In October 2023, Perkins & Coie published an update on data security requirements under state law:
In addition to revisions to breach notification statutes, states are making a variety of changes to substantive data security obligations. Changes applicable to private companies include:
- Security obligations in comprehensive privacy laws. To date, 12 states have passed comprehensive privacy laws regulating “personal information,” very broadly defined (as opposed to the narrower definitions traditionally used by state breach notification and data security statutes).
- Affirmative defenses. Iowa became the fourth state (after Connecticut and Utah, described in our 2021 update, as well as Ohio) to add a law establishing an affirmative defense to data breach cases brought in tort law, if the company maintains a written cybersecurity program designed to address reasonably foreseeable risks, estimate the company’s probable loss, and communicate to affected parties following a data breach.
- Insurance data security requirements. In June 2023, Illinois became the 23rd state to pass a law focused on the state’s insurance licensees. Illinois licensees must develop and implement a written information security program, investigate cybersecurity events, and notify the Illinois Department of Insurance as promptly as possible, but no later than three business days after determining a cybersecurity event has occurred.
- New York Department of Financial Services updates. In June 2023, the New York Department of Financial Services (NYDFS) proposed revised amendments to its cybersecurity regulations. Among other changes, the proposed regulations would expand the cybersecurity event notification requirement to expressly cover new types of cybersecurity events and introduce a new notification requirement for ransom payments.
For details on the above, see the Perkins & Coie article on their website.