Data Privacy and Breach Reporting: Compliance with Various State Laws

Jurisdiction: United States, Federal, California
Publication year: 2008
Citation: Vol. 4 No. 3

Shidler Journal of Law, Commerce & Technology Volume 4, Issue 3 Winter 2008

Constitutional & Regulatory

Cite as: G. Martin Bingisser, Data Privacy and Breach Reporting: Compliance with Varying State Laws, 4 Shidler J. L. Com. & Tech. 9 (2/25/2008), at http://www.lctjournal.washington.edu/Vol4/a09Bingisser.html

Data Privacy and Breach Reporting: Compliance with Various State Laws

G. Martin Bingisser¹

©G. Martin Bingisser

Abstract

This Article discusses state laws requiring that a person whose personal information is held by a business or government agency be notified when that holder's security is breached and an unauthorized person accesses the personal information. In the wake of the 2005 ChoicePoint data breach, over half of the states passed legislation requiring companies to notify the affected parties after a breach of personal information. Most of the state statutes followed the model set forth by California's Security Breach Notification Act of 2002. However, significant variations exist between the different statutes, which can create compliance problems. This Article illustrates the relevant differences, analyzes the effect of the statutes, and discusses the policy implications of such legislation.

Table of Contents

Introduction
The Structure of California's Act
Variations
i. Strict vs. Flexible Statutes
ii. Variations on the Breadth of the Statute
iii. Variations on the Definition of Personal Information
iv. Variations on the Immediacy of Notice Required
v. Variations on the Encryption Requirement
vi. Type of Notice Permitted/Required
Analysis
Policy Discussion
Conclusion

Introduction

[1] On February 16, 2005, ChoicePoint, a leading supplier of identification and credential verification services, announced that a flaw in its customer screening process had allowed unauthorized users to access the personal information of thousands of people stored on ChoicePoint's servers.² ChoicePoint was required to notify the affected California residents in order to comply with a California law passed in the wake of such security breaches. California residents constituted approximately a quarter of the estimated 145,000 individuals affected.³ The Security Breach Notification Act⁴ ("the California Act") was the first legislation requiring that victims of security breaches be notified so that they are aware of the elevated danger of identity theft and can take steps to protect themselves. While many companies did not publicly disclose security breaches prior to enactment of the California Act, disclosure has been quick under the new law.⁵ The success of the California Act, together with other states' fear of not having their own citizens notified, has led those states to enact similar legislation.⁶

[2] The Act has brought information security problems into sharper focus. One organization calculated the number of records breached in the United States since January 1, 2005 to be at least 158,937,228.⁷ However, these numbers may be over-inclusive or under-inclusive. Some entities take a maximal compliance approach and "overnotify," while others may undernotify, either to avoid embarrassment or because a breach was not detected.⁸ Even the initial estimate of individuals affected by the ChoicePoint breach was conservative, because it counted only individuals whose personal information was breached after the California Act went into effect in 2003. Because the breaches occurred over a period of time, individuals whose data was breached before that date were not notified.

[3] Because of the increased attention given to security breaches, many other states have adopted similar legislation since the ChoicePoint breach. In March 2005, Arkansas became the first state to follow California's lead and passed an act modeled on California's statute.⁹ As of October 2006, 36 states had passed such legislation,¹⁰ and the trend suggests that more states will adopt it in the future. Although most of these statutes are modeled after the California Act, some key differences warrant attention because they can create compliance problems for those storing personal information.

The Structure of California's Act

[4] In order to understand the recent legislation requiring notification, one must first understand the California Act that has served as a template for many other statutes.¹¹ The California Act is one of the broadest in terms of entities covered, applying to all persons, businesses, and state agencies in California that own or license personal information.¹² It requires notification of parties whose personal information is compromised in the event of a breach.¹³

[5] The California Act is also broad in terms of the data covered. The key terms of the statute are the definition of "security breach," the notification requirements, and the definition of "personal information." A security breach is defined as an unauthorized acquisition of data that compromises the security of personal information.¹⁴ Personal information is defined as an individual's first name or initial and last name in combination with a social security number, a driver's license number, other information that would permit access to the individual's financial account (such as a password or PIN), or medical information.¹⁵

[6] The statute mandates that a business, or a person conducting business, notify individuals whenever there is a breach exposing those individuals' unencrypted¹⁶ personal information that was, or is reasonably believed to have been, acquired by an unauthorized party.¹⁷ Notification must be sent to all parties reasonably believed to have had their information breached.¹⁸ Notice may be given in writing or electronically; when the cost of notification would exceed $250,000 or more than 500,000 people have been affected, the Act allows substitute notice, for instance by notifying major media outlets and posting information about the breach online.¹⁹ Electronic notice is allowed only if it complies with the Electronic Signature Act.²⁰ Notice must be given "[i]n the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement."²¹

Variations

[7] While nearly every state has used California's model as a basic template, some significant variations exist. States most commonly differ in the breadth of the statute, the immediacy of notice required, the significance of encryption, and whether or not notice is required when there is not a reasonable threat of harm to the individual.

i. Strict vs. Flexible Statutes

[8] Legislatures have adopted different approaches to the condition that triggers the notification requirement. California requires notification whenever personal information is acquired.²² Statutes that follow the California Act in this respect are generally stricter in their application, requiring notification even if a breach may not lead to identity theft or financial exposure. In contrast, many states require notification only when the breach of personal information presents a risk of harm to the victims.²³ Such statutes give companies more flexible notification requirements.²⁴ Connecticut is representative of such "flexible" states...
