Several states passed new breach notification laws. Florida and Iowa both amended their existing laws, while Kentucky enacted its first. All three of these laws took effect in July. California also passed an amendment to its breach notification, data security, and social security number marketing laws. With the addition of Kentucky there are now 49 breach notification laws in the United States.
Florida. The Florida amendments are extensive, replacing the former statute with a new section in the state code. The new law expands the definition of the term “personal information” to include usernames or email addresses in combination with passwords or security questions, as well as information related to health insurance. The new law also extends the trigger for notification from “unauthorized acquisition” to “unauthorized access.” Florida shortened the deadline for notifying residents from 45 to 30 days, and added a requirement to report breaches involving more than 500 residents (including determinations that no risk of harm exists) to the Florida Attorney General. The law took effect July 1, 2014.
Iowa. Iowa clarified that a “breach of security” includes unauthorized acquisition of personal information in any medium, including paper. Iowa also expanded the scope of personal information to include encrypted records when the means to decrypt the records (such as the key) was also obtained in the breach. The amendments added a requirement to report breaches affecting over 500 residents to the Iowa Attorney General. These amendments took effect July 1, 2014.
Kentucky. The new Kentucky law mirrors many of the other breach notification laws in the country. For example, it limits the definition of the term “personally identifiable information” to an individual’s first name or first initial and last name in combination with social security number, driver’s license number, or financial account information. The law is triggered by unauthorized acquisition of covered data and requires notification to be made in an expedient manner. The law took effect July 15, 2014. A separate law set out breach notification requirements for Kentucky’s governmental agencies.
California. The California law (AB 1710), which passed on August 25, 2014, amends current legal requirements for data breach, data security, and use of social security numbers for marketing purposes. First, entities that “maintain” personal information, not just those that own or license such data, must maintain reasonable data security procedures. Second, the law requires an entity that is the source of a breach that included social security, driver’s license, or California identification numbers to include language in the notice offering twelve months of free identity theft protection. Finally, the amended law will bar entities from selling, or offering to sell, social security numbers for marketing purposes. The bill has been sent to the Governor of California, and if signed, would take effect January 1, 2015.