In 2004, Mintz Levin created a compendium of state data breach notification laws and has been updating it on a regular basis ever since.
Our latest update is available here, and it should be part of your incident response “toolbox” and part of your planning.
Some changes of note
Tennessee is the most recent state to amend its existing data breach notification law. Last week, the Governor signed into law an amendment that takes effect on July 1, 2016. The amendment:
- Joins several other states in tightening the notice period to “no later than 45 days from the discovery or notification of the breach…”
- Eliminates the “encryption safe harbor,” i.e., notification obligations are triggered even where the accessed or acquired data elements are encrypted.
- Specifically defines “unauthorized person” to include an employee “who is discovered … to have obtained personal information and intentionally used it for an unlawful purpose.”
California, Connecticut, Montana, Nevada, North Dakota, Oregon, Rhode Island, Washington and Wyoming all amended data breach laws in 2015. Some amendments signed into law in 2015 do not take effect until later this year, so make sure to note the effective dates on the Mintz Matrix when consulting various states.
What should you do now?
Spring cleaning. Given the number of changes at the state level (and no prospect of federal legislation easing this pain…), spring is a good time to review your incident response plan and data privacy policies to bring everything in line. In particular:
- Note tightened response deadlines (Rhode Island, Tennessee)
- Add identity theft prevention or identity theft mitigation services (Connecticut, California)
- Review data classification to take into account expanded definitions of personal information (Montana, Wyoming)
- Revise notice templates to comply with the new California format
As always, the Mintz Matrix is for informational purposes only and does not constitute legal advice or opinions regarding any specific facts relating to specific data breach incidents. You should seek the advice of experienced legal counsel (e.g., the Mintz Levin privacy team) when reviewing options and obligations in responding to a particular data security breach.
Hat tip to the newest member of the Mintz Levin Privacy team, Michael Katz, for great work on this update!