New 2018 Data Breach Compliance Obligations Begin Going into Effect

By Edward J. McAndrew on January 18, 2018

Posted in Compliance, Cybersecurity, Data Breach, Data Protection, Enforcement, Health Care, Health Information Technology for Economic and Clinical Health Act (HITECH), Health Insurance Portability and Accountability Act (HIPAA), Identity Theft, Incident Response, Legislation, Personal Information, Regulatory Compliance, State Attorneys General, State Law, State Legislatures

With the New Year comes new data breach compliance obligations! Two Mid-Atlantic states have cybersecurity related compliance statutes that have – or will soon – take effect. Are you ready?

New Year’s Day ushered into effect the amended Maryland Personal Information Protection Act, which expands the definition of “personal information,” creates a 45-day deadline for providing notice of a breach, allows for substitute service when the breach enables an individual’s e-mail to be accessed, and increases the class of information subject to Maryland’s destruction of records laws. To the customary litany of data elements comprising “personal information,” Maryland has added personal health and health insurance information, biometric data, online account credentials and passport/government ID numbers. The amended data destruction provision now applies to customer and employee/former employee records containing personal information. See our prior alert detailing the amendments here.

The First State is not far behind – its amended data breach law goes into effect on April 14, 2018. At about the same time most of us file our taxes, Delaware’s amended law will impose a new, widely applicable obligation to implement reasonable security measures, protect additional types of personal information, notify impacted parties and the State AG of breaches, and provide free credit monitoring to impacted Delawareans (No sales tax and free credit monitoring!). Every “person” subject to the amended law will be required to implement and maintain reasonable security procedures and practices. Newly protected types of “personal information” will include personal health information, biometric data, passport and taxpayer identification numbers, and online account credentials. There will be a 60-day consumer notification deadline; an “immediate[]” notification and cooperation requirement for third parties holding personal data for an owner licensor; and an Attorney General notification obligation for breaches involving more than 500 Delawareans. See our prior alert detailing the amendments here.

At least 30 state legislatures introduced security breach notification bills or resolutions in 2017, and 9 states enacted new or amended security breach laws. 2018 is likely to be even busier. Check back with us for new developments and compliance deadlines in data breach laws.

Menu

CyberAdviser

New 2018 Data Breach Compliance Obligations Begin Going into Effect

CyberAdviser

Contact

About