Several US states have recently passed or proposed new or amended data breach notification laws, making a total of 47 states that now have laws requiring businesses to notify individuals when data security breaches compromise their personal information. The changes, and proposed changes, range from a broader definition of personal information to expanding the notification requirement to include all affected individuals rather than just affected state residents. The following is a summary of recently enacted breach notification laws, as well as other proposed laws being considered.
Kentucky: New Law Provides Protection for Student Data in the Cloud
Kentucky’s new breach notification law becomes effective on July 15, 2014. It differs from other state breach notification laws in that it also provides protection for student data that is stored in the cloud. Cloud computing service providers should be aware of the new requirements, as they must certify in their agreements with educational institutions that they will comply with these provisions. “Student data” means any information “in any medium or format” that concerns a student and is created or provided by the student in the course of their use of the cloud computing services or “by an agent or employee of the educational institution.” Student data includes names, email addresses and messages, phone numbers, photos, and other unique identifiers relating to the student. The law prohibits cloud computing service providers from processing student data “for any purpose other than providing, improving, developing, or maintaining the integrity” of their computing services (unless the parents give express permission). Cloud computing service providers also may not process student data for advertising purposes, nor sell, disclose, or otherwise process student data for any commercial purpose.
Florida: Amended Law Expands Definition of Personal Information
Florida recently amended its data breach notification law, which became effective on July 1, 2014. The Florida Information Protection Act of 2014 expands the law’s definition of personal information to also include user names and email addresses in combination with passwords or security questions and answers that permit access to an online account (similar to California’s recently amended law, discussed below), health insurance policy numbers, and medical history.
The amended law requires businesses to notify affected individuals within 30 days of a breach (unless good cause is shown, in which case a business may receive an additional 15 days to provide notice). Businesses must also notify the Florida Attorney General within 30 days if a breach affects 500 or more individuals. Additionally, if a business is required to notify more than 1,000 individuals at a single time as a result of a breach, it must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
Iowa: Amended Law Expands Scope To Include Paper Documents
S.F. 2259, which was signed into law in April 2014, modifies Iowa’s breach notification law in two significant ways. First, the legislation expands the definition of “breach of security” to include the unauthorized acquisition of personal information maintained in any medium—including on paper—that was transferred to that medium from computerized form. Second, the law requires covered businesses to notify the Iowa Attorney General’s office if a security breach affects more than 500 Iowa residents. This written notice must be given within five business days after notifying consumers of the breach. The amended law takes effect July 1, 2014.
Minnesota: Proposed Law Expands Scope of Notification and Would Make Businesses Liable for Other Data-Breach-Related Costs
Minnesota is proposing legislation that would considerably expand the scope of its current breach notification law. Minnesota’s current law requires notification of security breaches to state residents when their unencrypted personal information has been compromised. The proposed legislation would expand notification requirements to any individual whose unencrypted personal information was compromised by a covered entity’s security breach. Entities conducting business in Minnesota potentially would be required to notify individuals across the country of breaches. Additionally, these notifications would need to occur within 48 hours of discovery or notification of a security breach.
The Minnesota bill, if passed, would also make businesses responsible for other costs related to data breaches. After giving notice to individuals, businesses would need to provide one year of credit monitoring services at no charge to those affected by the breach. Retailers or wholesalers of consumer goods and services would be required to provide each individual a $100 gift card for future use, valid for at least one year. Finally, businesses would need to reimburse individuals who incur any charges or fees as a result of the breach.
California: Proposed Law Increases Encryption Standard and Requires Businesses To Provide Theft Prevention and Mitigation Services
California recently amended its data breach notification statute to expand the definition of personal information to include online account information (such as an email address and password). California is now considering amending its data breach statute further. Currently, California law does not require businesses to notify individuals affected by security breaches if the data was encrypted (using any encryption method). However, if A.B. 1710 is passed in its current form, it will require businesses to notify California residents of any data breach unless the data is encrypted “in conformance with the Advanced Encryption Standard of the National Institute of Standards and Technology.” This higher encryption standard, along with the requirement that businesses provide theft prevention and mitigation services to affected persons after a breach, aims to address increased retailer breaches in a manner similar to Minnesota’s proposed approach. A.B. 1710 would also prohibit the sale, advertisement for sale, or offer to sell any individual’s social security number.
New Mexico: Proposed Law Includes Payment Card Breach Notification Requirements
New Mexico, one of three states that currently does not have a breach notification law, has proposed legislation that would require businesses to notify New Mexico residents of security breaches involving their unencrypted personal information within 45 days after discovering a breach. In cases where a breach would require notice to more than 1000 residents, businesses would also need to notify the New Mexico Attorney General and consumer reporting agencies.
The proposed law also contains payment card breach notification requirements. Credit or debit card issuers would need to notify all merchants to which credit or debit card numbers were transmitted, if there was a breach of payment card information.
Because data breach notification laws are continually changing, businesses should consider the statutes of all states in which they do business or of whose residents they have personal information.
We wish to thank Mayer Brown summer associate McKay Harline for his contribution on this article.