Every year at this time there are new laws and this year is no exception.
Illinois, Nebraska and Nevada have added usernames or email to data elements that are considered personal information if that information is combined with other information that would let a hacker access your online account. In other words, a username with a password or an email address with the answers to online security questions would be considered personal information.
California, Florida and Wyoming had already passed laws adding these items to the list of personal information in 2014 and 2015. In some of these states, an email address with the password OR security questions and answers EVEN if a person’s name is not attached to those items is considered personal information.
What this means is that businesses that collect email addresses need to be concerned about the fact that email addresses, when combined with certain other information, may be considered protected information.
Some states, including Nevada, Rhode Island and Wyoming, say that in order for an email address to be considered personal information it must be associated with at least a last name and first initial. This means that the rules are different between, say, Florida and Nevada, which makes it difficult for companies to be compliant.
Nevada and Rhode Island have added something called, in the law, “access code” to the list of potential personal information, even though they do not define what an access code is.
Come the middle of 2018, American companies that do business in the European Union – meaning that they collect data on EU residents – will be required to follow the General Data Protection Regulation or GDPR.
Under the GDPR companies are required to notify the appropriate data protection officials WITHIN 72 HOURS of a data breach unless it is unlikely that people will be at risk.
There have been a number of attempts to create a national data privacy/data breach law, but in all cases, those proposed federal laws would supersede state laws and offer less protection than the state laws that they would replace. The proposed federal laws, for the most part, are the least common denominator of state privacy laws. None of these attempts to pass a law have been successful and all have been met with strong opposition.
This does not mean that a federal law will not be passed at some point in the future, because complying with 47 or so state laws in the day of the Internet is really extremely difficult. The JDSupra article below has a list of resources that will help people as they wrestle with the privacy law challenge.
Information for this post came from JDSupra.