Written by Jim Halpert and Anne Kierig
An active spring state legislative session has already produced a few new state data breach laws.
Notably, when New Mexico HB 15 was signed into law on April 6, the state became the 48th in the nation to have a data breach law on the books. The only holdouts: South Dakota and Alabama.
Unlike most state data breach laws, New Mexico includes “biometric data” in its list of “personal identifying information” that triggers breach notice. If a court determines that a person covered under the bill violated the statute knowingly or recklessly, the court may impose a penalty of the greater of $25,000 or, in the case of failed notification, $10 per instance of failed notification, up to a maximum of $150,000.
The notice requirement both to residents and to the Attorney General (AG) (in the event of a breach to more than 1,000 New Mexico residents) is “in the most expedient time possible, but not later than 45 calendar days following discovery of the security breach.” The new law will take effect on June 16, 2017.
Updates across the states
A handful of other states also updated their data breach laws this year. In what may be a harbinger of bills in other states next year, Virginia HB 2113/SB 1033 requires employers and payroll service providers to notify the state AG when data that was breached includes tax information that can be linked to a specific individual. The AG will then provide notice of that breach to the state Department of Taxation. The law goes into effect on July 1, 2017.
Tennessee SB 547 clarifies that a breach of encrypted data does not require notice under Tennessee’s law. A law enacted last year in the state was somewhat unclear on this point. Tennessee’s breach notice law remains in the minority that do not include a “harm trigger,” meaning a breach of sensitive personally identifiable information requires notice, even if it does not create risk of identity theft or fraud. The new law went into effect on April 4, 2017.
Arkansas SB 247, which is scheduled to go into effect on August 3, 2017, requires entities engaged “in the business of insurance” (an undefined term) to provide breach notice to the Insurance Commissioner. The notice must be provided in accordance with the state’s breach notice law, “in the most expedient time and manner possible and without unreasonable delay . . . .” (Ark. Code § 4-110-105.)
A newly passed law in Maryland, HB 974, adds additional types of information to the “Personal information” that may trigger a breach notice obligation under that state’s breach statute. The newly enacted law adds the following data elements to the list:
- “Health Information,” defined as “any information created by an entity covered by the federal Health Insurance Portability and Accountability Act of 1996 regarding an individual’s medical history, medical condition, or medical treatment or diagnosis” (a different definition than in other state laws, but one that tracks HIPAA)
- “Biometric data of an individual generated by automatic measurements of an individual’s biological characteristics such as a fingerprint, voice print, genetic print, retina or iris image, or other unique biological characteristic, that can be used to uniquely authenticate the individual’s identity when the individual accesses a system or account” and
- “A user name or e-mail address in combination with a password or security question and answer that permits access to an individual’s e-mail account.”
The new law includes a provision requiring service providers who suffer a breach to share information relative to a breach with the party responsible for notification of the breach (i.e., the party that “owns or licenses” the personal information). The bill was signed into law on May 4 and takes effect on January 1, 2018.
The New Mexico law defines biometric data as “a record generated by automatic measurements of an identified individual’s fingerprints, voice print, iris or retina patterns, facial characteristics or hand geometry that is used to uniquely and durably authenticate an individual’s identity when the individual accesses a physical location, device, system or account.”