North Dakota and Nevada organizations will soon face expanded requirements for reporting data breaches, after both states recently amended their breach notification laws.
The North Dakota law already required organizations to notify individuals following a breach of their unencrypted personal information. The amendment extends the law to require organizations to report breaches that involve the unencrypted information of 250 or more people to the state’s attorney general “in the most expedient time possible and without unreasonable delay” (51-30-02). North Dakota also struck from its law a clause stating that only people and entities who conduct business in the state must disclose breaches to affected North Dakota residents; now all people and entities must abide by this notification requirement. The amendment also clarifies the definition of personal information, specifying that an employee identification number only qualifies as personal information if it is breached along with “any required security code, access code, or password” that will permit access to the employee’s account. The revised law will take effect on August 1, 2015.
The Nevada amendment broadened the state’s definition of personal information to include a medical identification number or health insurance identification number, and a username or email address along with a password or security question answer that would permit access to an online account. Nevada’s revised law will take effect on July 1, 2015.
Nevada’s broadened definition of personal information and North Dakota’s strengthened reporting requirements mean more organizations that suffer data breaches will be required to report them. Organizations with operations in North Dakota or Nevada should lower their risk of a data breach by conducting penetration testing and vulnerability assessments, where cybersecurity professionals simulate the role of a cyberattacker in order to see how easily an attacker could gain access to sensitive data. Since attackers often find targeting employees to be a lucrative strategy, employee training is a critical cybersecurity step. Taking proactive steps to improve organizational cybersecurity can protect organizations from being the latest to gain the wrong sort of media attention due to a data breach.