As people become more aware of the importance of data security and privacy, states have started passing more laws regarding breaches and notifications. We’ll be seeing many go into effect in 2020. Make sure you’re up to date on the newest regulations and requirements in your state, and any state in which you operate!
We’ve listed below the main state laws to be aware of, with links to the text of the bills and some additional information found on the states’ legislative websites or LegiScan.
California Consumer Privacy Act AB 375
Effective January 1, 2020
Purpose: “The California Constitution grants a right of privacy. Existing law provides for the confidentiality of personal information in various contexts and requires a business or person that suffers a breach of security of computerized data that includes personal information, as defined, to disclose that breach, as specified.”
Delaware Insurance Data Security Law HB 174
Effective July 31, 2020
“This Act establishes standards for data security for Title 18 licensees and standards for the investigation of and notification to the Commissioner of a cybersecurity event affecting Title 18 licensees.”
Texas HB 4390
Effective January 1, 2020
“An Act relating to the privacy of personal identifying information and the creation of the Texas Privacy Protection Advisory Council.”
New Hampshire Insurance Data Security Law
Effective January 1, 2020
“This bill establishes the insurance data security law. This bill is a request of the insurance department.”
New York Shield Law S5575B
Effective March 1, 2020
Purpose: “New York’s data breach notification law needs to be updated to keep pace with current technology. This bill broadens the scope of information covered under the notification law and updates the notification requirements when there has been a breach of data. It also broadens the definition of a data breach to include an unauthorized person gaining access to information. It also requires reasonable data security, provides standards tailored to the size of a business, and provides protections from liability for certain entities.”
Oregon SB 684
Effective January 1, 2020
Summary: “Specifies requirements for covered entities that own, license, maintain, store, manage, collect, process, acquire or otherwise possess personal information, and for vendors that provide services to covered entities, to notify consumers of breach of security. Specifies exemptions for certain covered entities that are subject to other laws governing protections and disclosures.”
Virginia Breach of Personal Information Notification § 18.2-186.6
Effective January 1, 2020
The Office of the Attorney General released a memo detailing the types of personal information considered protected under the statute.
Washington HB 1071
Effective March 1, 2020
“The legislature recognizes that data breaches of personal information can compromise financial security and be costly to consumers. The legislature intends to strengthen the data breach notification requirements to better safeguard personal information, prevent identity theft, and ensure that the attorney general receives notification when breaches occur so that appropriate action may be taken to protect consumers. The legislature also intends to provide consumers whose personal information has been jeopardized due to a data breach with the information needed to secure financial accounts and make the necessary reports in a timely manner to minimize harm from identity theft.”