As we watch the tsunami of state comprehensive consumer privacy laws now spreading from California across the U.S., it’s time to revisit the flood zone of state-level PII breach notification statutes, which also flowed forth from California back in 2002. By 2018 that wave had reached every state, along with the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands. Each state has its own unique approach. And the states continue to expand their requirements, especially their definitions of what constitutes PII and the timing and content of mandated notifications. Changes since 2018 are in bold below, reflecting how the tide continues to rise.
Remember, these laws are triggered by the affected individuals’ residency, not where the breach occurred. So, when businesses with employees and customers in many states suffer a data breach, they must stay above water with a wide variety of conflicting and evolving state-level PII breach notification laws.
Scope of PII
State PII breach notification laws generally apply to a state resident’s name combined with another identifier useful for traditional identity theft, such as the individual’s Social Security number, driver’s or state identification number, or financial account number with access credentials. But an ever-growing number of states include additional “name +” combination elements in their PII definition (again, bold indicates changes since 2018):
- Medical information (Alabama, Arkansas, Arizona, California, Colorado, Connecticut, Delaware, D.C., Florida, Illinois, Maryland, Missouri, Montana, Nevada, North Dakota, Oregon, Pennsylvania, Puerto Rico, Rhode Island, South Dakota, Texas, Vermont, Washington, and Wyoming)
- Health insurance information (Alabama, Arizona, California, Colorado, Connecticut, Delaware, D.C., Florida, Illinois, Maryland, Missouri, Montana, Nevada, North Dakota, Oregon, Pennsylvania, Rhode Island, Texas, Vermont, Washington, and Wyoming)
- Unique biometric data (Arizona, Arkansas, California, Colorado, Connecticut, Delaware, D.C., Iowa, Illinois, Louisiana, Maryland, Nebraska, New Mexico, New York, North Carolina, Oregon, Vermont, Washington, Wisconsin, and Wyoming)
- Genetic data (Arkansas (used for identification purposes), California, Delaware, D.C., Maryland, Vermont, and Wisconsin)
- Shared secrets or security token for authentication (Wyoming)
- Taxpayer ID or other taxpayer information (Alabama, Arizona, California, Connecticut, Delaware, D.C., Maryland, Montana, Puerto Rico, Vermont, Virginia (employee TIN plus withholding), and Wyoming)
- IRS identity protection PIN (Arizona, Connecticut, and Montana)
- Employee ID number with access code or password (North Dakota and South Dakota)
- Email address or Internet account number, with security access information (Alabama, Delaware, Florida, Maryland, Nevada, New Jersey, Pennsylvania, Rhode Island, and Wyoming)
- Digital or electronic signature (Arizona, North Carolina, North Dakota, and Washington)
- Employment ID number combined with security access information (North Dakota and South Dakota)
- Birthdate (North Dakota and Washington)
- Birth or marriage certificate (Wyoming)
- Mother’s maiden name (North Dakota)
- Work-related evaluations (Puerto Rico)
- Information collected by automated license plate recognition system (California)
And in Arizona, California, Colorado, Connecticut, the District of Columbia, Florida, Georgia, Illinois, Indiana, Maine, Maryland, Nebraska, New York, North Carolina, Oregon, South Dakota, Texas, Vermont, and Washington, notification requirements can attach to specified identification data even without the individual’s name (in some such states with the proviso that such information would sufficiently enable unauthorized account access or identity theft).
PII media & encryption/redaction safe harbors
All of the state breach notification laws apply to PII in electronic or computerized form. But in several states, including Alaska, Hawaii, Indiana, Iowa, Massachusetts, North Carolina, Rhode Island, Washington, and Wisconsin, a breach of PII in any medium, including paper records, can trigger notification requirements.
Effective encryption of PII is an explicit safe harbor from notification obligations in virtually every jurisdiction, but 22 states now add the condition that the encryption key must not have been compromised in the breach. Thirty-three states now explicitly provide “redaction” as a safe harbor (with six states adding the condition that the means to un-redact are uncompromised), as do 23 states if other means are used to render the information unreadable or unusable.
The mandated time frame for notifying affected individuals has commonly been the most “expeditious” or “expedient” time possible, “without unreasonable delay,” considering such factors as the need to determine the scope of the breach, to restore system integrity, and to identify the affected individuals. But increasingly, states are imposing or tightening outside deadlines for notifications:
- 60 days: Connecticut (formerly 90 days), Delaware, Louisiana, South Dakota, and Texas (formerly no day limit)
- 45 days: Alabama, Arizona, Indiana (formerly no day limit), Maryland, New Mexico, Ohio, Oregon, Rhode Island, Tennessee, Vermont, and Wisconsin
- 30 days: Colorado, Florida, Maine (formerly no day limit), and Washington (formerly 45 days)
- 10 days: Puerto Rico
Twenty-nine jurisdictions’ statutes now contain prescribed minimum content for breach notifications to individuals, and various states have unique content requirements for such notices.
Thirty-seven of the jurisdictions now require breach reporting to the state’s Attorney General or other designated state agencies, triggered at various specified thresholds of affected individuals, ranging from one to over 1,000. And a similar majority of the states require breach reporting to credit agencies, triggered at differing thresholds, from one to over 10,000.
And all but eight jurisdiction’s statutes now contain some notion of a “risk of harm” exclusion to notification duties, either imbedded in the statute’s breach definition, or as an independent exception to the duty to notify.
… and the changes keep flowing
The floodplain of these state PII breach notification statutes remains in motion. Notable trends since 2018 include the ongoing rise in states that include biometric data, genetic data, medical information, health insurance information, and taxpayer information as PII, and the continuing increase of states establishing, or shortening, deadlines for making notifications. States are also becoming yet more directive in specific content requirements for notifications, such as the manner in which credit monitoring and identity theft protection services are offered.
The life raft of a preempting federal law for PII breach notification remains slim, largely because of states’ concerns about such preemption. So, businesses must continue to wade through the various compliance requirements in these state laws. Yes, it continues to be a struggle to stay above water. But keeping up with the changes is crucial — both for security incident response readiness, and also for compliantly defining the scope of information subject to the organization’s security safeguards and controls.