Louisiana Joins the Breach Notice Update Law Fray
Posted on June 26, 2018
Louisiana has joined the growing list of states updating their data breach notification law in 2018. Others include, as we have reported, Arizona and Oregon. The law has now been amended to include biometric information, state ID number, and passport number in the definition of personal information. It also adds a 60-day notice timeline from “the discovery of the breach.” If the 60-day timeline is not met because of a law enforcement request or because it takes longer to find out the scope of the breach and restore company’s systems, the law requires that the company explain the delay to the state Attorney General. The law now also permits companies not to notify if, after a reasonable investigation, they determine that “there is no likelihood of harm to the residents of this state.” Companies must keep a written record – for five years – of breaches it did not report. This record must be given to the AG, if requested, within 60 days. The amendments to the Louisiana law go into effect on August 1st, 2018.
PUTTING IT INTO PRACTICE: Companies that maintain a nationwide incident response plan will want to look at their definitions of personal information, the timing of notification, as well as the need to keep a written record of decisions not to notify.
More Breach Law Changes – Arizona Updates Notice Law
Posted on April 26, 2018
Arizona’s Governor recently signed HB2154, which expands Arizona’s data breach notice law. The law will go into effect July 20, and will require companies to notify the state attorney general when more than 1,000 individuals have been impacted. It also allows email notice if the company has the individual’s email address. This removes the need to have email be the “primary method of communication” or be consistent with the eSign Act. Timing of notice has also changed, and must occur within 45 days instead of “in the most expedient time necessary and without unreasonable delay.” Notice in Arizona now also needs to include specific information, including the date of the breach, type of information impacted, as well as consumer reporting agencies’ and FTC contact information. In another change, companies do not need to notify under the law if an independent forensic firm or law enforcement determine that there has been no risk of “substantial economic loss.”
The mechanism for providing substitute notice has also changed under the amendment. Now, if a company provides substitute notice, it only needs to post the notice on its website, and no longer needs to send an email or notify statewide media. This is different from most other states’ substitute notice provisions. Also unlike other states that allow substitute notice, the company must give a letter to the attorney general explaining why substitute notice was needed. The law now indicates that notices to the AG under the law are confidential as provided for under Arizona law.
Finally, among other changes, the definition of personal information has been expanded. Biometric information, health insurance ID number and health information, passport number, and tax ID number, and a “private key” used to authenticate an electronic signature have been added to definition of personal information. Personal information now also includes online account credentials.
PUTTING IT INTO PRACTICE: Companies with nationwide incident response plans should consider the new elements of the Arizona law the different approach to substitute notice and the independent “no economic loss” assessment exception.
                    25 Eye on Privacy 2018 Year in Review