Two states enacted new laws in May that will impose significant new compliance burdens on companies doing business with customers in those states.
On May 13, Nevada Governor Brian Sandoval signed legislation (A.B. 179) that requires companies to employ encryption to protect personal information transferred electronically outside of a business and to notify state residents if that information is compromised in a data breach. The legislation, which will go into effect on July 1, also expands the definition of personal information to include a “user name, unique identifier or electronic mail address in combination with a password, access code or security question and answer that would permit access to an online account.”
According to an online report from the law firm of Morrison & Foerster, the Nevada legislation will apply the state’s encryption requirements to online account credentials, which means companies will not be able to “(1) transfer ‘personal information’ through an electronic, non-voice transmission (other than a fax) to a person outside of the company’s secure system unless the transmission is encrypted in accordance with certain standards; or (2) move a ‘data storage device’ containing ‘personal information’ beyond the logical or physical controls of the company or its data storage contractor unless the information is encrypted.”
A month earlier, North Dakota Governor Jack Dalrymple signed legislation (SB 2214) to require any person or entity, including those not located in the state, to disclose a security breach affecting the personal information of any residents of the state. The new law, which takes effect on August 1, 2015, also includes a state attorney general notification requirement for any breach that affects more than 250 individuals.
States are continuing to act in the absence of legislative action in Congress to create a single federal breach notification standard to replace the patchwork of state laws. North Dakota and Nevada became the fourth and fifth states this year to expand the scope of their state data breach laws. The other states to do so are Montana, Washington, and Wyoming.
More than a dozen breach notice bills have been introduced in Congress this year. The one that has advanced the farthest, H.R. 1770, was passed by the House Energy and Commerce Committee on April 15. However, that legislation has been stymied by opposition from two sides: business groups, which argue that the pre-emption provisions are insufficient to prevent class action litigation based on state common law, and consumer advocates and state law enforcement officials, who believe the legislation would diminish protections for individuals under many state breach notice laws.