Round-up of recent changes to US state data breach laws
While most US state data breach notification laws have similar aspects, there are also notable differences. By Caleb Skeath and Brooke Kahn of Covington & Burling LLP.
Over the past several months, many states, including Illinois, New York, Texas, and Washington, have passed significant amendments to their state data breach notification laws that will expand the scope of notification obligations under these laws in the event of a breach. Currently, most state data breach notification laws only require notification of residents (and possibly state regulators or others) following a “breach,” usually defined as unauthorized access to or acquisition of personally identifiable information (PII). PII, in turn, is often defined by state law as a state resident’s name along with a Social Security number, driver’s license or state identification card number, or a financial account, debit, or credit card number with any required security code, access code, or password to access a financial account.

The recent changes to state data breach notification laws expanded the categories of PII that may trigger notification obligations if breached, imposed new requirements to notify regulators (in addition to affected individuals) in the event of a breach, and implemented specific timing requirements for how soon after a breach individuals and regulators must be notified, among other changes. These changes are summarized in additional detail below, followed by a few additional thoughts on what these actions may mean for future legislative action regarding data breach notification at the state or federal level.