With so much attention being paid to the impending California Consumer Privacy Act, it can be easy to forget that other states have privacy and data security laws too. And those laws change routinely, with potentially significant impacts on businesses. Here is a quick rundown of changes to state data breach notification laws that have been enacted since the beginning of 2019.
Arkansas: On April 10, 2019, the Arkansas General Assembly enacted amendments to the Arkansas Personal Information Protection Act. The amendments added “biometric data,” such as fingerprints, retina scans, voiceprints, and DNA data, to the law’s definition of “personal information.”
The amendments also require personal data holders to notify the Arkansas attorney general if a data breach involves more than 1,000 individuals. The attorney general must be notified at the same time the affected individuals are notified or within 45 days after the breached entity determines there is a reasonable likelihood of harm to customers, whichever occurs first.
The amendments also require a breached entity to retain a copy of the written determination of a data breach and supporting documentation for five years after the breach has been detected. If the attorney general submits a written request for this documentation, the entity must provide it within 30 days.
The amendments became law on April 15, 2019 and become effective on July 23, 2019.
Illinois: On May 27, 2019, the Illinois General Assembly passed amendments to the Illinois Personal Information Protection Act with regard to data breach notifications. Under the amended law, in addition to any obligation they may have to notify the affected individuals, data collectors are also required to notify the Illinois attorney general if a data breach involves the personal information of more than 500 Illinois residents. Data collectors must give notice to the attorney general “in the most expedient time possible and without unreasonable delay,” but no later than when notice is given to the affected individuals.
The General Assembly sent the bill to Governor J.B. Pritzker on June 25. He has 60 days to approve or veto the bill. Absent action from Governor Pritzker, the bill will automatically become law upon expiration of the 60 days.
Maryland: On April 30, 2019, Governor Larry Hogan signed a bill amending the security breach notification requirements of Maryland’s Personal Information Protection Act. The amendments expand data breach investigation requirements to businesses that maintain computerized personal data but do not own or license that data. When there is a breach in such a situation, notification requirements fall on the business that owns or licenses the personal data. The business that maintains the data, however, cannot charge the owner or licensee a fee for providing the information the owner or licensee needs to make the required notifications.
The new provisions become effective on October 1, 2019.
New Jersey: On May 10, 2019, New Jersey enacted amendments to certain provisions of its data breach notification laws. These amendments expand the definition of “personal information” to include a person’s first name or first initial and last name when linked with a “user name, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account.” If a breach includes no additional personal information as defined in the law, the entity may provide notice electronically and direct the individual whose information has been breached to “promptly change any password and security question or answer” or take “other appropriate steps to protect the online account . . . and all other online accounts for which the customer uses the same user name or email address and password or security question or answer.” An entity that provides a customer email account, however, cannot send notification of a data breach to an email address that is subject to that data breach.
The amendments become effective on September 1, 2019.
Oregon: On May 24, 2019, Governor Kate Brown signed into law amendments to the Oregon Consumer Identity Theft Protection Act, which will be renamed the Oregon Consumer Information Protection Act when the amendments become effective on January 1, 2020. The amendments make a distinction between a “covered entity” and a “vendor” that is similar to the “controller” and “processor” distinction in the GDPR. A covered entity is an entity that “owns, licenses, maintains, stores, manages, collects, processes, acquires, or otherwise possesses personal information” in the course of its “business, vocation, occupation or volunteer activities.” A vendor is an entity “with which a covered entity contracts to maintain, store, manage, process or otherwise access personal information for the purpose of, or in connection with, providing services to or on behalf of the covered entity.”
A vendor who discovers a breach or has reason to believe a breach has occurred must notify the covered entity “as soon as practicable but not later than 10 days” after discovering the breach or having reason to believe a breach has occurred. The covered entity is then responsible for giving the requisite notice to the affected individuals. The vendor must also notify the Oregon attorney general if the breach involves more than 250 Oregon residents or the vendor is unable to determine the number of Oregon residents affected. This is in addition to any requirements the covered entity may have to notify the attorney general.
Texas: On June 14, 2019, Texas Governor Greg Abbott signed into law amendments to the Texas Identity Theft Enforcement and Protection Act. Under the prior version of the law, holders of sensitive personal data had to disclose any data breach to the individuals affected “as quickly as possible.” The amendments change this standard to “without unreasonable delay and in each case not later than the 60th day after the date on which the person determines that the breach occurred.” The amendments also now require notification to the Texas attorney general if a breach involves at least 250 Texas residents. These new notification provisions go into effect on January 1, 2020.
The law also creates the Texas Privacy Protection Advisory Council “to study data privacy laws in this state, other states, and relevant foreign jurisdictions.” The council will consist of 15 Texas residents: five state representatives and two industry representatives appointed by the speaker of the house, five senators and two industry representatives appointed by the lieutenant governor, and three industry representatives and two non-profit or academia representatives appointed by the governor. The law tasks the council with studying privacy and data protection laws from other jurisdictions. It must report its findings and recommendations for any changes to Texas law no later than September 1, 2020.
Utah: On May 14, 2019, certain amendments to Utah’s Protection of Personal Information Act became effective. Under the prior version of the law, notification of a data breach could be provided by publication in a newspaper of general circulation and in accordance with general legal notice requirements. Under the new law, notice by publication is permitted only for Utah residents for whom notification by other permissible means “is not feasible.”
The amendments also lifted the cap on civil penalties for data breaches that involve 10,000 or more Utah residents and 10,000 or more residents of other states. They also set a 10-year limitations period for administrative enforcement actions under the Act and a 5-year limitations period for civil actions under the Act, both running from “the day on which the alleged breach of system security last occurred.”
Washington: On May 7, 2019, Governor Jay Inslee signed a bill amending Washington’s data breach notification law. The amendments require any notification involving a data breach of login credentials to “inform the person whose personal information has been breached to promptly change his or her password and security question or answer, as applicable, or to take other appropriate steps to protect the online account with the person or business and all other online accounts for which the person whose personal information has been breached uses the same user name or email address and password or security question or answer.” This notification can be sent by email, unless, of course, it is the login credentials to that email account that have been breached. Under the amendments, breach notifications are now required to include the date of the breach and the date the breach was discovered. And the maximum time to issue breach notification is lowered from 45 days to 30 days, subject to certain exceptions.
Under the amendments, breached entities must notify the Washington attorney general within 30 days of discovery of any breach involving more than 500 Washington residents. Along with the information previously required, this notice must now also include the types of personal information breached, the time frame of exposure, a summary of the steps taken to contain the breach, and a sample copy of the security breach notification sent to the affected individuals.
The amendments become effective on March 1, 2020.
At least nine other state legislatures are currently considering bills that would create data breach notification obligations or modify those that are already in place. As you can see, it is important for businesses to assess which state laws they are subject to and monitor them to stay informed as to how their legal obligations may change over time.