Alabama’s breach notification law goes into effect June 1, 2018, bringing us one step closer to breach notification being the law of the land from coast to coast. In March, Alabama and South Dakota, the final two holdouts, passed breach notification statutes which are both set to go into effect this summer (Alabama’s law goes live June 1, 2018 and South Dakota’s law goes into effect on July 1, 2018). While these new statutes largely follow what has become the standard approach to breach notification obligations, as with any state, both Alabama and South Dakota put their own unique spin on things, such as data disposal requirements and unique biometric triggers.
In addition, Oregon and Colorado both passed amendments to their breach notification statutes, adding new notification timing requirements and expanding the scope of information covered. Oregon’s updates will go into effect June 2, 2018, and Colorado’s updates will go into effect on September 1, 2018.
We’ve highlighted the key takeaways below, but you can see additional details on these and other data breach notification requirements on the DWT State Data Breach Notification Maps or by clicking on the individual state, below.
Starting June 1, 2018, 49 states will have active data breach notification statutes, as Alabama’s Data Breach Notification Act goes into effect. While this law carries many “standard” breach notification statute elements, there are some provisions that deserve a call-out:
- The definition of “Sensitive Personally Identifying Information” is more expansive than in some states and includes medical history, health insurance policy number, as well as access credentials for a resident’s online account that is affiliated with the covered entity and is reasonably likely to contain or is used to obtain other sensitive personally identifying information.
- The statute does not apply to information that is truncated, encrypted, secured, or otherwise modified in a way that de-identifies the resident, unless the covered entity knows or has reason to know that the encryption key was also acquired during the breach.
- If third party agents discover a breach affecting sensitive personally identifying information that they maintain, store, process, or otherwise have access to in connection with providing services to a covered entity, then they are required to notify the covered entity no later than 10 days after discovery.
- Notification is not required if, after a prompt investigation in good faith, the covered entity determines that the breach is not likely to cause substantial harm to affected individuals.
- Notification must be made to affected individuals within 45 days after the covered entity is either notified of the breach by a third party agent or determines that the breach actually occurred and is likely to cause substantial harm.
- If over 1,000 Alabama residents are to be notified, then a covered entity must also notify the Alabama Attorney General and consumer reporting agencies.
- In addition, the statute requires both covered entities and third party agents working on their behalf to implement and maintain reasonable security measures to protect sensitive personally identifying information against a breach of security. To determine the reasonableness of these security measures, the statute requires that the covered entities undertake an assessment to determine what measures are appropriate, and the statute includes factors that must be considered in conducting this assessment.
- The statute also contains a data disposal provision that requires covered entities and their third party agents to shred, erase, or otherwise modify records containing sensitive personally identifying information when the records are no longer needed.
South Dakota will have the distinction of being the only state without breach notification requirements for a few weeks, until Senate Bill No. 62 goes into effect on July 1, 2018. As with Alabama, this statute generally follows other data breach notification laws, but contains some notable provisions:
- The statute applies to persons and businesses that conduct business in the state and own or license personal or protected information (as defined).
- The statute contains no notification obligations for third party entities that maintain or process covered information on behalf of an entity subject to the statute.
- The definitions of Personal and Protected Information (which are both subject to the statute) include standard data elements such as Social Security number and financial account information, but also include some non-universal elements, such as health information, employer-issued identification numbers in combination with a password, security code, or biometric data used for authentication purposes, and online account credentials.
Note: while biometric data is a data element that can trigger the statute, it only applies when associated with employee identification credentials.
- Notice to affected residents, if required, must be made within 60 days of discovery or notification of a breach. This timeline can be delayed if law enforcement determines that breach notification will impede a criminal investigation, but notice must then be made within 30 days after law enforcement determines it will no longer impede the investigation.
- If over 250 residents of South Dakota must be notified under the statute, the information holders must also notify the attorney general within the same 60 day timeframe.
- No notice is required if, after a reasonable investigation and notice to the Attorney General, the information holder determines that the breach will likely not result in harm to the affected person(s).
- The information holder must notify all national consumer reporting agencies whenever any residents must be notified.
- Entities subject to HIPAA or GLBA are exempt from this statute.
Oregon’s amendments to its current breach notification statute go into effect on Saturday, June 2, 2018. Key elements of these amendments, found in Senate Bill 1551, include adding a notification deadline and restricting what affected consumers can be required to do in order to access identity protection services following the breach:
- The scope of the statute is expanded to include a person who “otherwise possesses” personal information and uses it in the course of their business or who “received notice of a breach of security from another person that maintains or otherwise possesses personal information on the person’s behalf” (i.e., if your vendor notifies you that it had a breach, you are on the hook to provide any required notices); the current law applies only to persons who own or license personal information.
- Notice must be issued to affected individuals within 45 days of discovery of a breach, though HIPAA covered entities are exempt from this timeline.
- Covered persons cannot require consumers to provide a credit card number or pay any fee to take advantage of “free” credit monitoring or identity theft prevention and mitigation services.
- Consumer reporting agencies are prohibited from charging a fee for a consumer to place or lift a security freeze (previously, such fees were capped at $10).
On May 29, 2018, Colorado Governor John Hickenlooper signed HB 18-1128 into law, which will go into effect on September 1, 2018. In addition to amending the general breach notification statute, these amendments also add requirements for the proper disposal and destruction of media containing personal identifying information and for the implementation and maintenance of reasonable security procedures and practices:
- The definition of “personal information” is expanded to include medical information, health insurance identification numbers, and biometric data.
- Covered entities must now initiate an investigation when they become aware that a security breach may have occurred and must provide notice to affected residents no later than 30 days after determining that a security breach occurred.
- Content requirements were added for breach notifications to affected residents, such as the date of the breach, a description of the affected personal information, and contact information for the covered entity, consumer reporting agencies (CRAs), and the FTC; additional content requirements apply where the breach involves access credentials to an online account.
- Covered entities are required to notify the Colorado Attorney General no later than 30 days after determining a security breach occurred if they are required to notify 500 or more Colorado residents.
- The encryption safe harbor does not apply where the encryption key was, or was reasonably believed to have been, acquired during the breach.
- Additional requirements were also added to the Colorado breach notification statute that applies to governmental entities in the state.
- Written policies for destruction or proper disposal of paper or electronic materials containing personal identifying information are now required per the amendments.
- Covered entities are now required to implement and maintain reasonable security procedures and practices and must require the same of third-party service providers that process personal identifying information on behalf of the covered entity.