Recent Amendments To State Security Breach Notification Laws

King & Spalding

Security breach notification obligations vary by state, including how a security breach is defined, the method for providing notice of the breach, and any requirements to notify state regulators. The following summarizes recent amendments and newly effective amendments to security breach notification laws in three states: California, Rhode Island, and Illinois.

California – On July 22, 2016, California amended the state’s security breach notification law for the sixth time since it became effective in 2003. The amendments clarify the language of the law. Most notably, the amendment clarifies California’s good faith exception to notification for employees or agents. The good faith exception excuses notification of a security breach if particular elements are met. Based on the amendment, the good faith exception is only available if any of the breached information is not used or subject to further unauthorized disclosure. The previous version only required that the “personal information” not be subject to further disclosure. Cal. Civ. Code §1798.82(g). The revision arguably makes the good faith exception narrower than previously written.

These amendments come on the heels of more substantive changes enacted in 2015 and effective January of this year.  California defined “encrypted” as when data is “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.” Id.  This was important for informing the analysis of whether an incident was a breach under the statute, which requires that a person’s first name or first initial and last name coupled with unencrypted data be subject to an unauthorized acquisition.  Cal. Civ. Code §1798.82(h)(1).  California also expanded the definition of “personal information” to include “information or data collected through the use or operation of an automated license plate recognition system.”  Cal. Civ. Code §1798.82(h)(1)(F).

Rhode Island – On June 26, 2016, Rhode Island’s 2015 far-reaching amendments to its state breach notification laws became effective. The new law now only requires notification of a security incident if it “poses a significant risk of identity theft to any resident of Rhode Island”. R.I. St. §11-49.3-4(a)(1). This limits the statute’s application. If the incident is a breach, notification must now be made “no later than forty-five (45) calendar days after confirmation of the breach and the ability to ascertain the information required to fulfill the notice requirements”. Id. at §11-49.3-4(a)(2). The previous version of the statute only required notice to be “prompt and reasonable.” The amended statute also imposes new notification content requirements, which require a brief description of the incident, the type of information subject to the breach, the known or estimated date or date range of the breach, the date the breach was discovered, a description of remediation services being offered, and instructions for filing a police report. Id. at §11-49.3-4(d).

Illinois – Looking ahead, Illinois amended its notification statute to broaden the definition of personal information to include medical and health information, unique biometric data, and e-mail with password combinations. BUSINESS—PERSONAL INFORMATION PROTECTION, 2016 Ill. Legis. Serv. P.A. 99-503 (H.B. 1260) (WEST). It has further made changes to the notification form, which now may be electronic, and requires notification via a local media outlet if the breach impacts residents in a concentrated geographic area.  Id.  These changes are slated to become effective January 1, 2017. 

There are many more states with proposed changes before the legislature that may come into effect in 2017.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
