We know how important data privacy and security are to your business. We also know that the legal requirements in this area are constantly evolving. To keep you up to date on the latest data breach notification laws across the United States, we’ve summarized the updates for the first half of 2016 below.
There is currently no federal data breach notification law. Consequently, 47 states have some form of data breach notification law. Generally, these laws incentivize the implementation of effective controls by exposing companies to the harm associated with the public disclosure of a failure to protect personal information. State data breach notification laws are often similar, but vary in important ways from state to state. These laws generally are applicable to private entities conducting business in the particular state. They require notification to the owners of the information subject to the breach. Data breach notification laws are routinely being amended to respond to changes in technology and personal information. So far in 2016, governors in Arizona, Illinois, Nebraska and Tennessee have signed legislation to amend their state’s data breach notification law.
Arizona
H.B. 2363; Signed April 5, 2016; Effective August 6, 2016
House Bill 2363 amended (http://www.azleg.gov/DocumentsForBill.asp?Bill_Number=HB2363) Section 44-7501 of Arizona’s Revised Statutes. Section 44-7501 now states that Arizona’s data breach law does not apply to business associates of covered entities as defined under regulations implementing HIPAA.
Illinois
H.B. 1260; Public Act 503; Signed May 6, 2016; Effective January 1, 2017
Illinois amended (http://www.ilga.gov/legislation/BillStatus.asp?DocTypeID=HB&DocNum=1260&GAID=13&SessionID=88&LegID=85740) the Personal Information Protection Act (815 ILCS 530/1 et seq.) to add breaches of security involving electronic medical information, health insurance information, claims information and unique biometric data to the types of breaches for which notice is required. Notice is now also required for breaches of online accounts involving a user name or email address in combination with a password or security question. Also, substitute notice via local media is now permitted under certain conditions.
Nebraska
LB 835; Signed April 13, 2016; Effective July 20, 2016
Nebraska’s legislature amended the Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 (http://nebraskalegislature.gov/bills/view_bill.php?DocumentID=28592). Under the Act, a breach occurs due to unauthorized acquisition of unencrypted computerized data. As amended, data is not considered encrypted if the confidential process or key was or is reasonably believed to have been acquired as a result of the breach of the security of the system. Additionally, the definition of “personal information” is amended to include a user name or email address, in combination with a password or security question and answer. Finally, individuals or commercial entities that are subject to the Act must now notify the Attorney General of the breach, as well as the consumer.
Tennessee
S.B. 2005; Signed March 24, 2016; Effective July 1, 2016
Tennessee amended (http://wapp.capitol.tn.gov/apps/BillInfo/Default.aspx?BillNumber=SB2005) its data breach notification law to require notification of a breach even if the personal information involved in the breach was encrypted. The law was further amended to include employees of the information holder as “unauthorized persons”, and requires disclosure of the breach no later than forty-five days from the discovery or notification of the breach.
Of all the state data breach notification legislation in 2016, Tennessee’s amendment is the most noteworthy. Tennessee is the first state to require notification regardless of whether the data that is the subject of the breach is encrypted. Most data breach notification statutes only require notification if the subject data is unencrypted. This change may lead to an increase in data breaches that will be subject to the notification requirements of the statute. Additionally, Tennessee’s data breach law now requires disclosure of a breach no later than forty-five days from the date of discovery. Tennessee will be one of the few states that provides a set time-period for notification. Most state data breach laws use vague terms to define the notification time-period, such as Tennessee’s previous requirement to notify within the most expedient time possible and without unreasonable delay. As more states move towards implementing set time-periods for notification, it becomes even more important for businesses to prepare for a data breach. Maintaining a written information security plan, with a defined data breach response plan, is the most effective way to prepare for what is becoming a common occurrence for businesses of all sizes.
If you have any questions regarding cyber liability, data privacy or state data breach notification laws, or need assistance creating an information security plan, please contact Tim Hayes at McKenna Storer.