BreachExchange mailing list archives
State Breach Notification Laws Continue To Change
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 29 Jun 2015 17:38:50 -0600
http://www.jdsupra.com/legalnews/state-breach-notification-laws-continue-78883/

State breach notification laws continue to be amended to (1) provide for notification of a state attorney general or regulator about a breach in addition to affected individuals, (2) cover breaches involving personal information in both electronic and paper formats, and (3) address identity theft prevention and mitigation services. This article addresses recent changes in these three key areas.

State Attorney General or Regulator Breach Notification

Forty-seven states, plus the District of Columbia, Guam, Puerto Rico, and the Virgin Islands, have breach notification laws. (Alabama, New Mexico, and South Dakota do not have these laws.) The breach notification laws require notification of affected individuals of a breach.

The Montana, North Dakota, Oregon, and Washington breach notification laws were amended to require a company also to notify a state attorney general or regulator about a breach in addition to affected individuals. Twenty-two state breach notification laws—California, Connecticut, Florida, Hawaii, Indiana, Iowa, Louisiana, Maine, Maryland, Massachusetts, Missouri, Montana, New Hampshire, New Jersey, New York, North Carolina, North Dakota, Oregon, South Carolina, Vermont, Virginia, and Washington, plus the Puerto Rico breach notification law—require notification of a breach to a state attorney general or regulator in addition to notifying the affected individuals.1

The amendments to the North Dakota and Oregon breach notification laws require notification to the state attorneys general where the breach affects more than 250 individuals and 250 Oregon residents, respectively. The amendment to the Washington breach notification law requires notification to the state attorney general where the breach affects more than 500 Washington residents.

The California, Florida, Hawaii, Iowa, Missouri, and South Carolina breach notification laws also require notification to a state attorney general or regulator in addition to notifying the affected individuals where there are (1) 500 or more individuals in Florida or more than 500 California or Iowa residents, respectively; (2) more than 1,000 individuals in Hawaii; (3) more than 1,000 consumers in Missouri; and (4) more than 1,000 South Carolina residents affected, respectively.

The Connecticut, Indiana, Louisiana, Maine, Maryland, Massachusetts, Montana, New Hampshire, New Jersey, New York, North Carolina, Vermont, and Virginia breach notification laws, plus the Puerto Rico breach notification law, require notification of a breach to a state attorney general or regulator regardless of the number of affected individuals.

Notification for Electronic and Paper Breaches

State breach notification laws cover breaches involving personal information in electronic format. The Washington breach notification law was amended to cover breaches involving personal information in both electronic and paper formats. Eight state breach notification laws—Alaska, Hawaii, Indiana, Iowa, Massachusetts, North Carolina, Washington, and Wisconsin—cover breaches involving personal information in both electronic and paper formats. Interestingly, these state breach notification laws (other than the Alaska and Wisconsin breach notification laws) also require notification to a state attorney general or regulator in addition to notifying the affected individuals.2

The amendment to the Washington breach notification law deletes "computerized" with respect to data that includes personal information, addresses personal information that is not secured, and defines secured as encrypted in a manner that meets or exceeds the National Institute of Standards and Technology standard or is otherwise modified so that the personal information is rendered unreadable, unusable, or undecipherable by an unauthorized person.

Identity Theft Prevention and Mitigation Services

The Connecticut breach notification law was amended to require an owner or licensor of personal information to offer appropriate identity theft prevention services and, if applicable, identity theft mitigation services to each Connecticut resident whose first name or first initial and last name, in combination with Social Security number, was breached or is reasonably believed to have been breached. These services must be provided at no cost for not less than 12 months. All information necessary for enrollment in these services must be provided, and information on how the Connecticut resident can place a credit freeze on his or her credit file must be included.