Data Protection Report - Norton Rose Fulbright

Two states, Tennessee and Nebraska, have recently enacted changes to their data breach notification laws that will go into effect in July.  Here’s what you need to know about each:

Tennessee

Effective date: July 1, 2016

Key changes

  • Encryption of data compromised in a security incident no longer confers a safe harbor. However, a breached entity can still perform a risk analysis and consider encryption as a factor when determining whether notification is necessary.
  • Tennessee residents must be notified within 45 days of discovering the data breach.
  • The definition of an “unauthorized person” now includes employees who are discovered to have obtained personal information and intentionally used it for an unlawful purpose.

Our Take

Tennessee is now the eighth state to set a specific statutory notification deadline, joining Florida (30 days for residents and state officials), Ohio (45 days for residents), Puerto Rico (10 days for state officials), Rhode Island (45 days for residents), Vermont (45 days for residents, 14 for state officials), Washington (45 days for residents and state officials), Wisconsin (45 days for residents).

While encrypted personal information will no longer automatically and cleanly provide a safe harbor for the notification obligation, encryption will remain a significant factor to consider in determining whether data has been “materially compromised.”  A deeper analysis of encryption may be necessary – for example, the security of the encryption keys or passwords used to access the encrypted data will need to be assessed, along with the strength of the particular encryption technology used and whether there are known methods for circumventing it.

 

Nebraska

Effective date: July 20, 2016

Key changes

  • Personal information is not considered encrypted if the encryption key is reasonably believed to have been acquired during the breach.
  • The definition of “personal information” is expanded to include that person’s name or email in combination with a password or security question and answer that could give the holder access to online accounts.
  • Notifications to the Nebraska Attorney General’s office must be delivered no later than the time that notice is provided to a Nebraska resident (with no minimum threshold number of residents or other additional requirement necessary to trigger notification to the AG).

Our Take

Nebraska is now the fifth state to add account credentials to its definition of personal information, joining California, Florida, Nevada, and Wyoming.  This trend has the potential to greatly increase the instances when disclosure is triggered by security incidents, and companies should enhance their security controls around credentials accordingly.

The clarification regarding encryption brings Nebraska’s law into accordance with most state laws on the issue of encryption.  However, it is a good reminder that companies should take precautions to protect encryption keys and processes.

* Mia Havel is admitted to practice law in Massachusetts and the District of Columbia. Her practice is supervised by principals of the firm admitted in Colorado.

To subscribe for updates from our Data Protection Report blog, visit the email sign-up page.