States aren’t static when it comes to data privacy and security laws. This is Part One of a two-part series about several new state privacy and data security laws that took effect within the last year. In this article, we’ll focus on the following items:
- changes to how some key terms are defined by some states;
- new data breach notification requirements in a few states; and
- changes to the scope and reach of some states’ data privacy and security laws, impacting which entities are subject to them.
A few states have begun to revise definitions within data privacy rules and regulations with a general aim towards enlarging (or narrowing exceptions to) the scope of protected information and data subject to notification requirements if a breach occurs.
“Personally Identifiable Information”
Some states have updated their definitions of protected personally identifiable information (“PII”) to include a broader scope of data subject to notice requirements in the event of a breach.
Oregon updated its definition to include medical information, as well as biometric information, such as an image of a fingerprint, retina or iris, used to authenticate the consumer’s identity in the course of a transaction.
Illinois, as a part of its broader revisions to its Personal Information Protection Act, revised “personal information” to include “medical information,” “health insurance information,” “biometric data,” and user names and email addresses with a password or security question and answer.
Nebraska expanded its definition to include a username or email in combination with a password or security question and answer granting access to an online account.
Further, Nevada enlarged its PII definition to include driver authorization card numbers, medical or health insurance identification numbers, and usernames, unique identifiers or email addresses, in combination with a password, access code, or security question and answer permitting access to an online account.
At the same time that some states are expanding the list of personal information to include in the definition of protected PII, there is also an effort to narrow the definition of personal information that is excluded from the definition of protected PII. For example, Nevada’s data security law previously excluded from protected PII “publicly available information lawfully made available to the general public”. Nevada has narrowed that exclusion, so that its PII definition excludes information available “from federal, state or local governmental records.”
Definitions of what is considered “encrypted data” are also narrowing. For example, Nebraska no longer considers data to be “encrypted” if the breach includes acquisition of the encryption key or confidential encryption method.
California made a similar change, treating encrypted personal information like unencrypted information if an encryption key or security credential was also acquired.
Tennessee has eliminated its exemption of encrypted data from notification requirements; now, notification obligations may be triggered even where the accessed or acquired data elements are encrypted.
Tennessee has expanded the scope of those identified as “unauthorized persons” to include employees of businesses who use the information in an unlawful manner.
Other Definition Changes
New York recently added a definition of “Third-Party Service Provider” to its data and cybersecurity regulations, as well as modified the definition of “Nonpublic Information.”
Data Breach Notice Requirements
Time for Notification
Rhode Island now requires notification to affected individuals within 45 calendar days after discovery of a breach.
Tennessee has implemented the same notification time frame requirement, with standard exceptions for law enforcement needs.
Notice to Law Enforcement
Several states have added or strengthened provisions requiring notice to the state’s Attorney General (“AG”) when a data breach requires notification to affected individuals. For example, Nebraska recently established a requirement that the state’s AG be notified concurrently with the affected individuals.
Oregon has the same requirement, if the number of affected persons exceeds 250.
Rhode Island also newly requires notification to the AG, if the breach affects more than 500 Rhode Islanders.
Illinois now requires any state agency that “suffers a single breach of the security of the data concerning the personal information of more than 250 Illinois residents” to provide notice to the AG within 45 days of discovery, or when the state agency “provides any notice to consumers . . . whichever is sooner.”
Florida’s 2016 legislation requires that “all information technology security incidents and breaches” must be reported to the Cybercrime Office of the Department of Law Enforcement, in addition to the Agency for State Technology.
Notice to the Public
Massachusetts began 2017 with an announcement that it will post its Data Breach Notification Archive online. This is a notable change, as this information was previously available to the public only through a public records request. Earlier in 2016, the same Office of Consumer Affairs and Business Regulation created an online portal to access this information, but noted that its use “does not relieve businesses of their legal obligation to separately notify the Attorney General’s Office and affected Massachusetts residents.”
On the other hand, Florida passed a bill which exempts state agency records “which identify detection, investigation or response practices for suspected or confirmed information technology security incidents” from its public record requirements. A similar exemption applies to “portions of risk assessments, evaluations, external audits, and other reports of a state agency’s information technology security program.”
Content of Notice
Illinois now allows notice to be provided in electronic or other form directing the subject to change the information or take steps necessary to protect the affected online accounts. Illinois also revised its definition of “substitute notice” to include notice to prominent local media if the breach impacted residents in one geographic area.
Look for Part Two of this article in the next few days. In that article, we will discuss the trend towards increased privacy and data security regulations regarding personal information of students, laws addressing violations and punishment of these privacy laws, and recent miscellaneous changes pertinent to this topic. Stay tuned!