Virginia, Tennessee and New Mexico Are the Latest States to Amend Breach Notification Laws


Breach notification statutes remain one of the most active areas of the law. Seldom does a month go by without a new bill or amendment addressing privacy or data security, and this month is no exception.


The state of Virginia recently expanded its breach notification statute to include income tax information among the types of information that require notification to the Office of the Attorney General. Likely a reaction to the increase in W2 tax fraud discussed in greater detail by my colleague here, this new amendment does not require notification to the individual taxpayers. Instead, affected entities must notify the Virginia attorney general, who in turn must notify the Department of Taxation. Of course, if the incident involves Social Security numbers, which the majority of W2 tax fraud incidents do, then the existing provisions would require notification to affected individuals.


In Tennessee, lawmakers are amending the state’s notification statute for the second time in less than a year. Tennessee’s original 2005 breach notification law included a safe harbor for encrypted data. In 2016, that exemption was removed from the definition of “breach” but remained in the definition of “personal information.” This led to some confusion as to whether unauthorized access to encrypted data still required notification. This latest amendment revises both definitions, and clarifies that notification is required if an unauthorized person acquires either unencrypted data or encrypted data and the corresponding decryption key.

New Mexico

Finally, although it has not signed the statute yet, New Mexico is on the verge of becoming the 48th state to enact a breach notification statute. Last month, the New Mexico legislature passed the Data Breach Notification Act (HB 15). Pending Governor Martinez’s signature, HB 15 would require notification to affected individuals within 45 days from the date of discovery. If the incident affects more than 1,000 New Mexico residents, notice must also be provided to the state attorney general and the three major credit bureaus. There is a risk-of-harm threshold and an exception for entities subject to the Gramm-Leach-Bliley Act or HIPAA.  For a detailed analysis of HB 15, see: New Mexico passes data breach notification and protection bill.

For additional information regarding data breach notification statutes enacted in the United States and worldwide, please refer to BakerHostetler’s State-by-State Survey of Data Breach Notification Laws, and Key Issues in State Data Breach Notification Laws.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising

Written by:


BakerHostetler on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.