In the absence of federal action, states have been actively passing new and expanded requirements for privacy and cybersecurity. While laws like the California Consumer Privacy Act (CCPA) are getting all the attention, many states are actively amending their breach notification laws. Illinois, Maine, Maryland, Massachusetts, New Jersey, New York, Oregon, Texas, and Washington have all amended their breach notification laws either to expand their definitions of personal information or to add new reporting requirements.
Below is a roundup of recent and significant changes.
2019 U.S. State Laws Round Up:
Illinois (SB 1624) – Illinois proposes notification requirements to the Attorney General
The Governor is expected to sign an amendment to the Personal Information Protection Act, requiring businesses to notify the Attorney General of breaches involving at least 500 Illinois residents. The Attorney General will also be permitted to publish information concerning breaches.
Maine (LD 946) – Maine places new restrictions on internet service providers (ISPs)
Maine’s new Act to Protect the Privacy of Online Consumer Information prohibits ISPs from using, selling, or distributing consumer data without the consumer’s consent. The Act, which will take effect July 1, 2020, will prohibit ISPs in Maine from attempting to pressure a customer into allowing the ISP to sell his or her data, including by penalizing the customer or offering a discount.
Maryland (HB 1154) – Maryland imposes new requirements on entities following a security breach
Amendments to Maryland’s Personal Information Protection Act go into effect October 1, 2019. Among other things, the amended law: (1) expands the scope of businesses covered by the law to include businesses that own, license, or maintain personal information of Maryland residents; (2) prohibits a business responsible for a breach from charging the applicable data owner or licensee for information needed for notification; and (3) prohibits businesses from using information “relative to the breach” for purposes other than providing notification regarding the breach, protecting or securing the applicable personal information, and providing notification to certain information security organizations to alert them and avert future breaches.
Massachusetts (HB 4806) – Massachusetts expands data breach notification obligations
Amendments to the Massachusetts data breach notification law went into effect on April 11, 2019. The amendments require businesses to offer complimentary credit monitoring for 18 months if a breach involves a resident’s Social Security number. Furthermore, breach notifications are to be provided on a rolling basis to avoid delay, and if the exposed data is owned by a third party, the notice must identify that third party. Lastly, businesses must inform state regulators as to whether they maintain “a written information security program.”
New Jersey (S. 52) – New Jersey expands the definition of personal information and modifies notification standards
Effective September 1, 2019, New Jersey’s law expands the definition of “personal information” to include usernames, email addresses, passwords, and security questions and answers affiliated with an individual’s online account. If a breach occurs, businesses are required to notify affected New Jersey residents through written or electronic notice, directing them to promptly change their log-in credentials associated with that business, and any other accounts in which they use the same username or email address, password, or security questions/answers. Importantly, if a resident’s email account is the subject of the security breach, the business cannot provide electronic notice to that email.
New York (SB 5575B) – New York expands the scope of protection under the law and establishes standards for businesses to protect consumer information
Amendments to the Stop Hacks and Improve Electronic Data Security Act expand security breach protection to the following categories: (1) biometric data, (2) account numbers and credit or debit card numbers without a security code, and (3) usernames, email addresses, passwords, and security questions and answers. Businesses are exempt from issuing breach notifications when (1) the breach results from an unauthorized person’s inadvertent disclosure and the business reasonably finds that the breach does not pose any financial or emotional harm, or (2) the business has already sent out notifications under federal or other New York regulations. Additionally, the definition of “breach” is expanded to include unauthorized access, in addition to acquisition, of private information. Further, businesses are directed to take “reasonable safeguards” in protecting information through procedures such as, but not limited to: designating and training employees to implement and oversee security programs; regularly testing the effectiveness of security programs and making necessary modifications; and promptly deleting private information that is no longer used. Furthermore, the New York Attorney General will have three years, instead of two, to bring an action against a business for violating the act.
Oregon (SB 684) – Oregon expands the scope of protected data and notification requirements for vendors
Effective January 1, 2020, the Oregon Consumer Information Protection Act extends certain data breach notification requirements to vendors. Vendors must now notify any contracted “covered entity” within 10 days of discovering a breach of security, and must also notify the Attorney General if the breach involves more than 250 consumers or if the number of individuals affected is unknown. Notification to the Attorney General is not required of vendors if the covered entity has already notified the Attorney General. The law also expands the definition of “personal information” to include “user names or other means of identifying a consumer for the purpose of permitting access to the consumer’s account.”
Texas (HB 4390) – Texas adds definitive notification timeline and establishes an advisory council
Effective January 1, 2020, amendments to the Texas Identity Theft Enforcement and Protection Act require businesses to send breach notifications (1) to affected individuals without “unreasonable delay,” but no later than 60 days after identifying the breach, and (2) to the Texas Attorney General within 60 days of identifying the breach, provided that the breach affects at least 250 Texas residents. Moreover, the law establishes a Texas Privacy Protection Advisory Council consisting of 15 appointed members who are “to study data privacy laws in [the] state, other states, and relevant foreign jurisdictions.”
Washington (HB 1071) – Washington expands the definition of personal information and sets new notification requirements
Effective March 1, 2020, the definition of “personal information” is expanded to include the following categories: birthdate; unique private keys for signing electronic records; student, military, or passport identification numbers; medical information; biometric information; and online login credentials. Businesses may send breach notifications by email, unless the breach involves the credentials associated with that email account. If the breach affects more than 500 residents, the entity must provide notice to the Attorney General, identifying the type of information exposed, the time frame of exposure, the steps taken to fix the breach, and a copy of the notice sent to affected individuals. Entities must provide updated notice to the Attorney General if any information required to be provided to the Attorney General is unknown at the time the notice is filed. Lastly, the law reduces the prior 45-day notification timeline to 30 days.