Though a national data breach notification bill is in its draft stages, some states aren't waiting around for Congress to make up its mind. In particular, Montana, New Jersey, Washington, Connecticut, and New Mexico are revising or creating their own notification laws, even though a national law would supersede them.
Right now, 47 states have slightly different data breach notification laws on the books (usually requiring notification within 30 or 60 days) and slightly different definitions of what constitutes a data breach. The number of states could jump to 48 if New Mexico's bill passes. The nice thing about a national law is that instead of following different data breach rules for each state you do business in, you would just have to know the federal standards.
Why that matters to you: as a business owner, you must comply with your state's data breach laws if your sensitive information is ever compromised. Failure to comply could result in steep fines or legal action, so it's important to know the rules and account for them in your business's data breach response plan.
The Data Breach Notification Laws, They Are A-Changin'
Here's what you need to know about the following five states' data breach notification laws, according to a report by Advisen:
- Montana: The state's amended statute, which takes effect October 1, 2015, expands the definition of "personal information" to include medical records and IRS-issued identification numbers. It also requires entities to notify the state attorney general's consumer protection office about the breach.
- New Jersey: New Jersey's revised law is a direct response to several data breaches that exposed hundreds of thousands of medical records because the records weren't encrypted. The law requires NJ-based health insurance companies to encrypt policyholders' personal information.
- Connecticut: Connecticut's latest legislation was inspired by Anthem's catastrophic data breach, and it has similar goals to New Jersey's law: to require insurance businesses to protect insured information through encryption. Health insurers, healthcare centers, pharmacy benefits managers, health benefits administrators, and review companies would be subject to the law and need to update their technology to stay in compliance.
- Washington: The newest bill categorizes the failure to notify consumers about a breach as a violation of the state's Consumer Protection Act. The law requires consumers and the state attorney general to be notified within 45 days after the breach was discovered. Any exposure of personal information, such as a person's name in combination with a Social Security number or with a credit card number and payment password, is considered a breach. Violating the law means the attorney general can bring legal action against your business.
- New Mexico: New Mexico is one of the last states to hop on the data breach law bandwagon, and the bill has yet to pass. The act isn't too ambitious, though – it applies only to computerized data and defines a breach as the acquisition of personal information (e.g., name and Social Security number, not login credentials). Affected parties must be notified about the breach. The bill also requires paper and electronic records to be disposed of in a responsible way.
To stay current on the latest data security news, be sure to check out our data breach blog series.