[BreachExchange] State Data Breach Notification Laws: 2018 in Review

[Inga Goddijn]

https://www.insideprivacy.com/data-security/data-breaches/state-data-breach-notification-laws-2018-in-review/

Recent years have seen significant amounts of legislative activity related
to state data breach notification laws, and 2018 was no exception.  Not
only did South Dakota and Alabama enact new data breach notification laws
in 2018, becoming the last of 50 U.S. states to enact such laws, but other
states also enacted changes to existing data breach notification laws
during 2018 to expand their scope and implement additional notification
requirements.  Following up on our global year-end review of major privacy
and cybersecurity developments
<https://www.insideprivacy.com/data-privacy/privacy-and-cybersecurity-a-global-year-end-review/>,
we’ve summarized the major developments and trends observed with regards to
state data breach notification laws over the past year.
*Data Breach Notification Laws in All 50 States.*  With the enactment of
new data breach notification laws in South Dakota
<https://www.insideprivacy.com/data-security/south-dakota-breach-notification-law-breaks-new-ground/>
and Alabama
<http://alisondb.legislature.state.al.us/ALISON/SearchableInstruments/2018rs/PrintFiles/SB318-enr.pdf>,
all fifty states and the District of Columbia have implemented data breach
notification laws.  The new laws in South Dakota and Alabama, which went
into effect in mid-2018, included many features commonly seen in recent
amendments to other states’ existing data breach notification laws, such as
expanded PII definitions, explicit notification deadlines, and state
regulator notification requirements.

*Explicit Notification Deadlines.*  During 2018, several states also joined
a growing trend by revising their data breach notification laws to include
explicit deadlines for notifying affected individuals.  Notably, Colorado
enacted a 30-day deadline
<https://www.insideprivacy.com/data-security/data-breaches/colorado-louisiana-and-vermont-add-to-recent-trend-of-changes-to-state-data-breach-notification-laws/>
from the discovery of the breach for notifying affected individuals, which
matches Florida’s 30-day deadline for the shortest notification deadline in
the U.S.  Alabama, Arizona
<https://apps.azleg.gov/BillStatus/BillOverview/69875>, and Oregon
<https://olis.leg.state.or.us/liz/2018R1/Measures/Overview/SB1551> all
passed legislation in 2018 requiring notification of affected individuals
within 45 days of discovery of a breach, while Louisiana
<https://www.insideprivacy.com/data-security/data-breaches/colorado-louisiana-and-vermont-add-to-recent-trend-of-changes-to-state-data-breach-notification-laws/>
and South Dakota passed legislation requiring notification of affected
individuals within 60 days of discovery.

*Regulator Notification Requirements.*  Several states passed legislation
in 2018 to require notification of a breach to the state Attorney General
or other state regulators.  However, most of these states will only require
such notifications if a certain number of state residents have been
affected by the breach.  For instance, while Colorado will now require
notification
<https://www.insideprivacy.com/data-security/data-breaches/colorado-louisiana-and-vermont-add-to-recent-trend-of-changes-to-state-data-breach-notification-laws/>
to the state Attorney General within 30 days, such notification will only
be required if more than 500 residents are notified of the breach.
Similarly, while Arizona passed legislation to require notification of the
state Attorney General within 45 days, this requirement only applies if
more than 1,000 state residents are notified of the breach.

*Expanded PII Definitions.*  Several states also passed legislation
expanding the types of PII covered under data breach notification laws.
For instance, several states expanded their breach notification laws’ PII
definitions to include an individual’s name in combination with biometric
data, medical or health information, student or military ID numbers, online
account credentials, or passport numbers.

*Credit Monitoring Requirements.*  As part of a small but growing trend,
several states also implemented, or enhanced, requirements to provide free
credit monitoring or identity theft protection services following certain
breaches.  In the spring of 2018, amendments
<https://www.insideprivacy.com/data-security/data-breaches/delaware-amends-data-breach-notification-law-to-require-credit-monitoring-attorney-general-notification/>
to Delaware’s data breach notification law entered into force that required
entities to offer individuals whose Social Security numbers have been
breached one year of free credit monitoring services.  In mid-2018,
Connecticut passed an amendment
<https://www.cga.ct.gov/2018/ACT/pa/pdf/2018PA-00090-R00SB-00472-PA.pdf> to
its data breach notification law to require entities to offer two years of
free identity theft prevention and, if appropriate, identity theft
mitigation services to individuals whose Social Security numbers have been
breached.  Although Connecticut and Delaware, along with California, are
the only states whose laws require the provision of credit monitoring or
identity theft protection services after certain breaches, it will bear
watching to see if other states implement similar requirements in 2019.

*Sector-Specific Notification Requirements.*  While each U.S. state now has
a generally applicable data breach notification law, several states have
also begun to implement additional sector-specific data breach notification
requirements.  Following the implementation of the New York Department of
Financial Services’ cybersecurity regulation in 2017, which included a
72-hour deadline for regulator notifications, South Carolina, Vermont, and
Virginia also passed sector-specific data breach notification requirements
in 2018.  South Carolina’s law, similar to the NYDFS regulations, will
require regulator notifications within 72 hours for certain licensed
insurers.  Vermont, meanwhile, passed a law
<https://www.insideprivacy.com/data-security/data-breaches/colorado-louisiana-and-vermont-add-to-recent-trend-of-changes-to-state-data-breach-notification-laws/>
implementing additional information security requirements for “data
brokers” that will require such entities to disclose security breaches to
state regulators as part of an annual required registration process
<https://www.insideprivacy.com/data-privacy/vermont-publishes-new-guidance-on-law-regulating-data-brokers/>.
Finally, Virginia also passed new legislation
<https://lis.virginia.gov/cgi-bin/legp604.exe?181+sum+HB183> during 2018
that will require income tax preparers to notify regulators of a breach of
tax “return information.”

*Private Rights of Action and Safe Harbors.*  Part of the California
Consumer Privacy Act, passed by the California legislature earlier this
year, will create a private right of action for certain data breach-related
harms.  As subsequently amended
<https://www.insideprivacy.com/united-states/state-legislatures/california-legislature-passes-amendments-to-expansive-consumer-privacy-law/>
by the legislature, the CCPA will provide a private right of action
following a breach of an individual’s PII caused by an entity’s failure to
implement and maintain reasonable security measures.  However, the
individual must provide the entity with written notice of the alleged
violations of the CCPA, and there is no private right of action if the
entity cures the alleged violations within thirty days after receiving
notice and provides the consumer an express written statement that the
violations have been cured.  In addition, the Ohio legislature passed a bill
<https://www.legislature.ohio.gov/legislation/legislation-summary?id=GA132-SB-220>
earlier this year that provides entities with a safe harbor from certain
types of tort-based liability related to data breaches if the entity
implements a cybersecurity program that satisfies certain requirements set
forth in the bill.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20181231/f49c9907/attachment.html>