Latest Installment of our Mintz Matrix!
Please visit our Mintz Matrix page for the latest edition of the Mintz Matrix, a 50-state resource we have maintained since 2009 to break down and summarize the requirements of U.S. state data breach notification laws. State governments continue to update their statutes as sharing of personal data remains an ever-present feature of everyday life, and the Mintz Matrix is designed to be a comprehensive resource for organizations and for practitioners trying to understand the contours of data breach notification obligations across the United States.
Since every state has its own version of a data breach notification statute, we monitor developments around the country and regularly update the Mintz Matrix. Several states have modified their data breach notification statute since our last update:
- New York lawmakers recently passed two separate bills (S2659B and S2376B) to amend portions of its data breach notification statute, Section 899-AA of Article 39-F of the New York General Business Law:
  - S2376B expanded the statute’s definition of “Private Information” to include medical information and health insurance information, meaning breaches of these categories of information could trigger notification requirements to individuals and state regulators, subject to the statute’s limited exemption with respect to notifying individuals for breaches involving data regulated by HIPAA. Notably, in the event of a breach of HIPAA-regulated data, the covered entity will still need to notify the required state regulators. These changes will become effective on March 21, 2025.
  - S2659B created a maximum window of thirty (30) days for businesses to provide notification of a breach to affected individuals. Previously, there was no clear timing requirement, merely that the required notification be provided “in the most expedient time possible and without unreasonable delay,” which might be interpreted as providing as much as a 60-day window. S2659B (as modified by a subsequent chapter amendment, S804) also clarified that any covered entities licensed or otherwise requiring authorization to operate under New York’s Banking Law, Insurance Law, or Financial Services Law must notify New York’s Department of Financial Services of a breach in compliance with New York’s Cybersecurity Regulation (23 NYCRR Part 500), in addition to the notifications already required under the data breach notification statute to the state attorney general, the department of state, and the division of state police. These changes became effective as of December 21, 2024.
- Pennsylvania enacted its own substantial amendments to its Breach of Personal Information Notification Act (BPINA) under Senate Bill 824. These changes addressed procedural and operational items, such as (i) requiring notification to Pennsylvania’s Attorney General for breaches affecting more than 500 individuals, (ii) requiring notifications be made via an online portal maintained by the AG’s office, (iii) creating an obligation to provide credit monitoring services and access to free credit reports in many breach circumstances, and (iv) reducing the threshold for triggering notification to consumer reporting agencies from 1,000 to 500 affected individuals. The changes also impact the legal analysis necessary to assess when the statute applies. For example, the definition of personal information has been narrowed with respect to breaches involving medical information, potentially creating an exemption for private sector entities handling this category of information unless they are engaged in contract work for a state agency. These changes became effective as of September 26, 2024.
- Florida passed its Digital Bill of Rights back in 2023 that modified the definition of “personal information” in Florida’s data breach notification statute, Section 501.171 of Title XXXIII of the Florida Statutes. The bill aimed to expand the scope of the “personal information” definition to include an individual’s biometric data and “any information regarding an individual’s geolocation,” which are categories of data with potentially broad application. These changes were deferred initially and only became effective as of July 1, 2024.
- Utah’s Senate Bill 98 expanded the scope of information that must be included in notices to Utah’s Attorney General and the Utah Cyber Center following a data breach. The following details about a breach will be required: the date of the breach’s occurrence and of its discovery, the total number of people and the total number of Utah residents affected, the type of personal information involved in the breach, and a short description of the breach of system security. Notices submitted to the Attorney General or the Utah Cyber Center can also be deemed confidential and classified if specific conditions are met. These changes became effective as of May 1, 2024.
Authors
Cynthia J. Larose
Member / Co-Chair, Privacy & Cybersecurity Practice
Michael B. Katz
Associate
