[BreachExchange] Nebraska and Illinois Update Breach Notice Requirements
Inga Goddijn
inga at riskbasedsecurity.com
Wed Jun 29 23:13:14 EDT 2016
http://www.jdsupra.com/legalnews/nebraska-and-illinois-update-breach-48552/
The data breach notification laws for Nebraska
<http://nebraskalegislature.gov/laws/statutes.php?statute=87-801> and
Illinois
<http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&ChapAct=815%C2%A0ILCS%C2%A0530/&ChapterID=67&ChapterName=BUSINESS+TRANSACTIONS&ActName=Personal+Information+Protection+Act.>
have been updated to expand the definition of “personal information” to
include usernames and email addresses in combination with a password or
security question and answer allowing access to an online user account.
In addition to expanding the scope of covered information, Nebraska’s L.B.
835 <http://nebraskalegislature.gov/FloorDocs/Current/PDF/Slip/LB835.pdf>
will require notification to the Attorney General in the event of any
breach that requires notice to a Nebraska resident in the first instance.
Illinois’ H.B. 1260
<http://www.ilga.gov/legislation/publicacts/99/PDF/099-0503.pdf> further
expands the definition of PI to include a resident’s medical information,
health insurance information, and unique biometric data, specifies required
notice content when consumers’ usernames or email addresses are affected by
a breach, and imposes new data security requirements.
Nebraska’s new law will go into effect on *July 21, 2016*, while Illinois’
new law will become operative on *Jan. 1, 2017*. Changes to these laws are
summarized below, and can be compared to other states’ requirements on our
website <http://www.dwt.com/statedatabreachstatutes/>.
*Changes to Nebraska’s Breach Notification Statute*
- *New PI Data Elements.* The definition of Personal Information or “PI”
is expanded to include a resident’s online *username or email address*,
combined with a password or security question and answer allowing access to
an online account.
- *Compromised Encryption Key.* Nebraska’s breach notification statute
currently includes a safe harbor that allows a business to forego data
breach notification when affected PI is encrypted, redacted or otherwise
made unreadable. L.B. 835 clarifies that data is not considered encrypted
when the encryption process or key itself is compromised in the breach.
- *AG Notice.* Nebraska’s data breach notification law will soon require
businesses and other entities to notify the Nebraska Attorney General
whenever notice to any state resident is required; the notice to the
Attorney General must be given no later than the time when the resident is
notified.
*Changes to Illinois’ Breach Notification Statute*
- *New PI Data Elements.* H.B. 1260 will enlarge the definition of PI to
include:
  - A resident’s *medical information, health insurance information, and
  unique biometric data* when combined with a consumer’s first name or
  first initial and last name; and
  - A resident’s online *username or email address*, combined with a
  password or security question and answer allowing access to an online
  account.
- *Notice Content for Breach of Username or Email Address*. Businesses
will be permitted to notify Illinois residents of a breach affecting
usernames or email addresses via electronic or other form directing
residents to promptly change their username or password and security
question or answer or take “other appropriate steps” to protect all
affected online accounts which use the same username or email address and
security question or answer.
- *Compromised Encryption Key.* H.B. 1260 clarifies Illinois’ safe
harbor *does not apply* when the key to unencrypt, unredact, or
otherwise read the data elements is itself compromised in the breach.
- *Substitute Notice to “Local Media.”* If a breach impacts Illinois
residents in *one geographic area*, affected businesses otherwise
permitted by the statute to give notice via substitute notice (i.e. if
notification costs exceed $250,000 or if the affected business would have
to notify more than 500,000 residents) will be allowed to notify prominent
*local* media instead of major *statewide* media. Businesses should note
that such localized notice is in addition to the other substitute notice
requirements (i.e. email notice if residents’ email addresses are on file,
and conspicuous posting of the notice on the business’ website), and must
be “reasonably calculated” to give residents actual notice.
- *Data Security Requirements.* In addition, H.B. 1260 expands the
current Illinois statute to include data security requirements very similar
to those demanded by Nevada’s data breach notification laws (NRS 603A.210
<http://www.leg.state.nv.us/NRS/NRS-603A.html>). When the statute goes
into effect next year, all entities that own, license, maintain or store
records containing residents’ PI will be required to:
  - Implement and maintain *“reasonable security measures”* to protect
  from unauthorized access, acquisition, destruction, use, modification, or
  disclosure; and
  - Require all third parties to implement and maintain similar
  security measures when PI will be disclosed pursuant to a contract.
- *Entities Covered by Other Federal Privacy and Data Security Regimes.*
  - Covered entities and business associates subject to and in
  compliance with the Health Insurance Portability and Accountability Act
  as amended (HIPAA) and the Health Information Technology for Economic and
  Clinical Health (“HITECH”) Act will be deemed compliant with the Illinois
  statute for data security purposes, *but* any covered entity or
  business associate required to provide notification of a breach to the
  Secretary of Health and Human Services pursuant to HITECH must provide
  notice to the Illinois Attorney General within 5 business days of
  notifying the Secretary.
  - Financial institutions subject to applicable provisions of the
  Gramm-Leach-Bliley Act will also be deemed in compliance with Illinois’
  new data security requirements.
*What’s Next for Businesses?*
The Nebraska and Illinois updates are just the latest changes in the
patchwork of state-level data breach notification requirements. Tennessee
<http://www.privsecblog.com/2016/04/articles/dataprotection/tennessee-gives-businesses-45-days-for-data-breach-notice/>
recently passed substantive amendments to its breach notification statute
that will go into effect on July 1, and the amendments to Rhode
Island’s statute
<http://www.privsecblog.com/2015/07/articles/policy-regulatory-positioning/2015-data-breach-legislation-six-month-review-many-proposals-few-changes/>
will take effect on July 2.
Some of Nebraska’s and Illinois’ expanded requirements mirror those that
already exist under other states’ notice regimes; however, all entities
that collect consumer information should:
- *Review breach notification policies and procedures and update as
needed.* As with any change to state data breach notification statutes,
businesses and other entities are strongly encouraged to revisit, review,
and revise their breach notification policies and procedures where needed
to be in compliance with the alterations to these statutes.
- *Don’t Store Data and Encryption Keys in the Same Place.* The tweaks
to Nebraska’s and Illinois’ encryption safe harbors are good reminders that
encrypting or taking other measures to make sensitive data unreadable will
not do much if the keys to decode the data are compromised as well.
Companies should *not* store their encryption keys on the same machine
or in the same location as the data that the keys secure. More importantly,
when transmitting encrypted files, companies should use alternate methods
of transmitting the encryption keys. For instance, don’t email an
encrypted file and include the encryption key in the same email.
Cut: Companies required by other state or federal laws to implement greater
protections to safeguard records with PI, as well as those subject to and
in compliance with the Gramm-Leach-Bliley Act, will be deemed in compliance.