New Mexico became the 48th state to adopt a data breach notification law when its Data Breach Notification Act was signed on April 6, 2017. The law is effective June 16, 2017.
Under the new law, notification is required in the event a security breach compromises the security, confidentiality or integrity of personal identifying information on New Mexico residents. Personal identifying information includes name, Social Security number, driver’s license number, government-issued identification number, or financial account number and required access code or password. The term also includes biometric data, including fingerprints, voice print, iris or retina patterns, facial characteristics or hand geometry.
Notification must be made without unreasonable delay, but not later than 45 calendar days following discovery of the breach. The law allows the breached entity to conduct a risk of harm analysis and does not require notification if there is no significant risk of identity theft or fraud. The law requires specific content to be included in the notification letter, including the types of personal identifying information affected by the incident, the date of the breach, a general description of the breach, contact information for the consumer reporting agencies and advice on steps the recipient can take to protect himself or herself.
If notification is required to go out to more than 1,000 New Mexico residents, the breached entity is also required to notify the New Mexico attorney general and consumer reporting agencies. Such notification should also be made within 45 calendar days.
The Data Breach Notification Act also includes provisions requiring the safe storage and disposal of personal identifying information. In addition, the disclosure of personal identifying information to a service provider must be made pursuant to a contract that requires the service provider to implement and maintain reasonable security procedures to protect the data from unauthorized access, destruction, use, modification or disclosure.
On April 4, 2017, the most recent amendments to Tennessee’s data breach notification law became effective. The defined term for a breach in Tennessee is now “breach of system security” and it is limited to unencrypted computerized data or encrypted computerized data coupled with the encryption key. Tennessee now defines the term “encryption” to mean “computerized data that is rendered unusable, unreadable, or indecipherable without the use of a decryption process or key and in accordance with the current version of the Federal Information Processing Standard (FIPS) 140-2.”
As originally drafted, the Tennessee law included safe harbor for data that was encrypted. In 2016, the law was amended, and that encryption safe harbor was seemingly removed. The latest revision to the definition of “breach of system security” is meant to clarify and correct last year’s amendment by once again providing a safe harbor for encrypted data.
The definition of “personal information” has also been amended. The new law makes clear that the term does not include information that has been redacted or otherwise made unusable.
An entity that is not the data owner must notify the data owner of any breach of system security within 45 days of discovery. Tennessee had previously amended its law to require notification from the breached entity to affected individuals within 45 days, and this additional amendment brings that requirement full circle.
In Virginia, beginning on July 1, 2017, any employer or payroll service provider that suffers a breach that compromises tax information must notify the Office of the Virginia Attorney General. Specifically, notification must be made when there has been unauthorized access to and acquisition of unencrypted and unredacted computerized data containing a taxpayer identification number in combination with the income tax withheld for that taxpayer. Notification is only required if the access to this tax information causes, has caused, or will cause identity theft or other fraud.
Upon receipt of any such notice, the Office of the Attorney General is required to notify the Virginia Department of Taxation.
As of June 16, 2017, there will be 48 state data breach notification statutes. There is a federal data breach notification requirement under the Health Insurance Portability and Accountability Act (HIPAA) for protected health information. There are data breach notification guidelines from the U.S. Securities and Exchange Commission for its regulated entities, and from state insurance regulators for their regulated insurance companies. And that is just a small taste of the patchwork of laws and regulations facing businesses in the U.S. While some of the legal requirements and best practice advice are similar from law to law and regulator to regulator, there are many significant differences that can trip up even the most sophisticated entity. Incident response is becoming increasingly difficult as new laws, amendments, regulations, and industry best practices are added to the mix.