Nevada amended its data breach notification laws in May 2015 to expand the scope of "personal information" the release of which, if the information is unencrypted, triggers a breach notification requirement. Under the statute, "personal information" is defined as certain data elements combined with an individual's name. The newly added data elements include a driver authorization card number, a medical identification number or health insurance identification number, and any username, email address, or unique identifier accompanied by a password, access code, or security question response, so as to permit access to an online account. The new law also clarifies a public availability exemption, which eliminates the notification requirement when the same information has already been released to the general public by means of federal, state, or local governmental records.
Oregon enacted an amendment to the Oregon Consumer Identity Theft Protection Act in June 2015 that expands the definition of "personal information" to include certain biometric and medical data. The amended law also imposes a new duty on entities that own or license consumer information to notify the Oregon Attorney General of any breach that results in notification to more than 250 residents, but relaxes the standard for notifying consumers in the first place by relieving entities of notification requirements if the affected individuals are "unlikely to suffer harm." The amendment similarly lowers the threshold for notifying consumer reporting agencies by requiring notice to such agencies when the breach affects more than one thousand residents.
Rhode Island passed the Rhode Island Identity Theft Protection Act (RIITPA) in June 2015, which amends the state's existing breach notification laws by expanding the definition of "personal information" to include medical and health insurance information, as well as certain email address information. RIITPA requires notification to individuals affected by a data breach within 45 days of discovery, as well as notification to the state Attorney General within the same time frame if the breach involves more than 500 individuals. RIITPA also requires that any person or entity that does business in Rhode Island and "stores, collects, processes, maintains, acquires, uses, owns or licenses personal information" about residents implement a "risk-based information security program" to protect consumer data. Such a person also must execute a written contract specifying reasonable security measures before such information can be divulged to a third party, and may store personal information for only a limited length of time.
Connecticut enacted amendments to its data security breach laws that will take effect in October of 2015 and 2017, and will require notification to individuals affected by a data security breach within 90 days of discovery of the breach (with a permissible delay as necessary to allow additional time to fully investigate the breach). If the breach affects social security numbers, entities must also offer one year of complimentary identity theft prevention and mitigation services, as well as information on signing up for such services and implementing credit freezes. The amendments also establish new standards for protecting data in the health insurance industry, requiring health insurance entities to implement, maintain, and update annually a "comprehensive information security program" to protect personal information that incorporates specific access controls. Additional requirements apply to entities contracting with state agencies to retrieve confidential information about individuals.