05.15.2015 | Updates

Written by Joelle P. Hong and Amelia M. Gerlicher

During their spring 2015 legislative sessions, Washington, Wyoming, Montana, and North Dakota expanded their data security breach notification laws as follows:

    • Washington expanded the types of data triggering notice, defined required elements for individual notification letters, and added attorney general notification.
    • Wyoming passed two pieces of legislation that expand the definition of personal information and increase the types of information that must be included in breach notifications.
    • Montana broadened its statute to include medical records in its definition of personal information and added attorney general notification.
    • North Dakota added attorney general notification.

Further details on each state’s new requirements are below.

Washington

Washington Governor Jay Inslee signed H.B. 1078 into law on April 23, 2015.  The legislation amends Wash. Rev. Code §§ 19.255.010 and 42.56.590 and creates a new section.  The new law goes into effect on July 24, 2015.

Under the current law, businesses that own or license computerized data containing personal information about Washington residents must disclose any breach involving unencrypted personal information.  Beginning July 24, 2015, this requirement expands to include both computerized and hard copy (e.g., paper) data containing personal information that is not “secured,” and encrypted information where the person gaining unauthorized access to the data had access to the encryption key or an alternative means of deciphering the data.  “Secured” means data was encrypted in a manner that meets or exceeds the National Institute of Standards and Technology (NIST) standard or is otherwise modified so that the personal information is rendered unreadable, unusable or undecipherable by an unauthorized person.

Under the new law, notice to affected consumers must be made in the most expedient time possible and without unreasonable delay, and no more than 45 days after the breach is discovered.  If a breach affects more than 500 Washington residents, the business must also notify the state’s attorney general within that 45-day window.  In setting the 45-day notice window, Washington joins the handful of states that effectively define unreasonable delay to mean more than 45 days after discovery of a breach.  The attorney general notice must include a copy of the notice sent to consumers as well as an estimated number of Washington residents affected by the breach.  The legislation also grants the attorney general authority to bring an action on behalf of the state or its residents, thus adding state enforcement to the private right of action that already existed under the pre-amendment law.

The legislation also requires consumer notifications to include the name and contact information of the reporting business; a list of the types of personal information affected; and contact information for the major credit reporting agencies. These requirements are similar to those found in many other states.

Unlike a number of other data breach notification laws, the Washington legislation does not include medical information or health data within the definition of personal information, and it deems HIPAA-covered entities compliant with the new law if they comply with applicable federal guidelines, although such entities must still notify the attorney general in the event of a qualifying breach.  Similarly, financial institutions are deemed compliant with the new law if they follow applicable federal guidelines, but they must notify the attorney general in addition to notifying their primary federal regulator.

Wyoming

Governor Matthew Mead signed Senate File Numbers 35 and 36 into law on March 2, 2015, and both go into effect July 1, 2015.  The two laws amend Wyo. Stat. §§ 40-12-502 and 6-3-901 and expand the definition of personal information to include the following:

    • Shared secrets or security tokens known to be used for data-based authentication;
    • A username or email address, in combination with a password or security question and answer that would permit access to an online account;
    • A birth or marriage certificate;
    • Medical information, meaning a person's medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional;
    • Health insurance information, meaning a person's health insurance policy number or subscriber identification number, or any unique identifier used by a health insurer to identify the person, or information related to a person's application and claims history;
    • Unique biometric data, meaning data generated from measurements or analysis of human body characteristics for authentication purposes; and
    • An individual taxpayer identification number.

In addition, the new law specifies that the required clear and conspicuous notice to individuals must include the following:

    • The types of personal identifying information affected;
    • A general description of the breach incident;
    • The approximate date of the breach of security, if that information is reasonably possible to determine at the time notice is provided;
    • The actions taken, in general terms, by the individual or commercial entity to protect the system containing the personal identifying information from further breaches;
    • Advice that directs the person to remain vigilant by reviewing account statements and monitoring credit reports; and
    • Whether notification was delayed as a result of a law enforcement investigation, if that information is reasonably possible to determine at the time the notice is provided.

As with Washington’s amendments, these requirements are consistent with those found in other states.

The new law also clarifies that HIPAA-covered entities that comply with applicable federal guidelines will be deemed compliant under the new law, mirroring the current law’s treatment of financial institutions that comply with applicable federal requirements.

Montana

Signed into law by Montana Governor Steve Bullock in late February, H.B. 74 will go into effect on October 1, 2015.  The new law, which amends Mont. Code Ann. § 33-19-104, broadens the definition of personal information to include medical record information, taxpayer identification number and U.S. Internal Revenue Service-issued identity protection personal identification number.  Medical record information means personal information relating to an individual’s physical or mental condition, medical history, medical claims history or medical treatment that is obtained from a medical professional, a medical care institution, the individual, or the individual’s spouse, parent or legal guardian.

In addition, businesses required to give breach notice to consumers under the law now must also notify the state’s attorney general in all instances.  Insurance entities and support organizations must also give notice to the state’s insurance commissioner. The notice must include a copy of the individual notification, the date and method of distribution of that notice and the number of Montana individuals receiving notice.

North Dakota

On April 13, 2015, North Dakota Governor Jack Dalrymple signed S.B. 2214 into law.  Beginning August 1, 2015, businesses experiencing breaches that affect more than 250 individuals must notify the state’s attorney general by mail or email.

In light of the above changes, all entities that conduct business with residents of these states should assess their current data security procedures and breach protocols.

For a summary of current breach notification requirements in each state, Washington, D.C., and Puerto Rico, please see Perkins Coie’s newly updated Security Breach Notification Chart.

© 2015 Perkins Coie LLP
