Just when you thought the state breach notification laws could not get more cumbersome, states continue to amend their breach notification laws in an effort to expand the content and reach of the notice. 

Texas Amendment Requires Notification to Affected Residents in All 50 States

Texas recently amended its data breach notification law by expanding the notification requirements to cover affected non-residents.  Prior to the amendment, Texas required that entities conducting business in Texas notify residents when sensitive personal information was believed to have been acquired by an unauthorized person.  The amended law, which becomes effective September 1, 2012, now requires notification to affected persons residing in all 50 states if affected non-residents live in a state that does not already require notification of the data breach.  The Texas amendment is a novel use of the state breach notification laws, essentially requiring national notification of the breach.  Penalties are incurred if non-residents are not appropriately notified.  The Texas law also expands state health privacy requirements, imposing further notification requirements for a breach of health information. 

California Amendment Requires More Specificity in the Breach Letter

California also recently amended its data breach notification law.  Effective January 1, 2012, California requires greater specificity for breach notification letters, requiring information be disclosed about the type of information breached, the estimated dates of the breach, contact information for credit reporting agencies and whether notification was delayed due to law enforcement investigation.  Businesses suffering a breach will also have to notify the California Attorney General if the breach affects more than 500 residents.

The complicated and ever expanding requirements of each state’s breach notification laws, as well as the HIPAA breach notification rules for health information, necessitate businesses to retain experienced counsel to appropriately address the unfortunate, but inevitable data breach.