data breach notification

Colorado’s governor recently signed into law an update to the state’s breach notice law.  As we reported yesterday the new law takes effect on September 1, 2018. As amended, the definition of “personal information” now also includes student, military or passport identification numbers, medical information, health insurance identification numbers, biometric data, and a resident’s username or email address (in combination with passwords or security questions). The law now calls for companies to conduct investigations when they become aware that a breach may have occurred (rather than when they become aware of a breach). Also modified is the window that companies have to provide notice, joining Florida in requiring notice within 30 days (as compared to the current “without unreasonable delay”).
Continue Reading Colorado Enacts Stringent Data Breach Notification Law

Louisiana has joined the growing list of states updating their data breach notification law in 2018.  Others include, as we have reported, Arizona and Oregon. The law has now been amended to include biometric information, state ID number, and passport number in the definition of personal information. It also adds a 60-day notice timeline from “the discovery of the breach.” If the 60-day timeline is not met because of a law enforcement request or because it takes longer to find out the scope of the breach and restore company’s systems, the law requires that the company explain the delay to the state Attorney General. The law now also permits companies not to notify if, after a reasonable investigation, they determine that “there is no likelihood of harm to the residents of this state.” Companies must keep a written record – for five years – of breaches it did not report.  This record must be given to the AG, if requested, within 60 days. The amendments to the Louisiana law go into effect on August 1st, 2018.
Continue Reading Louisiana Joins the Breach Notice Update Law Fray

Oregon’s governor recently passed into law S 1551. The bill amends the state’s existing breach notice law. The revision goes into effect in June. It adds to the definition of personal information that which would permit access to a financial account. It now also places the duty to notify not only on entities that own or license information and use it in the course of their business, but also on those that “otherwise possess” information and use it in the course of their business. Notice also has to be made if an entity [i.e. Entity A] “receive notice of a breach . . . from another person that maintains or otherwise possesses personal information” on Entity A’s behalf.
Continue Reading Oregon Updates Its Data Breach Notification Law

South Dakota recently became the 49th US state to enact data breach notification legislation. The new law takes effect July 1, 2018 and mirrors other states’ breach notice laws. Information that if breached, gives rise to a duty to notify is defined to include Social Security and government-issued identification numbers, account and payment card numbers (in combination with security or access codes or PIN numbers), health information, and employer-issued identification numbers (in combination with security or access codes, biometric data, or passwords). Protected information includes user names or email addresses (in combination with passwords or security question answers), and account or payment card numbers (in combination with security or access codes or PIN numbers).
Continue Reading And Then There Was One: South Dakota Passes Breach Notice Law, Alabama May Not Be Far Behind