Posted on July 23, 2008 by Tanya Forsheit

Northern Disclosure: Alaska Enacts 44th State Breach Notification Law

Alaska passed a breach notification law in June, making it state number 44 to do so.  As most are aware by now, Alaska's new law, Alaska Stat. § 45.48.010 et seq., includes breach notification requirements, restrictions on use of Social Security numbers, and allows consumers to place a security [deep] freeze on their credit reports.  Notification of a breach is not required if, after an appropriate investigation and written notification to Alaska’s attorney general, the covered entity determines that there is not a reasonable likelihood that harm to consumers has resulted or will result from the breach.  By popular demand, following is our updated list of security breach notification laws.

Continue Reading...
Tags: , , , , , ,
Posted on May 12, 2008 by Tanya Forsheit

Iowa Enacts 43rd State Breach Notification Law

On May 9, 2008, Iowa Governor Chester Culver signed legislation (SF 2308) requiring any person who owns or licenses computerized data that includes a consumer's personal information to give notice of a breach of security. The law does not require notification if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach.  Following is an updated list of the 43 state security breach notification laws (plus District of Columbia and Puerto Rico).

Continue Reading...
Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,
Posted on April 7, 2008 by Tanya Forsheit

More Breach Notification Laws -- 42 States and Counting

Virginia, West Virginia, and South Carolina are the latest states to pass data breach notification laws, bringing to 42 the total number of states with such laws on the books (including the one state with a law that applies only to public entities, Oklahoma).  Listed below are the 41 states with laws that apply to private entities (plus the District of Columbia and Puerto Rico).

Continue Reading...
Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,
Posted on December 1, 2007 by Clifford Davidson

Updated Breach Notification Laws

Following is an updated list of citations to state data breach notification laws. We also note that as of January 1, 2008, California’s data breach notification law, Civil Code § 1798.82, will include "medical information" and "health insurance information" in the definition of personal information. Also, any business "maintained for the purpose of managing medical information" must comply with the prohibitions of California’s Confidentiality of Medical Information Act, effective January 1. These changes were enacted through A.B. 1298, signed by Governor Schwarzenegger on October 14, 2007.

Continue Reading...
Tags: , ,
Posted on October 14, 2007 by Tanya Forsheit

Governor Schwarzenegger Says No to California A.B. 779

On Saturday, California Governor Arnold Schwarzenegger vetoed AB 779, legislation that would have amended California’s landmark data security breach legislation. The bill would have been the first to follow law enacted by Minnesota earlier this year and effective August 1, 2007, discussed here, that amended Minnesota’s security breach notification law by, among other things, prohibiting businesses from retaining certain payment card data after authorization of a transaction.

As discussed in our previous posts here and here, AB 779 was proposed in the wake of the massive security breach at the TJX Companies and would have prohibited businesses that sell goods or services to any resident of California and that accept as payment credit cards, debit cards, or other payment devices from, among other things, storing, retaining, sending, or failing to limit access to payment-related data, and from storing sensitive authentication data subsequent to an authorization, unless a specified exception applied. The bill also incorporated certain liability-shifting provisions that would have made such businesses liable to the owner or licensee of the information for the reimbursement of reasonable and actual costs of providing notice to consumers as required by existing law and for the reasonable and actual cost of card replacement as a result of the breach of the security of the system. It also would have mandated the inclusion of specific kinds of information about a breach in notices provided to individuals affected by the breach.

Continue Reading...
Tags: , , , , , , , , , , , , ,
Posted on August 16, 2007 by Tanya Forsheit

Massachusetts Is 39th State to Mandate Breach Notification

Massachusetts is now the 39th state to enact a personal data breach notification law. On August 2, Governor Deval Patrick signed the law, requiring that businesses and government agencies notify residents of data breaches in certain situations. The law requires that a person or agency that owns or licenses personal information about a resident of the commonwealth notify the attorney general, the director of consumer affairs and business regulation, and the affected resident if it "knows or has reason to know of a breach of security" or "knows or has reason to know that the personal information of such resident was acquired or used by an unauthorized person or used for an unauthorized purpose." Notice also must be provided to consumer reporting agencies and state agencies identified by the director of consumer affairs and business regulation.

Unlike the majority of state breach notification laws, Massachusetts defines a "breach of security" to include hard copy, as well as electronic data. A breach is defined as "the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth." The only other states that currently require notification in the event of a breach involving hard copy data are Hawaii, Indiana, North Carolina, and Wisconsin.

Continue Reading...
Tags: , , , ,
Posted on August 3, 2007 by Tanya Forsheit

Breach Law Data

We thought it might be helpful to provide citations to the 37 state (plus D.C. and Puerto Rico) breach notification laws that cover private entities (Oklahoma’s law, that only addresses state agencies, is not included).  We also provide links, or uploaded copies, where available.

Continue Reading...
Tags: , , , , ,
Posted on July 31, 2007 by Tanya Forsheit

Oregon Becomes 38th State to Adopt Breach Notification Law

On July 12th, Oregon Governor Theodore R. Kulongoski signed into law S.B. 583, an omnibus data security bill scheduled to take effect on October 1. Oregon is the 38th state to enact a breach notification law (37 states have legislation that applies to private entities); the District of Columbia and Puerto Rico also have similar legislation. Continuing a five-year-old national legislative trend, Oregon lawmakers greenlit provisions requiring state businesses and government agencies to notify residents of certain kinds of data breaches.

Continue Reading...
Tags: , , , ,
Posted on June 14, 2007 by Tanya Forsheit

Consumer Unable to Demonstrate Injury Based on Credit Monitoring Costs in Data Breach Case

A recent decision from the Southern District of Ohio echoes prior decisions of district courts addressing negligence claims against companies that have experienced a data breach. The court held that the cost of obtaining credit monitoring services does not count as damages without evidence of identity fraud. Kahle v. Litton Loan Servicing LP, case no. 1:05cv756.   

On August 27, 2005, the defendant, Litton Loan Servicing LP, experienced a break-in involving the theft of more than $60,000 of computer equipment. The perpetrators took six unmarked hard drives, four of which contained the personal information of 229,501 people, including the plaintiff Patricia Kahle. The police conducted an investigation and Litton hired a private investigator who conducted a separate investigation. Litton provided notice of the theft to each person whose information was on the stolen hard drives approximately four weeks after the break-in. The notice included the type of information stolen, a Federal Trade Commission website that could be of assistance, and a toll free contact number at Litton. The notice also recommended that affected consumers place a fraud alert on their credit file.

Continue Reading...
Tags: ,
Posted on May 29, 2007 by Timothy P. Tobin

In Response To TJX Data Breach, One State Enacts Legislation Imposing New Security and Liability Obligations; Similar Bills Pending in Five Other States

Lawmakers in six states have responded quickly to the massive data breach at TJX Companies, Inc. with various bills designed to strengthen merchant security and/or render companies liable for third party companies’ costs arising from data breaches. These latest bills – introduced in California, Connecticut, Illinois, Massachusetts, Minnesota and Texas – represent a new front of state legislative activity to regulate privacy and data security and expand requirements beyond the current data breach notification and data security laws that many states have enacted in recent years. To date, Minnesota is the only state to enact such legislation, which was signed into law by its Governor on May 21, 2007.

Continue Reading...
Tags: ,
Posted on May 11, 2007 by Brendon Tavelli

New York Attorney General Tags Worker's Compensation Claims Service Provider for Seven Week Delay in Security Breach Notification

On April 26, 2007, New York Attorney General Andrew Cuomo announced that his office entered into a settlement with CS STARS LLC for violating the state’s Information Security Breach and Notification Law, which is codified at N.Y. Gen. Bus. Law § 899-aa. Cuomo’s office targeted CS STARS for delaying, for seven weeks, the issuance of legally required notification regarding the theft of a computer which contained the personal information of approximately 540,000 worker’s compensation recipients.

Continue Reading...
Tags: , , , ,
Posted on March 6, 2007 by Clifford Davidson

110th Congress Proposes Sweeping Federal Data Security Legislation

Senators and Representatives from both sides of the aisle have introduced several new pieces of legislation proposing sweeping new frameworks for data privacy law:

            S. 239 (“Notification of Risk to Personal Data Act”);
            H.R. 958 (“Data Accountability and Trust Act”);
            H.R. 836 (“Cyber-Security Enhancement and Consumer Data Protection Act of 2007”); and 
            S. 495 (“Personal Data Privacy and Security Act of 2007”).   

S. 495 and H.R. 958 establish requirements for data security, as well as breach notification standards; S. 239 is limited to breach notification requirements; and H.R. 836 criminalizes the concealment of data breaches, enhances penalties for identity theft, and requires the reporting of breaches to federal law enforcement agencies. Whatever the final text of data privacy legislation, we are likely to see this Congress pass federal data security legislation. Congressional leaders have emphasized that data privacy and breach notification are top priorities.

Federal legislation is necessary, some believe, in order to standardize what currently is a patchwork of requirements among the 35 states with data security and breach notification requirements.                 

Following are some of the more notable provisions of the proposed bills:

Continue Reading...
Tags: , , , , ,
Posted on December 21, 2006 by Tanya Forsheit

New Congress May Seek To Preempt State Data Privacy Laws

A number of recent developments indicate that the 110th Congress, to be seated in January, may seek to federalize data privacy laws and preempt state legislation in that area. Several data security bills were introduced in the 109th Congress; however, to date, none have passed.

Sen. Patrick Leahy of Vermont, the incoming chair of the Committee on the Judiciary, recently reiterated his commitment to enacting privacy legislation. One of Leahy’s aides noted that he expects the reintroduction of S. 1789, a bill heard by the Judiciary Committee that did not progress. In addition to creating requirements for protection of data and notification of breaches, S. 1789, at least as revised in 2005, contains the following clause: "No State may require any business entity subject to this subtitle to comply with any requirements with respect to administrative, technical, and physical safeguards for the protection of sensitive personally identifying information."

Senator Diane Feinstein of California, incoming chair of the Senate Committee on the Judiciary Subcommittee on Terrorism, Technology and Homeland Security, also plans to introduce legislation concerning notification of data breaches. Feinstein introduced similar legislation in 2005. That bill, which was referred to the Committee on the Judiciary, would have preempted state law only to the extent it was inconsistent.

For more on other data security bills introduced in the 109th Congress, see this Alert.

Continue Reading...
Tags: