By Mary Ellen Callahan and Heidi Wachs
This year has seen a spate of updates to state data breach notification laws. The most recent state to join the trend is Connecticut, whose new legislation was signed into law by Governor Daniel Malloy on July 1, 2015 and went into effect on October 1, 2015. The updated law adds biometric data to the definition of personal information and sets a 90-day deadline for companies to report data breaches to affected residents as well as the state Attorney General. The amendments also require companies to provide victims with one year of identity theft protection, making Connecticut the first state in the country to require identity theft protection. California enacted a similar law this January, requiring a full year of protection if a business elects to offer credit monitoring.
Montana, Nevada, North Dakota, Washington, and Wyoming also all approved updates to their laws earlier this year. Common updates across these new pieces of legislation include expanded definitions of personal information, incorporating additional data elements beyond the historically included first name or first initial and last name in combination with Social Security number, driver's license number, or “account number or credit card number or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account,” and required notification to the state attorney general.
Wyoming and Nevada became the third and fourth states, after California and Florida, to add email address or user name in combination with password to the definition of personal information.
These changes reflect the increasing complexity of complying with state data breach notification laws, which have created a confusing patchwork of legal triggers and duties across the country. In light of these impending changes to state breach notification laws, companies should review and update their programs and policies, including seeking help from outside counsel as necessary. Incident response and breach notification plans should reflect the most up-to-date notification requirements, including which Attorneys General must be notified and any applicable timelines. In addition, companies may want to review their information classification policies to ensure that, as definitions of personal information expand, so do their policies and controls for the appropriate handling of the enumerated data elements.