Data Breach Notification

With the recent enactment of data breach notification laws in South Dakota and Alabama, all 50 US states now have laws regulating data breach notification.   We’ve updated the Mintz Matrix (maintained by the Mintz Privacy Team for nearly 10 years) to provide you with the latest information.

Managing the differing requirements remains a challenge, and points to the need for updated incident response plans.   As an example, the chart below outlines the different timelines for notification.  The Mintz Matrix contains information on all of these, and more.

Continue Reading Mintz Matrix Updated – Data Breach Laws in All 50 States

Alabama has joined the “crazy quilt” of state data breach notification laws with the governor’s signature of the Alabama Data Breach Notification Act of 2018.

Things to take note of under the Alabama law:

  • The law requires entities to “implement and maintain reasonable security measures” and includes a granular list of what such security measures should include.   An interesting component of reasonable security measures is “keeping the management of the covered entity, including its board of directors, if any, appropriately informed of the overall status of its security measures.”
  • Notification to residents within 45 days after a breach has been discovered if it is reasonably likely to cause substantial harm.
  • The definition of “personal information” is expanded to include health information and user name or email address in combination with a password.
  • Notice to the Alabama Attorney General if notice is provided to more than 1,000 individuals at a single time.
  • No private right of action, but the AG may enforce violations of the Act as a deceptive trade practice.
  • The Act provides for civil penalties of not more than $5,000 per day for each consecutive day that a covered entity fails to take action to comply with notice provisions.  “Knowing” violations of the Act (including a “reckless disregard in failing to comply with notice requirements”) could subject a covered entity to civil penalties of up to $500,000 per breach.

 

 

 

 

 

 

Only one U.S. state without a data breach notification law, that is.

South Dakota as become the 49th state to enact a data breach notification law, which take effect on July 1.    The South Dakota law follows the pattern of the most recent notification laws, including an expansive definition of “Personal Information”.

The law defines personal information as a person’s first name/first initial and last name in combination with any one or more of the following:

  1. Social Security Number;
  2. Driver’s license number or other unique identification number created or collected by a government body;
  3. Account, credit or debit card number, in combination with any required security code, access code, password, routing number, PIN, or any additional information that would permit access to a person’s financial account;
  4. Health information;
  5. Identification number assigned to a person by the person’s employer in combination with any required security code, access code, password, or biometric data generated from measurements or analysis of human body characteristics for authentication purposes.

There is an additional definition of “protected information” that includes (a) a username or email address in combination with a password, security question answer, or other information that permits access to an online account; and (b) account number or credit/debit card number, in combination with any required security code, access code, or password that permits access to a person’s financial account.   The definition of “protected information” does not include a person’s name.

Again, South Dakota includes an encryption “safe harbor,” but does require notification if the encryption key is compromised.   Notice to the South Dakota Attorney General is required in any breach that exceeds 250 South Dakota residents.

Notification is required within 60 days of the discovery of the breach.  A violation of the notification law is considered a deceptive act under South Dakota consumer protection laws, and the Attorney General has noted that this violation has the effect of creating a private right of action.   The AG is also authorized to enforce the law and may impose a fine of up to $10,000 per day, per violation.

Alabama remains the sole U.S. state without a breach notification law, but the Alabama Data Breach Notification Act of 2018 passed the Alabama House unanimously and is now in the state Senate.

A update to the Mintz Matrix will be forthcoming this week with further details on this new South Dakota law, as well as some amendments to existing laws.  Watch this space.

 

 

As data breaches dominate national headlines it remains important as ever for businesses to invest in security and to be ready to respond if a breach occurs.  Part of your preparedness program should be staying current on data breach legislation at the state level and we are here to help with a new installment of our “Mintz Matrix,” a detailed survey of U.S. state data breach notification laws.

There have been a few notable developments since we last published an update of the Mintz Matrix and below we have provided a snapshot of these changes.  Before reading on please download a copy of our September 2017 edition of the Mintz Matrix by clicking here. Continue Reading The Mintz Matrix – September 2017

 

If you are one of the many businesses licensed by the New York Department of Financial Services (DFS), and cannot avail yourself of the (very) limited exemptions, you must be ready for the first compliance transition date for the stringent DFS cybersecurity regulations – August 28, 2017.

Just in case you’d forgotten, the DFS cybersecurity regulations became effective March 1, 2017 and you can refresh your memory here. Continue Reading Are You Ready for the New York August 28th Compliance Deadline?  

If you are a retailer with locations in New Jersey, you will need to review your procedures in anticipation of a new law effective October 1, 2017. 

New Jersey Governor Chris Christie has signed the Personal Information Privacy and Protection Act (we can now add #PIPPA to the alphabet soup of privacy acronyms…..), which limits the ability of retailers to collect PII scanned from customer driver’s licenses and identification cards and restricts the usage of any PII collected for the purposes identified in the Act.

Within recent years, retailers have commonly started a practice of scanning the barcodes on customer ID cards to verify the authenticity of an ID presented, verify identity when credit cards are used, or to prevent and control fraudulent merchandise return practices (or to identify consumers who abuse return policies).

Under PIPPA, retailers will only be permitted to scan ID cards to:

  • Verify the card’s authenticity or the person’s identity, if the customer pays for goods or services with a method other than cash; returns an item; or requests a refund or exchange.
  • Verify the customer’s age when providing age-restricted goods or services to the customer.
  • Prevent fraud or other criminal activity if the person returns an item or requests a refund or an exchange and the retailer uses a fraud prevention company or service.
  • Establish or maintain a contractual relationship.
  • Record, retain, or transmit information as required by state or federal law.
  • Transmit information to a consumer reporting agency, financial institution, or debt collector to be used as permitted by federal laws, including the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, and Fair Debt Collection Practices Act.
  • Record, retain, or transmit information by a covered entity under HIPAA and related regulations.

PIPPA prohibits retailers from sharing the information with marketers or other third parties that are unknown to consumers.   It is unlikely that an online privacy notice describing sharing of scanned ID information with third parties would comply with PIPPA.  In-store notice of any such practices will likely be required.

The big “however” in this legislation is the restrictions on retention of the information when collected for the permitted purposes.  Under PIPPA businesses cannot retain information related to how the customer paid for the goods, whether the customer returned an item or requested a refund, and cannot store ages.   Retailers will only be permitted to collect the customer’s name, address, and date of birth; the issuing state; and the ID card number.    Any of this information collected from scanned ID cards Is required to be “securely stored” and PIPPA makes it clear that any security breach of this information is subject to New Jersey’s data breach notification law and must be reported to any affected individual and the New Jersey State Police.

And there are penalties.   PIPPA provides civil penalties of $2,500 for a first offense, and $5,000 for any subsequent offices.   Further the law allows for “any person aggrieved by a violation” to bring an action in NJ Superior Court to recover damages.

 

After a quiet winter there has been significant activity in state legislatures to enact, strengthen or clarify their data breach notification statutes. The latest happenings are summarized below and we have updated our “Mintz Matrix” to reflect these new and pending laws.  Continue Reading States Take Action! New Mexico, Tennessee and Virginia Pass New Data Breach Legislation

We are anxiously waiting to learn the fate of the data breach notification statute recently passed by state lawmakers in New Mexico. The bill remains on the desk of the governor who has until the end of the week to sign the legislation into law. If she does, New Mexico will join 47 other states (along with the District of Columbia, Puerto Rico, and the Virgin Islands) to impose at least some obligations on persons or entities holding personal information in the wake of a security incident.  We may need to update the Mintz Matrix soon. Continue Reading Better Late Than Never: New Mexico on the Cusp of Enacting Data Breach Notification Statute