With the recent enactment of data breach notification laws in South Dakota and Alabama, all 50 US states now have laws regulating data breach notification.   We’ve updated the Mintz Matrix (maintained by the Mintz Privacy Team for nearly 10 years) to provide you with the latest information.

Managing the differing requirements remains a challenge, and points to the need for updated incident response plans.   As an example, the chart below outlines the different timelines for notification.  The Mintz Matrix contains information on all of these, and more.

Continue Reading Mintz Matrix Updated – Data Breach Laws in All 50 States

As has become typical in the data security space, there was quite a bit of activity in state legislatures over the previous year concerning data breach notification statutes.  Lawmakers are keenly aware of the high profile data breaches making headlines and the increasing concerns of constituents around identity theft and pervasive cybercrime.  In response, states are beefing up their data security statutes in order to provide greater protection for a broader range of data, to require notification to Attorneys General, and to speed up the timeline companies have to advise residents when their personal information has been compromised, to name a few steps. Please review our updated Mintz Matrix to make sure you understand the latest rules applicable to your business!

According to a recent summary published by the National Conference of State Legislatures, more than 25 states in 2016 have introduced or are currently considering security breach notification bills or resolutions.  While much legislation remains pending in statehouses across the country, statutory amendments passed in four states took effect over this past summer alone.  Here is a brief summary of significant amendments to data breach notification rules in Nebraska, Nevada, Rhode Island and Tennessee. Continue Reading Summer Round-Up: Four States Bolster Data Breach Notification Laws and More Changes on the Way

In 2004, Mintz Levin created a compendium of state data breach notification laws and has been updating it on a regular basis ever since.

Our latest update is available here, and it should be part of your incident response “toolbox” and part of your planning.

Some changes of note

Tennessee is our most recent state to amend its existing state data breach notification law.  Last week, the Governor signed an amendment into law that takes effect on July 1, 2016:

  • Joins several other states in tightening the notice period to “no later than 45 days from the discovery or notification of the breach…”
  • Eliminates the “encryption safe harbor,” i.e., notification obligations are triggered even where the accessed or acquired data elements are encrypted.
  • Specifically defines “unauthorized person” to include an employee “who is discovered … to have obtained personal information and intentionally used it for an unlawful purpose.”

California, Connecticut, Montana, Nevada, North Dakota, Oregon, Rhode Island, Washington and Wyoming all amended data breach laws in 2015.  Some amendments signed into law in 2015 do not take effect until later this year, so make sure to note the effective dates on  the Mintz Matrix when consulting various states.

What should you do now?

Spring cleaning.   Given the number of changes at the state level (and no prospect for federal legislation easing this pain….), spring is a good time to review your incident response plan and data privacy policies to bring everything in line.    In particular:

  • Note tightened response deadlines (Rhode Island, Tennessee)
  • Add identity theft prevention or identity theft mitigation services (Connecticut, California)
  • Review data classification to take into account expanded definitions of personal information (Montana, Wyoming)
  • Revise notice templates to comply with the new California format

As always, the Mintz Matrix is for informational purposes only and does not constitute legal advice or opinions regarding any specific facts relating to specific data breach incidents. You should seek the advice of experienced legal counsel (e.g., the Mintz Levin privacy team) when reviewing options and obligations in responding to a particular data security breach.

Hat tip to the newest member of the Mintz Levin Privacy team, Michael Katz, for great work on this update!

State legislatures are not waiting for Congressional action on a national data breach notification standard.

Montana — Montana has amended its 10-year-old breach notification law (see Mintz Matrix) to expand the definition of “personal information” and require notice to the state attorney general’s consumer protection office.  H.B. 74, signed into law by Governor Bullock, adds medical record information and “identity protection personal identification number” issued by the Internal Revenue Service to the definition of “personal information.”   The amended statute takes effect October 1.

New Jersey — Governor Christie recently signed legislation into law requiring health insurance companies in that state to encrypt personal information of policyholders.  All health insurance carriers that compile computer records that contain personal information must protect those records through encryption or “by any other method or technology rendering it unreadable, undecipherable, or otherwise unusable by an unauthorized person.”    In November 2013, two laptops with unencrypted information about 840,000 policyholders were stolen from an office at Horizon Blue Cross Blue Shield of New Jersey in Newark. The Barnabas Health Medical Group’s Pediatric branch in Livingston and the Inspira Medical Center in Vineland also had breaches in 2013, according to a NJ Advance Media report in September.

Connecticut — In the aftermath of the massive Anthem data breach, legislation has been introduced in the Connecticut General Assembly requiring a wide swath of insurance businesses to implement data security technology that encrypts personal information of insureds. The covered entities include health insurers, healthcare centers (similar to an HMO under Connecticut’s insurance laws), “other entities licensed to do health insurance business in Connecticut,” pharmacy benefits managers, third-party administrators that administer health benefits, and utilization review companies.   The requirement is similar to that of New Jersey’s new law, except that the bill requires that entities subject to the law update their technology as necessary to ensure compliance.   Anthem is one of Connecticut’s largest health insurers, and reportedly that breach impacted more than 1 million people in the state. See “Act Concerning the Security of Consumer Data”.

Washington — The Washington House of Representatives has unanimously passed a bill (H.B. 1078) that would make the failure to notify consumers of a breach in the security of their personal information, as required by the state’s data breach notification law (again, see the Mintz Matrix), a violation of the state’s Consumer Protection Act. The measure would require notification to consumers — and the state’s AG — as quickly as possible and no later than 45 days after discovery of a breach of personal information such as a person’s name in combination with a Social Security number, driver’s license number or payment card number and payment card access code or password. Under the bill, the attorney general could bring an action on behalf of the state or consumers living in Washington.

New Mexico — New Mexico is one of only three holdouts from the state data breach notification crazy quilt (again, see the Mintz Matrix), but HB 217, the Data Breach Notification Act, is working its way through the state legislature.   The bill only applies to computerized data, and uses an “acquisition” trigger for breach notification.   “Personal information” under HB 217 is defined as the “usual suspects” and does not include username/password or other login credentials. The bill requires “reasonable security” and includes disposal provisions that apply to paper records as well as electronic.   Similar legislation failed in the 2014 session of the legislature, so it remains to be seen whether New Mexico will join the Mintz Matrix this year.


Make sure to get your January 2015 Mintz Matrix!    

Available here for downloading and always linked through the blog right hand navigation bar.

Things you will not want to miss:

  • California has significantly amended its breach notification requirements
  • Kentucky’s new data breach law (2014) is expanded effective January 1

As always, this chart is for informational purposes only and does not constitute legal advice or opinions regarding any specific facts relating to specific data breach incidents. You should seek the advice of experienced legal counsel (e.g., the Mintz Levin privacy team) when reviewing options and obligations in responding to a particular data security breach.

Not only the last Monday in June, but the last day of June.    There are quite a few privacy-related things taking effect tomorrow, July 1.   Some reminders:

Florida Amendments to Data Breach Notification Law

The Florida Information Protection Act of 2014 (“FIPA”) takes effect tomorrow.   The FIPA essentially repeals Florida’s existing data breach notification law and replaces it with one of the nation’s most extensive laws relating to data security and notification.

  • The definition of “personal information” now includes “a user name or e-mail in combination with a password or security question and answer that would permit access to an online account.”
  • Notice must be provided within 30 days of the incident.
  • When a breach affects more than 500 Florida residents notice must be provided to the Attorney General’s office (see more below).
  • If you rely on Florida’s “risk of harm” exception to avoid providing notice, the entity must investigate the incident, consult with federal, state or local law enforcement, and report that determination to the AG in writing within 30 days.

The Attorney General notice requirement differs in a material way from the other states that have a regulatory reporting requirement.  The notice must contain information about “[a]ny services related to the breach to be offered or scheduled to be offered…”   Although the AG is specifically required to be notified of credit monitoring or identity theft services to be offered, most notices to consumers contain all the information required by FIPA.   Attention must be paid to the second requirement:   Upon request, the entity must provide: (1) “a police report, incident report, or computer forensics report”; (2) “a copy of the policies in place regarding breaches”; and (3) “steps that have been taken to rectify the breach.”    When launching into an investigation of a data breach, remember that attorney-client privilege is important when engaging with investigatory service providers who will create documentation such as “incident” reports or “computer forensics” reports.

Kentucky’s New Data Breach Notification Law

Kentucky became the 47th state to enact a data breach notification law.   Consult the latest version of the Mintz Matrix for the details of the Kentucky law (and all the other July 1 effective amendments).

Canada’s Anti-Spam Law

Canada’s draconian anti-spam law (known as CASL) goes into force tomorrow.   U.S. companies should have compliance programs in place and should have been carefully examining email lists to either obtain express consent or at least determine whether they could be subject to CASL.  Fines of up to CAD$10 million can be imposed under CASL and the Canadian Radio-Television and Telecommunications Commission has already announced its intention to enforce.  Take it seriously.


Happy Canada Day (July 1) to our Canadian readers and Happy Independence Day (July 4) to our US readers!


As our readers know, we maintain a summary of the US state data breach notification laws, which we refer to as the “Mintz Matrix.”   We update the Mintz Matrix on a quarterly basis, or more frequently if developments dictate.

We’ve updated the Mintz Levin State Data Breach Notification Matrix to reflect recent changes to Kentucky’s law and Iowa’s law.   The Mintz Matrix is available here.

Continue Reading Get your updated Mintz Matrix!

There has been so much news swirling in the data privacy and security world in the last few days, that it has been difficult to keep up.    We’ll give you a roundup here for your Friday and weekend reading.

Heartbleed – Where Are We?   

By now, you should know whether your web-facing applications (customer log-in, secure web portals, shopping carts) were affected by the Heartbleed vulnerability, and patches should have been applied.    If you have not checked into this yet, you can test your URL at any number of sites, but here is one.  Test it now!

  • Upgrade any software using OpenSSL to the latest, patched version. (should be done)
  • Communicate with any hardware and software vendors to ensure they’ve also upgraded. 
  • Once that is secured, have everyone within your company change their passwords, or notify customers that passwords should be changed.
  • Explain to employees and customers what you are doing and what you have done to take precautions against this bug.

The second bullet was the biggest nut to crack for many this week.  Make sure that your network appliances (routers, conferencing, any hardware/software that connects to the Internet) are all checked.  SANS (the security institute) has been keeping a running list of Heartbleed vendor patches and communications.  Many vendor sites also are posting technical communications with updates and notices regarding the availability of upgrades, patches or hotfixes.  Further, many enterprises don’t know how many sites they own, such as external cloud-hosted sites, sites acquired via mergers and acquisitions – and temporary sites that everyone forgot about.   All of those should be checked for the Heartbleed vulnerability, because if the door is open, it could allow malicious intruders in.   Just ask the Canada Revenue Agency or the UK’s popular site, Mumsnet.
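As an added example (not code from the original post or from Mintz Levin), here is a first-pass inventory check that supports the “upgrade anything using OpenSSL” and “check every site and appliance you own” steps above: it parses the version banners collected from servers and network appliances, flags the ones whose OpenSSL build falls in the affected range, and keeps a separate bucket for devices whose vendor has confirmed a backported fix. The affected range (OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g) is an assumption taken from the public OpenSSL advisory rather than from the post, and the host inventory is constructed sample data.

```python
"""Added example (not code from the original post): a first-pass inventory
check over the OpenSSL version banners collected from servers and network
appliances, supporting the "upgrade anything using OpenSSL" and "check every
site and appliance you own" steps.

Assumptions not stated in the post: the affected OpenSSL range (1.0.1 up to
and including 1.0.1f, fixed in 1.0.1g) is taken from the public OpenSSL
advisory; the inventory records below are constructed sample data.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

Version = Tuple[int, int, int, str]  # e.g. (1, 0, 1, "f") for 1.0.1f

# Assumed affected range; adjust if your vendor's advisory says otherwise.
FIRST_AFFECTED: Version = (1, 0, 1, "")   # 1.0.1 with no letter suffix
FIRST_FIXED: Version = (1, 0, 1, "g")     # 1.0.1g

# Matches the leading part of `openssl version` output, e.g. "OpenSSL 1.0.1f 6 Jan 2014".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


class Asset(NamedTuple):
    name: str                      # host or appliance identifier
    banner: str                    # raw `openssl version` (or vendor) string
    vendor_patched: bool = False   # vendor has confirmed a backported fix


def parse_openssl_version(banner: str) -> Optional[Version]:
    """Turn 'OpenSSL 1.0.1f 6 Jan 2014' into (1, 0, 1, 'f'); None if unparseable."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def in_affected_range(version: Version) -> bool:
    """Tuple comparison orders 1.0.1 < 1.0.1a < ... < 1.0.1f < 1.0.1g correctly."""
    return FIRST_AFFECTED <= version < FIRST_FIXED


def classify(asset: Asset) -> str:
    """Classify one asset for the Heartbleed follow-up list.

    A version string alone is not proof: distributions often backport the fix
    while keeping the old version number, so a vendor confirmation overrides
    an apparently vulnerable banner.
    """
    version = parse_openssl_version(asset.banner)
    if version is None:
        return "unknown"           # no OpenSSL banner; needs a manual vendor check
    if not in_affected_range(version):
        return "not-affected"      # outside 1.0.1..1.0.1f (e.g. 0.9.8, 1.0.0, 1.0.1g+)
    if asset.vendor_patched:
        return "patched-backport"  # vulnerable-looking banner, fix confirmed by vendor
    return "needs-upgrade"         # in affected range, no vendor confirmation


def triage(assets: List[Asset]) -> dict:
    """Group asset names by classification so the upgrade list is easy to act on."""
    report: dict = {}
    for asset in assets:
        report.setdefault(classify(asset), []).append(asset.name)
    return report


# Constructed sample inventory (not real hosts or appliances).
SAMPLE_ASSETS = [
    Asset("web-portal-01", "OpenSSL 1.0.1f 6 Jan 2014"),
    Asset("shop-cart-02", "OpenSSL 1.0.1g 7 Apr 2014"),
    Asset("legacy-app-03", "OpenSSL 0.9.8y 5 Feb 2013"),
    Asset("vpn-appliance-04", "OpenSSL 1.0.1e 11 Feb 2013", vendor_patched=True),
    Asset("conf-bridge-05", "firmware 4.2.1 (no library info)"),
]

if __name__ == "__main__":
    for status, names in sorted(triage(SAMPLE_ASSETS).items()):
        print(f"{status}: {', '.join(names)}")
```

The “unknown” and “patched-backport” buckets are the point of the exercise: a banner check only tells you which hosts are definitely on an affected build, while appliances that expose no library version, and distribution packages that carry the fix under an old version number, still have to be confirmed against the vendor notices and the SANS list mentioned above.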

Continue Reading Privacy & Security Bits and Bytes

As we all ponder the potential for the first U.S. government shut down in 18 years, here are some Monday privacy tidbits to change the subject a bit.

September Mintz Matrix

As our readers know, we maintain a summary of the US state data breach notification laws, which we refer to as the “Mintz Matrix.”   We update the Mintz Matrix on a quarterly basis, or more frequently if developments dictate.

We’ve updated the Mintz Levin State Data Breach Notification Matrix to reflect changes to California’s law.   The Mintz Matrix is available here.

California SB 46 and AB 1149 have brought about the following changes:

(1)   The definition of PI has been expanded to include username or email in combination with password or security question and answer that would permit access to an online account.

(2)   The law specifies when electronic notice can be provided.

Now, for today’s disclaimer: This chart is for informational purposes only and does not constitute legal advice or opinions regarding any specific facts relating to specific data breach incidents. You should seek the advice of experienced legal counsel (e.g., the Mintz Levin privacy team) when reviewing options and obligations in responding to a particular data security breach.

Press Roundup

Last week was a busy one for members of the Mintz Levin privacy team – here’s a peek at our clipping file:

Law360 (registration may be required) – Va. Tech Breach Reveals Info on 145K Job Applicants – quotes Cynthia Larose

FierceCIO – How a decent risk assessment could save you a lot of money – Interview with Cynthia Larose

Law 360 (registration may be required) – Calif. Initiative Could Unleash Wave of Privacy Fights – quotes Jake Romero

E-Commerce Times – Judge Cuts Google No Slack in Gmail Wiretap Case – quotes Cynthia Larose


Or as Navin R. Johnson might say …….  *

Our updated Mintz Levin State Data Breach Notification Matrix (fondly known as the “Mintz Matrix”) is available here.   We update this resource quarterly, or as events dictate.    Legislatures have been quiet on the data breach notification front since the end of 2012.   Since our last update, North Dakota, Texas and Vermont have amended their data breach notification laws.

In a nutshell:

Vermont — Effective now, Vermont requires that Vermont-regulated financial institutions notify the state’s Department of Financial Regulation in the event of a breach.  Such notice is in addition to any notice required by applicable federal regulations.

North Dakota — Effective August 1, the definition of “personal information” has been expanded to add both “health insurance information” and “medical information.”

Texas — Effective now, Texas amended its breach notification law to (a) remove language limiting the application of the data breach notification requirement to Texas residents and residents of states that do not require notification, (b) permit, for residents of states other than Texas that require notification of a breach, notice to be provided to such individuals under those states’ law or under Texas law, and (c) clarify that written notice of a security breach must be provided to the last known address of the individual.

Now, for today’s disclaimer: This chart is for informational purposes only and does not constitute legal advice or opinions regarding any specific facts relating to specific data breach incidents. You should seek the advice of experienced legal counsel (the Mintz Levin privacy team) when reviewing options and obligations in responding to a particular data security breach.


*(Sound clip from The Jerk starring Steve Martin, 1979)