[BreachExchange] 2016 Data Breach Legislation Roundup: What to Know Going Forward

[Audrey McNeil]

http://www.jdsupra.com/legalnews/2016-data-breach-legislation-roundup-10735/

States were busy updating their data breach notification statutes in 2016.
With 2016 in the rear view, let’s take a look back at the legislative
changes that will impact corporate incident response processes and what
those trends portend going forward.

Expanded Definition of “Personal Information”

Login Credentials. In 2016, Rhode Island, Nebraska and Illinois (effective
January 2017), joined the ranks of states that include usernames (or email
addresses) and passwords in the definition of “personal information” that
triggers notification obligations. As of this writing, the following eight
states may require notification when login credentials are compromised:
California, Florida, Illinois, Nebraska, North Dakota, Nevada, Rhode Island
and Wyoming.

Biometric Data. Illinois (effective January 2017) and Oregon (effective
January 2016) added biometric data to the list of triggering personal
information. Both statutes define biometric data to include “measurements”
of an individual’s physical characteristics used to authenticate that
individual for a financial or other transaction, such as a “fingerprint,
retina, or iris” image. Note that Oregon also requires notice to consumers
if “medical” or “health insurance” information is compromised.

License Plate Data. In a novel move, California added “[i]nformation or
data collected through the use or operation of an automated license plate
recognition system” to the elements classified as “personal information”
under its breach notification statute. This change took effect on January
1, 2016.

Encryption

Encryption Defined. Rhode Island amended its statute in 2016 to clarify
that information is “encrypted”—and therefore potentially exempt from
notification—if it is obscured via a “one hundred twenty-eight (128) bit or
higher algorithmic process into a form in which there is a low probability
of assigning meaning without use of a confidential process or key.”  Rhode
Island is the first state to specifically denote a methodology that
satisfies the encryption safe harbor from notification.

Effective January 1, 2016, California’s data breach statute defines
“encrypted” information as “information [that] has been rendered unusable,
unreadable or indecipherable to an unauthorized person through a security
technology or methodology generally accepted in the field of information
security.”

Encryption Key Compromises. California’s legislature passed yet another
amendment to its notification statute in 2016: effective January 1, 2017,
California will require companies to provide notice where an encryption key
is compromised together with encrypted information. Nebraska and Illinois
similarly revised their statutes to clarify that data is not considered to
be “encrypted” if the encryption key was also compromised in the incident.

Notice Format and Contents

Under Rhode Island’s 2016 data breach statute amendments, the state will
become the first in the nation to require that consumer notifications
explicitly note the number of individuals affected. The amended Rhode
Island statute also requires consumer notices to include (i) a brief
description of the incident; (ii) the type(s) of information affected;
(iii) an estimated date or date range during which the breach occurred;
(iv) the date the breach was discovered; (v) “[a] clear and concise
description of any remediation services offered to individuals” and contact
information for the credit reporting agencies, remediation service
providers and the attorney general; and (vi) a clear and concise
description of the consumer’s ability to file a police report and request a
security freeze, along with the information that must be provided when
requesting the security freeze. Additionally, beginning in January 2016,
California’s data breach statute required a specified format for notice to
consumers.

Notice to State Attorneys General

Several more states added State Attorney General notification requirements.
Companies are now required to provide notice to the Oregon Attorney General
of all breaches affecting more than 250 Oregon residents. Notice to the
Rhode Island Attorney General is now required for all breaches affecting
more than 500 Rhode Island residents. Finally, under Nebraska’s statutory
amendments, companies must provide notice to the Nebraska Attorney General
for all breaches regardless of the number of affected individuals. The
Nebraska amendment specifies that notice to the Attorney General must be
provided no later than notice to consumers.

Notice Deadlines

Beginning in June 2016, Rhode Island requires notice to consumers no later
than 45 days from “confirmation” of a data breach. A month later,
Tennessee’s amendments to its data breach statute went into effect,
requiring notice to consumers within 45 days after “discovery or
notification” of a breach.

Conclusion

In light of the patchwork of varying statutory requirements, responding
appropriately when a breach occurs requires attention to detail and a
nimble approach. Persistent monitoring of new legislation will continue to
be important, as legislative activity does not appear to be slowing down.

Companies are also well advised to keep tabs on these statutory changes in
the context of other critical notification-related dynamics:

Courts have increasingly scrutinized statements made in post-breach
notifications to infer that plaintiffs were “harmed” sufficiently to
establish standing to sue. In this context, courts have relied on broad
offers of credit monitoring (Neiman Marcus), admonishments to monitor
credit reports (P.F. Chang’s), and most recently, a recommendation that
consumers set up fraud alerts and place security freezes on credit reports,
without an accompanying offer to pay for the security freeze itself
 (Nationwide).  Companies should carefully craft breach communications to
not only comply with statutory requirements, but also with an eye toward
litigation-risk management.
The U.S. District Court for the Northern District of Illinois held recently
that the “nearly six weeks” it took Barnes & Noble to provide notice under
California’s breach notification law was too long to satisfy the statutory
“most expedient time possible” standard.  While some states have specified
timing deadlines, organizations must be careful to time notifications in a
way that satisfies states with more flexible “as-soon-as-practicable” or
“without-unreasonably-delay” type requirements.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170130/fb4a4f85/attachment.html>