With the recent news of the California Consumer Privacy Act being signed into law this past June, other states have ramped up their efforts in passing their own privacy and cybersecurity legislation. With no federal legislation akin to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) in the United States, state governments are expected to develop privacy and data protection legislation that governs privately held companies. With much attention on data breach incidents, nine states have passed new laws that either expand the definition of personal information or address company reporting obligations in the event of a data breach. They are as follows:

  • Illinois’s Personal Information Protection Act proposes notification requirements to the Attorney General where a breach affects at least 500 Illinois residents;
  • Maine’s new Act to Protect the Privacy of Online Consumer Information places new restrictions on internet service providers;
  • Maryland’s Personal Information Protection Act features amendments coming into effect October 1 of this year that impose new requirements on entities in the event of a security breach;
  • Massachusetts’s passing of an Act Relative to Consumer Protection from Security Breaches brought into effect amendments to data breach notification laws this past April expanding obligations on businesses in the event of a security incident;
  • New Jersey’s amendments to its disclosure of security breach legislation, effective September 1 of this year, expand the definition of personal information and revise its notification standards;
  • New York’s Stop Hacks and Improve Electronic Data Security Act amendments broaden the scope of protection under the statute and also provide standards businesses must adhere to in order to protect consumer information;
  • Oregon’s Consumer Information Protection Act amendments (coming into force January 1, 2020) expand the definition of protected data and also extend certain data breach notification requirements to vendors;
  • Texas’s Identity Theft Enforcement and Protection Act brings amendments into effect January 1 of next year that enumerate timelines for sending breach notifications and also establishes an advisory council of fifteen appointed members who are “to study data privacy laws in the state, other states and relevant foreign jurisdictions”; and
  • Washington’s data breach notification law amendments, effective March 1, 2020, expand the definition of personal information and establish new data breach notification requirements.

Summary By: Hashim Ghazi


19 07 24

Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.

E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.