This summer has seen a flurry of new state legislative activity concerning data security and data breach notification, as Nevada, Oregon, Rhode Island and Connecticut have each amended their laws to strengthen protections for individuals affected by a data breach. Many of these new laws expand the definition of “personal information,” the release of which in unencrypted form triggers notification obligations for entities storing consumer data.
Nevada amended its data breach notification laws in May 2015 to broaden the scope of “personal information,” which is defined as certain data elements combined with an individual’s name. The newly added data elements include a driver authorization card number, a medical identification number or health insurance identification number, and any username, email address, or unique identifier accompanied by a password, access code, or security question response, so as to permit access to an online account. The new law also clarifies a public availability exemption, which eliminates the notification requirement when the same information has already been released to the general public by the government.
Oregon enacted an amendment to the Oregon Consumer Identity Theft Protection Act in June 2015 that expands the definition of “personal information” to include certain biometric and medical data. The amended law also imposes a new duty to notify the Oregon Attorney General of any breach that results in notification to more than 250 residents, although it simultaneously relieves entities of the duty to notify consumers in the first place if the individuals affected by the breach are “unlikely to suffer harm.” The amendment similarly narrows the duty to notify consumer reporting agencies, requiring notice to such agencies only when the breach affects more than one thousand residents.
Rhode Island passed the Rhode Island Identity Theft Protection Act (RIITPA) in June 2015, which extends the definition of “personal information” to include medical and health insurance information, as well as certain email address information. RIITPA requires notification to individuals affected by a data breach within 45 days of discovery, as well as notification to the state Attorney General within the same time frame if the breach involves more than 500 individuals. RIITPA also mandates that any entity doing business in Rhode Island that “stores, collects, processes, maintains, acquires, uses, owns or licenses personal information” about residents must implement a “risk-based information security program” to protect consumer data. If such an entity discloses personal information to a third party, it must execute a written contract requiring the third party to maintain reasonable security measures.
Connecticut recently enacted amendments to its data security breach laws that now require notification to individuals affected by a breach within 90 days of its discovery (with a permissible delay as necessary to fully investigate the breach). If the breach involves Social Security numbers, entities must also offer one year of complimentary identity theft prevention and mitigation services, together with information on how to enroll in such services and how to place a credit freeze. The amendments also establish new standards for protecting data in the health insurance industry, requiring a “comprehensive information security program” that incorporates specific access controls. Most provisions of these new laws take effect in October 2015 or in 2017.