United States: State Legislatures Continue To Update Breach Notification Laws

While the California Consumer Privacy Act ("CCPA") has inspired many states to consider their own consumer privacy bills, including Nevada which recently enacted a new law, not to be lost in the CCPA-focused frenzy is the fact that states continue to revise their data breach notification statutes. In recent weeks, the new Massachusetts breach notification amendment has gone into effect, New Jersey, Maryland, Oregon, Texas, and Washington have enacted their own breach notification amendments, and Illinois has proposed a bill that is poised to become law in the near term.

Recent Data Breach Notification Amendments (in order of effective date)

Massachusetts H 4806 (Effective April 11, 2019)

Signed into law by Governor Charlie Baker on January 10, 2019, the Massachusetts amendment enhances the content requirements for breach notifications to state residents by requiring disclosure of the parent company of the entity breached, if applicable, and the fact that security freezes are now available for no charge. More substantially, Massachusetts now requires businesses to offer free credit monitoring services for at least 18 months to residents whose social security numbers have been affected by a breach. Where an offer of free credit monitoring services is required, the breached entity must also provide all information necessary for the resident to enroll in the services and cannot condition the services on the resident's waiver of his or her right to a private right of action.

The amendment also creates new content requirements for breach notifications to the Massachusetts Attorney General and Director of Consumer Affairs and Business Regulation, including disclosure of the person responsible for the breach, the contact information of the entity that experienced the breach and the person who reported the breach, the type of personal information compromised, whether the breached entity maintains a written information security program, and a sample copy of the notice sent to state residents. The amendment further clarifies that notice may not be delayed on the grounds that the total number of Massachusetts residents affected is not yet ascertained and places an affirmative duty on breached entities to provide supplemental notice upon learning of additional information that renders necessary an update or correction to required notice content.

New Jersey S 52 (Effective September 1, 2019)

When Governor Phil Murphy approved this amendment on May 10, 2019, New Jersey joined the minority of states that treat credentials for any online account, including a personal account, as "personal information" subject to state breach notification laws.

Specifically, a business or public entity's duty to notify New Jersey residents of a security breach now also applies where a breach involves an individual's first name or initial and last name linked with a "user name, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account." In an instance where a breach involves only this newly-defined online account information, businesses and public entities may meet their notice requirement by directing New Jersey residents, in electronic or other form, "to promptly change any password and security question or answer, as applicable, or to take other appropriate steps" to protect any and all online accounts the residents have with the business or public entity for which a resident uses the same user name or email address and password or security question or answer.

The law clarifies, however, that businesses and public entities may not provide notification to New Jersey residents through email accounts that have been affected by a security breach. In this case, businesses must instead use another notification method under the law or "clear and conspicuous notice delivered to the customer online when the customer is connected to the online account," whether via an IP address or another "online location from which the business or public entity knows the customer customarily accesses the account."

Maryland HB 1154 (Effective October 1, 2019)

Approved by Governor Larry Hogan on April 30, 2019, Maryland's amendment tailors investigation and notification obligations depending on a business's role in owning, licensing, or maintaining computerized data that includes personal information of Maryland residents. Businesses that merely maintain, rather than own or license, personal information of Maryland residents must now, upon discovery of a security breach, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused. A business that owns or licenses personal information, however, bears the obligation of notifying Maryland residents (and Maryland's Attorney General), upon a determination that a security breach creates a likelihood that personal information has been or will be misused.

The amendment prohibits a breached business that is not the owner or licensee of the personal information from charging the owner or licensee a fee for providing the information needed to notify Maryland residents. The amendment also places a purpose limitation on information relative to the breach, restricting its use to only: (1) providing notification of the breach; (2) protecting or securing personal information; and (3) providing notification to national information security organizations created for information-sharing and analysis of security threats, to alert and avert new or expanded breaches.

Oregon SB 684 (Effective January 1, 2020)

Signed into law by Governor Kate Brown on May 24, 2019, Oregon's amendment expands the definition of "personal information" under the statute to include online account credentials on their own, joining the growing minority of states that consider even personal account credentials within the purview of breach notification laws. The amendment also breaks new ground by creating additional notification obligations for "vendors" who maintain or process personal information on behalf of other businesses. While states usually only require vendors to notify the respective business, starting on January 1, 2020, vendors discovering or having reason to believe that a security breach involving Oregon residents' personal information occurred will also be required to notify the Oregon Attorney General if the personal information of more than 250 residents (or an indeterminate number of residents) is involved.

Vendors are relieved of this obligation, however, if the business notifies the Attorney General in accordance with the statute. Thus, the amendment leaves some flexibility for the business and vendor to negotiate which party will notify the state Attorney General in the event of a breach. Regardless, a vendor must notify the relevant business, and a sub-vendor must notify the relevant vendor, within 10 days of discovering or having reason to believe a security breach occurred.

Texas HB 4390 (Effective Date January 1, 2020)

Signed by Governor Greg Abbott on June 14, 2019, the Texas amendment alters the time frame for notification to affected individuals from requiring notification "as quickly as possible" to requiring notification "without unreasonable delay" but not later than 60 days after the entity determines a breach occurred. Where the breach involves at least 250 Texas residents, the amendment also requires an entity to notify the Texas Attorney General no later than 60 days after determining that a breach occurred.

The amendment includes a content requirement for the notification to the Attorney General, which would include a detailed description of the breach, the number of affected Texas residents, the measures taken by the breached entity in response to the incident and whether law enforcement has been engaged.

Washington SHB 1071 (Effective March 1, 2020)

Approved by Governor Jay Inslee on May 7, 2019, the Washington amendment expands the scope of Washington's existing data breach notification law by revising the statutory definition of "personal information" to include an individual's first name or initial and last name in combination with data elements such as full date of birth, student ID number, passport number, medical information and biometric information. In addition, any online account credentials, including personal online accounts, with or without the resident's name are subject to the breach notification obligations.

Under the new amendment, businesses only have 30 days, rather than 45 days, to deliver the required notifications. The notifications delivered to Washington residents must now include a time frame of exposure, if known, including the date of the breach and the date the breach was discovered. In addition, notification to the Washington Attorney General must now include the types of personal information affected, the time frame of exposure, a summary of steps taken to contain the breach, and a sample copy of the breach notification sent to Washington residents. The amendment also requires a business to update the Attorney General if the information is unknown at the time notice is due.

Impending Data Breach Notification Amendments

Illinois SB 1624 (Anticipated Effective Date June 1, 2020 – if enacted)

The Illinois amendment has passed both Houses in the state legislature and would require "data collectors" that own or license personal information of Illinois residents to notify the Illinois Attorney General upon a security breach involving the personal information of more than 500 residents. Like the existing notice requirement to residents, a data collector would have to provide notice to the Illinois Attorney General "in the most expedient time possible and without unreasonable delay," but in no event later than when the data collector provides notice to residents.

The amendment also includes a content requirement for the notice to the state Attorney General, which must include a description of the breach, the number of affected Illinois residents and the steps taken in response to the breach. The description of the breach may need to include the date of the breach and the types of personal information compromised because the amendment would require the breached entity to send the Attorney General the date of the breach separately if not known at the time of notice and because the Attorney General would be authorized to publish the name of the breached entity, the types of personal information compromised and the date range of the breach.

Key Takeaways

  • Expanded scope of "personal information." States are expanding the definition of "personal information," thus increasing the likelihood that future security incidents will trigger a business' duty to notify affected residents and regulators. Businesses should familiarize themselves with these expanded definitions and take measures to properly secure this information to reduce the likelihood of unauthorized access or acquisition.
  • More in-depth notifications. States are requiring entities to provide more detail about the circumstances surrounding security incidents in notifications to both residents and regulators. These details are likely to invite greater scrutiny regarding an entity's activities pre- and post-breach, and further emphasize the importance of having counsel involved to protect privilege and accurately craft the narrative.
  • Stricter notification deadlines. States are shortening already-existing notification deadlines or are opting to replace more open-ended timeframes with specific deadlines. These stricter notification deadlines reinforce the need for a structured and efficient incident response plan that accommodates multi-jurisdictional demands.
  • Increased regulation of data vendors and service providers. States are starting to impose additional duties on data vendors and service providers beyond the common notice requirement to inform data owners or licensors of a security breach, including standalone investigative and direct-to-regulator notification obligations. In light of these new legal obligations, businesses may need to adjust their agreements with data vendors and service providers and expressly delegate sole notification responsibility to themselves as the data owner or licensor, to prevent data vendors and service providers from dictating the breach response.
  • Duty to provide remedial services. Massachusetts' requirement that entities provide free credit monitoring services to residents affected by a security breach involving social security numbers marks a growing trend among states to impose a duty on entities to remediate potential harm to consumers. Businesses need to understand the potential increased cost and burden associated with offering these remedial services and prepare accordingly.

As the U.S. data breach notification regulatory landscape remains in flux, active monitoring of the legal developments can help prevent businesses from unintentionally falling out of compliance with these revised laws. Check our website periodically for updates as this area of the law continues to evolve.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Events from this Firm
10 Dec 2019, Seminar, Hong Kong, Hong Kong

This seminar examines the impact of recent CFIUS reforms on private investment funds. Orrick’s Sook Young Yeu and Scott Peterman will discuss the regulatory hurdles and filing requirements created under the Foreign Investment Risk Review Modernization Act (FIRRMA) and how best to structure foreign investments in private equity and other investment funds to minimize CFIUS risks.

13 Dec 2019, Speaking Engagement, Palo Alto, United States

Los Angeles partner Alyssa Caridis will lead the session on “Attorneys’ Fees” at the 20th Annual Berkeley – Stanford Advanced Patent Law Institute in Palo Alto on December 13th.

9 Jan 2020, Seminar, San Francisco, United States

Get ahead of workplace policy updates during this one-stop shop seminar hosted by Orrick's employment law team.

Similar Articles
Relevancy Powered by MondaqAI
In association with
Related Topics
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions