IllinoisNebraska, and Tennessee recently amended their data breach notification laws to broaden the scope of protectable data and refine notification procedures in the event of a security breach. Illinois and Nebraska both expanded the definition of "personal information" to include online account credentials (i.e., a user name or email address combined with a password or security question and answer that would permit access to an online account). Illinois additionally created new categories of "personal information" covering certain medical, health, and biometric information. All three states also amended provisions that previously created a safe harbor for encrypted data. Whereas Illinois and Nebraska have clarified those provisions, providing further guidance that data breaches involving encrypted data will still trigger notification obligations if the encryption key has also been acquired, Tennessee became the first state to eliminate the automatic safe harbor entirely. Under the amended Tennessee law, entities can no longer escape notification obligations simply by encrypting their data, though encryption may be considered when determining whether personal information has been "materially compromised." Tennessee also established a new statutory notification deadline that requires notice to individuals within 45 days of discovering a data breach, and Nebraska now imposes a new obligation to notify the state Attorney General no later than the time that notice is provided to individuals. Other amendments to Illinois' data breach notification law include updated data security requirements among data collectors and new requirements for contracts with third parties to narrow the possibility of unauthorized disclosures of personal information pursuant to the contract. The full text of the amended data breach notification laws are available through the following links: ILNE, and TN. Nebraska's and Tennessee's amended laws took effect in July 2016; the Illinois amendments will go into effect on January 1, 2017.