October 19, 2021

Over the last several months, a minority of states amended their data breach notification statutes or enacted sector-specific breach notification requirements. Specifically, nine states amended their state statutes to (1) impose notice requirements on state entities, (2) broaden existing definitions (e.g., expand the definition of “personal information”), (3) increase reporting content requirements, (4) regulate the insurance industry, (5) regulate the tax industry, (6) require stricter notification timeframes, and (7) allow the Attorney General to publish data breach information. Below is a high-level overview of each state’s data breach notification statute amendments, which are further summarized in the chart below.

Arkansas passed a law (Ark. Code Ann. § 10-4-429) that requires state entities (including political subdivisions and schools) to report data security incidents to the Arkansas Legislative Auditor within five (5) business days after learning of the incident. State entities also must provide regular updates to the Auditor about the incident until the investigation is closed. The Auditor must maintain a list of all reported security incidents, annually report (by December 15th of each year) such information to the legislative council and certain committees, and, if the incident significantly compromised citizens' data, created a significant security concern, or involved significant theft, notify certain government officials. 

Bill: H.B. 1110
Passed: March 4, 2021
Effective: July 30, 2021

Connecticut amended its data breach notification statute (Conn. Gen. Stat. § 36a-701b) to shorten the timeframe within which entities must notify impacted individuals and the Connecticut Attorney General from ninety (90) days to sixty (60) days. The amendment also broadens the definition of “personal information” to include biometrics, medical information, passport data, military and state identification cards, health insurance policy numbers, taxpayer identification numbers, and online account credentials. The amendment further requires businesses to provide twenty-four (24) months of complimentary credit identity theft prevention and mitigation services not only to individuals with an impacted Social Security number, but also to those with an impacted tax identification number. Lastly, the amendment exempts entities that are subject to and in compliance with HIPAA and HITECH.

Bill: H.B. 5310
Passed: June 16, 2021
Effective: October 1, 2021

Hawaii passed a National Association of Insurance Commissioners (“NAIC”) model insurance data protection law to establish insurance data security standards for insurance licensees (Hawaii Acts, L 2021, c 112). The law requires licensees to develop and implement written information security programs, submit data breach notifications (to both the Insurance Commissioner and consumers), and monitor third-party vendors. Of note, the law requires licensees to notify the Insurance Commissioner of a data security incident no later than three (3) business days after learning of an event.

Bill: S.B. 1100
Passed: June 29, 2021
Effective: July 1, 2021

Maine enacted an NAIC-inspired insurance data protection law. The law requires licensees to investigate, notify, and report cybersecurity events to the Superintendent of the Maine Bureau of Insurance (within three (3) days). Consumers must be notified of cybersecurity events in accordance with Maine’s general data breach notification law. The law also requires the development and implementation of a written information security program and other proactive security measures.

Bill: LD 51
Passed: March 17, 2021
Effective: January 1, 2022

Mississippi amended its data breach notification statute (Miss. Code § 75-24-29) to expand the definition of “personal information” to include tribal identification card numbers.

Bill: H.B. 277
Passed: March 13, 2021
Effective: July 1, 2021

Oregon passed a tax security breach law imposing reporting requirements on tax professionals in the event of a breach of security. The law requires tax professionals to report security breaches associated with tax return preparation to the Oregon Department of Revenue within five (5) days. The law pertains only to breaches occurring on or after January 1, 2022.

Bill: H.B. 2128
Passed: June 23, 2021
Effective: September 23, 2021

Tennessee passed an NAIC model insurance data protection law (Tenn. Code Ann. § 56-2-1001, et seq.). The law requires insurance licensees to develop, maintain, and implement an information security program by July 1, 2022; comply with standards for data security; identify cyber threats; and investigate any cybersecurity incident. In the event of a breach, licensees must notify the Commissioner of the Department of Commerce and Insurance within three (3) days and notify consumers within forty-five (45) days. 

Bill: H.B. 766
Passed: May 6, 2021
Effective: July 1, 2021

Texas amended its data breach notification law (Tex. Bus. & Com. Code § 521.053) to require the Texas Attorney General's office to post on its website a list of the notifications it receives when a breach affects at least two hundred fifty (250) Texans. Entities must include the number of impacted residents who were notified (in addition to the other notice content requirements already in the statute). The amendment provides that the Texas Attorney General can remove a notification from the website after one year, but only if no additional breaches have been reported by the entity.

Bill: H.B. 3736
Passed: June 14, 2021
Effective: September 1, 2021

Wisconsin enacted the Wisconsin Insurance Data Security Law (Wis. Stat. § 601.95, et seq.) to regulate those licensed under Wisconsin insurance laws. The law requires licensees to develop an information security program that protects their systems and data. By November 1, 2022, licensees must conduct a risk assessment and address any areas that put their consumers' data at risk. The Act further requires licensees to develop an incident response plan and provide timely notice of a security incident to impacted consumers (and in some cases to the insurance commissioner and consumer reporting agencies).

Bill: S.B. 160
Passed: July 15, 2021
Effective: November 1, 2021