Nevada and Connecticut recently enacted amendments to their breach notification and data security requirements that are uncommon among existing state laws, imposing new compliance obligations on companies doing business in these states, as further described below.
Nevada’s Assembly Bill No. 179 expands the definition of “personal information” subject to Nevada’s data security, encryption, and breach notification requirements to include online account credentials, medical identification number, health insurance identification number, and driver authorization card number.
The Nevada amendment is unique because it expands Nevada’s already significant encryption requirement, which mandates encryption of personal information transferred electronically outside of the business for companies doing business in the state that are not subject to the Payment Card Industry Data Security Standard (“PCI-DSS”). Nevada continues to require companies that accept payment cards to comply with PCI-DSS, including its encryption obligations. As a result, companies that do not accept payment cards are subject to different, and in some ways more burdensome, encryption requirements under Nevada law than those that do accept credit and debit cards. For these companies, Nevada now sets a new standard for state encryption requirements of general applicability by mandating encryption of online account credentials, medical identification numbers, health insurance identification numbers, and driver authorization card numbers – personal data not subject to the encryption obligations under Nevada’s existing law or the Massachusetts data security regulations.
Further, in addition to encryption, the Nevada amendment requires “reasonable” data security, as well as breach notification, for this expanded set of personal information. With respect to breach notification, AB 179 follows a trend started by California in 2013, as reported here, in requiring notice for breach of online account credentials. Unlike California, however, Nevada does not allow for an alternative notification format option with respect to breaches of online account credentials. Assembly Bill 179, which took effect July 1, 2015, requires compliance with the new obligations by July 1, 2016.
Connecticut recently amended its breach notification statute pursuant to Public Act No. 15-142, effective October 1, 2015, to require that breached entities offer “appropriate identity theft prevention services and, if applicable, identity theft mitigation services” to affected Connecticut residents whose Social Security numbers were exposed in the breach. The Connecticut amendment requires such offering at no cost for a period of not less than 12 months, although a representative of the Connecticut Attorney General’s Office has publicly indicated that they will continue to expect two years of the identity theft prevention services when Social Security numbers are compromised. Public Act 15-142 further specifies that the breached entity must provide affected individuals with “all information necessary for such resident to enroll in such service or services and shall include information on how such resident can place a credit freeze on such resident's credit file.”
Connecticut’s amendment follows a similar amendment to California’s breach notification law, reported here, and arguably codifies an offering that has for some time been expected, and generally provided, in connection with breaches exposing Social Security numbers or other information particularly at risk for identity theft. Public Act 15-142 also limits the “without unreasonable delay” standard for notification letters to no more than 90 days after discovery of a breach, unless a shorter time is required by federal law, and imposes new requirements that health insurance companies maintain a comprehensive information security program and certify their compliance with that requirement. New information security requirements are also imposed on state contracting agencies and their contractors.