Recent Hacks Spur States to Pass More Data Security Breach Notification Laws

The recent hack of Equifax, one of the country's three major credit-reporting companies, is the latest example of Americans' personal information under attack from foreign governments, organized criminals, and mischievous hackers. Equifax's data breach has placed roughly 143 million people's names, addresses, birth dates, and Social Security numbers at risk of being accessed by hackers and criminals all over the world.

In this new age of cybercrime, political organizations, government agencies, companies, and anyone else that collects and stores personal information can be a target. Subsequently, new questions have emerged regarding the legal procedures for organizations that have suffered data breaches. What are the legal obligations of an organization that has experienced a breach? Is there a requirement to let consumers know their information has been compromised?

While there are federal laws that protect information in certain industries, such as HIPAA in the health industry, there is currently no federal law requiring organizations to notify consumers of a personal information breach. However, in the wake of the Equifax breach, there have been a number of new data breach notification bills put forth in Congress. This includes a renewed effort by Rep. Jim Langevin (D-R.I.) to pass the Personal Data Notification and Protection Act (US HR 3806).

There have also been a number of bills proposed in Congress in recent years (including House Resolutions 1704, 1770, 2205, and 2977, and Senate Bills 177, 961, 1027 and 1158) but so far, the states have taken the only real action on data breach protections, not Congress.

In April, the National Conference of State Legislatures (NCSL) identified laws in 48 states and the District of Columbia requiring notification of data security breaches. The National Association of Attorneys General has pushed back on any federal legislation that would preempt these state laws, leading to a patchwork of laws in different jurisdictions.

These state laws typically spell out:

1. What is protected information;
2. Which entities are subject to the breach requirements;
3. When notice should be given to consumers;
4. How notice should be given and what notice should include;
5. Exceptions and penalties.

Many of these state bills require entities to notify the regulating government agencies in the event of data breaches. Typically, these bills have required the breached organization to send notifications to the office of the state attorney general, but some have mandated that they notify governors' offices and state and local law enforcement offices as well. Mandated notification recipients can differ depending on the size of the breach or whether the institution breached was under public or private control. Over the course of the 2016-2017 session, MultiState identified 27 data breach notification bills with provisions requiring additional notification requirements.

Additionally, as technology has evolved, lawmakers in many states have updated data breach laws to include new forms of personal information, such as biometric data, within the scope of legally protected information. Some states are also requiring protection of student data for any educational institutions or entities working with schools.

Prior to the Equifax breach, state lawmakers introduced 48 bills in 2016-2017 related to data security notification requirements, seven of which were enacted into law.

Download Infographic on Data Breach Notification Laws Here

Bills Enacted

DE HB 180
Paul Baumbach (D - Majority)

Updates the definition of breach of security by including the unauthorized access, use, modification, or disclosure of personal information and the information that is included in the definition of personal information. Adds definitions for encryption. Creates a "safe harbor" if the data included in a breach is encrypted or protected by an encryption key that prevents the data from being read or used. Requires that the entity that experienced the breach provide identity theft protection services if Social Security numbers were included in the information breached.

IL SB 707
Michael Hastings (D - Majority)

Establishes notification procedures for various kinds of state agency data breaches.

• Requires that if a State agency determines the identity of the actor that perpetrated a breach, the agency shall report that information to the Subcommittee on Cybersecurity of the Senate Telecommunications and Information Technology Committee and the House Cybersecurity, Data Analytics, and IT Committee;
• Requires that State agencies directly responsible to the Governor subject to a single breach concerning more than 250 Illinois residents or an instance of aggravated computer tampering shall notify the Chief Information Officer of the Department of Innovation and Technology and the Attorney General within 72 hours of discovering the incident. Requires the Department of Innovation and Technology to take specified actions in response to the incident;
• Requires the Attorney General may disclose information regarding the breach. Removes requirement that the report be published on the website of the Attorney General and the State agency;
• Requires that a State agency that suffers a breach of security shall report to the General Assembly, rather than to specific House and Senate committees.

MD HB 974
Ned Carey (D - Majority)

Requires a business to notify the individual target of a breach notification as soon as reasonably practicable, but not later than 45 days after the business has concluded its investigation into the breach's authenticity.


NM HB 15
Bill Rehm (R - Minority)

Creates the Data Breach Notification Act, which requires that notice be given to persons who are affected by a security breach involving their personal identifying information in the most expedient time possible, but not later than 45 calendar days following discovery of the security breach.


TN SB 547
(companion bill TN HB 545)
Bill Ketron (R - Majority)

Clarifies that the consumer protection violation of failing to disclose a security breach of personal consumer information applies to a breach of unencrypted data or encrypted data when the encryption key has also been acquired by an unauthorized person.


VA HB 2113
Mark Keam (D - Minority)

Requires that any employer or payroll service provider that owns or licenses computerized data relating to income taxes shall notify the attorney general without unreasonable delay after the discovery of unauthorized access of computerized data that compromises confidentiality and creates a reasonable belief that an unencrypted and unredacted version of such information was accessed by an unauthorized person.


VA SB 1033
Janet Howell (D - Minority)

Requires that any employer or payroll service provider that owns or licenses computerized data relating to income taxes shall notify the attorney general without unreasonable delay after the discovery of unauthorized access of computerized data that compromises confidentiality and creates a reasonable belief that an unencrypted and unredacted version of such information was accessed by an unauthorized person.

What Lawmakers Are Saying

Despite these new protections, millions of people were still affected by the Equifax hack. Since the hack was disclosed on September 7, there have been at least four state bills and one regulation introduced.

Some lawmakers took to social media to announce their plans for protecting consumers against future data breaches.

With data security breaches continuing to make headlines, and technology ever-shifting, expect more state legislation in the 2018 sessions.

The data in this article was identified, analyzed, and compiled by MultiState's public policy experts. For more information on how our experts can help you track legislative and regulatory activity, please contact us or visit our Issue Management Services website.