Companies in Texas, Illinois, and Oregon will have new notification obligations if they experience a data breach, under amendments to state laws taking effect Jan. 1.
States have been updating data breach notice statutes in recent years to broaden the definition of personal information and change requirements for when and how to notify affected individuals or the state attorney general. All 50 states and the District of Columbia require companies to notify people of security breaches of personal information.
The amendments taking effect Jan. 1 are “building on the trends we’ve been seeing,” Brian Kint, an attorney at Cozen O’Connor P.C. in Philadelphia who advises companies on privacy and cybersecurity issues, said.
State attorneys general around the country have ramped up privacy and data security actions, including investigating data breaches and if companies are following notice requirements.
The state regulators can receive complaints about data breaches from individuals, but the attorneys general “prefer to find out about these from companies themselves,” said Jennifer Hennessy, a cybersecurity attorney with Foley & Lardner LLP who advises organizations on compliance with federal and state data security laws.
The Oregon measure (S.B. 684) extends some data breach notice obligations to vendors and expands the definition of personal information to include information used to access an online account.
The Oregon law is “quite unique” in requiring vendors to notify the state attorney general if a breach involves the personal information of more than 250 Oregon residents, Hennessy said. Vendors don’t currently have many responsibilities under state data breach laws so it will be interesting to see if other states take the same route, she said.
Illinois will require “data collectors” to notify the state attorney general for breaches affecting more than 500 Illinois residents under the bill (S.B. 1624) amending the state’s personal information protection law.
Texas will require businesses to notify affected individuals within 60 days of determining a breach occurred, rather than notifying them “as quickly as possible,” under the current law. The bill (H.B. 4390) also adds an obligation to notify the state attorney general if the breach involves at least 250 residents and creates a privacy protection council that will make recommendations for future state privacy laws by Sept. 1, 2020.
The varying timelines and reporting thresholds in state data breach notice laws makes it “imperative on companies to get ahead” before a breach, Kint said.