States were busy updating their data breach notification statutes in 2016. With 2016 in the rear view, let’s take a look back at the legislative changes that will impact corporate incident response processes and what those trends portend going forward.
Expanded Definition of “Personal Information”
Login Credentials. In 2016, Rhode Island, Nebraska and Illinois (effective January 2017), joined the ranks of states that include usernames (or email addresses) and passwords in the definition of “personal information” that triggers notification obligations. As of this writing, the following eight states may require notification when login credentials are compromised: California, Florida, Illinois, Nebraska, North Dakota, Nevada, Rhode Island and Wyoming.
Biometric Data. Illinois (effective January 2017) and Oregon (effective January 2016) added biometric data to the list of triggering personal information. Both statutes define biometric data to include “measurements” of an individual’s physical characteristics used to authenticate that individual for a financial or other transaction, such as a “fingerprint, retina, or iris” image. Note that Oregon also requires notice to consumers if “medical” or “health insurance” information is compromised.
License Plate Data. In a novel move, California added “[i]nformation or data collected through the use or operation of an automated license plate recognition system” to the elements classified as “personal information” under its breach notification statute. This change took effect on January 1, 2016.
Encryption Defined. Rhode Island amended its statute in 2016 to clarify that information is “encrypted”—and therefore potentially exempt from notification—if it is obscured via a “one hundred twenty-eight (128) bit or higher algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key.” Rhode Island is the first state to specifically denote a methodology that satisfies the encryption safe harbor from notification.
Effective January 1, 2016, California’s data breach statute defines “encrypted” information as “information [that] has been rendered unusable, unreadable or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.”
Encryption Key Compromises. California’s legislature passed yet another amendment to its notification statute in 2016: effective January 1, 2017, California will require companies to provide notice where an encryption key is compromised together with encrypted information. Nebraska and Illinois similarly revised their statutes to clarify that data is not considered to be “encrypted” if the encryption key was also compromised in the incident.
Notice Format and Contents
Under Rhode Island’s 2016 data breach statute amendments, the state will become the first in the nation to require that consumer notifications explicitly note the number of individuals affected. The amended Rhode Island statute also requires consumer notices to include (i) a brief description of the incident; (ii) the type(s) of information affected; (iii) an estimated date or date range during which the breach occurred; (iv) the date the breach was discovered; (v) “[a] clear and concise description of any remediation services offered to individuals” and contact information for the credit reporting agencies, remediation service providers and the attorney general; and (vi) a clear and concise description of the consumer’s ability to file a police report and request a security freeze, along with the information that must be provided when requesting the security freeze. Additionally, beginning in January 2016, California’s data breach statute required a specified format for notice to consumers.
Notice to State Attorneys General
Several more states added State Attorney General notification requirements. Companies are now required to provide notice to the Oregon Attorney General of all breaches affecting more than 250 Oregon residents. Notice to the Rhode Island Attorney General is now required for all breaches affecting more than 500 Rhode Island residents. Finally, under Nebraska’s statutory amendments, companies must provide notice to the Nebraska Attorney General for all breaches regardless of the number of affected individuals. The Nebraska amendment specifies that notice to the Attorney General must be provided no later than notice to consumers.
Beginning in June 2016, Rhode Island requires notice to consumers no later than 45 days from “confirmation” of a data breach. A month later, Tennessee’s amendments to its data breach statute went into effect, requiring notice to consumers within 45 days after “discovery or notification” of a breach.
In light of the patchwork of varying statutory requirements, responding appropriately when a breach occurs requires attention to detail and a nimble approach. Persistent monitoring of new legislation will continue to be important, as legislative activity does not appear to be slowing down.
Companies are also well advised to keep tabs on these statutory changes in the context of other critical notification-related dynamics:
- Courts have increasingly scrutinized statements made in post-breach notifications to infer that plaintiffs were “harmed” sufficiently to establish standing to sue. In this context, courts have relied on broad offers of credit monitoring (Neiman Marcus), admonishments to monitor credit reports (P.F. Chang’s), and most recently, a recommendation that consumers set up fraud alerts and place security freezes on credit reports, without an accompanying offer to pay for the security freeze itself (Nationwide). Companies should carefully craft breach communications to not only comply with statutory requirements, but also with an eye toward litigation-risk management.
- The U.S. District Court for the Northern District of Illinois held recently that the “nearly six weeks” it took Barnes & Noble to provide notice under California’s breach notification law was too long to satisfy the statutory “most expedient time possible” standard. While some states have specified timing deadlines, organizations must be careful to time notifications in a way that satisfies states with more flexible “as-soon-as-practicable” or “without-unreasonably-delay” type requirements.