11 new state privacy and security laws explained: Is your business ready?

States from Maine to California have recently enacted privacy, data security, cybersecurity, and data breach notification laws. We break down what each of these laws entails.

1 2 Page 2
Page 2 of 2

The law also clarifies that any relevant entity may not provide data breach notifications through email accounts that have been affected by a security breach and must find some other notification method.

Maryland Personal Information Protection Act – Security Breach Notification Requirements – Modifications (House Bill 1154)

Approved by Governor Larry Hogan on April 30, 2019 and effective as of October 1, 2019, the law extends the state’s existing data breach requirements to personal information maintained by a business in addition to personal information owned or licensed by a business. These businesses are also now required to conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information of the individual has been or will be misused as a result of the breach.

Those businesses that simply maintain personal data may not charge the owner or licensee a fee for providing the information needed to notify Maryland residents. The law also places certain limitations on information relative to the breach.

Oregon Consumer Information Protection Act (OCIPA) SB 684

Signed into law by Governor Kate Brown on May 24, 2019 and effective as of October 1, 2019, the legislation amends state law by expanding the definition of personal information under the statute to include online account credentials on their own. The bill also creates, with some exceptions, additional notification obligations for "vendors" that maintain or process personal information on behalf of other businesses, who will also be required to notify the Oregon Attorney General if the personal information of more than 250 residents (or an indeterminate number of residents) is involved. However, all vendors must notify the relevant business, and a sub-vendor must notify the relevant vendor, within 10 days of discovering or having reason to believe a security breach occurred.

Texas – An Act relating to the privacy of personal identifying information and the creation of the Texas Privacy Protection Advisory Council

Signed by Governor Greg Abbott on June 14, 2019 and effective as of January 1, 2020, the legislation amends state law to change the time period for breach notification from “as quickly as possible” to “without unreasonable delay and in each case not later than the 60th day after the date on which the person determines that the breach occurred.” If the breach affects more than 250 residents of the state, a person who is required to disclose or provide notification of a breach of system security under this section shall notify the attorney general of that breach not later than the 60th day after the date on which the person determines that the breach occurred.

The notification must also contain a detailed description of the breach, the number of affected Texas residents, the measures taken by the breached entity in response to the incident and whether law enforcement has been engaged.

Washington – An Act Relating to breach of security systems protecting personal information (SHB 1071)

Approved by Governor Jay Inslee on May 7, 2019 and effective as of March 1, 2020, the law expands the scope of Washington’s existing data breach law by revising the statutory definition of personal information to include an individual's first name or initial and last name in combination with other data elements such as full date of birth, student ID number, passport number, health insurance policy or identification number, private key that is unique to an individual and that is used to authenticate or sign an electronic record, medical information and biometric information.

Under the amended law, businesses now only have 30 days, rather than 45 days, to deliver the required notifications. Notifications must include a timeframe of exposure, if known, including the date of the breach and the date of the discovery of the breach, the types of personal information affected, a summary of steps taken to contain the breach, and a sample copy of the breach notification sent to Washington residents. A business must update the attorney general if all this information is unknown at the time of the breach.

Copyright © 2019 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
The 10 most powerful cybersecurity companies