Washington, North Dakota, and Virginia Deepen Commitment to Data Breach Prevention and Cybersecurity

Continuing a national trend to enact or bolster state data breach notification laws, two more states signed new amendments into law this month that expand notification requirements for businesses that experience a data security breach. In addition to increasing notification obligations, both states also refined the scope of data that will trigger those obligations. In addition, Virginia established a new governmental organization to collect and share information on cybersecurity threats and took action to encourage statewide adoption of technologies that will enhance financial data security.

Washington amended its data breach notification law to impose new notification requirements on businesses exposed to data breach. The amended law requires businesses to notify affected individuals within 45 days after the breach is discovered whenever the breach is reasonably likely to subject consumers to a risk of harm. It further specifies the information that must be included in customer notifications, including basic information to help consumers secure or recover their identities, such as the contact information for consumer reporting agencies. Businesses must also notify the State Attorney General within 45 days of discovery whenever a data breach affects more than 500 Washington residents. Finally, the amended law expands coverage to include hard copy data (in addition to computerized data) and removes a blanket exemption for encrypted data, clarifying that a breach of encrypted data can trigger notification requirements if the encryption key or other decryption tools are acquired during the breach. The full text of Washington's law as amended, which becomes effective in July 2015.

North Dakota amended its security breach notification law to require any person or business that experiences a breach of its security system affecting more than 250 individuals to disclose the breach to the State Attorney General. The amendment narrows the definition of "personal information" as it pertains to employee data. Now, a breach that compromises an individual's employee identification number will only give rise to notification obligations if the breach also affects "any required security code, access code, or password" accompanying the employee identification number.

Virginia rolled out several initiatives in April and May to enhance security protections for financial data and to address cybersecurity threats, becoming the first state to address these issues in response to the President's executive orders in October 2014 and February 2015. On April 20, Virginia announced the creation of the first state-level Information Sharing and Analysis Organization (ISAO), a new governmental organization intended to facilitate the collection and sharing of information related to cybersecurity threats and attacks. This news comes on the heels of multiple high-profile data breach incidents and just two months after the Commonwealth of Virginia established the Virginia Cyber Security Commission to develop expertise in the area of cybersecurity. In addition, Virginia's governor signed the "Securing Consumer Transactions" directive on May 5, which encourages adoption throughout Virginia of advanced electronic payment security technologies, including "chip-and-pin" authentication features. This directive instructs the Commonwealth's technology and finance secretaries, treasurer, and comptroller to (1) update the state's main purchase card program to include chip-and-pin technology by the end of the year, and (2) develop a plan to enhance the security features of merchant and prepaid debit card programs by October 1, 2015. The governor's press release announcing Virginia's ISAO is available here.

With these latest developments, data breach prevention and cybersecurity continue to be top priorities among states looking to address privacy concerns raised by their constituents. With new data breaches coming to light on a regular basis and a renewed national attention to consumer privacy, we can expect more legislative action on the horizon.

© Arnold & Porter Kaye Scholer LLP 2015 All Rights Reserved. This blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.