Overview

Cyberattacks continue to plague businesses, making the fallout of data breach notification and response as important as ever. This year, like 2021, has been relatively quiet as it pertains to state updates to breach notification laws. Much of the excitement has instead been around omnibus privacy laws, some of which cover data security as well. Only Maryland made significant alterations to its general data breach notification law, while several other states made more minor changes, as detailed below.

While the state law front has been relatively muted in 2022, the federal government has issued or proposed several new data security and breach reporting requirements for certain types of entities. Companies should be aware of the updates in federal laws and federal guidance demanding cybersecurity measures in order to maintain adequate security posture to best prevent ransomware and other cyberattacks.

We discuss relevant state and federal updates below.

State Breach Law Updates

Maryland

On May 29, 2022, Maryland’s governor signed into law a number of changes to its breach notification law that became effective on October 1, 2022, most of which have relatively minor impact. The changes in HB 962 include the following:

  • Expanded definition of personal information. The definition of “Personal Information” was altered to include “genetic information.”
  • Alterations to notification deadlines. Changes were made to several requirements:
    • Notice to individuals must be given within 45 days after the business discovers or is notified of the breach of the security of a system. (Previously, notice could be given 45 days after the company’s investigation was completed.)
    • Businesses that maintain data on behalf of the data owner must notify the data owner within 10 days of discovery or notification of the breach (previously, this was 45 days).
    • When these notices are delayed by a law enforcement request beyond the 45-day period, they must be provided seven days after law enforcement determines notice will not impede its investigation.
  • Content requirements for attorney general notification. Notice to the Office of the Attorney General must now include the number of affected individuals residing in the state, a description of the breach, “including when and how it occurred,” and remediation steps the business has taken or plans to take, along with a copy of the notice.
  • Substitute notice revised. Notification to a statewide media source is no longer sufficient. Instead, notification must be given to major print or broadcast media in geographic areas where the individuals affected by the breach likely reside.
  • Additional note: Expanded application of data security requirements. HB 962 also included a change to § 14–3503, which requires entities to apply reasonable security to “personal information.” The statute will now apply to entities that maintain information, in addition to those that own or license the information.

Other State Breach Law Changes

  • Arizona House Bill 2146, effective July 22, 2022, requires that in incidents involving more than 1,000 Arizona residents, entities must notify both the attorney general and the director of the Arizona Department of Homeland Security, instead of previously just the former.
  • Indiana House Bill 1351, effective July 1, 2022, adds a time limit of no more than 45 days after the discovery of the breach to notify individuals and the state attorney general. Indiana did not previously impose a notification deadline, although the attorney general’s office encouraged notification within 30 days.
  • Maryland, Kentucky, and Vermont each passed a version of the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law, which has been implemented in 18 other states in the past several years. These laws require entities subject to a state’s insurance licensing to develop an information security program, investigate cyber events, and notify the state insurance commissioner of material cyber events. The most recent laws will go into effect in 2023; similar laws passed last year in Hawaii and Minnesota have just come into effect over summer 2022.

Federal Action: Forthcoming Federal Breach Reporting Requirements

Responding to waves of highly complex and damaging cyberattacks in recent years, two major new requirements are poised to significantly alter incident response for certain covered organizations.

Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). On March 15, 2022, President Biden signed CIRCIA into law following attacks on critical infrastructure, such as the May 2021 ransomware attack on Colonial Pipeline and the Russian government attacks against the energy sector. Under CIRCIA, certain “Covered Entities” will be required to report various categories of events, including “covered cyber incidents” (CCIs) and ransom payments. We covered more details regarding the scope of CIRCIA in a previous Update.

CIRCIA requires the Cybersecurity and Infrastructure Security Agency (CISA) director to propose a rule within two years of its enactment. This rulemaking is currently ongoing, with comments due November 16.

SEC Proposes New Cybersecurity Disclosure Rules. On March 9, 2022, the U.S. Securities and Exchange Commission (SEC) issued proposed rules regarding cybersecurity risk management, strategy, governance, and incident disclosure for public companies subject to the reporting requirements of the Securities Exchange Act of 1934. Importantly, the SEC proposed to amend Form 8-K to require disclosure of “material” cybersecurity incidents within four business days. The four-day period would begin after a company determines that a cybersecurity incident was material, and not from the date of the incident itself. For more specifics regarding the proposed Cybersecurity Disclosure Rules, please read this previous Update.

All companies holding data on U.S. residents—including employees—should understand the scope of state notification laws and how they may affect the companies’ obligations in response to a breach. Perkins Coie’s Security Breach Notification Chart offers a comprehensive and current summary of state laws regarding such requirements. For further questions about state or international breach notification requirements or the federal guidance described above, please contact experienced counsel.
