States enact data breach notification requirements
On May 10, the New Jersey governor signed S 52, which amends the state’s data breach notification provisions. The amendments expand the definition of “personal information” to include “user name, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account.” The amendment further permits breached entities to provide individuals, whose account access credentials have been compromised, with the opportunity to promptly change online account information, so long as the notification is not sent to an email account subject to the security breach. The amendments take effect on September 1.
On May 7, the Washington governor signed HB 1071, which amends the state’s data breach notification law to, among other things, (i) narrow the window for post-breach notification to affected individuals and to the state Attorney General, if applicable, from 45 days to 30 days after discovery; (ii) require notifications to contain the date of the breach and the date of the discovery of the breach, if known; (iii) permit electronic notification to affected individuals, which must instruct them to promptly change passwords and security questions or answers, as applicable; and (iv) significantly expand the items included in the notice to the Attorney General, including a summary of steps taken to contain the breach. In addition, HB 1071 expands the definition of “personal information” to include, among other things, the full birth date; a private key unique to an individual that is used to authenticate or sign electronic records; student, military, or passport ID numbers; health insurance identification numbers; biometric data or medical history; and user names and email addresses combined with passwords or security questions. The amendments take effect March 1, 2020.