State Data Breach Legislation Update: Creation, Clarification, and Expansion State Data Breach Legislation Update: Creation, Clarification, and Expansion

State Data Breach Legislation Update: Creation, Clarification, and Expansion

The first part of 2017 has seen a flurry of activity regarding state data breach legislation, including enactment of new laws, clarification of laws already on the books, and expansion of laws into a new category of notification requirements. We take a look at the three states which have most recently created, clarified, or expanded their data breach laws: New Mexico, Tennessee, and Virginia.

New Mexico

New Mexico joined the vast majority of states with data breach legislation, becoming the 48th state to enact such laws, leaving only Alabama and South Dakota as the remaining holdouts. The Data Breach Notification Act of New Mexico (the “Act”), which can be reviewed here and will go into effect on June 6, 2017, is a fairly typical data breach law relative to those laws in other states. 

In particularly, the Act stipulates that a business must provide notification to each New Mexico resident whose personal identifying information is reasonably believed to have been subject to a security breach. However, the Act does not apply to businesses subject to HIPAA or the Gramm-Leach-Bliley Act. The New Mexico Act defines “personal identifying information” as the resident’s first name or first initial and last name in combination with any one or more of the following:

  • Social security number;
  • Driver’s license number;
  • Government-issued identification number;
  • Account number, including debit or credit card numbers, along with any required security code or password to allow access to the financial account; or
  • Biometric data, such as fingerprints or voice data used for voice recognition.
The Act contains the typical encryption safe harbor, which provides that notification requirements only apply if the data breached was unencrypted. If the breach involves only encrypted data, companies are not required to notify individuals of the breach unless the confidential process or encryption key used to access the information is also part of the breach.

Additionally, the Act spells out the required content for the notice, which includes the usual information such as date of breach, type of data breached, and general description of the incident.  However, the Act also requires the notice to contain contact information for the major consumer reporting agencies and information about the individual’s rights pursuant to the federal Fair Credit Reporting Act.

The notification must be sent in the “most expedient time possible” but not later than 45 days after the discovery of the data breach. The Act also contains a typical risk of harm analysis to determine if notification is required. If, after investigation, the company determines that the breach does not give rise to a significant risk of identity theft or fraud, then no notification is required.

The Act also requires businesses to notify the state attorney general and credit reporting agencies if notification must be sent to more than one thousand individuals. Again, the attorney general and credit agency notification must be sent no later than 45 days after the data breach discovery.  This notice is required to contain the number of residences that received notification as well as a copy of the notification that was sent.

Tennessee

Tennessee’s clarification of its current data breach notification statute became effective on April 4, 2017, and the full text of the act can be reviewed here. The clarification came about due to a 2016 amendment of the legislation that removed certain language regarding encryption.

Tennessee’s original legislation contained a typical encryption safe harbor, meaning that businesses were exempt from giving notice to individuals if the data breached was encrypted unless the encryption key was also obtained. The legislation was amended in 2016 to remove the exemption, making Tennessee the only state with data breach notification legislation that did not provide an explicit encryption safe harbor.
However, the 2016 amendment left reference to encryption as a suggested means to protect data, which, in turn, permitted encryption to be considered as part of the risk analysis that a business would conduct to determine whether notification should be given. As such, it left many scratching their heads as to whether encryption could still provide a safety net for businesses.

The new legislation removes any doubt as to the applicability of the encryption exemption by defining “breach of system security” as the acquisition of “unencrypted computerized data” or “encrypted computerized data and the encryption key.” The amended statute also defines encryption as requiring the security to comply with the current version of the Federal Information Processing Standard 140-2.
Therefore, if the business’s encryption does not meet the federal standard, then the encryption safe harbor is not available.

Virginia

In response to the rampant and successful W-2 phishing scams plaguing businesses across the country, Virginia has extended its data breach notification laws to encompass payroll information breaches. The new law is the first of its kind. You can review the text of the amended legislation here.

The new notification requirements apply to employers or payroll-service providers if there is a data breach related to certain types of state income tax information. Notice under the new law must be given to the Office of the Virginia Attorney General “without unreasonable delay” if there is unauthorized access to both an unencrypted taxpayer identification number as well as the income tax withheld for that taxpayer. This notice is subject to the same risk analysis as Virginia’s already-existing data breach laws. That is, notification is only required if the employer or payroll provider reasonably believes the breach is likely to lead to identity theft or fraud. In addition, for employers, this notification requirement only applies to data concerning its employees, not information regarding the employer’s customers or other non-employees.

If notice is required, the employer or payroll provider must provide the attorney general with the name and federal employer identification number of the employee who may be affected by the breach. Once the attorney general receives notification from the employer, it will then notify the state Department of Taxation regarding the compromise in confidentiality.

This new payroll breach amendment does not require the employer or payroll provider to provide notice to the affected employees unless the data breached also triggers Virginia’s other general data breach notification requirements. For example, Virginia law requires data breach notification to affected individuals if the information breached includes the name along with any one of the following: social security number, driver’s license number, state identification number, or financial account number along with access pin or password. If the information breached involves only the employee’s social security number and tax withholding information, then notification to the attorney general is required but not required for the individual employee because no name was included in the data.

Virginia’s payroll notification law will go into effect on July 1, 2017.

It is important to stay up-to-date on data breach notification laws to ensure that your business is in compliance with all relevant and applicable provisions. Ice Miller’s Data Security & Privacy Practice helps clients stay abreast of the emerging laws. Stephen Reynolds, a former computer programmer and IT Analyst, is a co-chair of Ice Miller’s Data Security and Privacy Practice. Stephen can be reached at stephen.reynolds@icemiller.com or (317) 236-2391. Nicole Woods is an associate in Ice Miller’s Data Security and Privacy Practice, where she focuses her practice on complex commercial litigation, including contract disputes, business torts, and financial services litigation.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
View Full Site View Mobile Optimized