2021's noteworthy changes to state breach notification laws
A handful of states have made changes to their breach notification laws during 2021, imposing stricter requirements by expanding the definition of “personal information,” tightening notice deadlines, or calling for entities that experienced a breach to be named publicly on the Attorney General’s website.
While all of these laws are set to go into effect before the year’s end, one state’s proposed amendment moves in the opposite direction, seeking to prolong the notice deadline and afford entities additional time before making notice to impacted residents.
We address each of these changes below.
Connecticut HB 5310 was signed into law on June 16, 2021 and will go into effect on October 1, 2021. The revised law broadens the definition of “personal information” while shortening the notification deadline.
Connecticut’s breach notification law has now been expanded to include the following data elements to its definition of “personal information,” when combined with first name or first initial and last name:
- Taxpayer identification number
- Identity protection personal identification number issued by the IRS
- Passport number, military identification number or other identification number issued by the government that is commonly used to verify identity
- Medical information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional
- Health insurance policy number or subscriber identification number, or any unique identifier used by a health insurer to identify the individual
- Biometric information consisting of data generated by electronic measurements of an individual's unique physical characteristics used to authenticate or ascertain the individual's identity, such as a fingerprint, voice print, retina or iris image.
Additionally, “user name or electronic mail address, in combination with a password or security question and answer that would permit access to an online account,” will also be added to Connecticut’s revised definition of “personal information.”
Following the discovery that a breach of a Connecticut resident’s personal information has occurred, the revised law requires notice to be made no later than 60 days after discovery, as opposed to the previous 90-day notification requirement. In the event it may take a company longer than 60 days to identify the full impacted population, the entity is nonetheless required to notify the residents that have been identified within those first 60 days and then proceed in good faith to identify the remaining population as expediently as possible.
The revised law also partially exempts entities that are giving notice in compliance with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). However, entities making notice to Connecticut residents pursuant to HIPAA and HITECH must still provide notice to the Attorney General at the same time notice is given to the residents.
Mississippi HB 277, enacted March 18, 2021, now recognizes a Tribal identification card as a valid form of identification. The revision expands the state’s definition of “personal information” requiring notice in the event of a breach to include Tribal identification card numbers.
This law went into effect on July 1, 2021.
Texas HB 3746, passed on June 12, 2021, requires entities reporting a breach to the Texas Attorney General to include the number of affected residents that have been notified of the breach. The new law also requires the Attorney General to post the names of the entities that report a breach to its publicly accessible website within thirty (30) days of the Attorney General’s office receiving notice. The list shall remain on the public site for one year before being removed, so long as the same entity does not report any additional breaches throughout the duration of the year-long posting.
These changes will go into effect on September 1, 2021.
A proposed amendment to Tennessee’s breach notification law was introduced by legislators in early February 2021, passing the first consideration phase on February 11, 2021. If passed, the amendment would change the state’s current reporting deadline from 45 days to 60 days – providing entities with an additional 15 days to prepare and effectuate notice to individuals affected by a “breach of a system security.”
If your organization needs assistance analyzing the above revisions, or any other state breach notification statute, contact any of the members of McDonald Hopkins’ national data privacy and cybersecurity practice.