breach notification law

Update on State Breach Notification Laws

In the first few months of 2015, a number of states have introduced data breach notification bills and proposed legislative amendments designed to enhance consumer protection in response to increasingly high-profile data breaches reported in the media. This activity at the state level seems to indicate that protecting consumers from data breaches is one area where Democrats and Republicans can find common ground.

From the text of these bills, some of which have already become law, we see two emerging trends:  (1) an expansion of the definition of personal information to include more categories of data that, if compromised, would trigger a notification requirement, and (2) the addition of a requirement to notify state agencies (such as attorneys general and state insurance commissioners) where none previously existed.

Here are developments in three states reflecting these emerging trends:


In late February, Wyoming passed two bills that amend its existing data breach notification law by specifying the content required in notices to Wyoming residents, modifying the definition of personal information, and providing for covered entities or business associates that comply with HIPAA to be deemed in compliance with the state individual notice requirements.

In particular, Wyoming’s definition of personal information will now include the following:

  • Shared secrets or security tokens that are known to be used for data-based authentication;
  • A username or email address, in combination with a password or security question and answer that would permit access to an online account;
  • A birth or marriage certificate;
  • Medical information (a person’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional);
  • Health insurance information (a person’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the person or information related to a person’s application and claims history);
  • Unique biometric data (data generated from measurements or analysis of human body characteristics for authentication purposes); and
  • An individual taxpayer identification number.

These changes to Wyoming law will become effective July 1, 2015.


Beginning October 1, 2015, amendments to Montana’s breach notification law will require entities that experience a data breach affecting Montana residents to notify the Montana Attorney General and, if applicable, the Commissioner of Insurance.  Notification must include an electronic copy of the notice to affected individuals, a statement providing the date and method of distribution of the notification, and an indication of the number of individuals in the state impacted by the breach.  Entities must provide notice to state regulators simultaneously with consumer notices.

The recent amendments to the Montana law also expand the definition of personal information to include medical record information, taxpayer identification numbers and any “identity protection personal identification number” issued by the IRS.  The law specifies that medical information is that which relates to an individual’s physical or mental condition, medical history, medical claims history or medical treatment, and is obtained from [...]


New Mexico Moves One Step Closer to Becoming the 47th State with a Breach Notification Law

46 states plus Washington, D.C. have data breach notification laws.  Alabama, Kentucky, New Mexico and South Dakota still do not have a comprehensive notification law outside of the public sector.  That may change soon though, because the New Mexico House of Representatives unanimously passed a bill on February 17, 2014, that would require companies to notify state residents of a breach of their unencrypted personal information.  The bill appears to resemble many existing state breach notification laws, and contains a number of exceptions under which companies would not be required to provide notice of a breach.

The definition of personal information is the standard definition we see in many state breach notification laws – defined as name plus another data element that could lead to identity theft or financial fraud: social security number; driver’s license number; government-issued ID; or account number, credit card number or debit card number, in combination with any required code or password that would permit access to a person’s financial account.

If the bill passes, New Mexico will join the handful of other states with specific timing provisions for notification—if the breach involves 1,000 or more residents, companies would be required to notify affected individuals within 45 days of discovering the breach, and the state attorney general (AG) within 14 days (like Vermont).

Companies can avoid notification to affected residents if there is no “significant risk of identity theft or fraud,” but when the incident involves 1,000 or more individuals, the company still must notify the state AG with a written explanation of its risk of harm analysis.  Like many other states, the bill also contains a “deemed in compliance” provision stating that companies in compliance with the federal Gramm-Leach-Bliley Act or the federal Health Insurance Portability and Accountability Act would be deemed to be in compliance with the proposed law.

At the federal level, there have been increased demands for Congress to establish a national data breach notification standard, and several bills have been introduced that would create such a standard.  Most recently, on February 4, 2014, U.S. Senators Edward Markey (D-Mass.) and Richard Blumenthal (D-Conn.) introduced the Personal Data Protection and Breach Accountability Act, which seeks to establish a federal breach notification standard and impose minimum data security requirements for companies, like the approach taken in Massachusetts with 201 C.M.R. 17.00, et seq.  We will be watching these bills closely and reporting on any further developments.




