You hopefully already know that Maryland’s data breach notification law went into effect this week (on January 1, 2018). We anticipate that other states may follow one of Maryland’s modifications, namely its expansion of the definition of personal information. Under the amended law “personal information” now includes an expanded definition of biometric information. Biometric information is defined as any automatically generated biologic measurements, rather than just specifically listed items like fingerprints (the definition prior to the amendment). A handful of states have laws —like Maryland— that include biometric information in the definition of personal information. Those include Illinois, Nebraska, Nevada, North Carolina, Wisconsin, and Wyoming. We expect other states may join these. We also expect that states may otherwise continue to expand the definition of personal information in their breach notice laws.

Putting It Into Practice: Companies that collect and store information about individuals should continue to examine their information protection measures as the definition “personal” expands in breach notice laws.