As the onslaught of data breaches and ransomware attacks continues, state governments are grappling with ways to bolster the impact and reach of breach notification laws. All fifty states, Puerto Rico, Guam, the Virgin Islands, and the District of Columbia have some form of data breach notification law, generally triggered by the discovery that personally identifiable information (“PII”) has been compromised. Recently, however, several states have made notable changes to their definitions of PII, notification requirements, and scope of liability. The federal government has also focused on cybersecurity legislation following the high profile SolarWinds and Microsoft Exchange hacks, and the Colonial Pipeline and Kaseya ransomware attacks. Although there is no overarching breach notification law in the United States, members of Congress have introduced a number of competing cyber incident notification bills mostly aimed at addressing threats to critical infrastructure and national security. In a deeply divided Congress, this area is one where there is bipartisan agreement on some type of federal action. However, the disagreement over the scope and reach of that action makes it difficult to discern what, if any, federal breach notification requirement will make it into law.

Recent Expansions in State Data Breach Notification Laws

Connecticut

Connecticut recently made substantial revisions to its breach notification scheme, which became effective October 1, 2021,¹ by reducing the notification window from 90 to 60 days and broadening the definition of “personal information” that would trigger notification if subject to a breach. Connecticut added taxpayer identification numbers, and medical, health insurance, and biometric information to the definition of “personal information.” It further added user name or email address in combination with a password or security question to the definition.

The new law also expands the scope of entities that must provide notice to “any person who owns, licenses or maintains computerized data that includes personal information . . . .” The previous version applied to any person who “conducts business in [Connecticut] and who, in the ordinary course of such person’s business, owns, licenses or maintains computerized data . . . .” Finally, the law adds taxpayer identification numbers to the categories of data that require the provision of 24 months of identity theft mitigation services.

Additionally, Connecticut passed a law incentivizing the use of certain cybersecurity frameworks by shielding companies from punitive damages in data breach-related tort suits.² The law provides that the Connecticut courts “shall not assess punitive damages” in cases that allege “the failure to implement reasonable cyber security controls resulted in a data breach concerning personal information or restricted information” where an entity maintains and complies with a recognized cybersecurity framework.³

Utah

Utah adopted a law designed to encourage entities to implement specified cybersecurity frameworks by creating three affirmative defenses for those entities that have implemented such frameworks.⁴ The law creates affirmative defenses against: (1) claims alleging the failure “to implement reasonable information security controls that resulted in the breach of system security[;]” (2) claims that the person failed to appropriately respond to a breach; and (3) claims that the person failed to appropriately notify an individual whose personal information was compromised. The cybersecurity framework must be in place at the time of the breach and must be reasonably complied with for the affirmative defenses to be operative.

Texas

Texas’s data breach notification scheme requires disclosure to the Attorney General within 60 days after determining that a breach involved 250 or more Texas residents. Effective September 1, 2021, Texas added “the number of affected residents that have been sent a disclosure of the breach” to the list of items that must be disclosed to the Attorney General.⁵

California

California requires disclosure to residents following breaches of personal information. “Personal information” was already defined broadly to include medical information, health insurance information, biometric information, and data collected through automated license plate recognition. Last week, California’s Governor Newsom signed AB 825, which adds “genetic data” into the definition.⁶

Indications of a CISA Reporting Requirement on the Horizon

Members of Congress have introduced a series of bills that would create a federal cyber incident notification requirement, though it remains uncertain whether any will make its way into law. While the Senate in particular has a number of competing proposals — some more aggressive than others — they all share some basic themes. The first is the attempt to make central and strengthen the Cybersecurity and Infrastructure Security Agency (“CISA”). The bills would require notification of certain breaches to CISA, and give the agency rulemaking authority over reporting requirements. Some proposals would also vest CISA with the power to assess civil penalties for violations. A second theme is a focus on threats to critical infrastructure and national security, as opposed to PII. And a third theme is that the bills represent a genuine effort to encourage covered entities to assess the cyber incident, identify the information taken, the tactics of and vulnerabilities exploited by the hackers, and centralize those lessons learned at CISA.

The most aggressive bill was introduced by Senator Mark Warner in July 2021.⁷ The bill would require notice of a “cybersecurity intrusion or potential cybersecurity intrusion” to CISA within 24 hours after discovery — a timeline many believe to be ill-advised or unfeasible. But even more aggressive than the reporting timeline is that the bill empowers the CISA Director to assess a daily civil penalty of up to .5 percent of an entity’s prior year gross revenue. The bill directs the Secretary of Homeland Security, via the CISA Director, to define those entities covered by the reporting requirement. The definition must include, at a minimum, “federal contractors, owners or operators of critical infrastructure, as determined appropriate by the [CISA] Director based on assessment of risks posed by compromise of critical infrastructure operation, and nongovernmental entities that provide cybersecurity incident response services.” CISA rulemaking also must define exactly what the notification must include, but at a minimum, the bill requires a description of the intrusion, affected systems, description of vulnerabilities leveraged, information that could help identify the cyber actor, and actions taken to mitigate the intrusion.

Senators Gary Peters and Rob Portman introduced a competing bill in September.⁸ This proposal would require reporting to the CISA Director within 72 hours after an entity “reasonably believes that a covered cyber incident has occurred.” The bill does not contain fines for violators, but gives the CISA Director subpoena power to obtain information on unreported incidents. Like the Warner bill, this proposal gives the CISA Director rulemaking authority to (1) determine which entities are covered entities, with a focus on the consequences to national security, economic security, or public health and safety, and (2) decide what information must be reported, which must include identification of affected systems, estimated date range, tactics used, and each actor reasonably believed to be responsible for the incident.

A substantially similar proposal has already cleared the House as an Amendment⁹ to the National Defense Authorization Act (“NDAA”) for Fiscal Year 2022.¹⁰ The NDAA provision establishes a Cyber Incident Review Office at CISA, gives rulemaking authority to the CISA Director to establish reporting procedures and to define covered entities. The Director must consider the consequences of disruption to national security, economic security, or public health and safety, likelihood that such an entity will be targeted, possible disruption to critical infrastructure, and the extent an entity or sector is already subject to other reporting requirements. The Director can also establish the reporting timeline, which cannot be earlier than 72 hours after discovery of the incident, and the Director is given subpoena power. The NDAA provision does not include penalties.

Other proposals include bills targeting ransomware, such as those introduced by Senator Marco Rubio,¹¹ and Senator Elizabeth Warren and Representative Deborah Ross in early October 2021.¹² These bills aim to fight ransomware on a number of fronts, but each contain a CISA or DHS disclosure requirement.

What This Means for You

As companies draft or update their incident response plans and perform tabletop exercises amid the recent uptick in ransomware attacks, they should consider the expanding scope of information that may need to be covered by those plans as well as incorporate the new reporting requirements into their playbook. Although the federal proposals outlined above all share bipartisan support, the patchwork of state data breach notification laws will not be going away any time soon. In addition, for those that have not already done so, companies and organizations should consider whether their operations and assets may be considered critical to national security, economic security, or public health and safety, such that they would be considered a “covered entity” and subject to a federal reporting requirement.

Vinson & Elkins will continue to monitor and provide updates on these issues.

¹ 2021 Conn. Pub. Act No. 21-59.

² 2021 Conn. Pub. Act No. 21-119.

³ The frameworks listed are: (1) the Framework for Improving Critical Infrastructure Cybersecurity; (2) NIST SP 800-171, 800-53 and 800-53a; (3) FedRAMP Security Assessment Framework; (4) the Center for Internet Security’s “Center for Internet Security Critical Security Controls for Effective Cyber Defense”; and (5) ISO/IEC 27000-series.

⁴ 2021 Utah Laws Ch. 40 (H.B. 80).

⁵ 2021 Tex. Sess. Law Serv. Ch. 496 (H.B. 3746).

⁶ 2021 Cal. Legis. Serv. Ch. 527 (A.B. 825).

⁷ Cyber Incident Notification Act, S.2407, 117th Cong. (2021).

⁸ Cyber Incident Reporting Act, S.2875, 117th Cong. (2021).

⁹ Amendment to Rules Comm., National Defense Authorization Act for Fiscal Year 2022, H.R. 4350, 117th Cong. (2021).

¹⁰ Press Release, House Committee on Homeland Security, House Passes Cyber Incident Reporting Legislation, Critical Cybersecurity and Homeland Security Provisions in NDAA, (Sep. 24, 2021), https://homeland.house.gov/news/legislation/house-passes-cyber-incident-reporting-legislation-critical-cybersecurity-and-homeland-security-provisions-in-ndaa.

¹¹ Sanction and Stop Ransomware Act, S.2666, 117th Cong. (2021).

¹² Press Release, Congresswoman Deborah Ross, Ross, Warren Introduce Bill to Require Disclosures of Ransomware Payments (Oct. 5, 2021), https://ross.house.gov/media/press-releases/ross-warren-introduce-bill-require-disclosures-ransomware-payments.