Washington amended its data breach notification law to impose new notification requirements on businesses exposed to a data breach. The amended law requires businesses to notify affected individuals within 45 days after the breach whenever the breach is reasonably likely to subject consumers to a risk of harm. It also specifies the information that must be included in customer notifications, including basic information to help consumers secure or recover their identities, such as the contact information for consumer reporting agencies. The amended law also expands coverage to include hard copy data (in addition to computerized data) and removes a blanket exemption for encrypted data, clarifying that a breach of encrypted data can trigger notification requirements if the encryption key or other decryption tools are acquired during the breach. The full text of Washington’s law as amended, which becomes effective in July 2015, is available here.
North Dakota amended its security breach notification law to require any person or business that experiences a breach of its security system affecting more than 250 individuals to disclose the breach to the state Attorney General. The amendment narrows the definition of “personal information” as it pertains to employee data. Now, a breach that compromises an individual’s employee identification number will only give rise to notification obligations if the breach also affected “any required security code, access code, or password” accompanying the number. The full text of North Dakota’s amended law is available here.
Virginia announced the creation of the first state-level Information Sharing and Analysis Organization (ISAO), a new governmental organization intended to facilitate the collection and sharing of information related to cybersecurity threats and attacks. In addition, Virginia’s governor signed the “Securing Consumer Transactions” directive on May 5, which encourages statewide adoption of advanced electronic payment security technologies, including “chip-and-pin” authentication features. It directs the state’s technology and finance secretaries, treasurer, and comptroller to (1) update the state’s main purchase card program to include chip-and-pin technology by the end of the year, and (2) develop a plan to enhance the security features of merchant and prepaid debit card programs by October 1, 2015. The full text of the governor’s directive on payment security is available here. The governor’s press release announcing Virginia’s ISAO is available here.