With Memorial Day unofficially kicking off summer, those keeping up on recent changes to state data breach laws are eyeing their calendars, as a series of state amendments are due to come into effect.  Beginning on July 1, both Nevada and Wyoming will expand their definitions of personal information.  One month later on August 1, North Dakota will follow suit, slightly limiting its definition of personal information but expanding its reporting duties.  Key takeaways from the state amendments are detailed below.

The states’ legislative actions will likely up the ante at a time when Congress is considering a national data breach notification standard.  The recent flurry of activity reflects the states’ growing interest in how data breaches affect their residents.  Even in the face of national legislation, that interest is unlikely to subside.

Nevada (A.B. 179)

·         Nevada’s definition of “personal data” will expand to include medical, health insurance, or driver’s authorization identification numbers.  The law will now also apply to breaches of a “user name, unique identifier or electronic mail address in combination with a password, access code or security question and answer that would permit access to an online account.”

Wyoming (SF-35 and SF-36)

·         Wyoming will become the only state to define personal information as including an individual’s name in combination with shared log-in authenticators or security tokens, as well as birth or marriage certificates.

·         Wyoming will also expand the information required in a breach notification.  Not only must the notification be “clear and conspicuous,” but it must also indicate the types of information reasonably believed to be comprised, include a summary of the incident, and describe the actions taken to prevent future breaches.

North Dakota (S. 2214)

·         In contrast to its Western brethren, North Dakota will actually limit its definition of personal information.  With the amendment, employer-assigned identification numbers will only trigger the notification law if the numbers’ breach is also accompanied by a breach of a “required security code, access code, or password.”

·         North Dakota will, however, expand its law in other ways.  It will now require notification of the state Attorney General, in addition to those individuals whose data was compromised.  Before the amendment, only individual notification was necessary.

·         Most notably, North Dakota is also expanding the pool of companies potentially subject to its notification law.  Previously, only those companies conducting business in the state were required to adhere to its breach notification procedures.  As written, the amendment now applies the law to any company who suffers a breach, regardless of where it conducts business.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Kate Growley Kate Growley

Businesses around the globe rely on Kate M. Growley to navigate their most challenging digital issues, particularly those involving cybersecurity, artificial intelligence, digital infrastructure, and their intersection with national security. Clients seek her guidance on proactive compliance, incident response, internal and government-facing investigations…

Businesses around the globe rely on Kate M. Growley to navigate their most challenging digital issues, particularly those involving cybersecurity, artificial intelligence, digital infrastructure, and their intersection with national security. Clients seek her guidance on proactive compliance, incident response, internal and government-facing investigations, and policy engagement. With a unique combination of legal, policy, and consulting experience, Kate excels in translating complex technical topics into advice that is practical and informed by risk and business needs.

Kate has extensive experience working with members of the U.S. government contracting community, especially those within the Defense Industrial Base. She has partnered with contractors from every major sector, including technology, manufacturing, health care, and professional services. Kate is an IAPP AI Governance Professional (AIGP) and a Certified Information Privacy Professional for both the U.S. private and government sectors (CIPP/G and CIPP/US). She is also a Registered Practitioner with the U.S. Cybersecurity Maturity Model Certification (CMMC) Cyber Accreditation Body (AB).

Having lived in Greater China for several years, Kate also brings an uncommon understanding of digital and national security requirements from across the Asia Pacific region. She has notable experience with the regulatory environments of Australia, Singapore, Japan, and Greater China—including the growing regulation of data flows between the latter and the United States.

Kate is a partner in the firm’s Washington, D.C., office, as well as a senior director in the firm’s consultancy Crowell Global Advisors, to which she was seconded for several years. She is a founding member of the firm’s Privacy & Cybersecurity Group and part of the firm’s AI Steering Committee. She has been internationally recognized by Chambers and named a “Rising Star” by both Law360 and the American Bar Association (ABA). She has held numerous leadership positions in the ABA’s Public Contract Law and Science & Technology Sections and has been inducted as a lifetime fellow in the American Bar Foundation.

Read more about Kate Growley
Show more Show less
Related Posts
Impacts of the National Cybersecurity Strategy on Government and Private Sector Collaboration
June 15, 2023
Iowa to Introduce the Sixth Comprehensive State Privacy Law in United States
March 24, 2023
China’s New Standard Contractual Clauses and Impact on Data Intensive Businesses
March 20, 2023