With varying effective dates, eight states recently passed
amendments to their data breach notification laws.

Nevada passed an amendment (A.B. No. 179) expanding the definition of
"personal information" to include a name in combination
with a driver authorization card number, a medical identification
number, a health insurance number, or a user name, unique
identifier, or email address, along with a password, access code,
or security question and answer.

Wyoming passed two amendments (S.F. No. 35 and S.F. No. 36) requiring notice to affected
persons to be "clear and conspicuous" with certain
content requirements, allowing for a compliance exemption for
covered entities or business associates that comply with HIPAA, and
expanding the definition of "personal information" to
include, for example, an account number, credit card number, or
debit card number in combination with any security code, access
code, or password.

Washington passed an amendment (H.B. No. 1078) broadening the notification
obligations to include breaches involving noncomputerized personal
information and requiring data breach notification to affected
consumers not later than 45 days after the breach was
discovered.

North Dakota passed an amendment (S.B. No. 2214) expanding the definition of
"personal information" to include a name in combination
with an identification number assigned to the individual by the
individual's employer in combination with any required security
code, access code, or password, and requiring notification to the
attorney general of data breaches involving more than 250
individuals.

Connecticut passed an amendment (S.B. No. 949) requiring data breach
notification to individuals within 90 days after discovery of a
breach and, if applicable, providing identity theft mitigation
services at no cost to the consumer for a period of not less than
12 months.

Montana passed an amendment (H.B. No. 74) expanding the definition of
"personal information" to include a name in combination
with medical record information or a taxpayer identification number
and requiring notification to the attorney general's consumer
protection office.

Oregon passed an amendment (S.B. No. 601) expanding the definition of
"personal information" to include biometric and health
insurance information and requiring notification to the attorney
general of data breaches involving more than 250 Oregon
residents.

Rhode Island passed an amendment (S.B. No. 134) expanding the
definition of "personal information," requiring data breach
notification to individuals not later than 45 days after
confirmation of a breach, and mandating notification to the attorney
general and major credit reporting agencies for breaches involving
more than 500 Rhode Island residents.

Illinois's Congress approved an amendment (S.B. No. 1833) to its data breach notification
bill by adding "biometric data" to the definition of
personal information. The proposed amendment awaits signature from
the state governor before it becomes effective.