Apr 23, 2019

From the Washington Attorney General’s Office yesterday, a press release on an expansion of the breach notification requirements. Of special note, under the new law, a hacker acquiring a name in combination with a student ID would trigger notification obligations, but only if the information was not secured or made unusable (e.g., by encryption) AND the breach is reasonably likely to subject consumers to a risk of harm. If there’s no reasonably likely risk of harm, then there is still no notification obligation, it seems — unless I’m reading the bill text incorrectly. I expect a number of law firms will be blogging about these amendments to the state law.

OLYMPIA — Today, with a unanimous, bipartisan vote, state legislators passed a bill requested by Attorney General Ferguson that strengthens data breach notification laws.

The bill expands consumer data breach notification requirements to include more types of consumer information. It also reduces the deadline to notify consumers to 30 days from 45 days. Rep. Shelley Kloba, D-Kirkland, sponsored the bill, which passed the House in a unanimous, bipartisan vote on March 1.

“My office has seen the number of Washingtonians impacted by data breaches increase year after year,” Ferguson said. “Data breaches are a serious threat to our privacy, and this law will arm consumers with information to protect their sensitive data.”

“Not only is the amount of data being collected and stored about consumers increasing, the number of breaches of secure storage of the data is increasing at an alarming rate as well,” Kloba said. “This bill updates our consumer protection laws to shorten the notification time from 45 days to 30 days, so that consumers are made aware of a breach more quickly and can take protective action. Additionally, companies who collect and store data will need to pay more attention to safeguarding it against internal and external threats.”

Sen. Joe Nguyen, D-White Center, sponsored a companion bill in the Senate.

“Time and time again, millions of Americans have had their most private information stolen and abused due to poor corporate stewardship over the data we entrust them with,” Nguyen said. “This legislation will ensure that we have mechanisms for accountability put in place so that when a data breach occurs, we can act quickly and decisively to mitigate further harm.”

Without this new law, a business or government organization affected by a data breach is only required to notify consumers if a hacker obtains a consumer’s name in combination with social security numbers, driver’s license numbers, state ID numbers or financial account information.

The new law requires organizations to also notify consumers if a hacker accesses a consumer’s name in combination with the following:

  • Full birth dates
  • Health insurance ID numbers
  • Medical history
  • Student ID numbers
  • Military ID numbers
  • Passport ID numbers
  • Usernames and passwords
  • Biometric data, such as DNA profiles or fingerprints
  • Electronic signatures

The bill also requires notice to the Attorney General within 30 days of the discovery of a data breach.

Data breaches are a growing threat to Washington residents, businesses and agencies. Data breaches affected nearly 3.4 million Washingtonians between July 2017 and July 2018, a 26 percent increase over the previous year, according to the Attorney General’s Office’s third annual data breach report.

Source: Washington Attorney General’s Office

Apr 04, 2019

Thomas S. Markey writes:

On Feb. 19, a bill was introduced in the Pennsylvania Senate proposing to amend the Pennsylvania Breach of Personal Information Notification Act to add new breach notification requirements for state agencies and political subdivisions of the commonwealth.

Enacted in 2005, the act (73 P.S. Section 2301 et seq.) applies to commonwealth agencies; political subdivisions, which include counties, cities, boroughs, incorporated towns, townships and school districts; and persons doing business in Pennsylvania, including nonprofit organizations and financial institutions (collectively, entities). Under the act, an entity must notify Pennsylvania residents whose unencrypted and unredacted personal information stored on a computerized system was, or was reasonably believed to have been, accessed and acquired by an unauthorized person. The act requires that residents are notified of a data breach “without unreasonable delay.”

Senate Bill 308, sponsored by Pennsylvania Sen. Kristin Phillips-Hill, proposes significant changes to the definition of personal information, the timing and contents of breach notice requirements and state agencies’ obligation to develop information security policies.

Read more on The Legal Intelligencer.

Mar 26, 2019

Sydny Shepard reports:

District of Columbia Attorney General Karl A. Racine has introduced the Security Breach Protection Amendment Act of 2019, which would modernize the District’s data breach law and strengthen protections for residents’ personal information.

Racine introduced the bill in response to the major data breaches that have put tens of millions of consumers, and hundreds of thousands of District residents, at risk of identity theft and other types of fraud, according to a press release.

The new legislation would expand legal protections to cover additional types of personal information, require companies that deal with personal information to implement safeguards, include additional reporting requirements for companies that suffer a data breach, and require companies that expose consumers’ social security numbers to offer two years of free identity theft protection.

Read more on Security Today.

Mar 21, 2019

Amber Thomson, Liisa Thomas, Elfin Noce, and Kari Rollins of SheppardMullin write:

Ohio recently followed South Carolina as the second state to adopt cybersecurity legislation modeled after the NAIC’s Insurance Data Security Model Law. The Ohio law, Senate Bill 273, applies to insurers authorized to do business in Ohio and goes into effect today, March 20, 2019 (the first day of Spring). Companies have, under the law, a year to put the security measures into place. The law, like the NAIC model, requires insurance providers to take several steps to protect personal information, including conducting risk assessments and having a written information security program and incident response plan.

Read more on Eye on Privacy.

Mar 15, 2019

David Krebs and Jacey Safnuk of Miller Thomson LLP write:

… Data breach reporting obligations in Saskatchewan are influenced by a total of four relevant pieces of legislation, covering both public and private sectors. These laws will not all apply to every potential breach, of course, but it is crucial for organizations to understand that more than one of them may apply depending on the specific circumstances of the data breach:

  1. The Freedom of Information and Protection of Privacy Act (“FOIP”) applies to Government Institutions, such as ministries, Crown corporations, agencies, boards and commissions.
  2. The Local Authority Freedom of Information and Protection of Privacy Act (“LA FOIP”) applies to Local Authorities, such as school boards, post-secondary institutions, rural municipalities and regional health authorities.
  3. The Health Information Protection Act (“HIPA”) applies to a wide range of organizations listed under 2(t) of HIPA who have custody or control over Personal Health Information.
  4. Personal Information Protection and Electronic Documents Act (“PIPEDA”) applies to any organization that collects, uses, or discloses personal information in a “commercial activity.” Saskatchewan does not have “substantially similar” privacy legislation, and, therefore, in Saskatchewan PIPEDA applies to all personal information used, collected, or disclosed in commercial activities and all personal information processed by “federal undertakings,” which then includes personal employee information of those organizations. Personal information of employees in the private sector is not governed by a provincial or federal law.

Read more on Lexology.