State Legislatures Continue to Update Breach Notification Laws

While the California Consumer Privacy Act (“CCPA”) has inspired many states to consider their own consumer privacy bills, including Nevada which recently enacted a new law, not to be lost in the CCPA-focused frenzy is the fact that states continue to revise their data breach notification statutes. In recent weeks, the new Massachusetts breach notification amendment has gone into effect, New Jersey, Maryland, Oregon, Texas, and Washington have enacted their own breach notification amendments, and Illinois has proposed a bill that is poised to become law in the near term.


Recent Data Breach Notification Amendments (in order of effective date)

Massachusetts H 4806 (Effective April 11, 2019)

Signed into law by Governor Charlie Baker on January 10, 2019, the Massachusetts amendment enhances the content requirements for breach notifications to state residents by requiring disclosure of the parent company of the entity breached, if applicable, and the fact that security freezes are now available for no charge. More substantially, Massachusetts now requires businesses to offer free credit monitoring services for at least 18 months to residents whose social security numbers have been affected by a breach. Where an offer of free credit monitoring services is required, the breached entity must also provide all information necessary for the resident to enroll in the services and cannot condition the services on the resident’s waiver of his or her right to a private right of action.

The amendment also creates new content requirements for breach notifications to the Massachusetts Attorney General and Director of Consumer Affairs and Business Regulation, including disclosure of the person responsible for the breach, the contact information of the entity that experienced the breach and the person who reported the breach, the type of personal information compromised, whether the breached entity maintains a written information security program, and a sample copy of the notice sent to state residents. The amendment further clarifies that notice may not be delayed on the grounds that the total number of Massachusetts residents affected is not yet ascertained and places an affirmative duty on breached entities to provide supplemental notice upon learning of additional information that renders necessary an update or correction to required notice content.

New Jersey S 52 (Effective September 1, 2019)

When Governor Phil Murphy approved this amendment on May 10, 2019, New Jersey joined the minority of states that treat credentials for any online account, including a personal account, as “personal information” subject to state breach notification laws.

Specifically, a business or public entity’s duty to notify New Jersey residents of a security breach now also applies where a breach involves an individual’s first name or initial and last name linked with a “user name, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account.” In an instance where a breach involves only this newly-defined online account information, businesses and public entities may meet their notice requirement by directing New Jersey residents, in electronic or other form, “to promptly change any password and security question or answer, as applicable, or to take other appropriate steps” to protect any and all online accounts the residents have with the business or public entity for which a resident uses the same user name or email address and password or security question or answer.

The law clarifies, however, that businesses and public entities may not provide notification to New Jersey residents through email accounts that have been affected by a security breach. In this case, businesses must instead use another notification method under the law or “clear and conspicuous notice delivered to the customer online when the customer is connected to the online account,” whether via an IP address or another “online location from which the business or public entity knows the customer customarily accesses the account.”

Maryland HB 1154 (Effective October 1, 2019)

Approved by Governor Larry Hogan on April 30, 2019, Maryland’s amendment tailors investigation and notification obligations depending on a business’s role in owning, licensing, or maintaining computerized data that includes personal information of Maryland residents. Businesses that merely maintain, rather than own or license, personal information of Maryland residents must now, upon discovery of a security breach, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused. A business that owns or licenses personal information, however, bears the obligation of notifying Maryland residents (and Maryland’s Attorney General), upon a determination that a security breach creates a likelihood that personal information has been or will be misused.

The amendment prohibits a breached business that is not the owner or licensee of the personal information from charging the owner or licensee a fee for providing the information needed to notify Maryland residents. The amendment also places a purpose limitation on information relative to the breach, restricting its use to only: (1) providing notification of the breach; (2) protecting or securing personal information; and (3) providing notification to national information security organizations created for information-sharing and analysis of security threats, to alert and avert new or expanded breaches.

Oregon SB 684 (Effective January 1, 2020)

Signed into law by Governor Kate Brown on May 24, 2019, Oregon’s amendment expands the definition of “personal information” under the statute to include online account credentials on their own, joining the growing minority of states that consider even personal account credentials within the purview of breach notification laws. The amendment also breaks new ground by creating additional notification obligations for “vendors” who maintain or process personal information on behalf of other businesses. While states usually only require vendors to notify the respective business, starting on January 1, 2020, vendors discovering or having reason to believe that a security breach involving Oregon residents’ personal information occurred will also be required to notify the Oregon Attorney General if the personal information of more than 250 residents (or an indeterminate number of residents) is involved.

Vendors are relieved of this obligation, however, if the business notifies the Attorney General in accordance with the statute. Thus, the amendment leaves some flexibility for the business and vendor to negotiate which party will notify the state Attorney General in the event of a breach. Regardless, a vendor must notify the relevant business, and a sub-vendor must notify the relevant vendor, within 10 days of discovering or having reason to believe a security breach occurred.

Texas HB 4390 (Effective Date January 1, 2020)

Signed by Governor Greg Abbott on June 14, 2019, the Texas amendment alters the time frame for notification to affected individuals from requiring notification “as quickly as possible” to requiring notification “without unreasonable delay” but not later than 60 days after the entity determines a breach occurred. Where the breach involves at least 250 Texas residents, the amendment also requires an entity to notify the Texas Attorney General no later than 60 days after determining that a breach occurred.

The amendment includes a content requirement for the notification to the Attorney General, which would include a detailed description of the breach, the number of affected Texas residents, the measures taken by the breached entity in response to the incident and whether law enforcement has been engaged.

Washington SHB 1071 (Effective March 1, 2020)

Approved by Governor Jay Inslee on May 7, 2019, the Washington amendment expands the scope of Washington’s existing data breach notification law by revising the statutory definition of “personal information” to include an individual’s first name or initial and last name in combination with data elements such as full date of birth, student ID number, passport number, medical information and biometric information. In addition, any online account credentials, including personal online accounts, with or without the resident’s name are subject to the breach notification obligations.

Under the new amendment, businesses only have 30 days, rather than 45 days, to deliver the required notifications. The notifications delivered to Washington residents must now include a time frame of exposure, if known, including the date of the breach and the date the breach was discovered. In addition, notification to the Washington Attorney General must now include the types of personal information affected, the time frame of exposure, a summary of steps taken to contain the breach, and a sample copy of the breach notification sent to Washington residents. The amendment also requires a business to update the Attorney General if the information is unknown at the time notice is due.

Impending Data Breach Notification Amendments

Illinois SB 1624 (Anticipated Effective Date June 1, 2020 – if enacted)

The Illinois amendment has passed both Houses in the state legislature and would require “data collectors” that own or license personal information of Illinois residents to notify the Illinois Attorney General upon a security breach involving the personal information of more than 500 residents. Like the existing notice requirement to residents, a data collector would have to provide notice to the Illinois Attorney General “in the most expedient time possible and without unreasonable delay,” but in no event later than when the data collector provides notice to residents.

The amendment also includes a content requirement for the notice to the state Attorney General, which must include a description of the breach, the number of affected Illinois residents and the steps taken in response to the breach. The description of the breach may need to include the date of the breach and the types of personal information compromised because the amendment would require the breached entity to send the Attorney General the date of the breach separately if not known at the time of notice and because the Attorney General would be authorized to publish the name of the breached entity, the types of personal information compromised and the date range of the breach.

Key Takeaways

    • Expanded scope of “personal information.” States are expanding the definition of “personal information,” thus increasing the likelihood that future security incidents will trigger a business’ duty to notify affected residents and regulators. Businesses should familiarize themselves with these expanded definitions and take measures to properly secure this information to reduce the likelihood of unauthorized access or acquisition.
    • More in-depth notifications. States are requiring entities to provide more detail about the circumstances surrounding security incidents in notifications to both residents and regulators. These details are likely to invite greater scrutiny regarding an entity’s activities pre- and post-breach, and further emphasize the importance of having counsel involved to protect privilege and accurately craft the narrative.
    • Stricter notification deadlines. States are shortening already-existing notification deadlines or are opting to replace more open-ended timeframes with specific deadlines. These stricter notification deadlines reinforce the need for a structured and efficient incident response plan that accommodates multi-jurisdictional demands.
    • Increased regulation of data vendors and service providers. States are starting to impose additional duties on data vendors and service providers beyond the common notice requirement to inform data owners or licensors of a security breach, including standalone investigative and direct-to-regulator notification obligations. In light of these new legal obligations, businesses may need to adjust their agreements with data vendors and service providers and expressly delegate sole notification responsibility to themselves as the data owner or licensor, to prevent data vendors and service providers from dictating the breach response.
    • Duty to provide remedial services. Massachusetts’ requirement that entities provide free credit monitoring services to residents affected by a security breach involving social security numbers marks a growing trend among states to impose a duty on entities to remediate potential harm to consumers. Businesses need to understand the potential increased cost and burden associated with offering these remedial services and prepare accordingly.

As the U.S. data breach notification regulatory landscape remains in flux, active monitoring of the legal developments can help prevent businesses from unintentionally falling out of compliance with these revised laws. Check our website periodically for updates as this area of the law continues to evolve.