State Breach Notification Laws Continue To Change

Dorsey & Whitney LLP

State breach notification laws continue to be amended to (1) provide for notification of a state attorney general or regulator about a breach in addition to affected individuals, (2) cover breaches involving personal information in both electronic and paper formats, and (3) address identity theft prevention and mitigation services.

This article addresses recent changes in these three key areas.

State Attorney General or Regulator Breach Notification

Forty-seven states, plus the District of Columbia, Guam, Puerto Rico, and the Virgin Islands, have breach notification laws. (Alabama, New Mexico, and South Dakota do not have these laws.)

The breach notification laws require that affected individuals be notified of a breach. The Montana, North Dakota, Oregon, and Washington breach notification laws were amended to require a company also to notify a state attorney general or regulator about a breach in addition to affected individuals.

Twenty-two state breach notification laws—California, Connecticut, Florida, Hawaii, Indiana, Iowa, Louisiana, Maine, Maryland, Massachusetts, Missouri, Montana, New Hampshire, New Jersey, New York, North Carolina, North Dakota, Oregon, South Carolina, Vermont, Virginia, and Washington, plus the Puerto Rico breach notification law—require notification of a breach to a state attorney general or regulator in addition to notifying the affected individuals. [1]

The amendments to the North Dakota and Oregon breach notification laws require notification to the state attorneys general where the breach affects more than 250 individuals and 250 Oregon residents, respectively. The amendment to the Washington breach notification law requires notification to the state attorney general where the breach affects more than 500 Washington residents.

The California, Florida, Hawaii, Iowa, Missouri, and South Carolina breach notification laws also require notification to a state attorney general or regulator in addition to notifying the affected individuals where there are (1) 500 or more individuals in Florida or more than 500 California or Iowa residents, respectively; (2) more than 1,000 individuals in Hawaii; (3) more than 1,000 consumers in Missouri; and (4) more than 1,000 South Carolina residents affected, respectively.

The Connecticut, Indiana, Louisiana, Maine, Maryland, Massachusetts, Montana, New Hampshire, New Jersey, New York, North Carolina, Vermont, and Virginia breach notification laws, plus the Puerto Rico breach notification law, require notification of a breach to a state attorney general or regulator regardless of the number of affected individuals.

Notification for Electronic and Paper Breaches

State breach notification laws cover breaches involving personal information in electronic format. The Washington breach notification law was amended to cover breaches involving personal information in both electronic and paper formats. Eight state breach notification laws—Alaska, Hawaii, Indiana, Iowa, Massachusetts, North Carolina, Washington, and Wisconsin—cover breaches involving personal information in both electronic and paper formats. Interestingly, these state breach notification laws (other than the Alaska and Wisconsin breach notification laws) also require notification to a state attorney general or regulator in addition to notifying the affected individuals. [2]

The amendment to the Washington breach notification law deletes "computerized" with respect to data that includes personal information, addresses personal information that is not secured, and defines secured as encrypted in a manner that meets or exceeds the National Institute of Standards and Technology standard or is otherwise modified so that the personal information is rendered unreadable, unusable, or undecipherable by an unauthorized person.

Identity Theft Prevention and Mitigation Services

The Connecticut breach notification law was amended to require an owner or licensor of personal information to offer appropriate identity theft prevention services and, if applicable, identity theft mitigation services to each Connecticut resident whose first name or first initial and last name, in combination with Social Security number, was breached or is reasonably believed to have been breached. These services must be provided at no cost for not less than 12 months. All information necessary for enrollment in these services must be provided, and information on how the Connecticut resident can place a credit freeze on his or her credit file must be included. [3]

The California breach notification law specifically addresses identity theft prevention and mitigation services, and the Florida breach notification law generally addresses services related to a breach. (See "California Privacy Laws Change: Identity Theft Prevention and Mitigation Services," October 2014.)

[1] Cal. Civ. Code § 1798.82; Conn. Gen. Stat. § 36a-701b (Connecticut S.B. 949, effective date October 1, 2015); Fla. Stat. § 501.171; Haw. Rev. Stat. § 487N-2; Ind. Code § 24–4.9–3–1; Iowa Code § 715C.2; La. Rev. Stat. § 51:3074 and La. Admin. Code tit. 16, pt. III, § 701; Me. Rev. Stat. Ann. tit. 10, § 1348; MD Code, Com. Law § 14–3504; Mass. Gen. Laws ch. 93H; Missouri Rev. Stat. § 407.1500; MCA § 30–14–1704 (Montana H.B. 74, effective date October 1, 2015); N.H. Rev. Stat. § 359-C:20; N.J. Stat. Ann. § 56:8–163; N.Y. Gen. Bus. Law § 899-aa; N.C. Gen. Stat. § 75–65; North Dakota (North Dakota S.B. 2214, effective date April 13, 2015); Or. Rev. Stat. § 646A.604 (Oregon S.B. 601, effective date January 1, 2016); S.C. Code § 39–1–90; Vt. Stat. Ann. tit. 9, § 2435; Va. Code Ann. § 18.2–186.6; RCW § 19.255.010 (Washington H.B. 1078, effective date July 24, 2015) and 10 L.P.R.A. § 4052.
[2] Alaska Stat. §§ 45.48.010 and 45.48.090; Haw. Rev. Stat. §§ 487N-1 and 487N-2; Ind. Code § 24–4.9–2; Iowa Code § 715C.1; Mass. Gen. Laws ch. 93H; N.C. Gen. Stat. § 75–61; RCW § 19.255.010 (Washington H.B. 1078, effective date July 24, 2015) and Wis. Stat. § 134.98.
[3] Conn. Gen. Stat. § 36a-701b (Connecticut S.B. 949, effective date October 1, 2015).

This article was first published on IRMI.com and is reproduced with permission. Copyright 2015, International Risk Management Institute, Inc.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dorsey & Whitney LLP | Attorney Advertising
