A pair of states have revised their data breach notification laws. North Dakota has amended its law to clarify that the obligation to disclose a breach pertaining to employer identification numbers only apply if the numbers are leaked in conjunction with any required security code, access code, password; or the person's “digitized or other electronic signature.”
The obligation to notify others of a breach is also extended to any entity that “owns or licenses computerized data” that contains personal information. The amendment also specifies that any breaches affecting 250 or more individuals must be reported to the attorney general in a timely manner.
Nevada has also expanded its breach notification laws to include as personal information, usernames, unique identifiers and emails in combination with passwords, access codes or security questions that would allow access to an online account. The broader definition also includes medical or health identification numbers as well.
North Dakota's and Nevada's revisions go into effect on August 1, 2015, and July 1, 2015, respectively.