[BreachExchange] United States: Recent Updates To State Data Breach Notification Laws In New Mexico, Tennessee, Virginia

Destry Winant destry at riskbasedsecurity.com
Thu May 4 00:47:31 EDT 2017


With the growing risk of cybersecurity attacks, the landscape of
state-specific data breach notification laws continues to evolve.
Companies and industries must stay aware of changes in the legal
framework if they are to meet their emerging obligations. While
federal laws addressing specific types of sensitive information may
apply, state laws have led the way in setting standards for how data
security incidents must be addressed. In the past few months there
have been three notable developments in state notification laws: New
Mexico enacted a new data breach notification law; Tennessee further
amended its existing law to reinstate the encryption exemption; and
Virginia amended its existing laws to address the continuing trend
involving the compromise of personal information that could lead to
tax fraud.

New Mexico
On April 6, 2017, New Mexico enacted the Data Breach Notification Act
(H.B. 15), making it the 48th state to enact a data breach
notification law and leaving only Alabama and South Dakota without any
such law. Overall, New Mexico's new law is similar to that of many
other states, but there are some notable differences.

Typically, the 48 state laws define "personal identifiable
information" as an individual's first name or initial and last name in
combination with one or more of the following: a social security
number; driver's license number or state identification card number;
or financial account number, credit or debit card number in
combination with a security code or password. New Mexico's new law
defines "personal identifiable information" consistently with most
other states, and joins a growing number of states that have broadened
the definition to include "biometric data," which is defined to
include "fingerprints, voice print, iris or retina patterns, facial
characteristics or hand geometry."

New Mexico also joins a minority of states that impose a specific
notification deadline of 45 days from discovery of a breach. The new
law provides that notification shall be made to affected individuals
"in the most expedient time possible, but not later than forty-five
calendar days following discovery of the security breach." If
notification to more than 1,000 individuals is required, notification
also must be provided to the New Mexico Office of the Attorney General
and major consumer reporting agencies within that same time frame.

Effective date of New Mexico law: June 16, 2017.

Tennessee
On April 4, 2017, Tennessee again amended its data breach notification
law, T.C.A. § 47-18-2107, to restore the encryption safe harbor to
its notification requirements, consistent with most other states. The
new amendment not only harmonizes Tennessee law with that of most
other states but also creates a clear policy incentive to encrypt.

Tennessee's original data breach notification laws provided for an
encryption safe harbor by creating an exception to notification
requirements if compromised data were encrypted. However, in 2016,
Tennessee enacted an amendment that created uncertainty over whether
such a safe harbor continued to exist. The new amendment serves to
clear up this uncertainty and provides that the breach of encrypted
data does not trigger notification to affected individuals unless the
encryption key also is compromised. The amendment also defines what
counts as "encrypted": the data must be protected in accordance with
the current version of the National Institute of Standards and
Technology's (NIST's) Federal Information Processing Standard (FIPS)
140-2, NIST's standard for validating cryptographic modules. Tennessee
law previously specified no particular standard of encryption, so this
is a new requirement.

Effective date of Tennessee amendment: April 4, 2017.

Virginia
On March 13, 2017, Virginia amended its data breach notification law,
Va. Code Ann. § 18.2-186.6(M), expanding the requirement for
notification to its Office of Attorney General to include income tax
information. This amendment is notable in that it addresses a specific
risk, as it was likely enacted in response to the rise in Form W-2 tax
fraud incidents over the past few years.

In addition to notifying affected individuals, the new amendment
requires employers and payroll services providers to notify the
Virginia Office of Attorney General upon discovery of a breach of
unencrypted or unredacted "taxpayer identification information in
combination with the income tax withheld for that taxpayer," provided
that there is a reasonable expectation of identity theft or other
fraud as a result of the breach. Such notification must be made
"without unreasonable delay," and must include the name and federal
employer identification number of the employer. The Office of Attorney
General will then notify the Department of Taxation.

Effective date of Virginia amendment: July 1, 2017.

These developments underscore the fact that states continue to lead
the way when it comes to the protection and security of individuals'
information. Notably, state regulators are moving in the direction of
enacting rules that address how companies protect information, such as
the cybersecurity regulation (23 NYCRR Part 500) enacted by the New
York State Department of Financial Services. Additionally, Colorado's
Department of Regulatory Agencies, Division of Securities recently
proposed two new cybersecurity rules under its securities act,
potentially putting requirements in place for broker-dealers and
investment advisors operating in the
