Nebraska and Illinois Update Breach Notice Requirements
The data breach notification laws for Nebraska and Illinois have been updated to expand the definition of “personal information” to include usernames and email addresses in combination with a password or security question and answer allowing access to an online user account.
In addition to expanding the scope of covered information, Nebraska’s L.B. 835 will require notification to the Attorney General in the event of any breach that requires notice to a Nebraska resident in the first instance. Illinois’ H.B. 1260 further expands the definition of PI to include a resident’s medical information, health insurance information, and unique biometric data, specifies required notice content when consumers’ usernames or email addresses are affected by a breach, and imposes new data security requirements.
Nebraska’s new law will go into effect on July 21, 2016, while Illinois’ new law will become operative on Jan. 1, 2017. Changes to these laws are summarized below, and can be compared to other states requirements on our website.
Changes to Nebraska’s Breach Notification Statute
- New PI Data Elements. The definition of Personal Information or “PI” is expanded to include a resident’s online username or email address, combined with a password or security question and answer allowing access to an online account.
- Compromised Encryption Key. Nebraska’s breach notification statute currently includes a safe harbor that allows a business to forego data breach notification when affected PI is encrypted, redacted or otherwise made unreadable. L.B. 835 clarifies that data is not considered encrypted when the encryption process or key itself is compromised in the breach.
- AG Notice. Nebraska’s data breach notification law will soon require businesses and other entities to notify the Nebraska Attorney General whenever notice to any state resident is required, and must be given no later than the time when the resident is notified.
Changes to Illinois’ Breach Notification Statute
- New PI Data Elements.B. 1260 will enlarge the definition of PI to include:
- A resident’s medical information, health insurance information, and unique biometric data when combined with a consumer’s first name or first initial and last name; and
- A resident’s online username or email address, combined with a password or security question and answer allowing access to an online account.
- Notice Content for Breach of Username or Email Address. Businesses will be permitted to notify Illinois residents of a breach affecting usernames or email addresses via electronic or other form directing residents to promptly change their username or password and security question or answer or take “other appropriate steps” to protect all affected online accounts which use the same username or email address and security question or answer.
- Compromised Encryption Key. H.B. 1260 clarifies Illinois’ safe harbor does not apply when the key to unencrypt, unredact, or otherwise read the data elements is itself compromised in the breach.
- Substitute Notice to “Local Media.” If a breach impacts Illinois residents in one geographic area, affected businesses otherwise permitted by the statute to give notice via substitute notice (i.e. if notification costs exceed $250,000 or if the affected business would have to notify more than 500,000 residents) will be allowed to notify prominent local media instead of major statewide Businesses should note that such localized notice is in addition to the other substitute notice requirements (i.e. email notice if residents’ addresses on file, and conspicuous posting of the notice on the business’ website), and must be “reasonably calculated” to give residents actual notice.
- Data Security Requirements. In addition, H.B. 1260 expands the current Illinois statute to include data security requirements very similar to those demanded by Nevada’s data breach notification laws (NRS 603A.210). When the statute goes into effect next year, all entities that own, license, maintain or store records containing residents’ PI will be required to:
- Implement and maintain “reasonable security measures” to protect from unauthorized access, acquisition, destruction, use, modification, or disclosure; and
- Require all third parties to implement and maintain similar security measures when PI will be disclosed pursuant to a contract.
- Entities Covered by other Federal Privacy and Data Security Regimes
- Covered entities and business associates subject to and in compliance with the Health Insurance Portability and Accountability Act as amended (HIPAA) and the Health Information Technology for Economic and Clinical Health (“HITECH”) Act will be deemed complaint with the Illinois statute for data security purposes, but any covered entity or business associate required to provide notification of a breach to the Secretary of Health and Human Services pursuant to HITECH must provide notice to the Illinois Attorney General within 5 business days of notifying the Secretary.
- Financial institutions subject to applicable provisions of the Gramm-Leach-Bliley Act will also be deemed in compliance with Illinois’ new data security requirements.
What’s Next for Businesses?
The Nebraska and Illinois updates are just the latest changes in the patchwork of state-level data breach notification requirements. Tennessee recently passed substantive amendments to its breach notification statute that will which go into effect on July 1 and the amendments to Rhode Island’s statute will take effect on July 2.
Some of Nebraska’s and Illinois’ expanded requirements mirror those that already exist under other states’ notice regimes, however, all entities that collect consumer information should:
- Review breach notification policies and procedures and update as needed. As with any change to state data breach notification statutes, businesses and other entities are strongly encouraged to revisit, review, and revise their breach notification policies and procedures where needed to be in compliance with the alterations to these statutes.
- Don’t Store Data and Encryption Keys in the Same Place. The tweaks to Nebraska’s and Illinois’ encryption safe harbors are good reminders that encrypting or taking other measures to make sensitive data unreadable will not do much if the keys to decode the data are compromised as well. Companies should not store their encryption keys on the same machine or in the same location as the data that the keys secure. More importantly, when transmitting encrypted files, companies should use alternate methods of transmitting the encryption keys. For instance, don’t email an encrypted file and include the encryption key in the same email.
Cut: Companies required by other state or federal laws to implement greater protections to safeguard records with PI, as well as those subject to and in compliance with the Gramm-Leach-Bliley Act, will be deemed in compliance.