12 new state privacy and security laws explained: Is your business ready?

States from Maine to California have recently enacted privacy, data security, cybersecurity, and data breach notification laws. We break down what each of these laws entails.

  • Amends the content requirements for breach notifications to state residents by requiring disclosure of the parent company of the entity breached
  • Requires businesses to offer free credit monitoring services for at least 18 months to residents whose social security numbers have been affected by a breach. The breached entity must provide all information necessary for enrolling in the credit monitoring services and may not condition those services on the resident’s waiver of his or her private right of action.
  • Requires a range of new content requirements for breach notifications, including the disclosure of the person responsible for the breach in breach notifications, the contact information of the entity that experienced the breach and the person who reported the breach, the type of personal information compromised, whether the breached entity maintains a written information security program, and a sample copy of the notice sent to state residents.
  • Stipulates that breach notification may not be delayed on grounds that the total number of residents affected is not yet ascertained.

New Jersey — An ACT concerning disclosure of breaches of security and amending P.L.2005, c.226 (S. 51)

Approved by Governor Phil Murphy on May 10, 2019 and effective as of September 1, 2019, the bill treats credentials for any online account, including a personal account, as personal information subject to state breach notification laws.

Specifically, the bill treats any of the following as personal information:

  • Social Security number;
  • driver's license number or state identification card number;
  • account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account;
  • username, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account;
  • dissociated data that, if linked, would constitute personal information, if the means to link the dissociated data were accessed in connection with access to the dissociated data.

The law also clarifies that no relevant entity may deliver data breach notifications to email accounts that were themselves affected by the security breach; it must use some other notification method instead.

Maryland Personal Information Protection Act – Security Breach Notification Requirements – Modifications (House Bill 1154)

Approved by Governor Larry Hogan on April 30, 2019 and effective as of October 1, 2019, the law extends the state’s existing data breach requirements to personal information maintained by a business in addition to personal information owned or licensed by a business. These businesses are also now required to conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information of the individual has been or will be misused as a result of the breach.

Those businesses that simply maintain personal data may not charge the owner or licensee a fee for providing the information needed to notify Maryland residents. The law also places certain limitations on information relative to the breach.

Oregon Consumer Information Protection Act (OCIPA) SB 684

Signed into law by Governor Kate Brown on May 24, 2019 and effective as of October 1, 2019, the legislation amends state law by expanding the definition of personal information under the statute to include online account credentials on their own. The bill also creates, with some exceptions, additional notification obligations for "vendors" that maintain or process personal information on behalf of other businesses, who will also be required to notify the Oregon Attorney General if the personal information of more than 250 residents (or an indeterminate number of residents) is involved. However, all vendors must notify the relevant business, and a sub-vendor must notify the relevant vendor, within 10 days of discovering or having reason to believe a security breach occurred.

Texas – An Act relating to the privacy of personal identifying information and the creation of the Texas Privacy Protection Advisory Council

Signed by Governor Greg Abbott on June 14, 2019 and effective as of January 1, 2020, the legislation amends state law to change the time period for breach notification from “as quickly as possible” to “without unreasonable delay and in each case not later than the 60th day after the date on which the person determines that the breach occurred.” If the breach affects more than 250 residents of the state, a person who is required to disclose or provide notification of a breach of system security under this section shall notify the attorney general of that breach not later than the 60th day after the date on which the person determines that the breach occurred.

The notification must also contain a detailed description of the breach, the number of affected Texas residents, the measures taken by the breached entity in response to the incident and whether law enforcement has been engaged.

Washington – An Act Relating to breach of security systems protecting personal information (SHB 1071)

Approved by Governor Jay Inslee on May 7, 2019 and effective as of March 1, 2020, the law expands the scope of Washington’s existing data breach law by revising the statutory definition of personal information to include an individual's first name or initial and last name in combination with other data elements such as full date of birth, student ID number, passport number, health insurance policy or identification number, private key that is unique to an individual and that is used to authenticate or sign an electronic record, medical information and biometric information.

Under the amended law, businesses now only have 30 days, rather than 45 days, to deliver the required notifications. Notifications must include a timeframe of exposure, if known, including the date of the breach and the date of the discovery of the breach, the types of personal information affected, a summary of steps taken to contain the breach, and a sample copy of the breach notification sent to Washington residents. A business must update the attorney general if all this information is unknown at the time of the breach.

Editor's note: This article, originally published on August 8, 2020, has been updated to include information on the CPRA.

Copyright © 2020 IDG Communications, Inc.
