United States: State Of The (State) Data Breach Laws: 2017 Legislative Update, Part I

With the summer winding down and children already heading back to school, most state legislators have already said "sine die" to the 2017 legislative session. And like in legislative sessions over the past few years, data security and data breach notification continued to occupy the legislative calendars of state houses across the country in 2017. During the past session, a myriad of bills affecting breach notification requirements were proposed in numerous state legislatures. While most did not become law, several states made important changes to their data breach notification statutes: for instance, Delaware and Maryland substantially redefined what "personal information" is under their respective statutes (among other important changes), while New Mexico passed its first-ever data breach notification statute, leaving Alabama and South Dakota as the only states without such laws on their books.

Businesses will thus need to take note of these important changes to ensure their continued compliance with the patchwork of breach notification statutes across the country.

Over the coming weeks, Digital Insights will examine in a series of blogs the changes made by states to their data breach notification laws, and analyze how the changes may affect your breach notification requirements. In the first part of our series, we look at amendments recently passed by Arkansas and Delaware.

Arkansas: During its 2017 legislative session, The Natural State passed S.B. 247, an omnibus bill concerning the state's Insurance Department and its functions. Tucked into its provisions was an amendment to Arkansas Code § 23-61-113, requiring all licensed insurers, health insurance entities, and health maintenance organizations regulated by the state Insurance Commissioner, as well as entities "engaged in the business of insurance"  — including but not limited to corporations, associations, reciprocal exchanges, inter-insurers, Lloyd's insurers, agents, brokers, and adjusters — to notify the Insurance Commissioner of a data breach. Under the amendment, which went into effect July 31, 2017, notice to the Insurance Commissioner must be "in the same time and manner as required" under Arkansas' breach notification statute — that is, in the most expedient time and manner possible and without unreasonable delay.

Delaware: On August 17, 2017, Delaware Governor John Carney signed H.B. 180 into law, amending The First State's breach notification statute in both small and substantial ways. The bill, which goes into effect on April 18, 2018, made the following revisions to Delaware's breach notification statute:

• Data security requirements: entities that conduct business in Delaware and own, license, or maintain personal information must now implement and maintain "reasonable procedures and practices to prevent the unauthorized acquisition, use, modification, disclosure, or destruction of personal information collected or maintained in the regular course of business."
• "Personal information" definition expanded: H.B. 180 added the following additional data sets to its definition of "personal information," when combined with an individual's first name or first initial and last name:
  • Passport number;
  • Taxpayer identification number (TIN);
  • State or federal identification card numbers;
  • A username or email address, when combined with a password or security question and answer permitting access to an online account;
  • Medical history, DNA profile, medical treatment, or medical treatment or diagnosis by a healthcare professional;
  • Health insurance policy numbers;
  • Other health insurance identifiers; or
  • Unique biometric data.
• Notification Timeline: Under the revised breach notification statute, an entity must provide notice to affected Delaware residents within 60 days of determining a breach occurred.
• Rolling Notice Requirement: H.B. 180 also contains a provision that accounts for the fact that an entity may not be able to, through reasonable diligence, identify all affected state residents within the 60-day notification timeline. If more affected residents are found, the entity has to notify those newly discovered residents "as soon as practicable" after determining they too were affected, unless the entity has already provided substitute notice.
• Risk of Harm Analysis: The statute's current risk of harm analysis focuses on whether, after a reasonable and prompt investigation, the entity determines that misuse of a resident's personal information has or is likely to occur. H.B. 180 revises the analysis slightly, stating that notification is not required if, after an appropriate investigation, the entity reasonably determines the breach "is unlikely to result in harm" to the affected residents.
• Attorney General Notification: Under the amended statute, entities must notify the Delaware Attorney General if more than 500 residents are notified, and the notification must be made no later than when state residents are notified.
• Defining When a Breach is Discovered: H.B. 180 further refines when an entity discovers a security breach under the Delaware statute. The revised law states that "determination of the breach of security" means the point in time when an entity that owns, licenses, or maintains computerized data "has sufficient evidence to conclude that a breach of security of such computerized data has taken place."
• Expanding Electronic Notice: Under the previous version of the statute, an entity could notify Delaware residents of a breach through electronic notice if it complies with the provisions in the Electronic Signatures in Global and National Commerce Act (E-SIGN Act). Under the revised law, notice can also be made electronically if the entity's "primary means of communication with the resident is by electronic means."
• Changes to Substitute Notice: Previously, Delaware's substitute notice required an entity to give notice to "major statewide media." Per H.B. 180, notice to "major statewide media" is defined to include notifying "newspapers, radio, and television and publication on the major social media platforms of the [entity] providing notice."
• Credit Monitoring Required: An entity will soon be required under the revised Delaware statute to provide one year's worth of credit monitoring services at no cost to state residents when Social Security numbers were reasonably believed to have been breached.

Please check back to Digital Insights in the coming days for Part 2 in our series, State of the (State) Data Breach Laws: 2017 Legislative Update, examining data breach-related legislation in Maryland, New Mexico, and Tennessee.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.