As of January 1, 2012, California will have specific requirements for the content of data breach notification letters, as well as a requirement to notify the attorney general.
|
March 29, 2010 | Posted by Ryan Mrazik and Susan Lyon
Last Monday, Washington passed HB 1149, which holds payment processors, businesses, and vendors who fail to protect against unauthorized access to consumers' credit and debit card account information responsible for financial institutions' costs of reissuing credit and debit cards in the event of a breach. Payment processors, businesses, and vendors can, however, receive safe harbor under the statute if (1) the account information was encrypted at the time of the breach or (2) the processor, business, or vendor was certified as PCI DSS compliant at the time of the breach. The law goes into effect July 1, 2010.
|
March 15, 2010 | Posted by
Editor's Note: Our initial report on the much anticipated demise of this Maine law was a bit premature. The bill is expected to pass but is a few weeks from its final demise. Our deepest apologies for this error. We are redoubling our striving for excellence. Corrected posting is below.
A controversial Maine law passed last year that banned the use of personal information about minors for marketing purposes is close to being repealed. The new Maine law that would take its place is much more narrowly tailored to prohibit use of information collected online from minors for the purpose of marketing pharmaceuticals.
|
October 30, 2009 | Posted by Ryan Mrazik
Today, the Massachusetts Office of Consumer Affairs and Business Regulation ("OCABR") filed its final amendments to the state's data security regulations, which impose specific requirements on entities for safeguarding the personal information of Massachusetts residents. The OCABR will make its amendments public next Monday, but has already stated that it didn't make any major changes and only clarified language regarding contracts between persons who own or license personal information and third-party service providers. The updated regulations are scheduled to take effect on March 1, 2010.
|
July 20, 2009 | Posted by Editor
Missouri has become the 45th state to enact data breach notification legislation. Governor Jay Nixon signed House Bill 62 into law on July 9, 2009. The new law goes into effect on August 28, 2009.
|
April 17, 2009 | Posted by Ryan Mrazik
Earlier this month, Senators Rockefeller, Snowe, and Nelson introduced S.773, the "Cybersecurity Act of 2009." The bill is primarily designed to address cybersecurity in the federal government, but various provisions could impact you or your business, particularly if you are designated as a "critical infrastructure information system or network," provide cybersecurity to the federal government, are a small- or medium-sized business, or are an institution of higher learning. The bill would (1) create new government agencies, work forces, and tasks; (2) create new priorities for existing federal agencies; and (3) implement new Presidential powers to address cybersecurity on a national scale.
|
March 11, 2009 | Posted by Ryan Mrazik
In California, proposed legislation (SB 20) would significantly update the state's data breach notification statute. The bill would (1) delineate standard information that agencies, businesses, and individuals must include in any data breach notification and (2) require centralized reporting of certain breaches to the state's Attorney General. In 2003, California became the first state to pass a data breach notification statute. That statute then served as a model for more than 40 other similar statutes. Given the impact of California's initial statute, these changes, if adopted, could prompt similar updates in numerous other states across the country.
|
March 27, 2008 | Posted by Editor
On March 24, 2008, Indiana Governor Mitch Daniels signed House Bill 1197, an amendment to Indiana's security breach notification statute, into law. The new version of the law, which goes into effect July 1, 2008, has a higher threshold for exclusion than the prior version.
|
January 2, 2007 | Posted by Editor
With the advent of 2007, five new state security breach notification laws -- in Hawaii, Kansas, New Hampshire, Utah and Vermont -- have come into effect. Additionally, the Michigan legislature has passed security breach notification legislation that, as of this writing, awaits the governor's signature. Pending approval of the Michigan law, thirty-four states and Puerto Rico require notification to individuals whose personally identifiable information is compromised. For summaries of these laws, please refer to the chart that we maintain at www.perkinscoie.com/statebreachchart/chart.pdf.
|