Six States Enact Personal Information Security Breach Notification Laws
Arkansas, Georgia, Indiana, Montana, North Dakota, and Washington have all recently enacted laws requiring notice to consumers when the security of stored personal information is compromised. These new laws have arisen against the backdrop of widely publicized reports that identity thieves and hackers accessed and used personal information maintained by ChoicePoint and LexisNexis. Most of these new laws are similar to the landmark provisions of California's SB 1386, effective July 1, 2003 (see News Update dated June 13, 2003), which have been credited with forcing the security breach disclosures made by ChoicePoint and LexisNexis. Twenty other states have introduced, or have pending, similar legislation, and three bills have been introduced in Congress on the subject, each with a different pre-emption provision.
California's law, known as SB 1386, requires a business that maintains personal information in a computerized database to disclose any breach of the security of that database to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person (for example, a hacker). The disclosure obligation is triggered by the business's discovery of, or notification of, the breach. Under SB 1386, a breach occurs when an unauthorized individual acquires computerized data in a way that compromises the security, confidentiality, or integrity of personal information maintained by the business. It does not include situations in which employees or agents of the business acquire personal information in good faith for the purpose of carrying out business activities, provided the information is not used or further disclosed without authorization.
Under California's SB 1386, "personal information" means an individual's first name, or first initial, and last name in combination with any of the following data elements: (1) Social Security number; (2) driver's license number or California I.D. card number; or (3) a financial account number, credit card number, or debit card number, when coupled with any required security code, access code, or password that would permit access to the individual's financial account. "Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. SB 1386 contains a safe harbor allowing businesses to forgo notice if the personal information in the breached database is encrypted. The statute does not define "encrypted" or prescribe any particular algorithm or key length, so the safe harbor turns on whether the data elements themselves were actually encrypted; access controls or passwords on an otherwise plaintext database do not qualify.
Businesses can provide the requisite notice to consumers in writing or by electronic means. If the cost of providing individual notice would exceed $250,000, if more than 500,000 persons would have to be notified, or if the business lacks sufficient contact information, it may instead provide substitute notice, which consists of email notice (where an email address is available), conspicuous posting on the business's website, and notification to major statewide media.
Of the recently enacted state laws, only the Arkansas, Montana, North Dakota, and Washington security breach statutes apply broadly to businesses. Indiana's new statute applies only to state government agencies. Georgia's legislation applies only to data brokers (entities like ChoicePoint) that are engaged in the collection and sale of personal information to unaffiliated third parties.
The Arkansas, Montana, North Dakota, and Washington laws largely follow the approach of California's SB 1386. Washington's law, in particular, closely tracks SB 1386. Among the others, however, there are some noteworthy differences. For example:
- Arkansas' law does not require notification if, after conducting a reasonable investigation, the business determines that there is no reasonable likelihood of harm to customers. This could be a significant exception that relieves the notice requirement in some circumstances, although a defensible determination that harm is not reasonably likely will generally require forensic evidence about what was accessed and whether it was actually taken, and may be difficult to reach. Arkansas also adds document destruction requirements, has a definition of personal information that is slightly broader than California's (it includes medical information and does not except publicly available information from government records), and imposes an affirmative obligation on businesses to implement and maintain reasonable security measures to protect personal information.
- Montana's data breach notification provisions are part of broader privacy legislation that also limits the printing of all but the last five digits of a credit card number on electronically printed receipts, imposes document destruction requirements, and prohibits credit reporting agencies that receive notice of identity theft from including on a credit report adverse information resulting from that theft. Significantly, Montana's law defines the "breach of the security of the data system" as the "unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information" or that is "reasonably believed to cause loss or injury." The modifier "materially," like the Arkansas provision regarding a determination that there is no "reasonable likelihood of harm," may relieve the notice obligation in some circumstances.
- North Dakota's law is similar to California's SB 1386 but expands the definition of personal information to add date of birth, mother's maiden name, an employer-assigned identification number, and an individual's digitized or other electronic signature.
The state laws applicable to businesses generally (AR, CA, MT, ND, WA) contain a safe harbor for businesses that maintain their own notification procedures as part of an information security policy: a business that notifies affected individuals in accordance with those procedures is deemed to comply with the statute, provided the procedures are consistent with the statute's timing requirements. The safe harbor therefore does not make the law inapplicable; it lets a business substitute its own procedure for the statutory one, so that procedure should be written down, followed, and at least as prompt as the statute.
None of the state laws clearly defines the circumstances that establish a "breach of security" requiring notice. These new laws generally define such a breach as an unauthorized acquisition that actually compromises the confidentiality of personal information, which leaves the standard somewhat subjective. In practice, the key distinction is between data that was merely exposed or accessible and data that was actually acquired; the evidence for that distinction comes from the incident investigation (access logs, transfer records, and the scope of the intruder's activity), so the ability to make a supportable determination depends on logging and forensic records being available when an incident is discovered. Ultimately, a workable interpretation of these provisions will be needed to meet notice obligations, but the scope and frequency of notices must be tailored to avoid creating exaggerated consumer fears or undermining investor confidence through unnecessary disclosures of attempted hacks or similar events that do not actually compromise the security of the stored personal information. Although many companies have been complying with the requirements imposed by California's security breach law, the new state and federal laws are likely to make the process of determining when and where to give notice of a security breach more complicated.
If you would like further details or guidance concerning existing privacy and security laws or legislation that has been proposed in the states or Congress, please contact us.