Legislative action abounds! The nation’s several states have been busy this year attempting to protect the citizenry’s protected personal and private information.
This blog previously explored Kentucky’s place as the 47th state to pass data security laws. That state’s new law requires notification of the affected class of a data breach “in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement”.
New Mexico is one of the three remaining states without data breach notification laws in place. However, H.B. 224, the newly proposed legislation, would require businesses to notify customers of any breach allowing access to unencrypted personal information within 45 days. The bill also requires notification to the state attorney general if more than fifty residents of the state are affected. Should New Mexico’s bill be made law, Alabama and South Dakota would be the only states left without data protection laws in place.
Multiple states have also proposed legislation to strengthen laws already in place.
Florida recently enacted more stringent data privacy laws to bolster its existing statutes. Under the new Florida Information Protection Act of 2014 (FIPA), written notice to the Attorney General is required within thirty days for a data breach affecting more than 500 Floridians. Prior legislation allowed entities 45 days to provide such notice in instances where personal information was compromised.
FIPA also expands the definition of personal information to include user names and email addresses when passwords, security questions, or alternative information that allow access to an online account are also accessed. FIPA requires reporting to appropriate consumer protection agencies when a breach results in notification to an affected class of 1,000 or more people. FIPA took effect July 1, 2014.
That same day, Delaware’s reinforced data laws went into effect. In particular, the new law affirmatively requires businesses to take “reasonable steps” when disposing of consumers’ personal identifying information to destroy or erase the protected data or otherwise make it indecipherable. Notably, Delaware’s new law does not apply to financial institutions, credit reporting agencies or healthcare providers, which are all subject to their respective federal statutes.
Minnesota also recently proposed an amendment to its data breach notification statute which would require notification to individuals whose personal information had been breached within 48 hours of such a discovery. Minnesota law currently only requires notification “without unreasonable delay”. The bill would expand notification requirements beyond Minnesota residents to “any individual” affected by the breach. The amendment further requires businesses to make available one year of free credit monitoring services to affected individuals within thirty days of the breach.
This push by state legislatures to pass notification laws has also created an urgency to pass federal legislation regarding cybersecurity. The U.S. Senate Intelligence Committee is debating a cybersecurity bill that promotes “sharing” of cyber threat information and expedites alerts to customers when personal information is compromised in the event of a breach.
We look forward to following the rest of 2014.