In the midst of substantial legislative attention to data security and privacy in states across the nation this year, two states took concrete action this month to clarify and expand notification requirements following a data security breach. In addition, the state of Connecticut opened a new agency department within the Office of Attorney General to handle data security and consumer privacy matters.
Montana and Wyoming each amended their data security breach notifications laws to redefine what constitutes personally identifiable information, altering the types of data that would trigger a notification requirement. Notably, both states now include health and medical record information within the category of personally identifiable information. In addition, Wyoming has removed certain employment data from the definition, including a person’s place of employment and employee identification number, and added other types of data, such as login and password information that would permit access to an online account. A separate bill amended Wyoming’s law to require companies to provide “clear and conspicuous notice” to individuals affected by a data security breach, including at a minimum a general description of the breach, the approximate date of the breach, actions taken to guard against future breaches, and advice for how to remain vigilant in protecting against identity theft. Lastly, Montana’s law now requires companies to notify the state attorney general’s Consumer Protection Office in addition to affected individuals, and insurance entities must also notify the state’s insurance commissioner. The full text of Montana’s law as amended, which becomes effective in October 2015, is available here. The amended provisions of Wyoming’s law go into effect in July 2015 and are available here and here.
Connecticut created a new permanent department within the Office of the Attorney General this month titled the Privacy and Data Security Department. Formed to continue the work of an interdisciplinary Privacy Task Force appointed in 2011, the new department will work exclusively on investigations and litigation related to data security and consumer privacy. The announcement from State’s Attorney General George Jepsen is available here.
These actions demonstrate a continued effort among select states to protect the personally identifiable information of their constituents, especially in the absence of a national data breach statute from Congress. Although Congress is currently considering a sweeping bill to establish a national standard for data breach notification, until its enactment companies storing personally identifiable information must navigate a complicated landscape of state law to ensure compliance. As of yet, 47 different state data breach notification laws remain in force.