Data Breach Notification Laws 2.0
Recently, Alabama 1 and South Dakota 2 joined the other 48 states by enacting data breach legislation that requires entities (private or public) to notify individuals of security breaches involving personally identifiable information. While South Dakota’s law followed the majority of its predecessors, the Alabama law imposes a data security standard on individuals, entities, and third parties that is almost identical to the HIPAA Security Rule standard. 3 This data security standard is a characteristic of the next generation of data breach notification law (“2.0 Laws”). In the months following the Alabama law’s enactment, the following states amended and updated their data breach laws to 2.0 Laws by including, among other things, a data security standard: Louisiana 4, Colorado 5, Nebraska 6, and California 7.
Alabama
Security Measures Requirement: Although Alabama was the last of the 50 states to pass a data breach notification law, the Alabama Act is one of the first to impose mandatory data security measures. It requires each covered entity and third-party agent to “implement and maintain reasonable security measures” to protect sensitive personally identifying information (“SPII”). To determine whether security measures are reasonable, covered entities must consider the following: (1) designation of an employee or employees to coordinate the covered entity’s security measures (i.e., a security officer); (2) conduct of a risk assessment that considers and identifies the internal and external risks of a breach; (3) implementation of appropriate information safeguards; (4) use of third-party service providers to maintain appropriate safeguards; (5) monitoring and auditing of security measures, adjusting for changes in circumstances that affect the security of SPII; and (6) involvement of the covered entity’s board of directors by appropriately informing them of the overall status of the covered entity’s security measures.
Effective Date: June 1, 2018
Exempt if governed by HIPAA?: No.
Louisiana
Security Measures Requirement: The Louisiana Law requires:
Any person that conducts business in the state or that owns or licenses computerized data that includes personal information, or any agency that owns or licenses computerized data that includes personal information, shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
Effective Date: August 1, 2018
Exempt if governed by HIPAA?: No.
Colorado
Security Measures Requirement: The Colorado Law requires a “covered entity that maintains, owns, or licenses personal identifying information” (“Colorado Covered Entity”) of an individual residing in Colorado to protect personal identifying information from “unauthorized access, use, modification, disclosure, or destruction” and to “implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.” The Colorado Law further requires Colorado Covered Entities to:
[1] [P]rovide its own security protection for the information it discloses to a third-party service provider, [and]
[2] [R]equire that the third-party service provider implement and maintain reasonable security procedures and practices that are:
(a) Appropriate to the nature of the personal identifying information disclosed to the third-party service provider; and
(b) Reasonably designed to help protect the personal identifying information from unauthorized access, use, modification, disclosure, or destruction.
Effective Date: September 1, 2018
Exempt if governed by HIPAA?: No.
Nebraska
Security Measures Requirement: The Nebraska Law requires any individual or commercial entity conducting business in Nebraska that “owns, licenses, or maintains computerized data that includes personal information about a resident of Nebraska” to:
implement and maintain reasonable security procedures and practices that are appropriate to the nature and sensitivity of the personal information owned, licensed, or maintained and the nature and size of, and the resources available to, the business and its operations, including safeguards that protect the personal information when the individual or commercial entity disposes of the personal information.
Effective Date: July 19, 2018
Exempt if governed by HIPAA?: Yes.
California 8
Security Measures Requirement: The California Law creates an affirmative duty for businesses to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect [] personal information[.]”
Effective Date: January 1, 2020
Exempt if governed by HIPAA?: Yes.
1 S.B. 318, Alabama Data Breach Notification Act of 2018, Reg. Sess. (Ala. 2018).
2 S.B. 62, Reg. Sess. (S.D. 2018).
3 See 45 C.F.R. § 164.316 (requiring covered entities and business associates to “[i]mplement reasonable and appropriate policies and procedures” to protect PHI and ePHI).
4 S.B. 361, Reg. Sess. (La. 2018).
5 H.B. 18-1128, Reg. Sess. (Colo. 2018).
6 L.B. 757, Reg. Sess. (Neb. 2018).
7 Assemb. B. 375, California Consumer Privacy Act of 2018, Reg. Sess. (Cal. 2018).