On May 10, New Jersey Bill S-52 was signed into law, which amends the state’s data breach notification law to expand the definition of personal information. Under the amended law, effective September 1, 2019, “personal information” that requires a company to notify individuals if breached now includes a “user name, email address, or any other account holder identifying information, in combination with any password or security questions and answer.”
In Washington, the state legislature passed an amendment to the existing data breach notification law that expands the list of data elements that require notification to individuals if breached in combination with an individual’s full name. The list now includes: Social Security numbers, driver’s license numbers, state ID numbers, financial account information, full birth dates, health insurance ID numbers, medical histories, student ID numbers, military ID numbers, passport ID numbers, username-password combinations, or biometric data. The amendment also shortens the window companies and government entities have to notify individuals from 45 days to 30 days.
Read more about these amendments here.