We have updated our summary of state data breach notification laws in light of recent amendments to some of the laws since our last update in September 2015.

Notably, Tennessee amended its data breach notification law, the Identity Theft Deterrence Act, effective July 1, 2016, by eliminating an encryption safe harbor and requiring that affected residents be notified of a breach affecting their personal information immediately, and no later than 45 days after discovery of the breach.  Thus, the notification obligation extends to all computerized data that is subject to unauthorized acquisition, regardless of whether the data is encrypted or unencrypted.  Tennessee is the first state to extend data breach notification obligations to encrypted data.

Illinois also amended its data breach notification law, the Personal Information Protection Act (PIPA), effective January 1, 2017.  Consistent with some other state laws, the amendments to PIPA expand the definition of “personal information” to include medical information, health insurance information, and unique biometric data when used with an individual’s first and last name, as well as a user name or e-mail address plus a password or security question and answer that would provide unauthorized access to an online account.  In addition, covered entities and business associates that are subject to the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act and are required to notify the Secretary of Health and Human Services of a breach will be deemed to be in compliance with PIPA if they notify the Illinois Attorney General of the breach within five business days of notifying the Secretary.

To view the latest summary on our website and/or download a copy, click here.