Arkansas
In April, Arkansas’ Governor signed H.B. 1943 as Act 1030 expanding the scope of personal information, as used in the Personal Information Protection Act, to include “biometric data.” The Bill defines “biometric data” as “data generated by automatic measurements of an individual’s biological characteristics, including without limitation: (a) Fingerprints, (b) Faceprint, (c) A retinal or iris scan, (d) Hand geometry, (e) Voiceprint analysis, (f) Deoxyribonucleic acid (DNA), or (g) Any other unique biological characteristics of an individual if the characteristics are used by the owner or licensee to uniquely authenticate the individual’s identity when the individual accesses a system or account.”
The Bill also places additional notice requirements following a data breach. The Bill requires that a person or business disclose a security breach concerning 1,000 or more individuals to the state Attorney General at the time notifications are sent to the affected individuals or within 45 days after the person or business determines that there is a reasonable likelihood of harm to the affected individuals, whichever occurs first.
Finally, the Bill requires a person or business to retain a report concerning a security breach for five years, and also requires a person or company to submit to the state Attorney General a copy of the written report within 30 days of the Attorney General’s request.
The Bill becomes effective July 23, 2019.
Oklahoma
In May, Oklahoma’s Governor signed S.B. 584 amending 62 Okl. St. Section 34.32, relating to security risk assessments for certain state agencies. The Bill, for example, eliminates an exception for a state agency with internal expertise from conducting its own security risk assessment. The Bill instead mandates that the state agency have an independent firm conduct the assessment.
The Bill also requires a state agency with an information technology system not consolidated under the Information Technology Consolidation and Coordination Act “to have an information security audit conducted by a firm approved by the Information Services Division that is based upon the most current version of the NIST Cyber-Security Framework” and to submit a report regarding “information security audit findings to the Information Services Division” each year.
The “Agencies shall also submit a list of remedies and a timeline for the repair of any deficiencies to the Information Services Division within ten (10) days of the completion of the audit.” If a state agency is not able to comply with these requirements, the Bill requires that the agency “consolidate under the Information Technology Consolidation and Coordination Act.”
The Bill excludes certain organizations from following these requirements, such as state agencies subject to mandatory North American Electric Reliability Corporation (NERC) cybersecurity standards; institutions within The Oklahoma State System of Higher Education; the Oklahoma State Regents for Higher Education and the telecommunications network known as OneNet that follow the International Organization for Standardization (ISO); and the International Electrotechnical Commission (IEC)-Security techniques-Code of Practice for Information Security Controls or National Institute of Standards and Technology.
The Bill becomes effective November 1, 2019.
Maryland
On April 30, 2019, Maryland’s Governor signed HB 1154, SB 693 amending the Security Breach Notification Requirements in Maryland’s Personal Information Protection Act. The Bills seek to amend the scope of the breach notification requirements to businesses that maintain computerized data rather than limiting the requirements to the businesses that own or licenses such data. The Bills also prevent businesses maintaining such data from charging the owner or licensee of the data a fee for the information necessary to notify individuals of a breach. Additionally, the Bills prevent the owner or licensee of the data from using information about a breach for purposes other than (1) providing notification to individuals, (2) protecting or securing personal information, and (3) notifying national information security organizations to assist in an analysis of security threats.
The Bills become effective October 1, 2019.