Overview
Starting with the first such statute, enacted in California in 2002,[1] 46 states[2] currently have statutes patterned on the California law. These statutes generally require any entity that has suffered a security breach (i.e., an unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information ("PI")) to promptly notify any state resident whose unencrypted PI was, or is reasonably believed to have been, acquired by an unauthorized person.
"State security breach notification laws generally follow a similar framework and can be categorized into several standard elements: (1) delineating who must comply with the law; (2) defining the terms 'personal information' and 'breach of security'; (3) establishing the elements of harm that must occur, if any, for notice to be triggered; (4) adopting requirements for notice; (5) creating exemptions and safe harbors; (6) clarifying preemption and relationships to other federal laws; and (7) creating penalties, enforcement authorities, and remedies."[3]
Elements of security breach notification laws
State security breach notification laws vary regarding who is subject to the law — covered entities may include businesses, state agencies, for-profits, non-profits, information brokers, or persons conducting business within the state that own, license, or maintain the personal information of state residents. Twenty-nine states impose similar duties on the public and private sectors, 14 states do not, and Oklahoma's law applies only to the public sector.[4] State security breach notification laws generally apply to electronic or computerized data.
Security breach notification laws typically include definitions for "personal information" or "personally identifiable information." In information privacy law, there is no uniform definition of "personally identifiable information."[5] A common definition includes an individual's first name or initial and last name combined with a Social Security number; a driver's license or state ID number; or an account number or credit or debit card number, combined with any required information (such as a password or access code) that allows access to the account or any other financial information.
A few states include medical information and/or health insurance information. Many states exclude from the definition of personal information any publicly available information that is lawfully made available to the general public from federal, state, or local government records. The term "sensitive personally identifiable information" is a subset of personally identifiable information (PII), the meaning of which also varies, but typically includes any information about an individual (including education, financial transactions, medical history, and criminal or employment history) along with information that can be used to distinguish or trace the individual's identity (including name, address, or telephone number; date and place of birth; mother's maiden name; Social Security Number or other government-issued unique identification number; biometric data; or unique account identifiers).
The standard definition for "breach of security" is unauthorized acquisition of personal information that compromises the security, confidentiality, or integrity of personal information maintained by a covered entity.
In some states, the standard trigger for notice is the unauthorized access and acquisition of personal information. Some states require a risk assessment to determine the level of harm or the risk of misuse involved. The results of the risk assessment determine whether notice is required.
State security breach notification laws describe who must provide notice (some require third-party service providers to notify the owner or licensor of the data when a breach occurs); recipients of notification (individuals, consumer reporting agencies for large scale breaches, state attorneys general); timing (following discovery or following unauthorized access, promptly, without unreasonable delay); methods (written, mail, email, substitute, mass media); content of notice; and delayed notification for law enforcement or national security purposes.
Forty-six states, the District of Columbia, Puerto Rico, and the Virgin Islands exempt encrypted information from notification requirements.
Thirteen states, the District of Columbia, and Puerto Rico permit an individual to bring a private right of action to recover damages and/or obtain equitable relief from businesses for injuries from the breach, for failure to notify customers of a security breach in a timely manner, or under state consumer protection statutes (e.g., unfair or deceptive practices). In some cases, prevailing plaintiffs are permitted to recover reasonable attorney's fees and court costs. Some of these states also permit the state attorney general to bring an action; other states allow only attorney general enforcement.
Penalties may be imposed for failure to promptly notify customers of a security breach. Penalties vary widely and include: a civil penalty of up to $500 for each state resident who was not notified, not to exceed $50,000 in total; a civil penalty not to exceed $10,000 per breach; assessment of appropriate penalties and damages; $1,000 per day per breach, then up to $50,000 for each 30-day period up to 180 days, not to exceed $500,000; $2,500 per violation plus any actual damages; state attorney general actions under state consumer protection laws, which permit the imposition of significant fines, injunctive relief, and attorneys' fees; and identity theft penalties.
Many states provide a safe harbor for entities that are regulated under the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA) and accompanying regulations and guidance. The safe harbor is generally available to entities that are in compliance with those laws, rules, regulations, or guidelines.
References
- ↑ Cal. Civ. Code §§ 1798.80 et seq.
- ↑ Alaska Stat. §45.48.010 et seq.; Ariz. Rev. Stat. §44-7501; Ark. Code §4-110-101 et seq.; Cal. Civ. Code §§56.06, 1785.11.2, 1798.29, 1798.82; Colo. Rev. Stat. §6-1-716; Conn. Gen. Stat. §36a-701(b); Del. Code tit. 6, §12B-101 et seq.; Fla. Stat. §817.5681; Ga. Code §§10-1-910, -911; Haw. Rev. Stat. §487N-2; Idaho Stat. §§28-51-104 to 28-51-107; 815 ILCS 530/1 et seq.; Ind. Code §§24-4.9 et seq., 4-1-11 et seq.; Iowa Code §715C.1; Kan. Stat. §§50-7a01, 50-7a02; La. Rev. Stat. §51:3071 et seq.; Me. Rev. Stat. tit. 10 §§1347 et seq.; Md. Code, Com. Law §14-3501 et seq.; Mass. Gen. Laws §93H-1 et seq.; Mich. Comp. Laws §445.72; Minn. Stat. §§325E.61, 325E.64; Mississippi 2010 H.B. 583 (effective July 1, 2011); Mo. Rev. Stat. §407.1500; Mont. Code §§30-14-1704, 2-6-504; Neb. Rev. Stat. §§87-801, -802, -803, -804, -805, -806, -807; Nev. Rev. Stat. §603A.010 et seq.; N.H. Rev. Stat. §§359-C:19, -C:20, -C:21; N.J. Stat. §56:8-163; N.Y. Gen. Bus. Law §899-aa; N.C. Gen. Stat. §75-65; N.D. Cent. Code §51-30-01 et seq.; Ohio Rev. Code §§1347.12, 1349.19, 1349.191, 1349.192; Okla. Stat. §74-3113.1 and §§24-161 to -166; Or. Rev. Stat. §646A.600 et seq.; 73 Pa. Stat. §2303; R.I. Gen. Laws §11-49.2-1 et seq.; S.C. Code §39-1-90; Tenn. Code §47-18-2107, 2010 S.B. 2793; Tex. Bus. & Com. Code §521.03; Utah Code §§13-44-101, -102, -201, -202, -310; Vt. Stat. tit. 9 §2430 et seq.; Va. Code §18.2-186.6, §32.1-127.1:05 (effective January 1, 2011); Wash. Rev. Code §§19.255.010, 42.56.590; W.V. Code §§46A-2A-101 et seq.; Wis. Stat. §134.98 et seq.; Wyo. Stat. §§40-12-501 to -502; D.C. Code §28-3851 et seq.; 10 Laws of Puerto Rico §4051 et seq.; V.I. Code §2208. For a current listing of the enacted laws, see National Conference of State Legislatures, Security Breach Notification Laws (full-text).
- ↑ Data Security Breach Notification Laws, at 5.
- ↑ Kristen J. Mathews, "Breach Notification Obligations In All 50 States?" (full-text).
- ↑ Paul M. Schwartz & Daniel J. Solove, "The PII Problem: Privacy and a New Concept of Personally Identifiable Information," 86 N.Y.U. L. Rev. 1814, 2011 (Dec. 2011) (abstract).