In the first few months of 2015, a number of states have introduced data breach notification bills and proposed legislative amendments designed to enhance consumer protection in response to increasingly high profile data breaches reported in the media. This activity at the state level seems to indicate that protecting consumers from data breaches is one area where democrats and republicans can find common ground.
From the text of these bills, some of which have already become law, we see two emerging trends: (1) an expansion of the definition of personal information to include more categories of data that, if compromised, would trigger a notification requirement, and (2) the addition of a requirement to notify state agencies (such as attorneys general and state insurance commissioners) where none previously existed.
Here are developments in three states reflecting these emerging trends:
In late February, Wyoming passed two bills that amend its existing data breach notification law by specifying the content required in notices to Wyoming residents, modifying the definition of personal information, and providing for covered entities or business associates that comply with HIPAA to be deemed in compliance with the state individual notice requirements.
In particular, Wyoming’s definition of personal information will now include the following:
- Shared secrets or security tokens that are known to be used for data-based authentication;
- A username or email address, in combination with a password or security question and answer that would permit access to an online account;
- A birth or marriage certificate;
- Medical information (a person’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional);
- Health insurance information (a person’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the person or information related to a person’s application and claims history);
- Unique biometric data (data generated from measurements or analysis of human body characteristics for authentication purposes); and
- An individual taxpayer identification number.
These changes to Wyoming law will become effective July 1, 2015.
Beginning October 1, 2015, amendments to Montana’s breach notification law will require entities that experience a data breach affecting Montana residents to notify the Montana Attorney General and, if applicable, the Commissioner of Insurance. Notification must include an electronic copy of the notice to affected individuals, a statement providing the date and method of distribution of the notification, and an indication of the number of individuals in the state impacted by the breach. Entities must provide notice to state regulators simultaneously with consumer notices.
The recent amendments to the Montana law also expand the definition of personal information to include medical record information, taxpayer identification numbers and any “identity protection personal identification number” issued by the IRS. The law specifies that medical information is that which relates to an individual’s physical or mental condition, medical history, medical claims history or medical treatment, and is obtained from [...]