Along with changes brought by the CCPA, companies should be aware of other important privacy developments that went into effect in early 2020. Notable changes to data breach notification laws in California, Illinois, Oregon, and Texas promise to have a significant impact on businesses experiencing security incidents and signal a movement towards stricter and more demanding requirements in this space.
California Amends Definition of Personal Information for Breach Notification
The definition of personal information under California’s breach notification law now includes more data elements that can trigger breach notification obligations. That is, in addition to the data elements included in the previous definition, the following unencrypted data elements in combination with an individual’s first and last name constitute personal information:
- tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual;
- unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph, unless used or stored for facial recognition purposes.
This broader definition is particularly important in California because a data breach can now trigger a private right of action under the CCPA. Therefore, by expanding the categories of personal information that can trigger a breach notification obligation, the amendment also expands the situations in which an impacted individual can seek damages for an incident.
Illinois Adds Attorney General Notification Requirement
The Illinois Personal Information Protection Act (“PIPA”) was amended to require “data collectors,” which includes entities that, for any purpose, handle, collect, disseminate, or otherwise deal with nonpublic personal information, to notify the state Attorney General of data breaches that affect more than 500 Illinois residents. Such notifications must be made “in the most expedient time possible without unreasonable delay” and before (or at the same time as) notifying the impacted individuals. While PIPA had already required notification of a data breach to the Attorney General’s office, it was only in the event of a data breach affecting state agencies, and only for incidents impacting more than 250 Illinois residents.
Oregon Imposes Additional Obligations on Vendors and Data Owners
The Oregon Consumer Information Protection Act was amended to impose additional obligations on both vendors (i.e., service providers) and data owners with respect to breach notification, but also to provide a safe harbor from civil suits in certain circumstances. The amendment – a first of its kind – requires vendors to notify the state Attorney General of data breaches affecting more than 250 Oregon residents, unless the data owner has already provided such notice. This is a significant departure from all other US federal (under HIPAA) and state breach notification laws, which generally only require vendors or service providers to notify the data owners in an expedient manner. In addition to the Attorney General notification requirement, vendors must notify the data owner within 10 days, after which the data owner must provide notice to affected individuals within 45 days. All other notice obligations flow to data owners. These amendments appear to recognize that many data breaches originate with vendors who service multiple customers, such that placing more responsibility on such vendors may be appropriate. To help maintain control of data breaches, companies will need to consider the new obligations and scrutinize their contracts with vendors, to make sure that the contracts contain appropriate provisions regarding the timing of breach notification and the ability of companies to consult with the vendor before the vendor notifies regulatory authorities.
In addition to the added regulations, the amended law also provides businesses and vendors with a safe harbor provision for implementing reasonable information security practices. More specifically, a data owner or vendor may affirmatively defend against certain private right of action claims in the event of a data breach by showing that the data owner or vendor developed, implemented and maintained reasonable security measures that would be required for personal information.
Texas Updates Breach Notification Requirements and Creates Privacy Protection Advisory Council
Texas amended § 521.053 of its Business and Commerce Code making it necessary for businesses to notify the state Attorney General of data breaches affecting 250 or more residents no later than 60 days after the discovery of a breach. In addition, businesses must now notify impacted individuals of a data breach “without unreasonable delay and, in each case, not later than the 60th day after the date on which the person determined that the breach occurred.” Previously, businesses were only required to notify impacted data subjects “as quickly as possible” with no corresponding Attorney General notification requirement.
Further, a new council to study, develop and propose recommendations to the Texas Legislature on data privacy laws was created. The purpose of the council is to study the data privacy laws of other states and foreign jurisdictions, and propose recommended legislation by September 1, 2020. Based on the report’s findings, it is expected that Texas will draft a comprehensive privacy law to protect state residents’ data privacy in 2021.
The changes described above are part of an ongoing trend of states strengthening data breach obligations and providing for regulatory action in new and different ways. It is critical for companies to monitor these obligations and factor them into their incident response plans, take steps to prevent data breaches, and prepare for the lawsuits and public scrutiny that inevitably come with them.