Several States Aggressively Address Data Security


Legislative action abounds! The nation’s several states have been busy this year attempting to protect the citizenry’s protected personal and private information.

This blog previously explored Kentucky’s place as the 47th state to pass data security laws. That state’s new law requires notification of the affected class of a data breach “in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement”.

New Mexico is one of the three remaining states without data breach notification laws in place. However, H.B. 224, the newly proposed legislation, would require businesses to notify customers of any breach allowing access to unencrypted personal information within 45 days. The law also requires notification to the state attorney general if more than fifty residents of the state are affected. Should New Mexico’s bill be made law, Alabama and South Dakota would be the only states left without data protection laws in place.

Multiple states have also proposed legislation to strengthen laws already in place.

Florida recently enacted more stringent data privacy laws to bolster its existing statutes. Under the new Florida Information Protection Act of 2014 (FIPA), written notice to the Attorney General is required within thirty days for a data breach affecting more than 500 Floridians. Prior legislation allowed entities 45 days to provide such notice in instances where personal information was compromised.

FIPA also expands the definition of personal information to include user names and email addresses when passwords, security questions, or alternative information that allow access to an online account are also accessed. FIPA requires reporting to appropriate consumer protection agencies when a breach results in notification to an affected class of 1,000 or more people.  FIPA took effect July 1, 2014.

That same day, Delaware’s reinforced data laws went into effect. In particular, the new law affirmatively requires businesses to take “reasonable steps” when disposing of consumers’ personal identifying information to destroy, erase, or otherwise make the protected data indecipherable. Notably, Delaware’s new law does not apply to financial institutions, credit reporting agencies or healthcare providers, which are all subject to their respective federal statutes.

Minnesota also recently proposed an amendment to its data breach notification statute which would require notification to individuals whose personal information had been breached within 48 hours of such a discovery. Minnesota law currently only requires notification “without unreasonable delay”.  The bill would expand notification requirements beyond Minnesota residents to “any individual” affected by the breach. The amendment further requires businesses to make available one year of free credit monitoring services to affected individuals within thirty days of the breach.

This push by state legislatures to pass notification laws has also created an urgency to pass federal legislation regarding cybersecurity. The U.S. Senate Intelligence Committee is debating a cybersecurity bill that promotes “sharing” of cyber threat information and expedites alerts to customers when personal information is compromised in the event of a breach.

We look forward to following the rest of 2014.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Traub Lieberman Straus & Shrewsberry LLP | Attorney Advertising

Written by: Traub Lieberman Straus & Shrewsberry LLP
