And Then There Were Two: Closing the Gap on State-Level Data Breach Notification Requirements
Last Thursday, Governor Martinez of New Mexico signed into law the 48th state-level data breach notification law, bringing the requirements for notifying individuals affected by data breaches to this state.
Now, 48 states, as well as the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands, each maintain a statute compelling businesses that have experienced a data breach to notify the affected individuals. Often, these statutes also require notification of the state, as well as credit reporting agencies. With a similar bill currently moving through Alabama’s state legislature, it appears that South Dakota will soon be the lone holdout.
The latest addition to the nation’s patchwork notification scheme, New Mexico’s “Data Breach Notification Act,” requires that any person owning or licensing “personal identifying information” of a resident of the state of New Mexico must send notifications to every such resident whose personal identifying information is “reasonably believed to have been subject to a breach.” Notably, as the large majority of the data breach statutes provide, notification is not required where the breached entity determines that there is no risk of harm to the affected individuals. In this case, notification is not required upon a determination that the breach “does not give rise to a significant risk of identity theft or fraud.” However, in a case where notification is required by New Mexico’s statute, specific content requirements must be adhered to, including the inclusion of advice regarding the individual’s rights under the Fair Credit Reporting Act, and directions to review credit reports and bank statements for any unusual activity.
Also noteworthy in New Mexico’s statute is the scope of protection it extends to certain types of information. “Personal identifying information” includes the standard Social Security number; driver’s license number; government-issued identification number; and account, credit or debit card number, in combination with any required security code or password. Following the precedent set by four other states, New Mexico’s statute also includes biometric data, which is defined to include fingerprints, voice prints, iris or retina prints, facial characteristics and hand geometry.
Since the enactment of the first data breach notification law in California fifteen years ago, states across the country have enacted, and subsequently amended, their own statutes. While similar in various respects, the statutes also sometimes differ in terms of the timing of required notifications, among other nuances. For example, a small but growing group of states, which now includes New Mexico, requires that notifications must be sent out within 45 days of the discovery of the breach.
Although we are getting very close to the day that every state will have its own data breach notification law, that will not end legislative discussion of the constantly evolving topic of privacy and data security. Just last week, the Governor of Tennessee signed into law an amendment to a portion of that state’s data breach notification law that had already been changed as recently as one year ago. The most recent amendment now provides that encrypted personal information that is breached will not trigger notification unless the encryption key is also acquired. In total, the National Conference of State Legislatures reported last November that at least 26 states had considered amendments consisting of various substantive changes to their existing data breach notification laws in 2016. Until the day that a uniform federal standard exists, businesses that maintain locations in multiple states and suffer a data breach must still remain vigilant when it comes to meeting the requirements of state-specific notification.