BreachExchange mailing list archives

State Breach Notification Laws Continue To Change


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 29 Jun 2015 17:38:50 -0600

http://www.jdsupra.com/legalnews/state-breach-notification-laws-continue-78883/

State breach notification laws continue to be amended to (1) provide for
notification of a state attorney general or regulator about a breach in
addition to affected individuals, (2) cover breaches involving personal
information in both electronic and paper formats, and (3) address identity
theft prevention and mitigation services.

This article addresses recent changes in these three key areas.

State Attorney General or Regulator Breach Notification

Forty-seven states, plus the District of Columbia, Guam, Puerto Rico, and
the Virgin Islands, have breach notification laws. (Alabama, New Mexico,
and South Dakota do not have these laws.)

The breach notification laws require that affected individuals be notified
of a breach. The Montana, North Dakota, Oregon, and Washington breach
notification laws were amended to require a company to notify a state
attorney general or regulator about a breach in addition to affected
individuals.

Twenty-two state breach notification laws—California, Connecticut, Florida,
Hawaii, Indiana, Iowa, Louisiana, Maine, Maryland, Massachusetts, Missouri,
Montana, New Hampshire, New Jersey, New York, North Carolina, North Dakota,
Oregon, South Carolina, Vermont, Virginia, and Washington, plus the Puerto
Rico breach notification law—require notification of a breach to a state
attorney general or regulator in addition to notifying the affected
individuals.[1]

The amendments to the North Dakota and Oregon breach notification laws
require notification to the state attorneys general where the breach
affects more than 250 individuals and 250 Oregon residents, respectively.
The amendment to the Washington breach notification law requires
notification to the state attorney general where the breach affects more
than 500 Washington residents.

The California, Florida, Hawaii, Iowa, Missouri, and South Carolina breach
notification laws also require notification to a state attorney general or
regulator in addition to notifying the affected individuals where the
breach affects (1) 500 or more individuals in Florida, or more than 500
California or Iowa residents; (2) more than 1,000 individuals in Hawaii;
(3) more than 1,000 consumers in Missouri; and (4) more than 1,000 South
Carolina residents.

The Connecticut, Indiana, Louisiana, Maine, Maryland, Massachusetts,
Montana, New Hampshire, New Jersey, New York, North Carolina, Vermont, and
Virginia breach notification laws, plus the Puerto Rico breach notification
law, require notification of a breach to a state attorney general or
regulator regardless of the number of affected individuals.

Notification for Electronic and Paper Breaches

State breach notification laws cover breaches involving personal
information in electronic format. The Washington breach notification law
was amended to cover breaches involving personal information in both
electronic and paper formats. Eight state breach notification laws—Alaska,
Hawaii, Indiana, Iowa, Massachusetts, North Carolina, Washington, and
Wisconsin—cover breaches involving personal information in both electronic
and paper formats. Interestingly, these state breach notification laws
(other than the Alaska and Wisconsin breach notification laws) also require
notification to a state attorney general or regulator in addition to
notifying the affected individuals.[2]

The amendment to the Washington breach notification law deletes
"computerized" with respect to data that includes personal information,
addresses personal information that is not secured, and defines secured as
encrypted in a manner that meets or exceeds the National Institute of
Standards and Technology standard or is otherwise modified so that the
personal information is rendered unreadable, unusable, or undecipherable by
an unauthorized person.

Identity Theft Prevention and Mitigation Services

The Connecticut breach notification law was amended to require an owner or
licensor of personal information to offer appropriate identity theft
prevention services and, if applicable, identity theft mitigation services
to each Connecticut resident whose first name or first initial and last
name, in combination with Social Security number, was breached or is
reasonably believed to have been breached. These services must be provided
at no cost for not less than 12 months. All information necessary for
enrollment in these services must be provided, and information on how the
Connecticut resident can place a credit freeze on his or her credit file
must be included.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
