With varying effective dates, eight states recently passed amendments to their data breach notification laws.

Nevada passed an amendment (A.B. No. 179) expanding the definition of "personal information" to include a name in combination with a driver authorization card number, a medical identification number, a health insurance number, or a user name, unique identifier, or email address, along with a password, access code, or security question and answer.

Wyoming passed two amendments (S.F. No. 35 and S.F. No. 36) requiring notice to affected persons to be "clear and conspicuous" with certain content requirements, allowing for a compliance exemption for covered entities or business associates that comply with HIPAA, and expanding the definition of "personal information" to include, for example, an account number, credit card number, or debit card number in combination with any security code, access code, or password.

Washington passed an amendment (H.B. No. 1078) broadening the notification obligations to include breaches involving noncomputerized personal information and requiring data breach notification to affected consumers not later than 45 days after the breach was discovered.

North Dakota passed an amendment (S.B. No. 2214) expanding the definition of "personal information" to include a name in combination with an identification number assigned to the individual by the individual's employer in combination with any required security code, access code, or password and requiring notification to the attorney general of data breaches involving more than 250 individuals.

Connecticut passed an amendment (S.B. No. 949) requiring data breach notification to individuals within 90 days after discovery of a breach and, if applicable, providing identity theft mitigation services at no cost to the consumer for a period of not less than 12 months.

Montana passed an amendment (H.B. No. 74) expanding the definition of "personal information" to include a name in combination with medical record information or a taxpayer identification number and requiring notification to the attorney general's consumer protection office.

Oregon passed an amendment (S.B. No. 601) expanding the definition of "personal information" to include biometric and health insurance information and requiring notification to the attorney general of data breaches involving more than 250 Oregon residents.

Rhode Island passed an amendment (S.B. No. 134) expanding the definition of "personal information," requiring data breach notification to individuals not later than 45 days after confirmation of a breach, and mandating notification to the attorney general and major credit reporting agencies for breaches involving more than 500 Rhode Island residents.

Illinois's Congress approved an amendment (S.B. No. 1833) to its data breach notification bill by adding "biometric data" to the definition of personal information. The proposed amendment awaits signature from the state governor before it becomes effective.
