This is proving to be a banner year for new breach notice requirements. In the period between 2006 and 2009, most US states enacted data breach notice laws. This year, we are seeing a wave of “second-generation” breach notice laws that may be individually modest but collectively add up to greater compliance requirements for businesses. At least eight states have adopted such second-generation laws this year, and California and Illinois are likely to amend their laws by early fall. In addition, the number of states with data security laws has increased and an onerous state contractor data security law was enacted and has taken effect in Connecticut.
The latest round of high-profile data breaches prompted state Attorneys General and legislators in many states to advocate for more stringent data breach notification requirements. In 2015, updates to breach notice laws were enacted in Connecticut, Montana, Nevada, North Dakota, Oregon, Rhode Island, Washington state and Wyoming. California is very likely to enact at least one law specifying the format for breach notices. Less certain is the outcome of a bill that aims to make the Illinois law the broadest in the country (covering geolocation information, third-party consumer marketing data and contact information plus date of birth). This bill, authored by the state Attorney General, has passed both houses by just less than a veto-proof margin and is being reviewed by Governor Bruce Rauner.
Through the work of DLA Piper client the State Privacy & Security Coalition, the scope of each of these individual laws is fairly modest – each state typically remains within the limits of the breach notice requirements of at least one other state. However, collectively, they have significant impact: expanding the scope of personal information that is subject to breach notice requirements; expanding the number of states that require reporting obligations to state Attorneys General; and, once California SB 570 is enacted, requiring that mandatory subheading language be included in breach notices to California residents.
In light of these new laws, companies should review their data privacy, data security and incident response policies and procedures to keep up with these changes by:
- Reconsidering data classification procedures to be sure that they include second-generation data elements, such as medical information, health information, biometric information, user name and password or security question and answer for an online account, name plus taxpayer identification number (in Montana and Wyoming) or a copy of a birth or marriage certificate (in Wyoming only).
- Updating incident response procedures to reflect new breach notice deadlines (e.g., 45 days after discovery of a breach in Rhode Island).
- Updating incident response policies to provide identity theft prevention services or identity theft mitigation services at no cost to Connecticut residents affected by a breach of their personal data, if they do not already provide such services.
- Updating information security programs to ensure that security measures appropriate to the size, scope, industry and purpose of use of the information collected are implemented and maintained.
- Updating contracts with third-party service providers to ensure that they also implement and maintain security measures appropriate to the size, scope, industry and purpose of use of the information collected.
- Reviewing and as necessary updating document retention policies to ensure that personal information is not retained longer than necessary and is destroyed in a secure manner.
STATE DATA BREACH LEGISLATION ENACTED IN 2015
Connecticut SB 949
On June 30, 2015, Governor Dannel Malloy signed SB 949, requiring companies to report breaches to the state Attorney General. The bill also expands the definition of personal information to include protected health information; taxpayer identification numbers; alien registration numbers; government passport numbers; demand deposit account numbers; savings account numbers; credit card numbers; debit card numbers; and unique biometric data, “such as a fingerprint, a voice print, a retina or an iris image, or other unique physical representations and biometric information.” Additionally, SB 949 requires businesses to provide at least 12 months of “appropriate identity theft prevention services and, if applicable, identity theft mitigation services” at no cost to Connecticut residents in the event of a breach. These provisions go into effect on October 1, 2015.
The new law also codifies stringent data security requirements for state contractors. The requirements apply to a very broad range of “confidential information” that includes, among other things, any personal information that is not subject to state Freedom of Information Act rules and that includes a name or any of a long list of identifiers, as well as Family Educational Rights and Privacy Act or Health Insurance Portability and Accountability Act regulated data. Contractors must implement a comprehensive data security plan that limits access to confidential information; maintain secure servers, secure drives, firewalls and other safeguards; and notify the state contracting agency and state Attorney General when the contractor becomes aware or has reason to believe any confidential information has been breached. Most problematic is a prohibition against storing any “confidential information” on any portable device, such as a laptop, tablet, phone or other portable media, without specific contractual authorization and a waiver from the state Office of Policy & Management. Failure to comply with any of these new requirements may subject a contractor to investigation or civil legal action by the state Attorney General. In addition, SB 949 gives the Secretary of the state Office of Policy & Management authority to require additional protections or alternate measures of security assurance. These provisions went into effect on July 1, 2015.
Montana HB 74
On February 27, 2015, Governor Steve Bullock signed HB 74 into law. It expands the definition of personal information to include taxpayer identification numbers, IRS-issued identity protection numbers and medical record information. It also requires companies to provide notice of breaches to the state Attorney General and in certain circumstances, the state Insurance Commissioner. The new law does not impose a specific timeframe for regulator notice but requires simultaneous notice when notifying affected consumers, which must be made “without reasonable delay.” The law takes effect on October 1, 2015.
Nevada AB 179
On May 13, 2015, Governor Brian Sandoval signed AB 179 into law, expanding the definition of personal information to include medical identification or health insurance identification numbers; and user names, unique identifiers or e-mail addresses, in combination with a corresponding password, access code or security question and answer that would permit access to the online account. The law went into effect July 1, 2015.
North Dakota SB 2214
On April 13, 2015, Governor Jack Dalrymple signed SB 2214 into law. The act tweaks the definition of personal information to include “an identification number assigned to the individual by the individual's employer in combination with any required security code, access code, or password.” It will also require companies to notify the state Attorney General when a data breach affects 250 or more North Dakota residents. The law takes effect on August 1, 2015.
Oregon SB 601
On June 10, 2015, Governor Kate Brown signed SB 601 into law. Notably, this law amends the definition of personal information to include biometric information used for authentication purposes (i.e., “[d]ata from automatic measurements of a consumer’s physical characteristics, such as an image of a fingerprint, retina or iris, that are used to authenticate the consumer’s identity in the course of a financial transaction or other transaction”); a consumer’s health insurance policy number or health insurance subscriber identification number, if breached in combination with any other unique identifier that a health insurer uses to identify the consumer; and “any information about a consumer’s medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment of the consumer.” Under the new law, companies will also have to notify the state Attorney General whenever a breach affects more than 250 Oregon residents. Additionally, unlike any other state, the new law will require notices to consumer reporting agencies to include any police report number assigned to the breach.
Fortunately for service providers, SB 601 removes confusing language from Oregon’s existing breach notice law that, unlike other states’ laws, requires owners, licensees and maintainers of personal information to notify affected consumers. Under SB 601, only “a person that owns or licenses personal information” will be required to notify consumers, while “a person that maintains or otherwise possesses personal information on behalf of, or under license of, another person” must only notify the other person after discovering a breach. The law takes effect on January 1, 2016.
Rhode Island SB 134
On June 26, 2015, Governor Gina Mae Raimondo signed SB 134. The bill establishes a 45-day deadline from the date of discovery of a breach to notify consumers. It also expands the definition of personal information to include health insurance and medical information; tribal identification numbers; and e-mail addresses along with any required security code, access code, or password that would permit access to an individual’s personal, medical, insurance or financial account. SB 134 broadens the definition of a breach of security to include “unauthorized access or acquisition of computerized data”, narrows the encryption exception to notification to encryption with a 128-bit or greater key length, adds required content for breach notifications to Rhode Island residents and lowers the risk of harm threshold for notification. Currently, companies are required to notify affected residents when a breach poses a substantial risk of identity theft. However, SB 134 lowers the threshold to breaches that pose only a risk of identity theft.
In addition, the new Rhode Island law requires companies to implement and maintain a “risk-based information security plan” that contains security measures appropriate to the size, scope, industry and purpose of use of the information collected. Companies must ensure both that (i) personal information is not retained “longer than is reasonably required to provide the services requested, to meet the purpose for which it was collected, or in accordance with a written retention policy or as may be required by law” and (ii) personal information is destroyed in a secure manner. In addition, companies must ensure by written contract that these requirements for appropriate security measures flow through to third-party service providers. The law takes effect on January 1, 2016.
Washington S 1078
On April 23, 2015, Governor Jay Inslee signed S 1078 into law. The law clarifies the previous exception in state law for “technical breaches of security”, substituting a “risk of harm” provision that exempts companies from having to notify consumers where the company determines that a breach is “not reasonably likely to subject consumers to a risk of harm.” Companies must now also notify the state Attorney General within 45 days of discovering a breach when the breach affects 500 or more Washington residents. Notably, S 1078 is the first state breach notice law to reference the National Institute of Standards and Technology (NIST) encryption standard by excluding from breach notice requirements any information that has been “secured” through such encryption or another effective method (“encrypted in a manner that meets or exceeds the [NIST] standard or is otherwise modified so that the personal information is rendered unreadable, unusable, or undecipherable by an unauthorized person.”). The law also adds content requirements for breach notices to state residents. The law takes effect on July 24, 2015.
Wyoming SF 35 and SF 36
On March 3, 2015, Governor Matt Mead signed SF 35 and SF 36 into law. SF 35 adds a long list of content requirements for breach notices, requiring companies to include in breach notices to consumers (i) the types of personal information exposed, (ii) a general description of the breach, (iii) the date of the breach, (iv) remedial actions taken, (v) advice directing the consumer to monitor his or her credit reports and (vi) whether a law enforcement investigation delayed notification. SF 36 significantly expands the definition of personal information that requires security breach notice. Additional data elements include government-issued identification cards; shared secrets or security tokens that are known to be used for authentication; username or e-mail address, in combination with a password or security question and answer that would permit access to an online account; birth or marriage certificates; medical information; health insurance information; biometric data used for authentication; and taxpayer identification numbers. Note that shared secrets and security tokens, all government identification cards, and birth and marriage certificates are new breach notice data elements not found in other state laws. The government-issued documents are referred to not in terms of information from the document, but rather as the entire document. Both laws went into effect on July 1, 2015.
Illinois SB 1833
On May 31, 2015, the Illinois State legislature passed SB 1833, which would dramatically expand the definition of breach notice personal information under current law and require notice of data breaches to the State Attorney General’s office within 30 days of determining the scope of a data breach.
Like other states’ second-generation breach laws, the expanded definition would include name plus medical information, health insurance information, and unique biometric data (“data generated from measurements or technical analysis of human body characteristics that could be used to identify an individual, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data”). As under California’s law, breach of online account credential information would trigger a special, narrower notification obligation to tell the account-holder to stop using the same credentials at other online accounts.
However, the bill also would make Illinois the first state to include geolocation data and third-party consumer marketing information in the definition of personal information. Geolocation information is defined broadly as “information generated or derived from the operation or use of an electronic communications device that is stored and sufficient to identify the street name and name of the city or town in which an individual is located and the information is likely to enable someone to determine an individual's regular pattern of behavior.” Consumer marketing information is defined as “information related to a consumer’s online browsing history, online search history, or purchasing history, including, but not limited to, consumer profiles that are based upon the information.” However, the definition does not include “information related to a consumer’s online browsing history, online search history, or purchasing history held by a data collector that has a direct relationship with the consumer.” Breaches of geolocation and of third-party marketing information would require notice to the Attorney General’s Office only, and not to consumers.
Finally, SB 1833 would add to the definition of breach notice personal information name plus home address, telephone number and email address in combination with mother’s maiden name or full date of birth. Breaches of this information would require notice to both the AG and to consumers.
Additionally, the bill would require companies to notify the state Attorney General within 30 days of the discovery of a single breach affecting 250 or more Illinois residents. It would also create a new requirement for some companies who use, but do not own, records containing personal information to implement a security plan to protect those records.
Finally, SB 1833 would require operators of websites that collect personal information to conspicuously post privacy policies so that they can be easily found by consumers. This would make Illinois the second state, after California, to require online privacy policies, and its requirements for privacy policies mirror those found in the California Online Privacy Protection Act (CalOPPA).
It is possible that SB 1833 will be partially vetoed by the governor. If enacted, SB 1833 could go into effect on June 1, 2016.
California SB 570
SB 570 addresses the readability of breach notices by requiring notices to convey information grouped under the following specified headings:
- What Happened
- What Information Was Involved
- What We Are Doing
- What You Can Do
- For More Information
It also provides a sample one-page format for the notice, though use of the above headings would be sufficient (e.g., in an electronic notice).
This bill will also clarify what it means to “conspicuously post” notices on a website under the breach notice law’s substitute notice provision. Current law dictates that there be a link to the notice from the home page, but this bill would clarify that providing a link to the notice on the “first significant page after entering the Internet Web site” would also suffice.
This bill passed the Senate on May 28, 2015 and is currently being considered before the Assembly Appropriations Committee.