[BreachExchange] Nine States Pass New And Expanded Data Breach Notification Laws

[Destry Winant]

https://www.dataprotectionreport.com/2019/06/nine-states-pass-new-and-expanded-data-breach-notification-laws/

In the absence of federal action, states have been actively passing
new and expanded requirements for privacy and cybersecurity (see some
examples here and here). While laws like the California Consumer
Privacy Act (CCPA) are getting all the attention, many states are
actively amending their breach notification laws. Illinois, Maine,
Maryland, Massachusetts, New Jersey, New York, Oregon, Texas, and
Washington have all amended their breach notification laws to either
expand their definitions of personal information, or to include new
reporting requirements.

Below is a roundup of recent and significant changes.

2019 U.S. State Laws Round Up:

Illinois (SB 1624) – Illinois proposes notification requirements to
the Attorney General

The Governor is expected to sign an amendment to the Personal
Information Protection Act, requiring businesses to notify the
Attorney General of breaches involving at least 500 Illinois
residents. The Attorney General will also be permitted to publish
information concerning breaches.

Maine (LD 946) – Maine places new restrictions on internet service
providers (ISPs)

Maine’s new Act to Protect the Privacy of Online Consumer Information
prohibits ISPs from using, selling, or distributing consumer data
without their consent. The Act, which will take effect July 1, 2020,
will prohibit ISPs in Maine from attempting to pressure a customer
into allowing the ISP to sell his or her data including by penalizing
the customer or offering a discount.

Maryland (HB 1154) – Maryland imposes new requirements on entities
following a security breach

Amendments to Maryland’s Personal Information Protection Act go into
effect October 1, 2019. Among other things, the amended law: (1)
expands the scope of businesses covered by the law to include
businesses that own, license or maintain personal information of
Maryland residents; (2) prohibits a business responsible for a breach
from charging the applicable data owner or licensee for information
needed for notification; and (3) prohibits business from using
information “relative to the breach” for purposes other than providing
notification regarding the breach, protecting or securing applicable
personal information, and providing notification to certain
information security organization to alert and avert future breaches.

Massachusetts (HB 4806) – Massachusetts expands data breach
notification obligations

Amendments to the Massachusetts’ data breach notification law went
into effect on April 11, 2019. The amendments require businesses to
offer complimentary credit monitoring for 18 months if a breach
involves a resident’s Social Security number. Furthermore, breach
notifications are to be provided on a rolling basis to avoid delay;
and, if the exposed data is owned by a third party, then notice must
identify that third party. Lastly, businesses must inform state
regulators as to whether they maintain “a written information security
program.”

New Jersey (S. 52) – New Jersey expands the definition of personal
information and modifies notification standards

Effective September 1, 2019, New Jersey’s law expands the definition
of “personal information” to include usernames, email addresses,
passwords, and security questions and answers affiliated with an
individual’s online account. If a breach occurs, businesses are
required to notify affected New Jersey residents through written or
electronic notice, directing them to promptly change their log-in
credentials associated with that business, and any other accounts in
which they use the same username or email address, password, or
security questions/answers. Importantly, if a resident’s email account
is the subject of the security breach, the business cannot provide
electronic notice to that email.

New York (SB5575B)- New York expands the scope of protection under the
law and establishes standards for businesses to protect consumer
information

Amendments to the Stop Hacks and Improve Electronic Data Security Act
expand security breach protection to the following categories: (1)
biometric data, (2) account numbers and credit or debit card numbers
without a security code, and (3) usernames, email addresses,
passwords, and security questions and answers. Businesses are exempt
from issuing breach notifications when (1) the breach results from an
unauthorized person’s inadvertent disclosure andthe business
reasonably finds that the breach does not pose any financial or
emotional harm, or (2) the business has already sent out notifications
under federal or other New York regulations. Additionally, the
definition of “breach” is expanded to include unauthorized access, in
addition to acquisition, of private information. Further, businesses
are directed to take “reasonable safeguards” in protecting information
through procedures such as, but not limited to: designating and
training employees to implement and oversee security programs;
regularly testing the effectiveness of security programs and making
necessary modifications; and promptly deleting private information
that is no longer used. Furthermore, the New York Attorney General
will have three years, instead of two, to bring an action against a
business for violating the act.

Oregon (SB 684) – Oregon expands the scope of protected data and
notification requirements for vendors

Effective January 1, 2020, the Oregon Consumer Information Protection
Act extends certain data breach notification requirements to vendors.
Vendors must now notify any contracted “covered entity” within 10-days
of discovering a breach of security, as well as the Attorney General,
if the breach involves more than 250 consumers or if the number of
individuals effected is unknown. Notification to the Attorney General
is not required by vendors if the covered entity has already notified
the Attorney General. The law also expands the definition of “personal
information” to include “user names or other means of identifying a
consumer for the purpose of permitting access to the consumer’s
account.”

Texas (HB 4390) – Texas adds definitive notification timeline and
establishes an advisory council

Effective January 1, 2020, amendments to the Texas Identity Theft
Enforcement and Protection Act law require businesses to send breach
notifications (1) to affected individuals without “unreasonable
delay,” but no later than 60-days after identifying such breach, and
(2) to the Texas Attorney General within 60-days of identifying the
breach, provided that the breach effects at least 250 Texas residents.
Moreover, the law establishes a Texas Privacy Protection Advisory
Council consisting of 15 appointed members who are “to study data
privacy laws in [the] state, other states, and relevant foreign
jurisdictions.”

Washington (HB 1071) – Washington expands the definition of personal
information and sets new notification requirements

Effective March 1, 2020, the definition of “personal information” is
expanded to include the following categories: birthdate; unique
private keys for signing electronic records; student, military, or
password identification numbers; medical information; biometric
information; and online login credentials. Businesses may send breach
notifications by email, unless the breach involves the credentials
associated with that email account. If the breach effects more than
500 residents, then the entity must provide notice to the Attorney
General, identifying the type of information exposed, the time frame
of exposure, the steps taken to fix the breach, and a copy of the
notice sent to affected individuals. Entities must provide updated
notice to the Attorney General if any information required to be
provided to the Attorney General is unknown at the time the notice is
filed. Lastly, the law reduces the prior 45-day notification timeline
to 30-days.