Multiple States Toughen Data Breach and Cybersecurity Requirements
It has been a busy summer for data breach and cybersecurity laws. Several states have shortened their data breach notification timelines, expanded their definitions of personal data breaches triggering notification requirements, or added provisions related to companies' cybersecurity programs.
We summarize the notable changes below. Clients are advised to carefully review these changes and assess whether their existing information security policies and procedures should be updated.
Connecticut
Cybersecurity Standards
The most significant recent changes to data breach and cybersecurity laws[1] have occurred in Connecticut. On July 6, 2021, Connecticut enacted P.A. 21-119 (H.B. 6607), "An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses." The law does not require businesses to adopt any particular cybersecurity measures or controls, but rather provides a limited safe harbor for "covered entities" that maintain and comply with a written cybersecurity program that conforms to an "industry recognized" framework.
The law lists the following as acceptable industry recognized frameworks:
- The National Institute of Standards and Technology (NIST)'s Framework for Improving Critical Infrastructure Cybersecurity (commonly referred to as the NIST Cybersecurity Framework);
- NIST Special Publications 800-171, or 800-53 and 800-53a;
- Federal Risk and Authorization Management Program (FedRAMP) Security Assessment Framework;
- Center for Internet Security (CIS) Controls (DWT recently discussed some notable changes to the CIS Controls, which were previously called the CIS Critical Security Controls); and
- The ISO/IEC 27000-series.
If a covered entity maintains a written cybersecurity program that conforms to one of the above "industry recognized" frameworks and is sued in tort under Connecticut law or in a Connecticut court for data breach, that entity cannot be liable for punitive damages for alleged failure to implement reasonable cybersecurity controls.
Covered entities also can receive safe harbor protection if they are subject to and in compliance with the cybersecurity program requirements of HIPAA, Gramm-Leach-Bliley, the Federal Information Security Modernization Act (FISMA), or HITECH. Covered entities may also comply with the Payment Card Industry Data Security Standard (PCI DSS) and one of the industry recognized frameworks listed above.
Personal Data Definition
On June 16, 2021, Connecticut enacted H.B. 5310,[2] titled "An Act Concerning Data Breaches," which expands the state data breach law's definition of "personal data" and shortens its breach notification deadline. With this expansion, Connecticut's law will have one of the broadest definitions of personal information in any data breach law in the nation.
Under the new law, "personal information" triggering data breach reporting requirements is defined as first name or first initial and last name in combination with any one or more of the following:
- Social Security number;
- Individual taxpayer identification number or identity protection personal identification number issued by the IRS;
- Driver's license number or state identification card number;
- Passport numbers, military identification numbers, or other government issued identification numbers;
- Credit card or debit card number;
- Financial account number in combination with any required security code, access code, or password that would permit access to such financial account;
- Medical information regarding an individual's medical history, mental or physical condition, or medical diagnosis by a healthcare professional;
- Health insurance policy number or subscriber identification number, or any unique identifier used by a health insurer to identify the individual;
- Biometric information used to authenticate an individual's identity such as a fingerprint, voice print, or retina or iris image; or
- Username or email address when connected to a password or security question and answer that would permit access to an online account.
The new data breach law also shortens the deadline to notify the Connecticut Attorney General's Office of a data breach from not later than 90 days to not later than 60 days. Companies that are subject to and in compliance with the privacy and security standards under HIPAA and HITECH are deemed compliant with Connecticut's breach notification law. However, if a breach notification is necessary under HIPAA, the Connecticut Attorney General must be notified at the same time as affected individuals, and identity theft protection or mitigation services must also be offered.
Texas
On June 14, 2021, Texas enacted H.B. 3746,[3] updating the state data breach law's requirement to notify the Texas Attorney General. Texas law already required companies to notify the Texas Attorney General within 60 days of data breaches affecting 250 or more residents. Under the new law, companies must include in their notifications to the attorney general "the number of affected residents that have been sent a disclosure of the breach by mail or other direct method of communication at the time of … notification."
H.B. 3746 also requires the Texas Attorney General to now post notice of a data breach on the "attorney general's publicly accessible Internet website" within 30 days of receiving notification of the breach. The notice must remain available on the public website for a year and will be removed after that period only if the business reporting the breach does not report another breach within that period. This new requirement is in line with the practices of some other state attorneys general that maintain a publicly available record of data breaches.[4]
Nevada
On June 2, 2021, Nevada enacted A.B. No. 61. This act amends Nevada's Security of Information chapter, Nev. Rev. Stat. Ann. § 603A, by adding a provision making a violation of Nevada's data security or data breach reporting requirements a deceptive trade practice under state law.
Under this amendment, the Nevada attorney general could impose civil and criminal penalties for violations of those requirements.
Mississippi
On March 18, 2021, Mississippi enacted H.B. 277, adding tribal identification card numbers to the definition of "personal information" under Miss. Code Ann. § 75-24-29. As a result, "personal information" now includes an individual's first name or first initial and last name in combination with the individual's tribal identification card number.
Hawaii, Iowa, Maine, Minnesota, North Dakota, Tennessee, Wisconsin: NAIC Insurance Data Security Model Law
In October 2017, the National Association of Insurance Commissioners (NAIC) adopted the Insurance Data Security Model Law (MDL-668), which seeks to establish national standards for insurers' cybersecurity and incident response programs. Under the model law, licensees—defined as persons that a state licenses or otherwise authorizes or registers according to its insurance laws and regulations—must develop, implement, and maintain a comprehensive written information security program.
This security program must include, among other components, a formal cyber risk assessment, appropriate security measures based on that risk assessment, oversight of third-party service providers, and an incident response plan and procedures. The model law also requires licensees to report a "Cybersecurity Event" affecting data of more than 250 consumers to the state insurance commissioner, typically within 72 hours (although some states have altered this deadline). Licensees also must notify affected consumers in accordance with the state's data breach notification law.
In 2021 alone, seven states have enacted a version of the Insurance Data Security Model Law, bringing the total number of states to do so to 19.[5] The states that have enacted a version of the NAIC Insurance Data Security Model Law in 2021 are Hawaii (S.B. 1100), Iowa (H.F. 719), Maine (H.P. 17) (L.D. 51), Minnesota (HF 6, Article 3, Section 5), North Dakota (S.B. 2075), Tennessee (HB 766), and Wisconsin (SB 160).
It is important to note that although these state laws are based on the model, the specific enactments in each state vary in scope and details.
FOOTNOTES
[1] Of course, some robust state privacy laws have been enacted in the last several months as well, most notably in Virginia and Colorado. DWT discussed the new Virginia and Colorado privacy laws in prior posts.
[2] On October 1, 2021, when H.B. 5310 becomes effective, it will modify Conn. Gen. Stat. Ann. § 36a-701b.
[3] On September 1, 2021, when H.B. 3746 becomes effective, it will modify Tex. Bus. & Com. Code Ann. § 521.053.
[4] In addition to H.B. 3746, Texas passed a law aimed at increasing communication and transparency surrounding cyber attacks. S.B. 1696 was passed on June 14, 2021, and focuses on cyber attacks targeting schools. It requires the Texas Education Agency, in coordination with the Department of Information Resources, to establish and maintain a system to coordinate the anonymous sharing of information concerning cyber attacks or other cybersecurity incidents between participating schools and the state.
[5] Alabama (Ala. Code §§ 27-62-1 to 27-62-11); Connecticut (HB 7424); Delaware (18 Del. C. §§ 8601 to 8611); Hawaii (SB 1100); Indiana (Ind. Code §§ 27-2-27-1 to 27-2-27-32); Iowa (H.F. 719); Louisiana (HB 614); Maine (H.P. 17); Michigan (MCL 500.550 to 500.565); Minnesota (HF 6, Article 3, Section 5); Mississippi (Miss. Code Ann. §§ 83-5-801 to 83-5-825); New Hampshire (N.H. RSA § 420-P:1 to 14); New York (23 NYCRR 500.0 to 500.23); North Dakota (SB 2075); Ohio (Ohio R.C. 3965.01 to 3965.11); South Carolina (S.C. Code Ann. § 38-99-10 to 38-99-100); Tennessee (HB 766); Virginia (Va. Code Ann. §§ 38.2-621 to 38.2-629); Wisconsin (SB 160).