Page 27 - Sheppard Mullin Eye on Privacy 2018 Year in Review
And Then There Was None – Alabama Becomes 50th State With Breach Notice Law
Posted on April 11, 2018
Alabama is the final US state to enact data breach notification legislation. The new law takes effect on June 1, 2018 and applies to electronic “sensitive” data. This includes full Social Security and government-issued identification numbers, account and payment card numbers (in combination with security or access codes or PIN numbers), health information, and a user name or email address (in combination with a password or security question). Exceptions exist for both encrypted and “truncated” information.
For a breach to occur, the information has to have been acquired. Companies are to conduct an investigation if they believe a breach may have occurred, and the law provides for several factors companies should consider when trying to determine if information has been subject to unauthorized acquisition. These include indications that the information is in the hands of an unauthorized person, that the information has become public, and evidence that the information has been downloaded or copied. Notice can be delayed if it interferes with law enforcement investigation.
The law provides for specific content to be included in notice to impacted individuals. This includes date or date range of the breach, type of information impacted, what the company has done to restore the security of the information, how the person can protect him or herself, and contact information for the company. Substitute notice is permitted if more than 100,000 people are impacted or the cost of notice is over $500,000. If more than 1,000 residents are impacted then the company also needs to notify Alabama’s Attorney General.
PUTTING IT INTO PRACTICE: For companies with national incident response plans, you may want to update your IRP generally, and in particular to include the notice to the Alabama attorney general.
Oregon Updates Its Data Breach Notification Law
Posted on March 29, 2018
Oregon’s governor recently passed into law S 1551. The bill amends the state’s existing breach notice law. The revision goes into effect in June. It adds to the definition of personal information that which would permit access to a financial account. It now also places the duty to notify not only on entities that own or license information and use it in the course of their business, but also on those that “otherwise possess” information and use it in the course of their business. Notice also has to be made if an entity [i.e. Entity A] “receive notice of a breach . . . from another person that maintains or otherwise possesses personal information” on Entity A’s behalf.
When providing notice, companies must notify affected individuals within 45 days of discovering or receiving notification of a breach. This changes the prior “expeditious” and “without undue delay” requirement. Companies must now also take “reasonable measures” to figure out what happened. They must also use reasonable measures to figure out impacted people’s contact information. Reasonable measures are also specifically required for restoring the integrity of the information.
Oregon previously had requirements for contents of notice. Added to the list of required content is the contact information for the entity that gave notice.
Oregon, like other states, provides for exemptions if companies are required to notify under federal laws. Now, however, those entities must also give the Oregon AG a copy of the notice sent to individuals and to the company’s regulator (if there are more than 250 impacted consumers). Finally, in a provision that does not exist in other similar laws, Oregon now specifically prohibits, if a company gives free credit monitoring, requiring individuals to give their credit card numbers to get the free credit monitoring.
PUTTING IT INTO PRACTICE: For companies with nationwide incident response plans, Oregon’s modified law will require some changes. Among these are the 45-day provision, the definition of personal information, and the process those who are otherwise regulated must follow.