In the continuing void at the federal level, more and more states are being proactive in adopting legislation that seeks to protect US residents’ personal data, and to impose stricter guidelines on companies that experience a data breach.

Although Washington State did not pass its previously pending bill that would have been more stringent on data controllers and processors than the looming Consumer Privacy Act of California, Washington did adopt new terms for its breach notification statute.  Effective as of March 2020, a “breach” requiring notice will include unauthorized access, disclosure, alteration and/or compromise of biometric and/or health data (previously excluded from the definition of personal information). Further, the window in which the entity suffering a breach must give notice has been reduced from 45 days to 30 days.

Many states, including New Jersey, New York, Florida, and Texas, have either adopted or are considering proactive legislation that will require those controlling and/or processing personal data to take “reasonable” measures to protect that data while under that entity’s control.

Without a consistent definition of “personal information,” what constitutes a “breach,” and what are “reasonable” measures, it is challenging for businesses to prepare.  That said, businesses that fail to take “some” measure to protect data will likely find themselves subject to liability even without its jurisdiction having in place proactive legislation. As discussed in the Dittman case, a data breach is a “foreseeable risk” against which companies have a “common law duty” to protect personal data.

Resources are available to help companies to take steps toward being “reasonable” in collecting, receiving, storing, processing, sharing and destroying data.  Looking for those resources is the first step toward being a responsible data controller and processor.  In New Jersey, the NJCCIC offers insights weekly into the latest threats.  NIST has frameworks for small and midsize businesses, as well as for larger entities.  SANS has forms that serve as useful starting points for developing policies and procedures.  The process can be done, but it can no longer be ignored.

For guidance on how to begin, please contact our offices.