Data breach notification requirements in Arizona, Nebraska, and Tennessee took effect in July and August.

  • On July 1, Tennessee S.B. 2005 took effect, which amends Tennessee's breach notification law to require notification of a breach even if the personal information involved in the breach was encrypted. The law was further amended to include employees of the information holder as "unauthorized persons" and to require disclosure of the breach no later than 45 days from the discovery or notification of the breach.

  • On July 20, Nebraska L.B. 835 took effect, which amends Nebraska's Consumer Notification of Data Security Breach Act. The bill amended the definition of "personal information" to include a user name or email address in combination with a password or security question and answer, requires notice to the Nebraska Attorney General, and lays out an exception to the exemption for encrypted data.
  • On August 6, Arizona H.B. 2363 took effect, which amends Arizona's data breach law to ensure it does not apply to business associates of covered entities as defined under regulations implementing HIPAA.
