All 50 states have enacted their own version of a data breach notification statute requiring notice to affected individuals and/or regulatory bodies in the event of data loss, unauthorized data access or data exfiltration of personally identifiable information (“PII”). Many states, however, do not require such notification when the data at issue is encrypted. But what “encryption” requirements trigger this “safe harbor” provision? Each state’s answer to this question is slightly different. Some states exclude disclosure or access of encrypted PII from the definition of “breach” requiring notice. In such states, notification is required only if the accessed or disclosed PII is unencrypted. In other states, including New York, a “breach” occurs only where there is unauthorized access of both encrypted information and the necessary encryption key. N.Y. Gen. Bus. Law § 899-aa (Westlaw through L. 2019, ch. 1 to 19) (effective Mar. 28, 2013). Unauthorized access of encrypted data alone, therefore, may not necessarily be a breach that requires notice.
Continue Reading

With Alabama’s recent enactment of the Alabama Data Breach Notification Act of 2018 (“Act”), all 50 states now have their own data breach reporting statutes. Given the complexity of the current U.S. data breach reporting regime, which also includes statutory reporting obligations in jurisdictions like Puerto Rico and the District of Columbia, businesses with customers in more than one state must coordinate with advisors who have experience navigating this patchwork quilt of statutes.

On March 28, 2018, Alabama became the 50th (and final) state to enact a data breach notification law. The Act requires notification where a “good faith and prompt investigation” results in a determination that “sensitive personally identifying information” (“SPII”) of an Alabama resident has been acquired or is reasonably believed to have been acquired by an unauthorized person, “and is reasonably likely to cause substantial harm to the individuals to whom the information relates.” 
Continue Reading

South Dakota is the latest state to add notice requirements for data breaches, mandating notice within 60 days of the breach. Like many others before it, South Dakota armed the mandate with steep monetary penalties of up to $10,000 per day, per violation.

Alabama — the sole remaining U.S. state without a data breach law

On December 3, 2017, the National Association of Insurance Commissioners (“NAIC”) Cybersecurity (EX) Working Group met and noted that the U.S. Department of the Treasury has recommended that states nationwide work to implement NAIC’s recently adopted Insurance Data Security Model Law (“Model Law”). The full text of the Model Law is available at NAIC.org and can be found here. The Model Law sets standards and best practices for insurers to follow as they safeguard consumers’ data, and it closely follows the New York State Department of Financial Services (“NYDFS”) Cybersecurity Regulation, 23 NYCRR 500, which was adopted earlier this year and applies to those regulated or licensed under New York insurance, banking or finance laws. In short, those in the insurance industry need to take action to develop cybersecurity programs and procedures.
Continue Reading