States Setting the Bar
The month of March saw the continuation of a trend of states taking a leading role in strengthening data privacy laws. Here are some recent developments at the state level:
1. Alabama wins the race to be last
At the beginning of March, only two states, Alabama and South Dakota, didn’t have data breach notification laws. As of yesterday, there are none. South Dakota narrowly edged out Alabama in the race not to be the last state without a data breach notification law: its governor signed the state’s bill on March 21st. Alabama’s House passed theirs one day later, and their governor signed the bill into law on April 3.
2. Colorado proposes to join the 30-day club
Currently, the shortest breach notification timeline required by any state’s law is 30 days. Two states (Florida and Indiana) require consumer notification of data breaches within 30 days of discovering that a breach has occurred. The Colorado legislature is currently considering a bill to join them. It is worth noting that Colorado isn’t the only state considering shortening their notification timelines. Earlier this year, the North Carolina Attorney General proposed evaluating lowering that state’s notification timeline to 15 days.
3. Moving forward from Equifax
Meanwhile, Nebraska took major steps to strengthen consumer protections in response to recent data breaches. A new law that was signed at the end of February now requires any consumer credit reporting bureau to provide Nebraska residents with free credit freezes and temporary lifts. The new law also requires holders of personal information in the state to implement security safeguards to protect that information. Covered Entities can breathe easy: complying with the HIPAA Security Rule is sufficient to comply with state law.