Four states update their breach notification laws

Over the past few months, four states – Connecticut, Mississippi, Nevada, and Texas – have enacted changes to their breach notification laws. We provide a brief overview of the changes below.

Connecticut HB 5310

Connecticut House Bill 5310 was signed into law by Connecticut’s Governor on June 16, 2021, enhancing consumer protections after data breaches by expanding the definition of personal data and shortening notification deadlines. The new law, effective October 1, 2021, now includes the following data as personal information, when in combination with the first name or first initial and last name: social security number, taxpayer identification number, driver’s license number, passport number or military identification number, financial or credit card numbers, medical data, health insurance identification numbers, or biometric information. Additionally, a username in combination with a password or other information that would allow access to an online account is by itself considered personal information. The addition of biometric data, medical information, health insurance information and online credentials gives the law broad coverage of consumer data. The law covers any person who conducts business in the state, no matter the size or revenue of the business, and requires that they provide notice following any breach of security. The notice deadline under the new law is sixty (60) days, one month shorter than the previous ninety (90).

Mississippi HB 277

The State of Mississippi now recognizes tribal identification cards as a valid form of photo identification. The passage of Mississippi House Bill 277, which focused on this new legal recognition for tribal identification, also updated Mississippi’s data breach notification law to include tribal identification numbers in the definition of personal information, which, if breached, triggers the notification requirements. The other personal information covered by the law consists of the more typical data categories of name, driver’s license number, social security number and account or credit card numbers.

Nevada AB 61

Nevada increased the severity of penalties under its data breach notification law by expanding the state’s Deceptive Trade Practices Act through Nevada AB 61. The Deceptive Trade Practices Act now includes violations of the data breach notification law as a deceptive trade practice, making businesses potentially liable under both the data breach notification law and the Deceptive Trade Practices Act. The Nevada Attorney General has authority, under both the data breach notification law and the Deceptive Trade Practices Act, to impose civil penalties and issue injunctions against operators who violate either statute.

Texas HB 3746

Prior to the enactment of Texas House Bill 3746, Texas companies were required to notify the Texas Attorney General within 60 days of discovering a data breach that affected 250 or more residents. This new law, signed by the Governor in June 2021, amends the prior law by requiring additional information to be provided in notifications to the AG. Now, a company must include the number of affected residents who have been sent a disclosure of the breach. This new requirement joins the previous notice requirements of a detailed description of the nature of the breach, the number of residents affected, the measures taken by the person regarding the breach, any other measures the person intends to take regarding the breach and information about whether law enforcement may be engaged in the investigation. Additionally, this new law requires the Attorney General to post online a listing of the notifications received for public access and to update and maintain the listing, as necessary.