Breach notification statutes remain one of the most active areas of the law. Seldom does a month go by without a new bill or amendment addressing privacy or data security, and this month is no exception.
The state of Virginia recently expanded its breach notification statute to include income tax information among the types of information that require notification to the Office of the Attorney General. Likely a reaction to the increase in W2 tax fraud discussed in greater detail by my colleague here, this new amendment does not require notification to the individual taxpayers. Instead, affected entities must notify the Virginia attorney general, who in turn must notify the Department of Taxation. Of course, if the incident involves Social Security numbers, which the majority of W2 tax fraud incidents do, then the existing provisions would require notification to affected individuals.
In Tennessee, lawmakers are amending the state’s notification statute for the second time in less than a year. Tennessee’s original 2005 breach notification law included a safe harbor for encrypted data. In 2016, that exemption was removed from the definition of “breach” but remained in the definition of “personal information.” This led to some confusion as to whether unauthorized access to encrypted data still required notification. This latest amendment revises both definitions, and clarifies that notification is required if an unauthorized person acquires either unencrypted data or encrypted data and the corresponding decryption key.
Finally, although it has not signed the statute yet, New Mexico is on the verge of becoming the 48th state to enact a breach notification statute. Last month, the New Mexico legislature passed the Data Breach Notification Act (HB 15). Pending Governor Martinez’s signature, HB 15 would require notification to affected individuals within 45 days from the date of discovery. If the incident affects more than 1,000 New Mexico residents, notice must also be provided to the state attorney general and the three major credit bureaus. There is a risk-of-harm threshold and an exception for entities subject to the Gramm-Leach-Bliley Act or HIPAA. For a detailed analysis of HB 15, see: New Mexico passes data breach notification and protection bill.