New Data Breach Notification Laws Spring 2018: What You Need to Know
June 14, 2018
This spring has brought a particularly active round of revisions to state data breach notification laws. Most notably, as of July 1, 2018, every state will have a breach notification law. Alabama and South Dakota both passed laws within weeks of each other earlier this year with effective dates of June 1 and July 1, respectively.
These laws, along with revisions to existing laws passed in four additional states, reflect national trends to require notification to both consumers and regulators within a stated time period and to trigger notification requirements based on a broader range of data, including online account credentials, health information, passport numbers and biometric data. As a result, while these changes do add complexity to the national landscape, they should not require substantial changes to existing procedures for handling multistate breaches. Notable features of each of the statutes are described below.
Expanded Data Elements
- In addition to the standard elements of social security number, driver’s license number and financial account number, Alabama and South Dakota’s laws both cover usernames and passwords. South Dakota’s law also includes employee identification numbers “in combination with any required security code, access code, password, or biometric data.” It is also notable that Alabama’s law only protects usernames and passwords that are “affiliated with the entity” and where the account itself contains other defined personal information.
- Arizona’s amended law (effective August 20, 2018) significantly broadens the definition of personal information to include usernames and passwords, insurance numbers, health data, passport number, taxpayer identification number, biometric data and any private e-sign or authentication key unique to an individual.
- Louisiana’s amended law (effective August 1, 2018) changes the definition of “personal information” to include passport numbers, state identification numbers and biometric data.
- Colorado’s amended law (effective September 1, 2018) added student, military or passport identification number; medical information; health insurance identification number; biometric data; and usernames and passwords to its definition of personal information. Colorado also now requires notification for exposed financial account information even if no name was exposed.