In the first half of 2018, on the heels of the Equifax breach last fall, a number of state legislatures addressed privacy and data security issues, and in particular, data breach notification. Most notably, Alabama and South Dakota passed their first breach notification laws, making it so there now breach notification laws in all 50 states. In addition, Arizona, Louisiana, Colorado and Oregon updated their existing laws.
Both the new laws and the revisions reflect national trends over the last several years to clarify (and shorten) notification periods, broaden the scope of information that prompts notification requirements, and increase engagement with regulators. The changes add complexity, but because they are in line with changes made by other states, they should not require substantial changes to existing procedures for responding to larger incidents.
More details regarding each of the laws can be found in our recent client update.