Two New Breach Notification Laws Usher in the (Unofficial) Beginning of Summer
As the unofficial start of summer begins, Washington and New Jersey have recently enacted two new pieces of cybersecurity legislation. While both laws expand the responsibilities of organizations when it comes to notifying individuals of unauthorized access to or disclosure of their data, Washington state’s simultaneous failure to pass a different, hotly contested privacy bill reveals that the debate over organizational accountability for cybersecurity and data privacy is far from settled.
Washington’s Breach Notification Law
Prior to the enactment of the new Washington law, organizations were required to notify state residents of a data breach only in the event that the incident exposed a user’s name in combination with their Social Security number, driver’s license number, state ID number or financial account information. See RCW 19.255.010, et seq.
Now, the new law requires organizations that have suffered a breach to notify consumers if an unauthorized individual obtains a user’s name in combination with their full birth dates, health insurance ID numbers, medical history, student ID numbers, military ID numbers, passport ID numbers, usernames and passwords, biometric data (such as DNA profiles or fingerprints) or electronic signatures.
Further, the law modifies the method and content of breach notices. In particular, if the exposed data includes a user name and password, the law allows an entity to notify its affected users via email. Notifications must also provide more detailed information regarding the breach, including the time frame during which the personal data was compromised and the date the data breach was discovered (to the extent either is known).
Finally, the law reduces the deadline for organizations to issue breach notifications from 45 days to 30 days from the time the organization became aware of the data breach, making it more important than ever for an organization to react swiftly to investigate potential breaches and determine their notification obligations.
Washington’s new breach notification requirements will be in effect March 1, 2020.
New Jersey’s Breach Notification Law
Similar to Washington’s new law, New Jersey’s recently enacted breach notification law expands the definition of “personal information” that falls within the scope of the law – requiring an organization to issue breach notifications in a wider variety of instances. Under the new law, a breach notification is required whenever an individual’s “user name, email address, or any other account holder identifying information, in combination with any password or security question and answer” is compromised. Previously, New Jersey only required a breach notification when the information involved an individual’s Social Security number, driver’s license number, state identification card number, financial account number, or credit or debit card number. The new law also allows for email notification in instances when a user name or password is disclosed in a data breach – so long as the email address receiving a breach notification was not itself subject to the breach.
New Jersey’s newest law is in effect beginning on September 1, 2019.
A Look at the Privacy and Cybersecurity Landscape in the U.S.
While both of the new laws indicate that the definition of “personal information” is expanding to include information beyond “traditional” identifiers such as Social Security and credit card numbers, the fact that the laws only address breach notification obligations – rather than larger issues of data privacy – should not be overlooked.
Through the late winter and early spring, Washington state appeared on track to pass comprehensive privacy legislation. Senate Bill 5376 attempted to regulate the collection, sorting, use, and sale of personal information. In its original form, the bill also contained provisions relating to the use of facial recognition software by public agencies. However, multiple organizations opposed the bill, demanding stronger consumer data privacy protections. The Washington State House ultimately declined to pass the bill by the April 17 deadline – signaling that the bill will never be considered.
Had the bill passed, Washington would have become the fourth state, behind Massachusetts, California, and Colorado, to enact more sweeping data privacy regulations that go beyond breach notification requirements. Some of these states’ laws require covered organizations to create and implement certain policies regarding their handling and protection of personal information; the California Consumer Privacy Act (“CCPA”) grants additional rights to individuals to control their information when it is in the possession of others. Colorado’s law, H.B. 18-1128, went into effect on September 1, 2018, and in addition to expanding the definition of “personal information” to include biometric data, it requires a breach notification when a Colorado resident’s username (or e-mail address), in combination with a password or security questions and answers, is revealed to unauthorized parties. See C.R.S. § 6-1-716. Further, Colorado now requires breach notifications to inform individuals of the estimated date of the security breach, a description of the information compromised, and “[a] statement that the resident can obtain information from the federal trade commission and the credit reporting agencies about fraud alerts and security freezes.” C.R.S. § 6-1-716.
Similar to Massachusetts’s law, 201 CMR § 17.03, the Colorado law also requires covered entities to maintain and implement policies governing the destruction and disposal of records (paper and electronic) that contain personal identifying information. See C.R.S. § 6-1-713. Further, all covered entities are required to “implement and maintain reasonable security procedures and practices” to protect personal identifying information. C.R.S. § 6-1-713.5. “What is ‘reasonable’ will be further defined through the case law that evolves as a result of the enforcement of this law as well as other state laws with the same or similar standard,” stated Annie Skinner, a spokeswoman with the Colorado Attorney General’s Office.
Comparatively, Washington’s failed privacy legislation would have created obligations for organizations similar to those created by the EU’s General Data Protection Regulation (“GDPR”) as well as those found under the CCPA. Even though the legislation failed to pass, Washington’s consideration of such legislation may indicate a growing demand for even greater data privacy protections than those found under currently enacted models.
Saul Ewing Arnstein & Lehr’s cybersecurity and privacy law practitioners regularly assist in determining if organizations are taking appropriate actions to protect against – and respond to – cybersecurity threats. We regularly assist organizations in responding to data breaches. For more information, contact the authors or the attorney at the Firm with whom you are regularly in contact.