Several States Strengthened Their Data Breach Notification Laws in 2019
Tuesday, June 18, 2019
Legislatures in several states are improving their existing data breach notification laws to provide stronger protections for consumers.
Fully appreciating the changes requires an understanding of the current legal status. The National Conference of State Legislatures summarized it:
"All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information. Security breach laws typically have provisions regarding who must comply with the law (e.g., businesses, data/information brokers, government entities, etc.); definitions of “personal information” (e.g., name combined with SSN, drivers license or state ID, account numbers, etc.); what constitutes a breach (e.g., unauthorized acquisition of data); requirements for notice (e.g., timing or method of notice, who must be notified); and exemptions (e.g., for encrypted information)."
The increased legislative activity comes in the aftermath of the massive Equifax breach in 2017 affecting 145.5 million persons. 2018 was a terrible year with more than one billion consumer accounts affected by multiple data breaches.
Many of the improvements across states require sooner notice to affected persons, so consumers can check their bank/card statements for fraudulent activity and take other security actions. Without sooner notice, fraud can continue, with more money stolen.
Now, the legislative activity in selected states.
First, legislators amended the requirements in the Maryland Personal Information Protection Act (MPIPA), or House Bill 1154. Maryland Governor Larry Hogan approved of the changes, which will go into effect on October 1, 2019. A summary of the changes:
- Requires businesses that own or license "computerized data that includes personal information of an individual residing in the State" to conduct a good-faith breach investigation to determine data abuse when they discover or are notified of a data breach,
- Requires notification of affected persons within 45 days, and
- Requires businesses to maintain, for three years, records of the breach investigation and of a determination that notification of affected persons is not required.
Second, Massachusetts Governor Charlie Baker signed legislation in January that went into effect on April 11, 2019. Changes in the new law: no fees for consumers to place, lift, or remove Security Freezes; credit monitoring required when Social Security numbers are disclosed during the breach; and an expanded list of requirements when businesses provide notice to the Massachusetts Attorney General and to the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR).
Third, New Jersey amended its breach law. SC Magazine summarized the changes:
"The new law expands the definition of what constitutes personal information that, if exposed in a breach, would require a company to issue a notification. Once S-52 takes effect on Sept. 1, 2019, personal information will also include a “user name, email address, or any other account holder identifying information, in combination with any password or security questions and answer…” the law states."
Fourth, Oregon Governor Kate Brown signed into law Senate Bill 684 on May 24, 2019. The JD Supra site reported:
"The most significant changes are around service providers, who will take on an independent obligation to notify the state Attorney General (AG) about data security breaches. A handful of other, more subtle changes are also included in the amendments, which take effect January 1, 2020... The obligation that service providers notify the AG is triggered by breaches affecting the personal information of over 250 Oregon consumers, or when the number cannot be determined... The new obligation increases the number of parties involved in incident response and notice decisions... This round of amendments adds user names, combined with password or other means of authentication, to the list of notice-triggering personal information... One other amendment also touches service providers. Where previously service providers had to notify business customers “as soon as practicable” after discovering a breach, the amendments set a deadline of 10 days."
Many companies outsource back-office work to vendors. So, the Oregon law keeps pace with common business practices. Readers wanting to learn more can read this blog's Outsourcing section.
A new, separate bill in Oregon covers internet-connected devices, also called the Internet of Things (IoT). Many consumers have installed IoT devices in their homes. According to JD Supra:
"The Oregon connected device security law is largely consistent with California’s new connected device security law, and both take effect January 1, 2020. Both require that manufacturers equip IoT devices with reasonable security features. Under either statute that can mean setting unique passwords for each unit shipped, or requiring end users to set a new password when they first access the device, in order to access the devices remotely from outside the devices’ local area network. This is a floor, not a ceiling, and both laws leave room for other security features..."
When manufacturers sell IoT devices all configured with the same universal password, it is a huge security problem. Bad actors can remotely access consumers' IoT devices to commit identity theft, fraud, and more. Consumers require greater protection, and the new IoT law is a good first step. Readers wanting to learn more can read this blog's Internet of Things section.
Fifth, Washington Governor Jay Inslee signed HB 1071 on May 7, which expanded the state’s data breach notification law. The changes become effective March 1, 2020. The National Law Review reported that breach:
"... notices must be provided no more than thirty days after the organization discovers the breach. This applies to notices sent to affected consumers as well as to the state’s Attorney General. The threshold requirement for notice to the Attorney General remains the same—it is only required if 500 or more Washington residents were affected by the breach."
The new law in Washington also expanded the list of sensitive data elements comprising "personal information" when combined with a person's name: birth date; "unique private key used to authenticate" electronic records; passport, military, and student ID numbers; health insurance policy or identification number; medical history, health conditions, diagnoses, and treatments; and biometric data (e.g., fingerprints, retina scans, voiceprints, etc.).
As more states announce amended breach notification laws, this blog will cover those actions.