April Brings Showers … and Changes to State Data Breach Notification Laws

Over the past few weeks there have been noteworthy changes to data breach notification acts within several states. Of importance, New Mexico enacted its first notification law while Tennessee and Virginia amended existing legislation.

New Mexico

On April 6, 2017 New Mexico enacted HB 15, the Data Breach Notification Act, making it the 48th state to pass a notification law. The Act goes into effect on June 16, 2017, leaving Alabama and South Dakota as the only states without notification requirements. The Act, drawing on other state’s recent amendments, included biometric data (fingerprints, facial characteristics, retina patterns, etc.) in its definition of personal identifying information. The Act’s three components include: (1) Disposal of personal identifying information; (2) Security Measures for Storage of personal identifying information; and (3) Notification of a Security Breach. A full copy of the Act can be found here.

Tennessee

The Tennessee legislature enacted HB 454 on April 4, 2017, amending its 2016 data breach notification statute. This amendment clarifies that notification is required only if an unauthorized person has accessed either unencrypted files, or encrypted files along with the decryption key. A full copy of HB 454 can be found here.

Virginia

In response to a W-2 phishing scheme costing Virginians millions in payments and investigations relating to fraudulent tax returns, the State’s data breach notification statute was amended to ensure that the Attorney General and Department of Taxation remain advised when employers and payroll service providers experience a breach involving taxpayer identification numbers and withholding information. This amendment does not, however, require that the individual taxpayer be notified of any breach, unless the breach involves the taxpayer’s Social Security information. The amendment goes into effect on July 1, 2017, and can be found here.