In October 2023, Perkins Coie published an update to existing state breach notification laws.
Pennsylvania
The first major update to Pennsylvania’s Breach of Personal Information Notification Act was passed earlier this year. The updates include a range of changes consistent with those adopted in other states in the last several years, so these updates are unlikely to substantially change nationwide compliance for most private sector companies (Pennsylvania government entities, on the other hand, will face substantial new requirements and tight deadlines). The amendments took effect on May 2, 2023.
- Expanded definition of personal information.
- Additions of “discovery” and “determination” of a breach.
- Deadlines for governments, agencies, and schools.
Included with the breach notification amendments were two new provisions requiring state agencies and their contractors to implement policies and procedures regarding the proper encryption and storage of personal information held “on behalf of the commonwealth.”
Utah
New attorney general notice requirement. Utah passed Cybersecurity Amendments creating a new “Utah Cyber Center” with a variety of cyber policy-related responsibilities.
Texas
New attorney general notice deadline. As of September 1, 2023, Texas shortened the deadline for organizations to notify the state attorney general from 60 days to “as soon as practicable and not later than 30 days,” while leaving in place the 60-day deadline to notify individuals.
Florida
New types of personal information. Florida’s Digital Bill of Rights includes, among its many changes to various consumer privacy protections, a change to the definition of “personal information” in the breach notification statute.
California
Expanded private right of action.
For details on the above updates, see the Perkins & Coie update on their website.