06.24.2015 | Updates

Written by Joelle P. Hong and Amelia M. Gerlicher

Four state legislatures closed their sessions with changes to their data breach notification laws, potentially imposing significant new compliance burdens:

  • Nevada now includes driver authorization card numbers, medical and insurance identification numbers, and online account credentials in its definition of personal information—for the purposes of both its data breach notification and data security statutes.
  • Connecticut now requires that companies notify consumers and its regulators within 90 days after a breach.  Connecticut is also the first state to require companies to provide at least one year of identity theft protections to individuals affected by a breach of social security numbers.
  • Oregon’s law expands the definition of personal information to include biometric, health insurance and medical information.  The law also requires attorney general notification for breaches affecting more than 250 residents.
  • Illinois’ law, which is still awaiting the governor’s signature, would expand the definition of personal information, adding medical information, biometrics, online account credentials and, for some purposes, marketing and geolocation information.  The law would also require attorney general notification, by both data owners and vendors, within 30 business days after discovery of a breach.

Each of these changes makes compliance with data breach notification requirements nationwide more individualized and complicated.  We describe the changes made by Nevada, Connecticut and Oregon below.  Because the changes in Illinois are part of broader data security legislation that has yet to become law, we will bring you more details on those changes in coming weeks. Earlier this spring, changes were made by Washington, Wyoming, North Dakota and Montana, which we covered previously in this update. 

Nevada

Nevada Governor Brian Sandoval signed AB 179 into law on May 13, 2015.  This legislation amends Nev. Rev. Stat. § 603A.040. 

Effective July 1, 2015, Nevada’s definition of personal information expands to include an individual’s first name or initial and last name in combination with the following new data elements:

  • driver authorization card number;
  • medical identification number or health insurance identification number; or
  • user name, unique identifier or email address in combination with a password, access code or security question and answer that would permit access to an online account.

However, although the definition changes next month, businesses and data collectors are not required to comply with the amended provisions of the statute until July 1, 2016.

With these changes, Nevada joins a wave of states including medical information and online account credentials in their data breach notification requirements.  But in Nevada’s case, the change has additional significance because it also applies to the state’s data encryption requirements.  Since 2008, Nevada has imposed specific personal data security requirements on companies conducting business within the state.  For example, companies must encrypt personal data before transferring such data from within their secured physical and logical boundaries.  With the expanded definition of personal information, Nevada has become the first state to require companies to encrypt online account credentials when they are accompanied by the person’s name.

Specifically, as of July 1, 2015, companies will be precluded from engaging in the following with respect to personal information that includes name and account credentials:   

  • electronically transferring personal information (other than via facsimile) to a person outside of the company’s secure system unless the transmission is encrypted in accordance with certain standards; or
  • moving hardware or mobile information storage devices containing personal information beyond the logical or physical controls of the company or its data storage contractor unless the information is encrypted.

Connecticut

Connecticut’s SB 949 is expected to be signed by Governor Dannel Malloy by June 30, 2015 (or become law without his signature).  This legislation amends Conn. Gen. Stat. § 36a-701b. 

Effective October 1, 2015, the bill will require companies to provide notifications to affected Connecticut consumers within 90 days of discovering the breach. The requirement that the Connecticut attorney general be notified no later than individuals receiving notice remains intact, effectively requiring that notification be accomplished within 90 days as well.  The Connecticut attorney general has stated in his press release regarding this bill that he sees this as “a floor” and that the statute’s continuing requirement that notification occur “without unreasonable delay” means that his office may continue to investigate instances of unreasonable delay even where notification occurs in less than 90 days.

Connecticut will also become the first state to require companies to provide at least one year of “appropriate identity theft prevention services and, if applicable, identity theft mitigation services” to Connecticut residents affected by a breach.  This requirement only applies when social security numbers are believed to be affected.  However, the attorney general’s press release also states that, “in matters involving breaches of highly sensitive information, like Social Security numbers, my practice has been to demand two years of protections.  I intend to continue that practice.”

Oregon

On June 10, 2015, Oregon Governor Kate Brown signed SB 601 into law, amending the Oregon Consumer Identity Theft Protection Act.  The law will apply to breaches that occur on or after January 1, 2016. 

Under the new law, Oregon’s definition of personal information expands to include an individual’s first name or initial and last name in combination with any of the following new data elements:

  • data from automatic measurements of a consumer’s physical characteristics, such as an image of a fingerprint, retina or iris, that are used to authenticate the consumer’s identity in the course of a financial or other transaction;
  • a consumer’s health insurance policy number or health insurance subscriber identification number in combination with any other unique identifier that a health insurer uses to identify the consumer; and
  • any information about a consumer’s medical history or mental or physical condition, or about a health care professional’s medical diagnosis or treatment of the consumer.

Consistent with the current law, the above data elements will also constitute personal information when not combined with the consumer’s name if the data would enable identity theft.

The bill also requires companies to notify the Oregon attorney general of breaches affecting over 250 residents “in the most expeditious manner possible.”  Oregon’s law already has several requirements for the contents of consumer notice, and this bill adds the requirement that the consumer notice include advice to report suspected identity theft to law enforcement, “including the Attorney General” and the Federal Trade Commission.

The new law further makes a violation of the breach notification laws an unlawful trade practice under ORS 646.607 and exempts entities governed by the Health Insurance Portability and Accountability Act, if the entity sends the Oregon attorney general a copy of the notice that was sent to consumers or the primary federal regulator.

With the changes to the Nevada, Connecticut and Oregon statutes, seven states have expanded the scope of their state breach law in the first half of 2015. 

Additionally, Illinois is poised to expand its definition of personal information, adding medical information, biometrics, online account credentials and, for some purposes, marketing and geolocation information.  It will also require attorney general notification by both data owners and vendors.  A separate analysis focused on Illinois’ expansive amendments will follow in the near future.

In light of the above expansive changes, all companies that conduct business with residents in these states should assess their current data security procedures and breach notifications. 

For a full list of state laws regarding security breach notification, please visit Perkins Coie's newly updated Security Breach Notification Chart.

© 2015 Perkins Coie LLP