It is midway through 2014 and there have been updates to four existing, and one new, state breach notification laws. Iowa and Florida have substantively amended their current breach notification laws, both of which went into effect on July 1, 2014, and Kentucky has become the 47th state to implement a breach notification law, which went into effect on July 14, 2014.
Idaho and Vermont also amended their data breach laws. Idaho’s amendments were merely technical and did not change the substance of the law. Vermont’s amendments were similarly technical, but a provision was added that requires a Vermont law enforcement agency to notify a business in writing if it has a reasonable belief that a security breach has or may have occurred at the business.
Iowa’s Breach Notification Law
Starting on July 1, 2014, Iowa’s amended breach notification law introduces a few changes that affect when, and whom, an individual or business must notify in the event of a data breach. The highlights of the amendments are as follows:
- A “Breach of Security” now includes an unauthorized acquisition of Personal Information that was transferred from computerized form to any medium, including paper.
- “Personal Information” now includes encrypted, redacted, or otherwise altered data elements if the keys to unencrypt, unredact, or otherwise read the data elements were acquired through the security breach.
- An expiration date is now included as a data element for combination with account numbers or credit or debit card numbers.
- Notification must now be provided to the Director of the Consumer Protection division of the Office of the Attorney General if the breach includes more than 500 Iowa residents.
Florida’s Breach Notification Law
Florida implemented the Information Protection Act of 2014 that repeals the existing data breach law and implements strengthened notification requirements. The new law was signed by Governor Rick Scott on June 20, 2014, and went into effect on July 1, 2014. The new law redefines a Covered Entity, expands the definition of Personal Information, and expands the notification requirements if there is a data breach.
Florida’s new breach notification law redefines a “Covered Entity” as any sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity or governmental entity that acquires, maintains, stores, or uses Personal Information.
In addition to what the original law included, “Personal Information” now includes a username or email address in combination with a password or security question and answer that would permit access to an online account. Further, “Personal Information” includes the following new data elements:
- A passport number, military identification number, or other government issued number used to verify identity.
- The medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
- The health insurance policy number or subscriber identification number in combination with a unique identifier used by the health insurer.
The new Florida law also provides that Personal Information does not include information that is encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable.
If there is a data breach, notice must be provided to individuals in Florida as expeditiously as practicable and without unreasonable delay, but no later than 30 days after the “Covered Entity” concludes that a breach occurred or has reason to believe a breach occurred. Notice of a data breach may be delayed by a federal, state, or local law enforcement agency if the agency believes notice of the data breach will interfere with a criminal investigation. Notice of a data breach must be provided to consumer reporting agencies without unreasonable delay if the data breach requires notification of more than 1,000 individuals at a single time. The new Florida law expands the notification requirement to include the Department of Legal Affairs. Notifying the Department of Legal Affairs is only required if the security breach affects 500 or more individuals in Florida (Florida’s breach notification law does not refer to residents, unlike other states’ breach notification laws). Notice to the Department of Legal Affairs must be provided as expeditiously as practicable, but no later than 30 days after the “Covered Entity” concludes that a breach occurred or has reason to believe a breach occurred.
The new Florida law also requires specific information to be included in a data breach notification, depending on to whom such notification is addressed. When notifying an individual of a data breach by written or email notice, the notice must include:
- the date, estimated date, or estimated date range of the breach;
- a description of the “Personal Information” accessed or reasonably believed to have been accessed during the breach; and
- the contact information for the individual to reach the entity.
When notifying an individual of a data breach by substitute notice, a method that can be used if written notice or email notice is not feasible because the cost of providing notice would exceed $250,000, the affected individuals exceed 500,000 persons, or the “Covered Entity” does not have a mailing address or email address for the affected individuals, the notice shall include:
- a conspicuous notice on the entity’s website, if the entity maintains a website; and
- notices in print media and in broadcast media, including major media in urban and rural areas where the affected individuals reside.
When notifying the Department of Legal Affairs of a data breach, the notice must be in writing and include:
- a synopsis of the breach;
- the number of Florida residents affected by the breach;
- any services being offered to the affected individuals;
- a copy of the notice to the individuals or an explanation of other actions taken; and
- the contact information of an employee or agent the Department of Legal Affairs may contact to obtain further information about the breach.
Kentucky’s Breach Notification Law
Kentucky became the 47th state to pass a breach notification law. Governor Steve Beshear signed H.B. 232 into law on April 10, 2014, and the law went into effect on July 14, 2014. The new law will require any individual or business entity that conducts business in Kentucky and maintains computerized data that includes Personal Information to notify residents of Kentucky of a Breach of Security. A “Breach of Security” is an unauthorized acquisition of unencrypted and unredacted computerized data that compromises the security, confidentiality, or integrity of Personal Information maintained by the individual or business entity and actually causes, or leads the individual or business entity to reasonably believe has caused or will cause, identity theft or fraud against any resident of Kentucky.
“Personal Information” means an individual’s first name or first initial and last name combined with any one or more of the following data elements, when the name or data is not redacted:
- Social Security number;
- driver’s license number; or
- account number, credit or debit card number, in combination with any security code, access code, or password that would permit access to an individual’s financial account.
The timing of the breach notification shall comply with the following requirements:
- The breach notification shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measure necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
- The breach notification may be delayed if a law enforcement agency determines that notification will impede a criminal investigation. The notification shall be made promptly after the law enforcement agency determines that it will not compromise the investigation.
With respect to the manner of the breach notification, the notice may be provided by one of the following methods:
- written notice;
- electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code; or
- substitute notice, if the individual or business entity demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or that the individual or business entity does not have sufficient contact information. Substitute notice shall consist of the following: (a) email notice, when the individual or business entity has an email address for the subject persons; (b) conspicuous posting of the notice on the individual or business entity’s website, if the individual or business entity maintains a website; or (c) notification to major statewide media.
Notwithstanding the above, any individual or business entity that maintains its own notification procedures as part of an information security policy for the treatment of “Personal Information,” and is otherwise consistent with the timing requirements, shall be deemed to be in compliance with the notification requirements of the Kentucky statute if the individual or business entity notifies the subject persons in accordance with its policies in the event of a breach of security of the system.