As the number of data breaches continues to rise, states are responding with increasingly frequent and divergent changes to their data breach notification laws. Delaware and Maryland are the latest to continue this trend, each having recently amended its respective statute. Below is a summary of the key statutory amendments warranting particular attention before the new state laws take effect next year.
Maryland
The Maryland General Assembly recently amended the Maryland Personal Information Protection Act, effective January 1, 2018, to:
i. Expand the definition of “Personal Information”;
ii. Provide a 45-day timeframe for notification to affected individuals;
iii. Allow an alternative form of notice for breaches that enable an individual’s email account to be accessed;
iv. Establish exemptions for HIPAA-compliant entities and business associates; and
v. Increase the class of information subject to Maryland’s destruction of records laws.
Expanded Definition of Personal Information
Maryland’s data breach notification statute—Md. Code Com. Law § 14-3501 et seq.—currently defines “personal information” as a person’s first name or first initial and last name combined with any of the following data elements:
- Social Security number;
- Driver’s license number;
- Financial account number, including a credit or debit card number that, in combination with any required security code, access code, or password, would permit access to an individual’s financial account; or
- Individual taxpayer identification number.
Notably, the new law expands that definition to include:
- Passport numbers and other identification numbers issued by the federal government;
- State identification card numbers;
- Health information (defined to include any information created by an entity covered by HIPAA regarding an individual’s medical history, condition, treatment, or diagnosis, including information about an individual’s mental health);
- A health insurance policy, certificate number, or health insurance subscriber identification number, in combination with a unique identifier that permits access to an individual’s health information;
- Biometric data, such as a fingerprint, voice print, genetic print, retina or iris image, or other unique biological characteristic that can be used to uniquely authenticate a person’s identity upon accessing a system or account; and
- A username or email address in combination with a password or security question and answer that permits access to an individual’s email account.
(a) 45-Day Timeframe for Notification.
The new law also amends the timeframe within which notification must be provided. Under the current version of Maryland’s law, breached entities may provide notice “as soon as reasonably practicable”, a relatively flexible standard for such entities to meet.
However, beginning in 2018, notice must be provided no later than 45 days after the business has concluded its investigation and determined that the breach creates a likelihood that personal information has been or will be misused.
Despite this shortened notification time frame to individuals, the requirement to provide notice of a breach of the security of the system to the Maryland Attorney General before notifying affected state residents remains unchanged.
(b) Alternative Form of Notice When a Breach Permits Access to Individual’s Email Account.
The new law allows entities to provide a substitute form of notice when a breach involves only the loss of personal information that enables access to an individual’s email account. Subject to certain exceptions, the business may:
- Provide notice electronically that directs the person to change the password and security questions and answers; and
- Take other steps appropriate to protect the email account with the business and all other online accounts for which the individual uses the same username or email and password or security questions or answers.
This form of substitute notice must be given by a clear and conspicuous notice delivered to the individual online while the individual is connected to the affected email account from an internet protocol address or online location from which the business knows the individual customarily accesses the account.
HIPAA Exemption
Beginning in 2018, HIPAA-covered entities and business associates will be deemed to be in compliance with Maryland’s new law. Under current law, no such explicit exemption appears in the statutory text.
Record Destruction Requirements
Finally, the new law amends Md. Code Com. Law § 14-3502 to expand the class of information subject to Maryland’s destruction of records laws. The current version of the law covers only customer records, whereas the amended law also covers records relating to employees and former employees that contain personal information.
Delaware
On August 17, 2017, Delaware Governor John Carney signed a bill amending the state’s data breach notification law, which had remained unchanged since 2005. The amended law is set to take effect on April 14, 2018, to allow businesses time to adapt to the new requirements. The amendments include several key provisions, such as:
i. Maintaining reasonable procedures and practices to protect personal information;
ii. Broadening the definition of “Personal Information”;
iii. Providing a 60-day timeframe for notifying affected state residents;
iv. Requiring notice to the State Attorney General in certain circumstances;
v. Modifying the risk of harm threshold for notification;
vi. Providing credit monitoring to affected residents; and
vii. Establishing limited exemptions from Delaware’s law.
Data Security Requirements
The new law will mandate that all persons and entities doing business in Delaware implement and maintain reasonable security procedures and practices to “prevent the unauthorized acquisition, use, modification, disclosure, or destruction of personal information collected or maintained in the regular course of business.” Delaware will be one of only 14 states to impose explicit data security obligations on the private sector.
Failure to implement the required measures can result in enforcement action by the Attorney General and may form the basis for individual causes of action for harm caused by a failure to implement reasonable security. The new law does not define or otherwise elaborate on the specific procedures or practices that will be deemed acceptable.
Broader Definition of “Personal Information”
Under the amended law, the definition of “personal information” has been expanded and now includes a Delaware resident’s first name or first initial and last name in combination with any one or more of the following data elements:
1. Social Security number;
2. Driver’s license or state or federal identification card number;
3. Account number, credit card number or debit card number in combination with any required security code, access code or password that would permit access to a financial account;
4. Passport number;
5. A username or email address in combination with a password or security question and answer that would permit access to an online account;
6. Medical history, mental or physical condition, medical treatment, or diagnosis by a health care professional, or deoxyribonucleic acid profile;
7. Health insurance policy number, subscriber identification number, or any other unique identifier used by a health insurer to identify the person;
8. Unique biometric data; and
9. An individual taxpayer identification number.
Expanded Notice Obligations
Under Delaware’s current law, companies are required to give notice of a breach to affected Delaware residents “as soon as possible” after determining that, as a result of the breach, “misuse of information about a Delaware resident has occurred or is reasonably likely to occur.” The law also does not require regulator notification.
However, Delaware’s amended law will drastically change how and when companies provide notice of a breach to affected Delaware residents.
(a) 60-Day Timeframe for Notification (with a caveat). Companies will be required to notify any affected Delaware residents of a data breach within 60 days of determining that a breach has occurred, unless (i) federal law requires faster notification or (ii) law enforcement requests that notice be delayed so as not to impede a criminal investigation.
(b) Notice to the State Attorney General. Companies will be required to notify the Delaware Attorney General if a breach affects more than 500 Delaware residents.
(c) Risk of Harm Threshold. Notification to affected individuals (and the Attorney General, if applicable) is required unless, after an appropriate investigation, the company reasonably determines that the breach is unlikely to result in harm to affected individuals.
(d) Substitute Notice. For breaches involving compromised login credentials, notice of the breach cannot be sent to a compromised email account. Instead, notice can be provided by writing or telephone, or by “clear and conspicuous notice delivered to the resident online when the resident is connected to an online account from an Internet Protocol address or online location from which the person knows the resident customarily accesses the account.”
(e) Providing Credit Monitoring. In cases where a Delaware resident’s Social Security number has been compromised in a data breach, the new law will require that the breached entity provide one year of free credit monitoring services to the affected Delaware resident. Connecticut contains a similar requirement in its respective state breach notification law.
There also will be a carve-out for entities that are subject to other laws on breach notification, such as HIPAA or the GLBA, so that compliance with those other laws will be deemed compliance with Delaware’s amended breach notification law.
As organizations in all industries seek to comply with their existing and future data privacy and breach notification obligations, understanding the latest amendments to state data breach notification laws is essential for incident response and breach preparedness. Now is the time to update incident response plans and procedures to reflect the new notification deadlines, regulator notice thresholds, and credit monitoring requirements.