States are updating their data security statutes in response to the increasing number of data breaches that are exposing residents’ personal information to unauthorized users. Two states in particular – Illinois and Tennessee – recently made sweeping changes to their respective data security statutes in an attempt to make organizations more responsive in light of this growing data security concern.
On March 24, 2016, Tennessee Gov. Bill Haslam signed S.B. 2005. The Bill is effective July 1, 2016, and makes significant changes to Tennessee’s current data security statute. Organizations that maintain personal information on Tennessee residents should ensure they are compliant with the following changes.
“Encryption Safe Harbor” Eliminated: The Bill’s most significant departure from the current law is the elimination of the “encryption safe harbor.” Previously, organizations were only required to notify Tennessee residents in the event of a breach affecting unencrypted personal information. Organizations will now be required to notify residents regardless of whether or not the data was encrypted. Tennessee is the only state that requires breach notification of encrypted data.
45-Day Notification Requirement Added: Organizations will be required to notify affected Tennessee residents of a data breach immediately, but no later than 45 days from discovery of a data breach. Previously, Tennessee, like most other states, only required notification “in the most expedient time possible and without unreasonable delay.” This 45-day notification deadline now gives organizations a strict deadline for notifying residents of a breach.
“Unauthorized Person” Definition Clarified: The Bill will expand the “unauthorized person” definition to include employees of an organization who have access to personal information and intentionally use it for an unlawful purpose. Because Tennessee has always required notification when personal information is used for unlawful purposes, this clarification should not impose additional reporting burdens.
“Exempted Entities” Expanded: Finally, the Bill will exempt organizations subject to HIPAA from complying with Tennessee’s breach notification laws. This is in addition to the current safe harbor for entities subject to the Gramm-Leach-Bailey Act.
On May 6, 2016, Gov. Bruce Rauner signed House Bill 1260 into law, which significantly broadens Illinois’ data security statute. The Bill, known as the Personal Information Protection Act (PIPA), will take effect Jan. 1, 2017. Organizations that maintain personal information on Illinois residents should ensure they are compliant with the following changes.
“Personal Information” Definition Expanded: “Personal information” now includes medical information, health insurance information and unique biometric data used in combination with an individual’s first name or first initial and last name. Therefore, organizations will be required to provide notice of a breach involving “any information regarding an individual’s medical history, mental or physical condition …” Further, “personal information” was also expanded to cover a resident’s user names or email addresses in conjunction with a password or security question and answer that could give an unauthorized user access to an online account.
“Encryption Safe Harbor” Exception Narrowed: Organizations will be required to notify Illinois residents if the password to unencrypt or underact personal information is also acquired during the breach. This notification must notify the resident to promptly “change his or her user name or password and security question or answer…”
Additional Notice Requirements Added: PIPA will require organizations to report a data security breach that impacts more than 250 Illinois residents to the Illinois Attorney General. Organizations must provide notice either within 45 days of the date when the breach was discovered or 45 days of the date notice was given to residents, whichever is shorter.
“Reasonable Security Measures” Standard Implemented: Finally, PIPA will require organizations to “implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification or disclosure.” Similar to most other states, Illinois does not define “reasonable security measures” or provide examples of how to ensure compliance with this standard. Therefore, organizations should ensure that they at least have security protocols that are in line with industry standards.
Exemptions Clarified: PIPA contains a safe harbor for organizations that are subject to and in compliance with the Gramm-Leach Bliley Act or HIPAA. For organizations that are required to provide notice of a data breach to the U.S. Department of Health and Human Services (HHS) must now also notify the Illinois Attorney General within five days of notifying HHS.