[BreachExchange] Summer Round-Up: Four States Bolster Data Breach Notification Laws and More Changes on the Way

Audrey McNeil audrey at riskbasedsecurity.com
Tue Sep 6 19:20:17 EDT 2016


http://www.natlawreview.com/article/summer-round-four-states-bolster-data-breach-notification-laws-and-more-changes-way

As has become typical in the data security space, there was quite a bit of
activity in state legislatures over the previous year concerning data
breach notification statutes.  Lawmakers are keenly aware of the high
profile data breaches making headlines and the increasing concerns of
constituents around identity theft and pervasive cybercrime.  In response,
states are beefing up their data security statutes in order to provide
greater protection for a broader range of data, to require notification to
Attorneys General, and to speed up the timeline companies have to advise
residents when their personal information has been compromised, to name a
few steps.

According to a recent summary published by the National Conference of State
Legislatures, more than 25 states in 2016 have introduced or are currently
considering security breach notification bills or resolutions.  While much
legislation remains pending in statehouses across the country, statutory
amendments passed in four states took effect over this past summer alone.
Here is a brief summary of significant amendments to data breach
notification rules in Nebraska, Nevada, Rhode Island and Tennessee.

Definition of Personal Information

Nevada now includes in its definition of “personal information” a medical
identification number, a health insurance identification number, and a user
name, unique identifier or electronic mail address in combination with a
password, access code or security question and answer that permits access
to an online account.

Similarly, Rhode Island now counts as “personal information” any medical
information, health insurance information, and an email address in
combination with any required security code, access code or password that
allows access to an individual’s personal, medical, insurance or financial
account.

Nebraska did not go quite as far but now considers a user name or email
address in combination with a password or security question and answer that
permits access to an online account to be “personal information”.

Speaking of definitions, Tennessee broadened its definition of
“unauthorized persons” to include an employee of a covered entity who is
discovered to have obtained personal information and intentionally used it
for an unlawful purpose.  Tennessee also removed the word “unencrypted”
from its definition of “Breach of the security system” in order to ensure
that partial encryption of compromised personal information does not evade
the statute.

Encryption Safe Harbor

Nebraska and Rhode Island both decided that data should not be considered
“encrypted” if the confidential process or key permitting access to
otherwise encrypted data is also acquired in connection with a security
breach.

Attorney General Notification

Nebraska and Rhode Island both imposed new obligations around notification
to Attorneys General in the event of a security breach. In Nebraska, a
covered entity must now notify the state’s Attorney General of a security
breach not later than the time when notice is provided to affected
residents.  In Rhode Island, any covered entity notifying more than five
hundred (500) residents of a security breach now must also notify the
state’s Attorney General.

Notice to Affected Residents

Both Rhode Island and Tennessee put covered entities on the clock and now
require notification to affected residents within forty-five (45) days of
discovery of a security breach unless a delay is necessary for law
enforcement purposes. Rhode Island also imposed new requirements for the
specific contents of notice to affected residents.