With different and sometimes conflicting state data breach notification statutes, it was nearly inevitable that 2016 would see changes to the notification rules. Below is a quick summary of some of the bigger changes for those who deal with Personally Identifiable Information:
As of January 1, 2016, California’s data breach notification statute requires a specific notification format. Individual notices must include the title “Notice of Data Breach,” be in at least 10-point font, be written clearly and conspicuously and in plain language, and be organized under the specific headings set forth in the statute’s model form. The definition of “personal information” also expanded to include “information or data collected through the use or operation of an automated license plate recognition system.”
Effective July 1, 2015, Nevada’s data breach notification statute expanded its definition of “personal information” to include:
- driver authorization card numbers;
- medical identification or health insurance identification numbers; and
- user names, unique identifiers, or email addresses, in combination with passwords, access codes, or security questions and answers permitting access to an online account.
“Data collectors” (as defined under the statute) and businesses are not required to comply with this new definition until July 1, 2016.
As of June 26, 2016, Rhode Island’s data breach statute will expand the definitions of “personal information” and “breach of the security of the system,” modify the definition of “encryption,” alter the time period to notify consumers, require notification to the Rhode Island Attorney General in certain circumstances, and mandate a risk-based information security program.
- Personal Information: This definition will expand to include tribal identification numbers, medical or health insurance information, and e-mail addresses with any required security code, access code, or password that would permit access to an individual’s personal, medical, insurance, or financial account.
- Breach of the security of the system: Previously, a “breach of the security of the system” occurred upon unauthorized acquisition of unencrypted computerized data. Under the new definition, unauthorized access is enough to constitute a breach of the security of the system.
- Encryption: “Encryption” is now defined as the transformation of data through the use of a 128-bit or higher algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key.
- Notification: Notification of a data breach must be made in the most expedient time possible but no later than 45 calendar days after the breach is confirmed. If more than 500 Rhode Island residents must be notified, the Attorney General and the major credit reporting agencies must also be notified.
- Risk-based information security program: Entities must implement and maintain a risk-based information security program that contains reasonable security procedures and practices to protect personal information.
As of January 1, 2016, Oregon’s data breach notification law expanded the definition of “personal information” and altered notification requirements.
- Personal information: This definition now includes biometric information used for authentication purposes, health insurance information, and information about a consumer’s medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment.
- Notification: The Oregon Attorney General must be notified whenever a data breach affects more than 250 Oregon residents. Entities must also provide consumer reporting agencies with the police report number assigned to a breach.