State of the (State) Data Breach Laws: 2017 Legislative Update, Part II
Maryland, New Mexico, and Tennessee
As we noted in Part I of our series, state legislatures across the country continued to refine and reshape their respective data breach notification requirements during the 2017 legislative session. While a handful of states were successful in passing new data breach notification legislation, some of those states significantly revised just when, how, and under what circumstances an entity has to notify affected consumers of a data breach. For instance, Maryland amended its Personal Information Protection Act to require consumer notification to be made within 45 days of an entity concluding that residents’ personal information was affected by a breach, while Tennessee passed a bill to restore the encryption safe harbor to its breach notification statute, a provision that was arguably eliminated from its statute in 2016.
Digital Insights brings you Part II in our series, State of the (State) Data Breach Laws, examining the major amendments passed in Maryland, New Mexico, and Tennessee, and how those changes may affect your organization’s breach notification requirements.
Maryland: On May 4, 2017, Maryland Governor Larry Hogan signed H.B. 974 into law, formally approving substantial revisions to the Maryland Personal Information Protection Act passed by the Maryland General Assembly. Among its important changes, H.B. 974 significantly revises the definition of “personal information” under the Old Line State’s data breach notification statute to include, among other new data sets, health information created by an entity covered by the Health Insurance Portability and Accountability Act (HIPAA).
Before H.B. 974 goes into effect on June 1, 2018, entities should take note of the following revisions the bill makes to the state’s breach notification statute:
- “Personal Information” Expanded: H.B. 974 amends Maryland’s definition of “personal information” to include the following additional data sets when combined with an individual’s first name or first initial and last name:
- A passport number, or other identification number issued by the federal government;
- A state identification card number;
- Health information, including information about an individual’s mental health;
- A health insurance policy or certificate number, or heath insurance subscriber identification number, in combination with a unique identifier that permits access to an individual’s health information; and
- Biometric data, generated by automatic measurements of an individual’s biological characteristics, that can be used to uniquely authenticate an individual’s identity when accessing a system or account.
H.B. 974 also adds an individual’s username or email address in combination with a password or security question and answer permitting access to the individual’s email account to the definition of “personal information.” Unlike the data sets above, however, a username or email address does not need to be linked to an individual’s name to qualify as “personal information.”
- “Health Information” Defined: H.B. 974 defines “health information” as any information created by an entity covered by HIPAA regarding an individual’s medical history, medical condition, or medical treatment or diagnosis. Consequently, a company may need to notify affected Maryland residents about the unauthorized disclosure of health information that was created by an entity covered by HIPAA, even if the notifying company is not subject to HIPAA itself.
- 45 Days to Provide Notification: Under the revised breach notification statute, an entity must provide notice to affected Maryland residents of a data breach within 45 days after discovering the breach of the security of its system. The statute anticipates that the entity will conduct, in good faith, a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused as a result of the breach. If it is determined that the information has been or is likely to be misused, notification of affected residents must occur. Entities that maintain data containing personal information must notify the data owner within 45 days of discovery of a breach.
Importantly, if notification is subject to a law enforcement delay under the statute, notice to affected residents must be no later than 30 days after the law enforcement agency determines notification will not impede a criminal investigation, or will not jeopardize homeland or national security.
- “Encryption” Revised: H.B. 974 revised the statute’s definition of “encryption” to mean the protection of data using an encryption technology that renders it indecipherable without an associated encryption key. This amendment removed language that previously qualified encryption as the transformation of data using an algorithmic process “in which there is a low probability” of assigning meaning without a key.
- Expanded Data Destruction Provisions to Cover Current and Former Employee Data: While the previous Maryland statute required entities to take reasonable steps in protecting against unauthorized access to personal information when destroying customer records, H.B. 974 expands those provisions, requiring employers to take similar precautions when destroying current and former employee records containing personal information.
- Special Notification Method for Username/Email Breaches: Under the amendments, if only a username or email address (along with the password or security question and question permitting access to the compromised email account) and no other personal information is affected, an entity can notify affected individuals by providing directions on how to change the account’s password or security question and answer, or providing additional steps to protect the compromised email account.
New Mexico: As we wrote earlier this year, New Mexico became the 48th state to require notification to consumers following a data breach when Governor Susana Martinez signed the Data Breach Notification Act (H.B. 15) into law on April 16, 2017.
The Data Breach Notification Act bears similarities to many of the state data breach notification statutes already enacted: for instance, like the majority of state breach laws, the act only covers electronic data that contains personal information. And similar to the revised Maryland Personal Information Protection Act, New Mexico requires consumer notification to be made within 45 days after discovery of a breach.
Like many other states, New Mexico also requires notification to state regulators, under certain circumstances, when its residents are notified of a data breach. Under H.B. 15, an entity must notify the New Mexico Attorney General if more than 1,000 residents have to be notified. Importantly, an entity must also notify the New Mexico Attorney General if it provides notification to residents via substitute notice, regardless of the number of residents notified.
Tennessee: Back in 2016, the Tennessee Legislature passed S.B. 2005, a bill that made several amendments to the state’s notification statute, including requiring notice of a data breach within 45 days. But surprisingly, one of the main purposes and stated aims of S.B. 2005 was to eliminate the statute’s encryption safe harbor, which had previously exempted entities from notifying individuals about a data breach if the data affected was encrypted. Thanks to a quirk of legislative drafting, it was unclear whether the amendment as enacted actually eliminated the encryption safe harbor in the Volunteer State. The ambiguity, however, gave little comfort to entities that took measures to make their clients’ personal information indecipherable to any bad actor that might obtain it.
On April 4, 2017, Tennessee unambiguously reinstated its encryption safe harbor by enacting S.B. 547. Effective the same day, S.B. 547 defined a “breach of system security” as the acquisition of “unencrypted computerized data; or encrypted computerized data and the encryption key,” and defined encrypted as “computerized data that is rendered unusable, unreadable, or indecipherable without the use of a decryption process or key and in accordance with the current version of the Federal Information Processing Standard (FIPS) 140-2.” As written, entities can take heart that encrypted data will fall outside of the Tennessee statute’s scope so long as the encryption key is not compromised.
Please check back to Digital Insights in the coming days for Part III in our series, State of the (State) Data Breach Laws: 2017 Legislative Update, examining data breach-related legislation in Virginia and Washington state, other data security and privacy-related statutes passed in 2017, and how these changes may impact your breach notification, data security, and privacy requirements.