a breach.
  • South Dakota SB 62 requires notification be made no later than  60 days from discovery or notification of a breach.
  • Oregon SB 1551 requires notification be provided no later than 45 days after discovering or receiving notification of a breach.

Challenges for Privacy and Professionals: Increased Complexity and Nuance in Incident Risk Assessment

No two state data breach notification laws are exactly alike, and staying on top of changing legislation and multi-jurisdictional data breach notification requirements can mean the difference between meeting compliance obligations vs. over- or under-reporting which could lead to the possibility of fines, penalties, reputational damage, and loss of trust from the public and regulators.

Tools to Stay Informed:

For RADAR customers, the RADAR regulatory team continuously tracks changes in data breach notification laws and regulations to ensure that any changes are applied in RADAR prior to enforcement. RADAR customers have access to summaries of all data breach notification statutes within the RADAR Law Overviews, as well as a regulatory watchlist of active bills, along with an indicator of recent activity.

IAPP members also have exclusive access to the IAPP-RADAR Incident Response Center, with up-to-date overviews of U.S. and international data breach notification requirements — including GDPR. Click here to access the tool (login required).

Related reading: