- Notice to individuals must be given within 45 days after the business discovers or is notified of the breach of the security of a system. (Previously, notice could be given 45 days after the company's investigation was completed.)
- Businesses that maintain data on behalf of the data owner must notify the data owner within 10 days of discovery or notification of the breach (previously, this was 45 days).
- When these notices are delayed by a law enforcement request beyond the 45-day period, they must be provided seven days after law enforcement determines notice will not impede its investigation.
Other State Breach Law Changes
- ArizonaHouse Bill 2146, effective July 22, 2022, requires that in incidents involving more than 1,000 Arizona residents, entities must notify both the attorney general and the director of the Arizona Department of Homeland Security, instead of previously just the former.
- IndianaHouse Bill 1351, effective July 1, 2022, adds a time limit of no more than 45 days after the discovery of the breach to notify individuals and the state attorney general. Indiana did not previously impose a notification deadline, although the attorney general's office encouraged notification within 30 days.
- Maryland, Kentucky, and Vermont each passed a version of the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law, which has been implemented in 18 other states in the past several years. These laws require entities subject to a state's insurance licensing to develop an information security program, investigate cyber events, and notify the state insurance commissioner of material cyber events. The newest laws will go into effect in 2023; similar laws passed last year in Hawaii and Minnesota have just come into effect over summer 2022.
Federal Action: Forthcoming Federal Breach Reporting Requirements
Responding to waves of highly complex and damaging cyberattacks in recent years, two major new requirements are poised to significantly alter incident response for certain covered organizations.
Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). On March 15, 2022, President Biden signed CIRCIA into law following attacks on critical infrastructure, such as the May 2021 ransomware attack on Colonial Pipeline and the Russian government attacks against the energy sector. Under CIRCIA, certain "Covered Entities" will be required to report various categories of events, including "covered cyber incidents" (CCIs) and ransom payments. We covered more details regarding the scope of CIRCIA in a previous Update.
CIRCIA requires the Cybersecurity and Infrastructure Security Agency (CISA) director to propose a rule within two years of its enactment. This rulemaking is currently ongoing, with comments due November 16.
SEC Proposes New Cybersecurity Disclosure Rules. On March 9, 2022, the U.S. Securities and Exchange Commission (SEC) issued proposed rules regarding cybersecurity risk management, strategy, governance, and incident disclosure for public companies subject to the reporting requirements of the Securities Exchange Act of 1934. Importantly, the SEC proposed to amend Form 8-K to require disclosure of "material" cybersecurity incidents within four business days. The four-day period would begin after a company determines that a cybersecurity incident was material, and not from the date of the incident itself. For more specifics regarding the proposed Cybersecurity Disclosure Rules, please read this previous Update.
All companies holding data on U.S. residents—including employees—should understand the scope of state notification laws and how they may affect the companies' obligations in response to a breach. Perkins Coie's Security Breach Notification Chart offers a comprehensive and current summary of state laws regarding such requirements. For further questions on state or international breach notification requirements or the federal guidance described above, please contact experienced counsel.
© 2022 Perkins Coie LLP
