As the frequency of data breaches continues, so do legislative developments on notification requirements that must be met in the event of a breach of Personally Identifiable Information (PII). Even as of now, not every state has enacted such legislation. Until April, there were three holdouts. Now, however, we are down to two: Alabama and South Dakota are the only remaining states that do not have data breach notification legislation. New Mexico, previously the third holdout, has recently joined the majority and enacted its own statute. On April 6, 2017, the Governor of New Mexico signed into law the Data Breach Notification Act (“Act”), 2017. The Act will become effective on June 16, 2017, with several exemptions and carve outs, and inclusion of data protection requirements, discussed below.
In another recent development, Tennessee has clarified that the new breach notification statute it enacted last year will include a safe harbor for encrypted PII after all, at least in most situations.
While broad in the scope of PII to which it applies and specific in the number of days in which notification of a breach must be provided (45 days), the New Mexico statute has several exemptions and allows for a “risk of harm” analysis in the decision of whether notification is necessary. It also includes data protection requirements, and thus goes beyond just breach notification. It is also noteworthy in its deference to federal reporting requirements, providing an exemption for persons subject to certain federal statutes.
The statute exempts the State of New Mexico and its political subdivisions from its provision (Section 12). The provisions of the Act do not apply to a person subject to the federal Gramm-Leach Bliley Act or the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) (Section 8). This provision of the Act reflects deference to the federal reporting requirements under those two statutes.
While the Act contains similar provisions to those of other states, the following Sections are noteworthy:
* The definition of PII: The statute defines PII as including “biometric data”. This is consistent with the growing trend among states to include biometric data, e.g. the Illinois Personal Information Protection Act, which took effect on January 1, 2017 (Section 2)
* Notification of a Security Breach: –Section 6 requires that notification be made in the “most expedient time possible, but not later than forty-five (45) calendar days following the discovery of the security breach, except as provided by Section 9. Section 9, entitled- Delayed Notification, is typical of breach notification statutes in providing that notification may be delayed if a law enforcement agency determines that notification will impede a criminal investigation or is necessary to determine the scope of the security breach and restore the integrity, security and confidentiality of the data system. Significantly, Section 6 also includes a risk of harm provision, in that it provides that notwithstanding the provisions of that Section, notification to affected New Mexico residents is not required, if after an appropriate investigation, the person determines that the security breach does not give rise to a significant risk of identity theft or fraud. However, the Act does not define what constitutes an “appropriate investigation” or “a significant risk of identity theft or fraud.” When notification it is required, it is also to be provided to the office of the attorney general (with additional information required including the number of affected residents) and major consumer reporting agencies (Section 10).
* Disposal of PII: –As part of its security provisions, the statute requires that persons who own or license records containing PII of a New Mexico resident arrange for “proper disposal” of records when they are no longer reasonably needed for business purposes, which in turn is defined as meaning shredding, erasing or otherwise modifying the personally identifying information to make it unreadable or indecipherable. (Section 3)
* Security Measures for Storage of Personal Identifying Information: – The statute requires that a person that owns or licenses PII of a New Mexico resident “implement and maintain security procedures and practices appropriate to the nature of the information to protect the personally identifying information from unauthorized access, destruction, use, modification or disclosure.” (Section 4) While this gives some discretion as to what is appropriate, it remains to be seen what will end up being considered appropriate by the regulator.
* Service Provider Use of PII – Implementation of Security Measures: The statute mandates that a person that discloses PII of a New Mexico resident pursuant to contract with a service provider require “by contract” that the service provider also implement and maintain reasonable security procedures. (Section 5)
Attorney General Enforcement – Civil Penalty – Section 11 allows for the Attorney General to bring an action on behalf of individuals and in the name of the state of New Mexico for alleged violations of the Act and seek injunctive relief, as well as damages for actual costs or losses, including consequential financial losses. In addition, for knowing or reckless violations of the Act, the court may impose civil penalties up to a maximum of $150,000.
The Tennessee legislature recently amended its data breach notification statute to add back in the encryption safe harbor in the definition of “personal information.” When Tennessee initially amended its data breach notification statute last year, it eliminated the encryption safe harbor provisions from the existing statute. Without this recent amendment, Tennessee would have required data breach notification even when the personally identifiable information lost was encrypted. While this was apparently out of concern arising from reports of situations in which hackers were able at times to decrypt files, it gave rise to a counterbalancing concern that it would disincentivize companies from encrypting data. A reasonable level of encryption is still considered a good safeguard to most hacking, and thus the safe harbor was added, at least where the key to encryption is not also taken.
Keep an Eye on State Legislative Developments
As data breaches of Personally Identifiable Information continue to expand the type of information targeted and the security measures circumvented, state legislatures in an effort to protect their residents are now often reviewing their statutes directed at data security and breach notification to see if they are keeping up with those developments. Definitions of protected personal information are being expanded by many states, and many are also adding data security requirements either by way of safe harbors from breach notification or by express directives as to minimal data security procedures. Entities that own or hold Personally Identifiable Information need to monitor legislative developments that may impact data breach security and notification requirements and take them into account in their breach preparedness and response plans. This ongoing monitoring will help ensure compliance with statutory requirements and minimize regulatory and legal liability issues that may arise in the event of a data breach when requirements are not satisfied.