July 3, 2019 - Since the beginning of the year, 13 states have made modifications their data breach laws. That's great news because all of those modifications made requirements for reporting better from a consumer perspective. And a few of the modification stand out among the crowd. Here are those that are particularly important in our eyes.

Tweet

The State of Arkansas has added biometric data to its list breaches that require consumer notification. Biometric data consists of physical and biological data that can be used to identify a particular individual. That data includes, but is not limited to DNA, fingerprints, retinal scans, facial scans, etc… It is widely considered the holy grail for identification and is becoming increasingly important in computer applications used to identify people and give them access to buildings and computer systems.

Cloud computing is becoming more and more common in business and personal applications, and it has been important for data storage for some time now. Many large companies use third party, off site data storage facilities to manage their customer data. Maryland has updated its data breach law to make it illegal for these third-party facilities to charge the actual owner of the data for providing information needed to make consumer notifications of the breach.

Oregon has broadened its definition of what constitutes  "personal information" requiring data breach notification to include a user name or other identifying information used in combination with any other information to positively identify an individual. That means that in most cases, biometric information is covered.

All of these changes are noteworthy. ACCESS is calling on state legislatures nationwide to include biometric data in their breach notification requirements. We applaud the efforts of both Arkansas and Oregon to do so. 

byJim Malmberg

Note: When posting a comment, please sign-in first if you want a response. If you are not registered, click here. Registration is easy and free.

Follow ACCESS