Mark L. Krotoski and W. Scott Tester of Morgan Lewis remind entities that duty to notify of a breach depends on state definitions of personal information, and more states are now including usernames or email addresses as personal information:
Illinois, Nebraska, and Nevada are the latest to add usernames or email addresses to the definition of PI when they are combined with information that would permit access to an online account. The Illinois law took effect on January 1, 2017, while the respective laws in Nebraska and Nevada took effect in 2016.
Three other states (California, Florida, and Wyoming) had previously enacted laws mandating that either a username or email address constitutes PI when combined with a password or security question and answer that would permit access to an online account.
Read more on Lexology