States Aggressively Amend Data Breach Notification Obligations
In his State of the Union Address earlier this year, President Obama emphasized an urgent need for comprehensive cybersecurity and privacy legislation. The President's statement capped a week-long promotional effort in support of various White House privacy and cybersecurity initiatives, perhaps most notably including the creation of a national data breach notification standard. Citing the cost and confusion caused by 47 different state data breach notification statutes, the President proposed the Personal Data Notification and Protection Act, which would preempt state notification statutes and establish a 30-day notification requirement from the discovery of a data breach. In the face of various political impediments, however—namely, concerns over preemption and/or weakening of existing state standards—a national data breach notification scheme has proven an elusive goal.
Where Congress is Thwarted, State Legislatures May Be Encouraged
As noted by the President, 47 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted data breach notification laws that generally require, with certain exceptions, that individuals affected by data breaches be notified of the breach. Kentucky is the latest state to do so. Alabama, New Mexico, and South Dakota are the lone holdouts. These laws generally identify the entities required to provide notification to others of a data breach, those who should receive such notification, the circumstances that trigger notification obligations, the types of personal information to which the laws pertain, and exceptions to and/or exemptions from notification obligations. The laws differ from state to state, however, and are amended with increasing regularity.
As set forth in the attached table, a number of notable amendments to state data breach notification laws have recently taken effect, or may do so soon. From the amendments, clear trends emerge:
- Illinois, Montana, Nevada, North Dakota, Oregon, Rhode Island, and Wyoming have expanded the definition of "personal information" to protect a greater number of data types, such as medical and insurance information, biometric data, and email addresses.
- Illinois and Rhode Island, like Massachusetts and others before them, have enacted or may enact data protection laws as a complement to existing data breach notification laws.
- Illinois, Montana, North Dakota, Oregon, Rhode Island, and Washington have joined or may join a large list of states that require that state attorneys general and/or other government bodies be notified of data breaches.
- Connecticut, Rhode Island, and Washington require that individuals be notified of data breaches within an express deadline, either 45 or 90 days from "confirmation" or "discovery" of a breach.
These states are the most recent to amend their existing data protection and breach notification laws. But they will not be the last. Companies should monitor future data breach legislation and remain mindful of their incident readiness and response programs, which should be reviewed regularly to ensure compliance with this evolving legislative framework.
One thing is certain: The previously noted trends signal greater government scrutiny of corporate cybersecurity practices, not less.
For further information, please contact your principal Firm representative or one of the lawyers listed below. General email messages may be sent using our "Contact Us" form, which can be found at www.jonesday.com/contactus/.
Daniel J. McLoon
Mauricio F. Paez
Nicole M. Perry
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our "Contact Us" form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.