Tag Archives: Personal Information

Illinois Amends Breach Notification Statute

Illinois Governor Bruce Rauner signed HB1260 into law, amending the state’s Personal Information Protection Act and adding to the law’s breach notification requirements. The new law will be in effect January 1, 2017.


Personal Information

The amendments expand the definition of personal information to include the bolded items below:

Individual’s first and last name in combination with any of the following:

  • Social Security number
  • Driver’s license number
  • State identification card number
  • Financial account number with password to access the account
  • Medical information
  • Health insurance information
  • Unique biometric information
  • Username or email address in combination with the password or security question and answer to allow access to the account


The amendments provide some clarity to the encryption safe harbor provision. If personal information is encrypted, but the data can be read through the decryption key or other means, the safe harbor does not apply.

Notice Requirements

There are several changes to the requirements when issuing notice of a breach:

Individuals: If personal information that falls under the username or email address category of personal information has been breached, notice should be provided in electronic form, prompting the individual to change the username, password, or security question and answer to protect the security of the account.

Attorney General: If an entity is required to notify HHS of a breach under HITECH, they must also notify the Illinois Attorney General within five days of notifying HHS.

State Agencies: If a State agency suffers a breach affecting more than 250 Illinois residents, it shall notify the Attorney General within 45 days of discovery of the breach or when it notifies affected individuals, whichever is sooner. The notice shall include the following:

  • The types of personal information compromised;
  • The number of Illinois residents affected;
  • Any steps the State agency has taken to notify affected individuals; and
  • The date and time-frame of the breach.

Data Security

The amendments create a new provision in the law requiring any entity that controls personal information about an Illinois resident to maintain reasonable safeguards to protect the information from unauthorized access.

A similar provision applies to contracts between entities that control the personal information and any third-party to whom they disclose the information. The contracts must include a provision requiring the third-party to adhere to the same standards of maintaining reasonable safeguards to protect the information from unauthorized access.


Under the new law, entities complying with the following regulations are considered compliant with the law’s standards:

  • GLBA: An entity compliant with the Gramm-Leach-Bliley Act is deemed compliant with this law.
  • HIPAA: A covered entity or business associate compliant with HIPAA and HITECH is deemed compliant with this law.

Nebraska Amends Breach Notification Statute

Nebraska Governor Pete Ricketts signed into law LB 835, amending the state’s breach notification statute by expanding the definition of personal information and adding notification requirements.


The definition of personal information is expanded to include – in combination with first and last name – a user name or email address in combination with the password or security question and answer that would allow access to an online account.

Additionally, the law requires notice to the Nebraska Attorney General no later than notice is provided to Nebraska residents.

The amendments also provide clarification that data is not considered encrypted if the encryption key was reasonably believed to have been obtained during the breach.

The changes will be in effect July 20, 2016.

California Amends Data Breach Notification Law

Governor Jerry Brown recently signed three bills into law, amending California’s breach notification statute. The new laws expand the definition of personal information, add clarity to the term encryption, and add requirements for notification letters.

Personal Information Definition

S.B. 34 expands the definition of personal information to include information or data collected through the use or operation of an automated license plate recognition system.

License plate recognition systems use optical character recognition on images to read license plate numbers and store that data. Many police departments have adopted this technology, creating concerns regarding the use and safety of that data.

The amendment requires entities using the technology to maintain reasonable safeguards to protect the license plate recognition data from unauthorized use or disclosure. The law also has a provision allowing private right of action for anyone harmed by violations of the statute.

Encryption Definition

A.B. 964 provides a bit of clarity on the definition of encryption. Most state laws, including California’s, allow for a safe harbor for encrypted information that is accessed by an unauthorized person. The grey area of the law is what qualifies as acceptable encryption.

The amendment defines encryption as information that is “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.”

Notification Letter Changes

S.B. 570 updates the requirements for breach notification letters that are sent to individuals affected by a security breach.

Additional requirements include:

  • The notification must be titled “Notice of Data Breach.”
  • The information must be presented under the following headings – “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.”
  • The title and headings must be clearly and conspicuously displayed.
  • The text should be at least 10-point font size.

The new law also provides a model security breach notification form that complies with the requirements listed above.

The amendments are effective January 1, 2016.

Amended State Student Privacy Laws – Georgia and Maryland


Georgia’s Student Data Privacy, Accessibility, and Transparency Act – SB 89 – creates new policies to help safeguard student data and personal information. Key provisions of the bill include:

  • A Department of Education leader to serve as Chief Privacy Officer;
  • An inventory of data elements collected with purpose or reason for collection;
  • Development of a data security plan for the state data system;
  • Providing parental rights to inspect and correct student data;
  • Establishing and implementing policies and requirements with respect to the collection and disclosure of student data; and
  • Requiring third-parties working with schools to develop appropriate security procedures and prohibiting them from selling student data or using it for targeted advertising.

The law’s comprehensive approach is reflective of the SOPIPA law California passed and puts important provisions in place to protect student data.


Maryland’s Student Data Privacy Act – HB 298 – also takes influence from California’s SOPIPA law and creates additional provisions for online service providers. The law adds more protections for student data by prohibiting third parties from using student data in targeted advertising or creating personal profiles for non-educational purposes.

Five Important Changes to Canada’s PIPEDA

The Canadian government passed the Digital Privacy Act to amend the Personal Information Protection and Electronic Documents Act (PIPEDA) which governs the collection, use, and disclosure of personal information by private organizations in Canada. There are several important changes for Canadian organizations to take note of.

It’s also worth noting that these amendments expand the situations in which organizations are allowed to share personal information without consent. However, organizations should be aware that PIPEDA requires use or disclosure of personal information to be reasonable, and appropriate safeguards must be in place when personal information is transferred from one entity to another.

1. Data breach notification requirements

PIPEDA now includes data breach notification requirements that will come into effect at a later date to be announced. Organizations affected by a data breach will be required to disclose the incident to the Office of the Privacy Commissioner of Canada (OPC) and to affected individuals when a reasonable expectation of harm exists as a result of the breach. Violations may result in fines up to C$100,000. Additionally, the OPC will be able to publicize data breaches as they see fit.

2. Sharing personal information during business transactions

Organizations are now allowed to use and disclose personal information without consent in a situation when it is necessary to determine whether to proceed with the business transaction or not. This does not apply when the purpose of the transaction is to buy, sell, or lease personal information. And if the transaction is not completed, all personal information must be returned or destroyed within a reasonable amount of time.

3. Notice required for using employee information

Federal works, undertakings (FWUB), or businesses are now allowed to collect, use, and disclose the personal information of an individual without his or her consent in situations where it’s necessary in order to establish, maintain, or terminate an employment relationship with that individual. However, the FWUB is required to inform the individual of the purpose of the collection, use, and disclosure.

4. Sharing personal information during investigations

Organizations are now allowed to disclose personal information to another organization without consent when it is reasonable for the purposes of investigations relating to a breach of agreement or Canadian law and when it is reasonable to expect that obtaining consent from the individual would compromise the investigation.

5. OPC enforcement actions include compliance agreements

The OPC now has the authority to enter into compliance agreements with organizations where they believe an organization is likely to violate PIPEDA. Compliance agreements are voluntary for organizations and can be entered with the intent to demonstrate a commitment to privacy protection.

Oregon Amends State Breach Notification Statute

Oregon Governor Kate Brown signed into law SB 601, updating the Oregon Consumer Identity Theft Protection Act of 2007. The amendment broadens the definition of personal information (PI) and includes additional requirements to notify the state Attorney General.

PI has been expanded to include the following elements in combination with first and last name:

  • Biometric information (fingerprint, retina, or iris);
  • Health insurance; and
  • Medical information

Additionally, the act now requires written or electronic notice to the Attorney General if the number of consumers affected by the breach exceeds 250 individuals.

The bill will take effect on January 1, 2016, and apply to data breaches occurring on or after that date.

Nevada Amends State Breach Notification Statute – More Stringent Encryption Requirements

Nevada Governor Sandoval signed AB 179, expanding the definition of personal information (PI) for the state’s data breach notification requirements and data safeguard laws.

PI has been expanded to include the following elements in combination with first and last name:

  • Driver authorization card number;
  • Medical identification number or health insurance number; or
  • User name, unique identifier or email address in combination with a password, access code or security question and answer that would permit access to an online account.

The other significant part of the amendment is the application to data security safeguards. Nevada’s overarching data security law now includes a provision requiring the encryption of PI and online account credentials that are transferred electronically outside of the organization. Organizations are now required to encrypt a broader range of transmitted information.

The amendments are effective July 1, 2015.

Montana Amends State Data Breach Notification Statute

Montana’s governor signed into law HB 74, amending the state’s data breach notification statute to broaden the definition of personal information (PI) and include additional requirements.

PI has been expanded to include the following elements in combination with first and last name:

  • Medical record information;
  • Taxpayer identification number; or
  • An identity protection personal identification number issued by the U.S. internal revenue service.

Additional requirements include submitting an electronic copy of the notification, along with a statement providing the date and method of distribution of the notification and the number of residents impacted by the breach, to the state Attorney General’s Consumer Protection Office.

The bill was enacted on February 27, 2015 and will take effect on October 1, 2015.