On September 1, the Colorado breach notification statute update became effective, the first of two developments that occurred over the weekend. As we wrote about when the modification was passed, Colorado’s updated statute expands the definition of “personal information” to include ID numbers, medical information, and biometric information and places a proactive obligation on companies to investigate potential breaches. If notification is required, it will now have to be provided within 30 days of the company determining that the breach has occurred, and Colorado now joins many other states in having content requirements for breach notices. In addition to the data breach notification changes, the law also creates a requirement to “reasonably” protect personal information.

Also on September 1, a portion of New York Department of Financial Services’ revised cybersecurity regulation became effective. As we previously wrote, the regulation applies to “covered entities” under New York’s Banking, Insurance, and Financial Services laws, and has rolling effective dates. The September 1 date brought into effect the need for covered entities to, inter alia, (1) conduct risk assessments for in-house developed and externally developed applications that are brought into the company’s environment, (2) have policies that limit retention of nonpublic personal information the entity no longer needs, (3) monitor access to nonpublic information in their systems, and (4) encrypt nonpublic information at rest and in transit.

Putting it into Practice: While many eyes in the US may be on the developments coming out of California, these two laws remind us that there continue to be changes across the US in the privacy and data security landscape