Privacy and Security Advisory

Data Breach Notification Laws: The Changing Landscape in Early 2006

By Kaustuv M. Das, Ph.D.
[March 2006]

The first data breach notification law in the nation, California’s S.B. 1386, was enacted in August 2002 and went into effect in July 2003. Since then, 22 other states have adopted similar data breach notification laws. Of the remaining 27 states, eight have introduced data breach notification legislation this year, and 10 have considered data breach notification legislation in the past two years. Remarkably, only nine states appear not to have considered any data breach notification legislation at all. It is likely, however, that the number of states that have not considered data breach notification legislation at all will shrink in 2006. The table below summarizes the state data breach notification legislation.

Data breach notification legislation in the states

States that have enacted data breach notification laws

Arkansas, California, Connecticut, Delaware, Florida, Georgia, Illinois, Indiana, Louisiana, Maine, Minnesota, Montana, Nevada, New Jersey, New York, North Carolina, North Dakota, Ohio, Pennsylvania, Rhode Island, Tennessee, Texas, and Washington.

States that have introduced legislation addressing data breach notification in 2006

Alabama, Alaska, Arizona, Hawaii, Iowa, Kentucky, New Hampshire, and Virginia. (Illinois, Indiana, New Jersey, and New York, which already have notification statutes, have related bills pending in the 2006 session.)

States that have considered data breach notification legislation in past years

Colorado, Idaho, Maryland, Massachusetts, Michigan, Missouri, Oregon, South Carolina, West Virginia, and Wisconsin.

States for which no data breach notification legislation was identified

Kansas, Mississippi, Nebraska, New Mexico, Oklahoma, South Dakota, Utah, Vermont, and Wyoming.

A helpful list of the various bills that have been proposed, and those bills that have been adopted as law, by the various state legislatures is maintained by the National Conference of State Legislatures. Available at http://www.ncsl.org/programs/lis/cip/priv/breach.htm.


Main features of state data breach notification laws

Because California’s S.B. 1386, the California Security Breach Notification Act, was the first data breach notification law in the nation, many of the states that have adopted or considered data breach notification laws have modeled their laws after S.B. 1386. California requires any person, business, or state agency that owns or licenses computerized data that includes personal information to notify a resident of California whose unencrypted personal information was, or is reasonably believed to have been, accessed by an unauthorized person. Other states have extended their data breach notification laws to cover personal information data that are not maintained in electronic form, created safe harbors not just for encrypted data but also for redacted data, or have defined personal information data more broadly than California. Most of the enacted state laws and pending bills have the following five features in common:

  • Personal Information—typically personal information consists of a person’s name, or their first initial and last name, together with an identifying data element such as: social security number, driver’s license number, identification card number, account or credit card number with access code or password, date of birth, or biometric data.

Interestingly, although there are numerous reverse directories on the web that allow a person’s name to be looked up from that person’s address, most of the current data breach notification laws do not require notification as long as a person’s name is not disclosed to an unauthorized person (although Georgia’s and Maine’s data breach laws address this issue). The most extensive definitions of personal information are found in Nevada’s and North Carolina’s data breach notification laws.

  • Encryption—none of the laws require notification if the data that were lost, stolen, or accessed by an unauthorized person are encrypted. In contrast to the Payment Card Industry (PCI) Data Security Standard, however, very few of the data breach notification laws define what the encryption standard has to be.

  • Notification Requirements—any person or business, and usually any state agency, that owns, licenses, or is responsible for personal information data and reasonably believes that such data have been accessed by an unauthorized person has to notify affected residents of the state.

There is a great deal of variance in the notification requirements. Some laws only require notification if the entity responsible for the data believes that there is a reasonable possibility that the loss of data will lead to harm, injury, fraud, or identity theft. See, e.g., the data breach notification laws of Arkansas, Connecticut, Delaware, Florida, Louisiana, New Jersey, North Carolina, Pennsylvania, Rhode Island, and Washington. Others require notification in almost all circumstances. See, e.g., the laws of California, Georgia, Illinois, Indiana, Maine, Minnesota, Montana, Nevada, New York, North Dakota, Tennessee, and Texas.

  • Notification Procedures—individuals whose personal information data have been compromised must be informed. This notification can be provided either in writing or electronically. In case of very large breaches, most of the laws allow for substitute notice. Further, many of the laws require the entity responsible for the data to notify state agencies, often including the attorney general, and credit reporting agencies if a sufficiently large number of individuals are affected.

  • Notification Timelines—many of the statutes simply require notification within a reasonable timeline. For example, California’s S.B. 1386 requires notification within “the most expedient time possible and without unreasonable delay.” Other laws have specific timelines, including some that require notification within seven days of discovery of the data breach. Almost all of the laws toll the notification timeline to allow cooperation with law enforcement efforts.

Only Florida’s and Ohio’s laws appear to have a set period after discovery of a data breach by which businesses must notify their customers. New York’s data breach law has a 120-day timeline for state agencies and entities.

Many of the data breach notification laws are part of a broader effort to address identity theft and the security of personal information data. It is not uncommon for these data breach security laws to be part of legislation that addresses, among other things: (a) credit freezes; (b) the use of social security numbers as a form of identification; (c) consumers’ rights relating to credit reporting; and (d) the criminalization of identity theft.

Additionally, some of the state laws have exemptions for entities covered by federal legislation, including the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLB), or the Department of Treasury’s Interagency Guidelines Establishing Standards for Safeguarding Customer Information, 12 C.F.R. Part 30, Appx. B; Part 208, Appx. 208; Part 364, Appx. B; and Part 568.

Some of the data breach notification laws create private causes of action. Others restrict enforcement to the attorney general’s office. Yet others make a breach of the notification law a per se violation of the state’s unfair competition law. Although most of the states’ data breach notification laws have adopted the core of California’s S.B. 1386, currently there are as many approaches to data breach notification as there are laws, and it is likely that the number of different approaches will only continue to grow as more and more states enact these laws.

BNA has compiled a chart of the differences in selected major provisions of the state data breach notification laws. See “State Breach Notice Laws Have Similarities, But Significant Differences Require Attention,” 89 BNA Analysis & Perspective 176 (Aug. 12, 2005) (chart included on p. 180). A more informal, but also more up-to-date, chart has been created by VigilantMinds, Inc. and is available at http://www.vigilantminds.com/files/vigilantminds_state_security_breach_legislation_summary.pdf.


Federal data breach notification legislation

Because of the plethora of approaches to data breach notification at the state level, there has been a strong push by businesses for Congress to enact a federal data breach notification law. Numerous data security and data breach notification laws were introduced in the 109th Congress (S. 115; S. 500; S. 751; S. 768; S. 1216; S. 1326; S. 1332; S. 1408; S. 1594; S. 1789; S. 2169; H.R. 1069; H.R. 1080; H.R. 3140; H.R. 3374; H.R. 3375; H.R. 3397; H.R. 4127). Three of the bills in the Senate, S. 1326; S. 1408; and S. 1789, have been reported by Senate committees. In November 2005, the Senate Judiciary Committee approved bill S. 1789. In the House, H.R. 4127 has the widest support and has been approved by its initial House subcommittee.

There are various differences between the House and Senate bills, including for example their approach to preemption of state data breach notification laws, adoption of specific encryption standards, penalties for breach of the law, and what triggers notification requirements. Additionally, in light of the Congressional hearings on the National Security Agency’s electronic surveillance of United States citizens, the discussion of data security and data breach notification legislation has become significantly more politicized. It appears unlikely that a federal data security or data breach notification law will be enacted any time soon.


The FTC’s de facto data security standards

Although Congress may not pass a data breach notification law any time soon, the Federal Trade Commission (FTC) has adopted de facto national data security standards for companies covered by the federal FTC Act. In 2005 and 2006, the FTC announced significant settlements with companies that have had personal information data under their control breached or compromised.

These announcements include a settlement with ChoicePoint, Inc., under which ChoicePoint agreed to pay a $10 million civil penalty and another $5 million in consumer redress, the largest settlement ever between the FTC and a business. The settlement also requires ChoicePoint to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to submit to third-party audits for 20 years, and to establish and enforce a comprehensive information security program. See FTC Jan. 26, 2006 Press Release available at http://www.ftc.gov/opa/2006/01/choicepoint.htm.

The FTC has also settled data breach actions against BJ’s Wholesale Club, Inc. and Discount Shoe Warehouse. Each of these settlements requires the company to establish and implement a comprehensive information security program and to submit to third-party audits for 20 years. As recently as Feb. 23, 2006, the FTC announced that it is close to settling its action for data breach against CardSystems Solutions, now owned by Pay By Touch.

In all of these cases, the FTC instituted the action not as a “deceptive practice,” but as an “unfair practice.” The FTC did not charge each of these companies with having misstated its standard for data security; rather, these companies were charged because they did not adopt a minimal level of security for personal information data, thus leading to data breaches. As Deborah Platt Majoras, Chairman of the FTC, stated, “Consumers must have the confidence that companies that possess their confidential information will handle it with due care and appropriately provide for its security.” Quoted in the FTC’s June 16, 2005 press release available at http://www.ftc.gov/opa/2005/06/bjswholesale.htm.

The FTC charged BJ’s Wholesale Club with:

  • Not encrypting consumer information when it was transmitted or stored in computers in BJ’s stores;

  • Creating unnecessary risk to personal information data by storing it for longer than allowed under bank security rules, and longer than it needed the data;

  • Storing the information in files that could be accessed using commonly known default user IDs and passwords;

  • Failing to use readily available security measures to prevent unauthorized wireless connections to its network; and

  • Failing to use reasonable measures to detect unauthorized access to its network or to conduct security investigations.

FTC June 16, 2005 press release available at http://www.ftc.gov/opa/2005/06/bjswholesale.htm.

Although the loss of personal information data was egregious in each of these four cases, commentators have noted that the FTC’s charges against BJ’s Wholesale Club create, at least for now, de facto data security standards by specifying what the FTC considers an “unfair act or practice.” If companies comply with the FTC’s de facto standards, they must, among other things, encrypt consumer data. If, despite complying with the standards, consumer data are lost or stolen, state data breach laws will not require the companies to notify consumers about the breach, since current state laws do not require notification if the disclosed data are encrypted. Until there is federal legislation that creates a uniform data breach notification law, businesses that are subject to FTC oversight should abide by the FTC’s de facto standards, both to avoid potential problems with the FTC and because complying with the FTC standards would bring them within the encryption safe harbor of each state’s data breach notification law.




Contact Information

Author:
Kaustuv M. Das, Ph.D.
Seattle, Washington
(206) 628-7687
kmdas@dwt.com

Other DWT contacts:
Randy Gainer, Seattle, (206) 628-7660, randygainer@dwt.com
Bruce E.H. Johnson, Seattle, (206) 628-7683, brucejohnson@dwt.com
Lance Koonce, New York, (212) 603-6467, lancekoonce@dwt.com
Ronald G. London, Washington, D.C., (202) 508-6635, ronnielondon@dwt.com

This Advisory is a publication of the Privacy and Security Group of Davis Wright Tremaine LLP. Our purpose in publishing this Advisory is to inform our clients and friends of recent privacy and security developments. It is not intended, nor should it be used, as a substitute for specific legal advice as legal counsel may only be given in response to inquiries regarding particular situations.

Copyright © 2006, Davis Wright Tremaine LLP.
