Legislative and regulatory activity continues apace, with four states making changes to their data privacy and cybersecurity legislation in the past month alone. West Virginia and Mississippi enacted new legislation while Virginia and Utah amended their existing data breach notification laws.
On March 18, 2019, Virginia amended its data breach notification statute (VA HB 2396). The amendment expands the reach of Virginia’s breach notification statute to cover a passport number or military identification number that is accessed in combination with an individual’s first name or first initial and last name. The amended statute goes into effect on July 1, 2019.
On March 25, 2019, West Virginia created a Cybersecurity Office through the enactment of West Virginia House Bill 2452. The new office sits within the existing Office of Technology and is aimed at assessing the vulnerabilities of state agencies; it has the authority to set standards for cybersecurity and to manage the cybersecurity framework for those agencies. The law also creates a Chief Information Security Officer to oversee the Cybersecurity Office. The Chief Information Security Officer is authorized to create a cybersecurity framework and to assist and provide cybersecurity guidance to agencies. The new law requires agencies to undergo cyber risk assessments and to address cybersecurity deficiencies, and requires the Chief Information Security Officer to provide annual reports to the Governor and the Joint Committee on Government and Finance on the status of the state’s cybersecurity program. The new West Virginia law will go into effect on May 14, 2019.
On March 26, 2019, Utah amended its data breach notification statute (SB 193) in three significant ways. (1) Substitute Notice as Last Resort: Previously, the state allowed for notification to be provided in writing, electronically, by telephone, or by “publishing notice of the breach.” With the enactment of SB 193, published notice is acceptable only if notification in writing, electronically, or by telephone is not feasible, making published notice a last resort. (2) No Civil Penalty Limit for Major Incidents: SB 193 eliminates the existing civil penalty limit of $100,000 for incidents affecting 10,000 or more consumers, allowing for potentially higher penalties for major data breaches. (3) Five and Ten Year Statute of Limitations: SB 193 establishes a statute of limitations for administrative and civil actions for violations of the data breach notification law. A civil action must be brought within five years, and an administrative action must be brought within ten years, of the date of the alleged breach. These changes are effective May 14, 2019.
On April 3, 2019, Mississippi enacted its Insurance Data Security Law (MS S 2831). This law, consistent with the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law, covers insurance licensees in the state. South Carolina was the first state to enact a version of the NAIC model law in May 2018, and several states have since followed suit. Mississippi’s version of the law broadly defines nonpublic information and requires licensees to establish an information security program, to complete ongoing risk assessments, and to develop a written incident response plan. The law requires licensees to investigate all cybersecurity events and to notify the Commissioner of Insurance after confirming the existence of such an event. Notably, the law exempts companies with fewer than 50 employees, less than $5 million in gross annual revenue, or less than $10 million in year-end total assets, as well as insurance producers and adjusters. The Mississippi Insurance Data Security Law will go into effect on July 1, 2019.