Page 25 - Sheppard Mullin Eye on Privacy 2018 Year in Review
Arizona’s Notice Law Now In Effect
Posted on July 23, 2018
As we wrote when the law passed, Arizona has expanded its data breach notification law. The law took effect on July 20 and now includes several new elements. These include a requirement to notify the state attorney general if more than 1,000 individuals have been impacted, and an expanded ability to notify by email. Timing of notification has changed from “most expedient” to within 45 days. The Arizona law also now has content requirements for notifications, and notification is not required if an independent forensic firm or law enforcement determines that there has been no risk of “substantial economic loss.”
PUTTING IT INTO PRACTICE: Companies should keep in mind these new elements of Arizona’s law for their nationwide breach notice plans.
South Dakota’s Breach Notice Law Now In Effect
Posted on July 2, 2018
As we wrote when the law passed, South Dakota now has a data breach notification law, making it the last state to have a data breach notification statute on the books. (The breach notification law of the other hold-out state, Alabama, went into effect on June 1.) The law is now in effect and, as we reported, mirrors many facets of other states’ breach laws. Notification is required when there is an unauthorized acquisition of unencrypted computerized data (or encrypted data where the key is compromised). Encryption is defined in South Dakota (unlike many other states), and notification must occur within 60 days. If notification to more than 250 South Dakota residents is required, a company must notify state authorities as well.
PUTTING IT INTO PRACTICE: Companies with a nationwide breach notice plan should keep in mind South Dakota’s 60-day timing requirements as well as its state authority notification provision.
Colorado Enacts Stringent Data Breach Notification Law
Posted on June 27, 2018
Colorado’s governor recently signed into law an update to the state’s breach notice law. As we reported yesterday, the new law takes effect on September 1, 2018. As amended, the definition of “personal information” now also includes student, military or passport identification numbers, medical information, health insurance identification numbers, biometric data, and a resident’s username or email address (in combination with passwords or security questions). The law now calls for companies to conduct investigations when they become aware that a breach may have occurred (rather than when they become aware of a breach). Also modified is the window that companies have to provide notice: Colorado joins Florida in requiring notice within 30 days (as compared to the current “without unreasonable delay”).
The law will also join a handful of others (including California, Florida and Illinois) in requiring specific content in notices to impacted individuals. This includes the date or date range of the breach, the type of information impacted, and contact information for the company, FTC, and credit reporting agencies. For breaches that impact usernames and passwords, companies will also need to tell people to change their passwords and, as appropriate, to take other steps to protect their account. Notice to the state Attorney General will be required if more than 500 residents are affected. If more than 1,000 residents are impacted, then the company also needs to notify credit reporting agencies.
PUTTING IT INTO PRACTICE: Companies updating their nationwide incident response plans should take into account Colorado’s 30-day timing requirement, notice content requirements, and AG notification requirement (if more than 500 residents are impacted).