It's Not Too Late to Come to the Party: Mississippi Joins 45 Other States by Enacting a Security Breach Notification Law

Posted on April 13, 2010 by Andrew Hoffman

On April 7, 2010, Mississippi Governor Haley Barbour signed H.B. 583, making his state the forty-sixth state with a security breach notification law on the books.

 

Effective July 1, 2011, H.B. 583 will require any person who conducts business in Mississippi and who, in the ordinary course of the person’s business, functions, owns, licenses or maintains personal information of any Mississippi resident to notify certain individuals when the security of their unencrypted personal information may be at risk.Mississippi's new law is consistent with other states’ security breach notification laws in many respects, but deviates in at least one potentially significant way.Specifically, the law only requires notice to “affected individuals,” which are defined to mean residents of Mississippi whose personal information was, or is reasonably believed to have been, intentionally acquired by an unauthorized person through a breach of security. Like it or not (and the business community ought to like it), this qualification may allow a covered entity to avoid providing notice when electronic media containing personal information is simply lost, or when such information is inadvertently sent to the wrong person. (However, when the compromised information belongs to another business, there is still a requirement to notify that business.) H.B. 583 also does not require notification if a covered entity determines, after an appropriate investigation, that the security breach “will not likely result in harm to the affected individuals.” This latter provision, however, is not unlike provisions in other states’ laws that require a so-called material risk of harm” to trigger a notification obligation.

The enactment of H.B. 583 in Mississippi means only Alabama, Kentucky, New Mexico, and South Dakota have yet to adopt such a law. But as the saying goes, better late than never!
Tags: , , , ,

Proskauer Litigation Team Helps Secure Dismissal of Speculative Identity Exposure Claims Against BNY Mellon

Posted on September 2, 2009 by Brendon Tavelli

Where the only harm alleged is mere “speculation as to a possible risk of injury,” a claim cannot survive a 12(b)(6) motion to dismiss, according to a District of Connecticut decision issued on August 31, 2009. McLoughlin v. People’s United Bank, Inc., and Bank of New York Mellon, Inc., No. 3:08-cv-00944-VLB (D. Conn. Aug. 31, 2009), thus follows a long and growing line of cases which simply hold that where there is no actual harm, there can be no case. 

In February 2008, the archive vendor transporting back-up tapes associated with The Bank of New York Mellon Shareowner Services, a business unit of The Bank of New York Mellon (“BNY Mellon”), discovered that one of ten boxes was missing. Those tapes contained certain shareowner, plan participant, and payment information, including Social Security numbers and other personally identifying information. Customers of People’s United Bank, another financial institution and a client of Shareowner Services, were among the persons whose data was contained on the missing tapes. Shortly after the tape loss, BNY Mellon alerted affected individuals and offered them two years of credit monitoring, $25,000 in identity theft insurance, and a free credit freeze.

In May 2008, several individual plaintiffs brought a putative class action against People’s United Bank and BNY Mellon, claiming that the loss of the tapes compromised their personal information. They sought damages based on an alleged violation of the Connecticut Unfair Trade Practices Act (“CUTPA”), negligence, and breach of fiduciary duty. Notably, plaintiffs did not allege that any direct financial losses had occurred or that any member of the putative class had been the victim of identity theft as a result of the breach. Plaintiffs instead alleged that the increased risk of identity theft constituted cognizable harm because they would have to pay for future credit monitoring (beyond the two years offered by the defendants) and take other steps to protect against an increased risk of identity theft arising from the incident. Additionally, although not alleged in the complaint, Plaintiffs later argued that the fees paid to People’s United Bank represented additional actual harm (an argument which was roundly rejected by the court as an improper amendment of the pleadings in motion papers).

Judge Bryant rejected plaintiffs’ arguments and granted defendants’ motions to dismiss as to all claims. In dismissing the negligence claim, the court relied chiefly on two recent Southern District of New York decisions, Caudle v. Towers, Perrin, Forster & Crosby, Inc., 80 F. Supp. 2d 573 (S.D.N.Y. 2008) (dismissing claims for negligence and breach of fiduciary duty brought by plaintiffs whose identities had not been stolen), and Shafran v. Harley Davidson, Inc., 2008 WL 763177, at *3 (S.D.N.Y. Mar. 20, 2008) (“an increased risk of future identity theft is not, in itself, an injury that the law is prepared to remedy. Plaintiff’s alleged injuries are solely the result of a perceived and speculative risk of future injury that may never occur.”). As Judge Bryant explained in her opinion:

[T]he Plaintiffs have pointed to no case decided anywhere in the country where a court allowed a negligence claim to survive absent an allegation of actual identity theft . . . . The Court concludes that the courts of Connecticut, like those of New York, would not recognize a negligence claim founded solely on the fear, unsupported by any allegation of malfeasance, of identity theft . . . .

 

Judge Bryant followed similar reasoning in dismissing the CUTPA and breach of fiduciary duty claims, both of which require an actual, ascertainable loss or harm.

 

McLoughlin is the latest in a series of data loss cases that refuse to recognize damages stemming from mere “increased risk of harm” absent some evidence of actual fraud or identity theft. See, e.g., Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629 (7th Cir. 2007); Stollenwerk v. Tri-West Health Care Alliance, No. 05-16990, 2007 U.S. App. LEXIS 27164 (9th Cir. Nov. 20, 2007); Willey v. J.P. Morgan Chase, N.A., No. 09 Civ. 1397 (CM), 2009 WL 1938987 (S.D.N.Y. July 7, 2009); Randolph v. ING Life Ins. & Annuity Co., No. 07-CV-791 (D.C. Jun. 18, 2009); Ruiz v. Gap, Inc., No. 07-5739 SC, 2009 WL 941162 (N.D. Cal. Apr. 6, 2009); Belle Chasse Auto. Care, Inc. v. Advanced Auto Parts, Inc., No. 08-1568, 2009 WL 799760 (E.D. La. Mar. 24, 2009); Forbes v. Wells Fargo Bank, N.A., 420 F. Supp. 2d 1018 (D. Minn. 2006); Bell v. Acxiom Corp., 4:06CV00485-WRW, 2006 U.S. Dist. LEXIS 72477 (E.D. Ark. Oct. 3, 2006); Giordano v. Wachovia Sec., LLC, Civ. No. 06-476 (JBS), 2006 U.S. Dist. LEXIS 52266 (D.N.J. July 31, 2006).

 

Special thanks to this week’s guest author, Jason Gerstein, a member of Proskauer’s litigation team for the McLoughlin case, for preparing this post.
Tags: , , , , , , , , , , , , , , ,

Show-Me State Finally Shows Its Residents a Data Breach Notification Law, Other States (TX, NC, ME) Make Changes

Posted on July 30, 2009 by Brendon Tavelli

On July 9, 2009, Missouri Governor Jay Nixon signed House Bill 62 ("HB 62”), making the Show-Me State the 45th state with an information security breach notification law on the books. The new law takes effect on August 28, 2009. But Missouri’s new law isn’t the only new data breach notification requirement on the horizon. Amendments to existing data breach notice laws in three other states, Texas, Maine and North Carolina, will also become effective soon.

Missouri: HB 62 includes many provisions that are similar to other state laws requiring notice to individuals when the security of their personal information has been compromised. For example, HB 62 includes a “material risk of harm” trigger. In other words, a business is not required to notify Missouri residents if, after an appropriate investigation or consultation with relevant law enforcement authorities, the business determines that identity theft is not likely to result from the breach. In addition, a business is not required to notify state residents if the personal information compromised was encrypted. Like some other state laws, HB 62 also requires notice to the Missouri Attorney General and national consumer reporting agencies if more than 1,000 Missouri residents are notified, and allows the Attorney General to seek actual damages or civil penalties from persons that fail to comply with the law.

HB 62 applies to the “typical” categories of personal information, including Social Security numbers, driver’s license numbers and information that would permit access to an individual’s financial accounts. But unlike most other state data breach notification laws, HB 62 also applies to medical and health insurance information, including an individual’s medical history, mental or physical condition, treatment or diagnosis, health insurance policy number and any other unique identifier used by a health insurer. Previously, only laws in California, Arkansas and Texas (see below) applied to this kind of information.

Texas:  On June 19, 2009, Texas Governor Rick Perry signed House Bill 2004 (“HB 2004”), which expanded the scope of Texas’ data breach notification law to include public sector entities and health information. Specifically, HB 2004 amends the definition of “sensitive personal information” to include health care information, such as information about an individual’s physical or mental health or payment for health care services. The bill also amends the definition of “breach of system security” to reach breaches of encrypted information “if the person accessing the data has the key required to decrypt the data.” Finally, HB 2004 makes the state’s breach notice obligations applicable to public sector entities and nonprofit athletic and sports associations.

North Carolina: As of October 1, 2009, entities doing business in North Carolina will be required to both provide more detailed data breach notices to individuals and be more forthcoming with the state’s attorney general. North Carolina Senate Bill 1017 (“SB 1017”), signed by Governor Bev Perdue on July 27, 2009, amends North Carolina’s data breach notification law in two significant ways. First, SB 1017 requires notice to the attorney general anytime a business notifies North Carolina residents of a breach. Previously, such notice had been required only for breaches affecting more than 1,000 people. Second, notices to individuals affected by a breach will now be required to include a telephone number for the business providing the notice; toll-free numbers and addresses for the national credit reporting agencies; and toll-free numbers, addresses and web site addresses for the Federal Trade Commission and the North Carolina Attorney General’s Office along with a statement that individuals can learn about preventing identity theft from these sources. These new requirements build on top of existing mandates to (1) describe the incident, the type(s) of personal information unlawfully obtained and the actions being taken to prevent further unauthorized access; (2) provide a telephone number that the recipient may call for further information and assistance; and (3) advise affected individuals to remain vigilant by reviewing account statements and monitoring free credit reports.

MaineFor information about the recent amendment to Maine’s breach notification law, soon to become effective, see our prior blog post.

Since Missouri’s new law and these important updates need to be added to the smorgasbord of state data breach notification laws, it is probably a good time to revisit “The List” of such laws. Here it is!

Alaska (ALASKA STAT. § 45.48.010 et seq.)

Arizona (ARIZ. REV. STAT. ANN. § 44-7501(h))

Arkansas (ARK. CODE ANN. § 4-110-101 et seq.)

California (CAL. CIV. CODE § 1798.82)

Colorado (COLO. REV. STAT. § 6-1-716)

Connecticut (CONN. GEN. STAT. § 36a-701b)

Delaware (DEL. CODE ANN. tit. 6, § 12B-101)

District of Columbia (D.C. CODE § 28-3851)

Florida (FLA. STAT. § 817.5681)

Georgia (GA. CODE ANN. § 10-1-911)

Hawaii (HAW. REV. STAT. §§ 487N-1 et seq.)

Idaho (IDAHO CODE ANN. § 28-51-104 et seq.)

Illinois (815 ILL. COMP. STAT. ANN. 530/5, /10)

Indiana (IND. CODE § 24-4.9)

Iowa (IOWA CODE § 715C.1 et seq.)

Kansas (KAN. STAT. ANN. § 50-7a01-02)

Louisiana (LA. REV. STAT. ANN. § 51:3071 et seq.)

Maine (ME. REV. STAT. ANN. tit. 10, §1346 et seq.; see also L.D. 970)

Maryland (MD. CODE ANN., COM. LAW § 14-3501 et seq.)

Massachusetts (MASS. GEN. LAWS ANN. ch. 93H, § 1 et seq.)

Michigan (MICH. COMP. LAWS ANN. § 445.72)

Minnesota (MINN. STAT. § 325E.61)

Missouri (HB 62, tentatively codified at MO. REV. STAT. § 407.1500)

Montana (MONT. CODE ANN. § 30-14-1704)

Nebraska (NEB. REV. STAT. § 87-801 et seq.)

Nevada (NEV. REV. STAT. 603A.010 et seq.)

New Hampshire (N.H. REV. STAT. ANN. § 359-C:19 et seq.)

New Jersey (N.J. STAT. ANN. § 56:8-163)

New York (N.Y. GEN. BUS. LAW § 899-aa)

North Carolina (N.C. GEN. STAT. § 75-65; see also SB 1017)

North Dakota (N.D. CENT. CODE § 51-30-01 et seq.)

Ohio (OHIO REV. CODE ANN. § 1349.19)

Oklahoma (OKLA. STAT. § 74-3113.1)

Oregon (OR. REV. STAT. § 646A.600 et seq.)

Pennsylvania (73 PA. STAT. § 2303)

Puerto Rico (P.R. LAWS ANN. tit. 10, § 4051)

Rhode Island (R.I. GEN. LAWS § 11-49.2-3)

South Carolina (S.C. CODE ANN. § 39-1-90)

Tennessee (TENN. CODE ANN. § 47-18-21)

Texas (TEX. BUS. & COM. CODE ANN. § 521.001 et seq.; see also HB 2004)

Utah (UTAH CODE ANN. § 13-44-101 et seq.)

Vermont (VT. STAT. ANN. tit. 9, § 2430 et seq.)

Virginia (Va. Code Ann. § 18.2-186.6)

U.S. Virgin Islands (V.I. CODE ANN. tit. 14, § 2209)

Washington (WASH. REV. CODE § 19.255.010)

West Virginia (W. Va. Code § 46A-2A-101 et seq.)

Wisconsin (WIS. STAT. § 134.98)

Wyoming (WYO. STAT. ANN. § 40-12-501 et seq.)
Tags: , , , , , , , , , , ,

Decrypting HHS Guidance on Breach Notification and Security under the HITECH Act: NIST, FIPS, and More

Posted on June 5, 2009 by Sara Krauss

Two months after Congress mandated notification for the breach of unsecured protected health information (PHI), the Secretary of Health and Human Services (HHS) defined what it means to be “unsecured.” As required by Section 13402 of the HITECH Act, H.R. 1, 111th Cong. (1st Sess. 2009) (which was part of the American Recovery and Reinvestment Act of 2009), the Secretary issued guidance and a request for comments on the technologies and methodologies rendering information unusable, unreadable or indecipherable. 74 Fed. Reg. 19006 (Apr. 27, 2009) (to be codified at 45 C.F.R. pts. 160, 164).

As we previously reported, the HITECH Act’s notification requirements for breaches of unsecured PHI apply to entities subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), their business associates, and non-HIPAA covered vendors of personal health records (PHR). To constitute a breach, the acquisition, use, access or disclosure of the PHI must “compromise[] the security or privacy of such information.” HITECH Act at §13400(1)(A). The newly issued HHS guidance lists technologies and methodologies that secure information, rendering the data unusable, unreadable, or indecipherable. If PHI is secured according to the HHS guidance, unauthorized access to such information will not trigger the HITECH breach notification requirements, although these breaches may still be subject to state law notification requirements.

This HHS guidance also is to be used to render identifiable health information unusable, unreadable, or indecipherable for purposes of the temporary breach notification requirements that apply to vendors of PHRs, the requirements for which are to be administered by the Federal Trade Commission (which in turn issued proposed regulations, on April 16, 2009, addressing consumer notice for breaches of electronic health information by PHRs).

The HHS guidance provides two methods of securing information for the purposes of the HITECH Act: destruction and encryption. Destruction may secure information that was found in either paper format or in electronic media. In order to satisfy the destruction method, the paper or other hard copy media must be shredded or destroyed such that the PHI cannot be read or otherwise reconstructed. Electronic media must be cleared, purged, or destroyed in accordance with the specifications set forth in National Institute of Standards and Technology (NIST) Special Publication 800-88. 74 Fed. Reg. at 19010.

According to the guidance, the effectiveness of encryption depends on the strength of the algorithm and the security of the decryption key or process. PHI is not secure if the decryption key or process has been breached. Encryption only secures PHI if, in accordance with the HIPAA Security Rule, an algorithm “transform[s] data into a form in which there is a low probability of assigning meaning without the use of a confidential process or key.” 45 C.F.R. § 164.304. Accordingly, the HHS guidance only specifies encryption processes that have been tested and approved by NIST. Data at rest, which is filed or stored in a database, should be encrypted according to the processes outlined in NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices. Encryption processes for data in motion, including that being transmitted or moving through a network, should comply with Federal Information Processing Standards (FIPS) 140-2. Some examples of conforming processes for data in motion are outlined in NIST Special Publications 800-52 (relating to Transport Layer Security (TLS) Implementations); 800-77 (addressing IPsec VPNs); and 800-113 (SSL VPNs), and may include others which are FIPS 140-2 validated.

Since the technologies and methodologies in the guidance are intended to be exhaustive, the Secretary of HHS sought comments regarding additional technologies or methodologies for inclusion in future guidance. HHS also requested comments on various other related issues, including instances when specified technologies and methodologies would fail to secure information, how the federal notice requirements affect existing state law requirements, and whether and how limited data sets (created in accordance with the HIPAA Privacy Rule) could be included in this guidance. This HHS guidance will be closely watched not only as it relates to federal law, but also as to how it informs state law interpretations. Encryption remains undefined under state law, and the HHS guidance provides a potentially important source of interpretation.

This guidance will apply to breaches that occur at least thirty days after publication by HHS of the interim final regulations on breach notification (which have not yet been issued). Any modifications to this guidance based on comments received are expected to be made prior to or concurrent with those regulations.

Proskauer summer associate Katrina McCann contributed to this post.
Tags: , , , , , , , , , , , , ,

Seven Days Is All She Wrote . . .

Posted on May 25, 2009 by Proskauer Rose LLP

As our readers know, many of the 44 state data breach notification laws allow for (and may even require) a brief delay in notifying affected individuals of the breach if that notification would interfere with or impede a law enforcement investigation.  Last week, the governor of Maine, emphasizing the importance of providing notice "as expediently as possible and without unreasonable delay, consistent with the legitimate needs of law enforcement," as articulated in the existing statute, amended that state's data breach notification law.  The amendment clarifies that notification may be delayed for no longer than 7 business days after a law enforcement agency determines that the notification will not compromise a criminal investigation.  The amended language can be found here.  It becomes effective 90 days following adjournment of Maine's 124th Legislature.

Tags: , , , , , , , , , ,

Third Time's a Charm for "Data Accountability and Trust"? Federal Breach Notification Bill Introduced in the House. Again. This Time With Data Security Provisions.

Posted on May 12, 2009 by Jennifer Roche

On April 30, 2009, Representative Bobby Rush (D-Ill) introduced H.R. 2221, the Data Accountability and Trust Act. The bill is nearly identical to H.R. 958, introduced by Rep. Rush in the 110th Congress, and is similar to the Data Accountability and Trust Act, introduced by Rep. Stearns (R-FL) in the 109th Congress. Of course, the newest “Data Accountability and Trust Act” is only the most recent of dozens of bills proposed over the last several years that would implement uniform federal breach notification requirements and preempt the 44 state laws requiring notification. Rep. Rush’s latest bill also includes data security provisions and would preempt the growing number of state laws imposing such requirements.

H.R. 2221 provides for notification following discovery of a breach of security of a system maintained by any person engaged in interstate commerce that owns or possesses data in electronic form containing personal information. The bill would require notification to each individual whose personal information was acquired by an unauthorized person as a result of such a breach of security, and to the Federal Trade Commission. The bill includes special notification requirements for third party agents, telecommunications carriers, cable operators, information services, and interactive services, and for a breach involving health information.

Personal information, as defined in the bill, is an individual’s first name or initial and last name, or address, or phone number, in combination with any one or more of the following: the individual’s social security number, driver’s license number or other State identification number, or a financial account number or credit card number and any security or access code needed to access the account. Breach notification would be exempted, however, where the person that owns or possesses the data determines that there is “no reasonable risk of identity theft, fraud or unlawful conduct” from the unauthorized data access. Breaches of encrypted data would presumptively be exempt.

Importantly, the bill expressly preempts state laws regarding data breach notification. Preemption of state laws, such as those in California that contain different “trigger” language governing when notification is required, was one reason the bill struggled when initially introduced in 2005.

Where notification is required, the bill specifies methods for and required content of notification. Written, or in some circumstances, email, notification is required; the notice must include a description of the information acquired, notice of the right to receive free consumer credit reports, and certain relevant telephone contact numbers. Substitute notification, allowing notification to be posted on the entity’s website and in print and broadcast media, is allowed for those persons owning or possessing the data of fewer than 1,000 individuals.

Other provisions in the bill call for regulations to be promulgated governing the establishment of policies and procedures regarding practices to protect data containing personal information by those who own or possess such information. State laws regarding information security practices on the treatment of such data also would again be subject to preemption. Additionally, the bill contains specific provisions covering information brokers – requiring that brokers supply their security policies to the FTC either in conjunction with a breach notification or upon the Commission’s request. Under the proposed Act, information brokers would be required to allow each individual whose personal information it maintains to review his or her own data for accuracy.

Rep. Boucher (D-Va), who is planning to introduce a bill addressing how information collected online is stored and used, and Rep. Rush are planning to hold a hearing this summer to discuss how their bills “intersect.”

Stay tuned.
Tags: , , , , , , , , ,

2008 Study: Cost of Data Breaches Continues to Rise

Posted on February 25, 2009 by S. Montaye Sigmon

A new benchmark study released by the Ponemon Institute indicates that the costs associated with data breaches in the U.S. continue to rise. The Fourth Annual U.S. Cost of Data Breach Study (“Study”) found that the average cost of a data breach has risen to $202 per customer record lost or stolen, up from $138 per customer record lost of stolen in 2005, the first year that the study was conducted. According to the Privacy Rights Clearinghouse, since 2005, more than 250 million customer records containing confidential personal information have been lost or stolen.

The Study surveyed 43 U.S. companies that experienced a breach involving the loss or theft of customer or consumer data over the past year. The surveyed companies experienced breach events involving loss or theft of 4,200 to 113,000 records. The cost of individual breach incidents ranged from a minimum of $613,000 to a maximum of $32 million, and averaged $6.65 million per company. The Study concluded that the cost of a breach is proportional to the size of a breach in terms of the number of customer/consumer records lost or stolen. 

Lost Business Largest Component of Data Breach Costs
The results of the Study suggest that companies are learning to manage costs associated with detecting and responding to data breaches, but have not yet learned how to prevent loss of business after a data breach occurs. According to the Study, the largest component of data breach costs continues to be the cost of lost business, which results from both the abnormal turnover of customers following a data breach and the diminished rate of acquisition of new customers.[1] In 2008, the lost business component comprised almost 69% of the breach costs – that percentage represents a continuing trend of lost business comprising an increasingly higher proportion of data breach costs. 

Costs of Detecting and Responding to Breach Steady

Meanwhile, the costs of detecting and reporting a breach, providing notifications after a breach, and responding to a breach (activities like credit card monitoring, communicating recommendations to customers to minimize the harm cause by a breach, or re-issuing a new card or account number), either remained flat or slightly decreased from 2007 to 2008, possibly due to companies having a more mature privacy or information security programs allowing them to detect and respond to data breaches more efficiently than a few years ago. 

 

Additional Study Facts:

  • Approximately 35% of all data breach incidents involved lost or stolen laptop computers or other mobile data devices, such as memory sticks.
  • More than 88% of all cases in the 2008 Study involved insider negligence.
  • Data breaches involving malicious acts are more expensive than breaches involving negligent acts, costing some $26 per customer record.
  • First-time data breaches are more expensive than subsequent breaches, costing some $243 per customer record versus $199 per customer record for companies that have experienced previous data breaches.

Knowing the potential cost of a data breach should allow companies to more accurately weigh the potential cost against the cost of putting policies, training, and other security measures such as encryption in place before any breach happens.


[1] Perhaps not surprisingly, healthcare and financial service companies that experienced data breaches have the highest rate of customer turnover. The Study surmises that such higher rates of turnover are likely due to customers having a higher expectation of protection for and privacy of their financial and healthcare records.
Tags: , , , , , ,

Northern Disclosure: Alaska Enacts 44th State Breach Notification Law

Posted on July 23, 2008 by Proskauer Rose LLP

Alaska passed a breach notification law in June, making it state number 44 to do so.  As most are aware by now, Alaska's new law, Alaska Stat. § 45.48.010 et seq., includes breach notification requirements, restrictions on use of Social Security numbers, and allows consumers to place a security [deep] freeze on their credit reports.  Notification of a breach is not required if, after an appropriate investigation and written notification to Alaska’s attorney general, the covered entity determines that there is not a reasonable likelihood that harm to consumers has resulted or will result from the breach.  By popular demand, following is our updated list of security breach notification laws.

Alaska (ALASKA STAT. § 45.48.010 et seq.)

Arizona (ARIZ. REV. STAT. ANN. § 44-7501(h))

Arkansas (ARK. CODE ANN. § 4-110-101 et seq.)

California (CAL. CIV. CODE § 1798.82)

Colorado (COLO. REV. STAT. § 6-1-716)

Connecticut (CONN. GEN. STAT. § 36a-701b)

Delaware (DEL. CODE ANN. tit. 6, § 12B-101)

District of Columbia (District of Columbia B16-810, D.C. Code § 28-3851)

Florida (FLA. STAT. § 817.5681)

Georgia (GA. CODE ANN. § 10-1-911)

Hawaii (Hawaii Revised Stat. §§ 487N-1 et seq.)

Idaho (IDAHO CODE ANN. § 28-51-104 et seq.)

Illinois (815 ILL. COMP. STAT. ANN. 530/5, /10)

Indiana (IND. CODE § 24-4.9)

Iowa (SF 2308)

Kansas (KAN. STAT. ANN. §§ 50-7a01-02)

Louisiana (LA. REV. STAT. ANN. § 51:3071 et seq.)

Maine (ME. REV. STAT. ANN. tit. 10, §1346 et seq.)

Maryland (H.B. 208 and S.B. 194)

Massachusetts (Massachusetts General Laws Ann. 93H §§ 1 et seq.)

Michigan (Michigan Compiled Laws Ann. 445.72)

Minnesota (MINN. STAT. § 325E.61)

Montana (MONT. CODE ANN. § 30-14-1704)

Nebraska (NEB. REV. STAT. § 87-801 et seq.)

Nevada (NEV. REV. STAT. 603A.010 et seq.)

New Hampshire (N.H. REV. STAT. ANN. § 359-C:19 et seq.)

New Jersey (N.J. STAT. ANN. § 56:8-163)

New York (N.Y. GEN. BUS. LAW § 899-aa)

North Carolina (N.C. GEN. STAT.§ 75-60 et seq.)

North Dakota (N.D. CENT. CODE § 51-30-01 et seq.)

Ohio (OHIO REV. CODE ANN. § 1349.19)

Oklahoma (Okla. Stat. § 74-3113.1)

Oregon (S.B. 583)

Pennsylvania (73 PA. CONS. STAT. ANN. § 2303)

Puerto Rico (Law 111 and Regulation 7207)

Rhode Island (R.I. GEN. LAWS § 11-49.2-3)

South Carolina S.B. 453

Tennessee (TENN. CODE ANN. § 47-18-21)

Texas (TEX. BUS. & COMM. CODE ANN. § 521.001 et seq.)

Utah (UTAH CODE ANN. § 13-44-101 et seq.)

Vermont (VT. STAT. ANN. tit. 9, § 2430 et seq.)

Virginia S.B. 307

Washington (WASH. REV. CODE § 19.255.010)

West Virginia S.B. 340

Wisconsin (WIS. STAT. § 134.98)

Wyoming (W.S. 40-12-501 through 40-12-509)
Tags: , , , , , ,

Iowa Enacts 43rd State Breach Notification Law

Posted on May 12, 2008 by Proskauer Rose LLP

On May 9, 2008, Iowa Governor Chester Culver signed legislation (SF 2308) requiring any person who owns or licenses computerized data that includes a consumer's personal information to give notice of a breach of security. The law does not require notification if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach.  Following is an updated list of the 43 state security breach notification laws (plus District of Columbia and Puerto Rico).

Arizona (ARIZ. REV. STAT. ANN. § 44-7501(h))

Arkansas (ARK. CODE ANN. § 4-110-101 et seq.)

California (CAL. CIV. CODE § 1798.82)

Colorado (COLO. REV. STAT. § 6-1-716)

Connecticut (CONN. GEN. STAT. § 36a-701b)

Delaware (DEL. CODE ANN. tit. 6, § 12B-101)

District of Columbia (District of Columbia B16-810, D.C. Code § 28-3851)

Florida (FLA. STAT. § 817.5681)

Georgia (GA. CODE ANN. § 10-1-911)

Hawaii (Hawaii Revised Stat. §§ 487N-1 et seq.)

Idaho (IDAHO CODE ANN. § 28-51-104 et seq.)

Illinois (815 ILL. COMP. STAT. ANN. 530/5, /10)

Indiana (IND. CODE § 24-4.9)

Iowa (SF 2308)

Kansas (KAN. STAT. ANN. §§ 50-7a01-02)

Louisiana (LA. REV. STAT. ANN. § 51:3071 et seq.)

Maine (ME. REV. STAT. ANN. tit. 10, §1346 et seq.)

Maryland (H.B. 208 and S.B. 194)

Massachusetts (Massachusetts General Laws Ann. 93H §§ 1 et seq.)

Michigan (Michigan Compiled Laws Ann. 445.72)

Minnesota (MINN. STAT. § 325E.61)

Montana (MONT. CODE ANN. § 30-14-1704)

Nebraska (NEB. REV. STAT. § 87-801 et seq.)

Nevada (NEV. REV. STAT. 603A.010 et seq.)

New Hampshire (N.H. REV. STAT. ANN. § 359-C:19 et seq.)

New Jersey (N.J. STAT. ANN. § 56:8-163)

New York (N.Y. GEN. BUS. LAW § 899-aa)

North Carolina (N.C. GEN. STAT.§ 75-60 et seq.)

North Dakota (N.D. CENT. CODE § 51-30-01 et seq.)

Ohio (OHIO REV. CODE ANN. § 1349.19)

Oklahoma (Okla. Stat. § 74-3113.1)

Oregon (S.B. 583)

Pennsylvania (73 PA. CONS. STAT. ANN. § 2303)

Puerto Rico (Law 111 and Regulation 7207)

Rhode Island (R.I. GEN. LAWS § 11-49.2-3))

South Carolina S.B. 453

Tennessee (TENN. CODE ANN. § 47-18-21)

Texas (TEX. BUS. & COMM. CODE ANN. § 48.001 et seq.)

Utah (UTAH CODE ANN. § 13-44-101 et seq.)

Vermont (VT. STAT. ANN. tit. 9, § 2430 et seq.)

Virginia S.B. 307

Washington (WASH. REV. CODE § 19.255.010)

West Virginia S.B. 340

Wisconsin (WIS. STAT. § 895.507)

Wyoming (W.S. 40-12-501 through 40-12-509)
Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

More Breach Notification Laws -- 42 States and Counting

Posted on April 7, 2008 by Proskauer Rose LLP

Virginia, West Virginia, and South Carolina are the latest states to pass data breach notification laws, bringing to 42 the total number of states with such laws on the books (including the one state with a law that applies only to public entities, Oklahoma).  Listed below are the 41 states with laws that apply to private entities (plus the District of Columbia and Puerto Rico).

Arizona (ARIZ. REV. STAT. ANN. § 44-7501(h))

Arkansas (ARK. CODE ANN. § 4-110-101 et seq.)

California (CAL. CIV. CODE § 1798.82)

Colorado (COLO. REV. STAT. § 6-1-716)

Connecticut (CONN. GEN. STAT. § 36a-701b)

Delaware (DEL. CODE ANN. tit. 6, § 12B-101)

District of Columbia (District of Columbia B16-810, D.C. Code § 28-3851)

Florida (FLA. STAT. § 817.5681)

Georgia (GA. CODE ANN. § 10-1-911)

Hawaii (Hawaii Revised Stat. §§ 487N-1 et seq.)

Idaho (IDAHO CODE ANN. § 28-51-104 et seq.)

Illinois (815 ILL. COMP. STAT. ANN. 530/5, /10)

Indiana (IND. CODE § 24-4.9)

Kansas (KAN. STAT. ANN. §§ 50-7a01-02)

Louisiana (LA. REV. STAT. ANN. § 51:3071 et seq.)

Maine (ME. REV. STAT. ANN. tit. 10, §210-B-1346 et seq.)

Maryland (H.B. 208 and S.B. 194)

Massachusetts (Massachusetts General Laws Ann. 93H §§ 1 et seq.)

Michigan (Michigan Compiled Laws Ann. 445.72)

Minnesota (MINN. STAT. § 325E.61)

Montana (MONT. CODE ANN. § 30-14-1704)

Nebraska (NEB. REV. STAT. § 87-801 et seq.)

Nevada (NEV. REV. STAT. 603A.010 et seq.)

New Hampshire (N.H. REV. STAT. ANN. § 359-C:19 et seq.)

New Jersey (N.J. STAT. ANN. § 56:8-163)

New York (N.Y. GEN. BUS. LAW § 899-aa)

North Carolina (N.C. GEN. STAT.§ 75-60 et seq.)

North Dakota (N.D. CENT. CODE § 51-30-01 et seq.)

Ohio (OHIO REV. CODE ANN. § 1349.19)

Oregon (S.B. 583)

Pennsylvania (73 PA. CONS. STAT. ANN. § 2303)

Puerto Rico (Law 111 and Regulation 7207)

Rhode Island (R.I. GEN. LAWS § 11-49.2-3))

South Carolina S.B. 453

Tennessee (TENN. CODE ANN. § 47-18-21)

Texas (TEX. BUS. & COMM. CODE ANN. § 48.001 et seq.)

Utah (UTAH CODE ANN. § 13-44-101 et seq.)

Vermont (VT. STAT. ANN. tit. 9, § 2430 et seq.)

Virginia S.B. 307

Washington (WASH. REV. CODE § 19.255.010)

West Virginia S.B. 340

Wisconsin (WIS. STAT. § 895.507)

Wyoming (W.S. 40-12-501 through 40-12-509)

H.B. 208 and S.B. 194)
Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Updated Breach Notification Laws

Posted on December 1, 2007 by

Following is an updated list of citations to state data breach notification laws. We also note that as of January 1, 2008, California’s data breach notification law, Civil Code § 1798.82, will include "medical information" and "health insurance information" in the definition of personal information. Also, any business "maintained for the purpose of managing medical information" must comply with the prohibitions of California’s Confidentiality of Medical Information Act, effective January 1. These changes were enacted through A.B. 1298, signed by Governor Schwarzenegger on October 14, 2007.

Arizona (ARIZ. REV. STAT. ANN. § 44-7501(h)

Arkansas (ARK. CODE ANN. § 4-110-101 et seq.)

California (CAL. CIV. CODE § 1798.82)

Colorado (COLO. REV. STAT. § 6-1-716)

Connecticut (CONN. GEN. STAT. § 36a-701b)

Delaware (DEL. CODE ANN. tit. 6, § 12B-101)

District of Columbia (District of Columbia B16-810, D.C. Code § 28-3851)

Florida (FLA. STAT. § 817.5681)

Georgia (GA. CODE ANN. § 10-1-911)

Hawaii (S.B. 2290, Act 135)

Idaho (IDAHO CODE ANN. § 28-51-104 et seq.)

Illinois (815 ILL. COMP. STAT. ANN. 530/5, /10)

Indiana (IND. CODE § 24-4.9)

Kansas (KAN. STAT. ANN. §§ 50-7a01-02)

Louisiana (LA. REV. STAT. ANN. § 51:3071 et seq.)

Maine (ME. REV. STAT. ANN. tit. 10, §210-B-1346 et seq.)

Maryland (

H.B. 208 and S.B. 194)

Massachusetts (H. 4144)

Michigan (S.B. 309)

Minnesota (MINN. STAT. § 325E.61)

Montana (MONT. CODE ANN. § 30-14-1704)

Nebraska (NEB. REV. STAT. § 87-801 et seq.)

Nevada (NEV. REV. STAT. 603A.010 et seq.)

New Hampshire (N.H. REV. STAT. ANN. § 359-C:19 et seq.)

New Jersey (N.J. STAT. ANN. § 56:8-163)

New York (N.Y. GEN. BUS. LAW § 899-aa)

North Carolina (N.C. GEN. STAT.§ 75-60 et seq.)

North Dakota (N.D. CENT. CODE § 51-30-01 et seq.)

Ohio (OHIO REV. CODE ANN. § 1349.19)

Oregon (S.B. 583)

Pennsylvania (73 PA. CONS. STAT. ANN. § 2303)

Puerto Rico (Law 111 and Regulation 7207)

Rhode Island (R.I. GEN. LAWS § 11-49.2-3))

Tennessee (TENN. CODE ANN. § 47-18-21)

Texas (TEX. BUS. & COMM. CODE ANN. § 48.001 et seq.)

Utah (UTAH CODE ANN. § 13-42-101 et seq.)

Vermont (VT. STAT. ANN. tit. 9, § 2430 et seq.)

Washington (WASH. REV. CODE § 19.255.010)

Wisconsin (WIS. STAT. § 895.507)

Wyoming (W.S. 40-12-501 through 40-12-509)
Tags: , ,

Governor Schwarzenegger Says No to California A.B. 779

Posted on October 14, 2007 by Proskauer Rose LLP

On Saturday, California Governor Arnold Schwarzenegger vetoed AB 779, legislation that would have amended California’s landmark data security breach legislation. The bill would have been the first to follow law enacted by Minnesota earlier this year and effective August 1, 2007, discussed here, that amended Minnesota’s security breach notification law by, among other things, prohibiting businesses from retaining certain payment card data after authorization of a transaction.

As discussed in our previous posts here and here, AB 779 was proposed in the wake of the massive security breach at the TJX Companies and would have prohibited businesses that sell goods or services to any resident of California and that accept as payment credit cards, debit cards, or other payment devices from, among other things, storing, retaining, sending, or failing to limit access to payment-related data, and from storing sensitive authentication data subsequent to an authorization, unless a specified exception applied. The bill also incorporated certain liability-shifting provisions that would have made such businesses liable to the owner or licensee of the information for the reimbursement of reasonable and actual costs of providing notice to consumers as required by existing law and for the reasonable and actual cost of card replacement as a result of the breach of the security of the system. It also would have mandated the inclusion of specific kinds of information about a breach in notices provided to individuals affected by the breach.

The Governor’s veto was based on concerns that AB 779 would potentially conflict with private sector data security standards such as the Payment Card Industry Data Security Standard and would increase the costs of compliance.

In his veto message, available here, the Governor stated that, while he is "committed to strong laws that safeguard every individual’s privacy and prevent identity theft, . . . this bill attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers. In addition, the Payment Card Industry has already established minimum data security standards when storing, processing, or transmitting credit or debit cardholder information. This industry has the contractual ability to mandate the use of these standards, and is in a superior position to ensure that these standards keep up with changes in technology and the marketplace. This measure creates the potential for California law to be in conflict with private sector data security standards." The Governor also noted that the bill "fails to provide clear definition of which business or agency ‘owns’ or ‘licenses’ data, and when that business or agency relinquishes legal responsibility as the owner or licensee. This issue and the data security requirements found in this bill will drive up the costs of compliance, particularly for small businesses." The Governor encouraged "the author and the industry to work together on a more balanced legislative approach that addresses the concerns outlined above."

It remains to be seen whether Governor Schwarzenegger's veto effectively puts to an end efforts in other states to pass such legislation.
Tags: , , , , , , , , , , , , ,

Massachusetts Is 39th State to Mandate Breach Notification

Posted on August 16, 2007 by Proskauer Rose LLP

Massachusetts is now the 39th state to enact a personal data breach notification law. On August 2, Governor Deval Patrick signed the law, requiring that businesses and government agencies notify residents of data breaches in certain situations. The law requires that a person or agency that owns or licenses personal information about a resident of the commonwealth notify the attorney general, the director of consumer affairs and business regulation, and the affected resident if it "knows or has reason to know of a breach of security" or "knows or has reason to know that the personal information of such resident was acquired or used by an unauthorized person or used for an unauthorized purpose." Notice also must be provided to consumer reporting agencies and state agencies identified by the director of consumer affairs and business regulation.

Unlike the majority of state breach notification laws, Massachusetts defines a "breach of security" to include hard copy, as well as electronic data. A breach is defined as "the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth." The only other states that currently require notification in the event of a breach involving hard copy data are Hawaii, Indiana, North Carolina, and Wisconsin.

The law defines "personal information" as a resident's first name and last name or first initial and last name in combination with any one or more of the following: 1) Social Security number, 2) driver's license number or state-issued identification card number, or 3)  financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account.

The new law can be found here.

Tags: , , , ,

Breach Law Data

Posted on August 3, 2007 by Proskauer Rose LLP
We thought it might be helpful to provide citations to the 37 state (plus D.C. and Puerto Rico) breach notification laws that cover private entities (Oklahoma’s law, that only addresses state agencies, is not included).  We also provide links, or uploaded copies, where available.

Arizona (ARIZ. REV. STAT. ANN. § 44-7501(h)

Arkansas (ARK. CODE ANN. § 4-110-101 et seq.)

California (CAL. CIV. CODE § 1798.82)

Colorado (COLO. REV. STAT. § 6-1-716)

Connecticut (CONN. GEN. STAT. § 36a-701b)

Delaware (DEL. CODE ANN. tit. 6, § 12B-101)

District of Columbia (District of Columbia B16-810, D.C. Code § 28-3851)

Florida (FLA. STAT. § 817.5681)

Georgia (GA. CODE ANN. § 10-1-911)

Hawaii (S.B. 2290, Act 135)

Idaho (IDAHO CODE ANN. § 28-51-104 et seq.)

Illinois (815 ILL. COMP. STAT. ANN. 530/5, /10)

Indiana (IND. CODE § 4-1-11 et seq.)

Kansas (KAN. STAT. ANN. §§ 50-7a01-02)

Louisiana (LA. REV. STAT. ANN. § 51:3071 et seq.)

Maine (ME. REV. STAT. ANN. tit. 10, §210-B-1346 et seq.)

Maryland (H.B. 208 and S.B. 194)

Michigan (S.B. 309)

Minnesota (MINN. STAT. § 325E.61)

Montana (MONT. CODE ANN. § 30-14-1704)

Nebraska (NEB. REV. STAT. § 87-801 et seq.)

Nevada (NEV. REV. STAT. 603A.010 et seq.)

New Hampshire (N.H. REV. STAT. ANN. § 359-C:19 et seq.)

New Jersey (N.J. STAT. ANN. § 56:8-163)

New York (N.Y. GEN. BUS. LAW § 899-aa)

North Carolina (N.C. GEN. STAT.§ 75-60 et seq.)

North Dakota (N.D. CENT. CODE § 51-30-01 et seq.)

Ohio (OHIO REV. CODE ANN. § 1349.19)

Oregon (S.B. 583)

Pennsylvania (73 PA. CONS. STAT. ANN. § 2303)

Puerto Rico (Law 111 and Regulation 7207)

Rhode Island (R.I. GEN. LAWS § 11-49.2-3))

Tennessee (TENN. CODE ANN. § 47-18-21)

Texas (TEX. BUS. & COMM. CODE ANN. § 48.001 et seq.)

Utah (UTAH CODE ANN. § 13-42-101 et seq.)

Vermont (VT. STAT. ANN. tit. 9, § 2430 et seq.)

Washington (WASH. REV. CODE § 19.255.010)

Wisconsin (WIS. STAT. § 895.507)

Wyoming (W.S. 40-12-501 through 40-12-509)

For a helpful compilation of state laws addressing credit freezes and Social Security numbers, and proposal federal legislation addressing identity theft, see Congressional Research Service Report for Congress, Identity Theft Laws: State Penalties and Remedies and Pending Federal Bills, June 1, 2007.
Tags: , , , , ,

Oregon Becomes 38th State to Adopt Breach Notification Law

Posted on July 31, 2007 by Proskauer Rose LLP

On July 12th, Oregon Governor Theodore R. Kulongoski signed into law S.B. 583, an omnibus data security bill scheduled to take effect on October 1. Oregon is the 38th state to enact a breach notification law (37 states have legislation that applies to private entities); the District of Columbia and Puerto Rico also have similar legislation. Continuing a five-year-old national legislative trend, Oregon lawmakers greenlit provisions requiring state businesses and government agencies to notify residents of certain kinds of data breaches.

The bill defines "breach of security" as the "unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information maintained by the person" (emphasis added), and requires businesses to notify state residents if their computerized personal information is compromised unless, "after an appropriate investigation or after consultation with relevant federal, state or local agencies responsible for law enforcement, the person determines that no reasonable likelihood of harm to the consumers whose personal information has been acquired has resulted or will result from the breach."

For purposes of the bill, "personal information" is defined as a consumer’s first name or first initial and last name in combination with their 1) social security number, 2) driver’s license or state identification card number, 3) passport or other United States issued ID number or 4) financial account information along with password or security code information. An individual’s name need not be directly connected to the other data elements to trigger the notice requirements; notice is required if the compromised data "would be sufficient to permit a person to commit identity theft."

Under the new law, businesses and government agencies also must meet certain data security and disposal requirements. Specifically, they must "develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of personal information, including disposal of the data." An entity will be deemed to be in compliance if it implements an information security program that includes certain enumerated administrative, technical and physical safeguards.

Violations of the new law can result in civil penalties of not more than $1,000 for each violation. In the case of a continuing violation, each day’s continuance is a separate violation, but the maximum penalty for any occurrence shall not exceed $500,000.

The full text of S.B. 583 is available here.
Tags: , , , ,

In Response To TJX Data Breach, One State Enacts Legislation Imposing New Security and Liability Obligations; Similar Bills Pending in Five Other States

Posted on May 29, 2007 by Proskauer Rose LLP

Lawmakers in six states have responded quickly to the massive data breach at TJX Companies, Inc. with various bills designed to strengthen merchant security and/or render companies liable for third party companies’ costs arising from data breaches. These latest bills – introduced in California, Connecticut, Illinois, Massachusetts, Minnesota and Texas – represent a new front of state legislative activity to regulate privacy and data security and expand requirements beyond the current data breach notification and data security laws that many states have enacted in recent years. To date, Minnesota is the only state to enact such legislation, which was signed into law by its Governor on May 21, 2007.

Minnesota’s New Law

The Minnesota law, H.F. 1758, amends Minnesota’s data breach notification law and contains security and liability components. The security requirements take effect August 1, 2007 and apply to any “person or entity conducting business in Minnesota” that accepts credit cards, debit cards, stored value cards or similar cards “issued by a financial institution.” Such companies are prohibited from retaining the following card data after authorization of a transaction:

  • “the full contents of a track of magnetic stripe data” (which encompasses the “card verification value” or CVV – a unique authentication code embedded on the magnetic stripe);
  •  the three to four digit security code on the back of the card by the signature block (also known as CVV2); and
  • any PIN verification code number. If a debit card with PIN is used, a company is prohibited from retaining the data more than 48 hours after authorization of the transaction. 

The liability provision of H.F. 1758 applies to data breaches occurring after August 1, 2008. It requires companies to reimburse card-issuing financial institution for the “costs of reasonable actions” to both protect its cardholders’ information and to continue to provide services to its cardholders after a breach. The reimbursement would cover costs related to providing cardholders with notification of the breach, cancellation and reissuance of cards, closing or reopening of accounts and stop payments, and cardholder refunds for unauthorized transactions charged to their accounts. A financial institution may also bring an action to recover for the costs of damages it pays to cardholders resulting from a breach.         

The Five Pending Bills

The April 27, 2007 blog entry posted here discussed in detail California’s A.B. 779 as introduced. Since that posting, A.B. 779 has been amended in various California Assembly Committees and now resides with the Appropriations Committee. The amended bill extended the scope of the bill beyond just retailers to all persons or businesses conducting business in California that own or license computerized data containing personal information. The 90-day record destruction requirement in the original bill has been deleted, but the amended bill now has a host of other restrictions on storing payment card data. Among its requirements, the bill requires:

  • account numbers retained by businesses be “indecipherable” to unauthorized persons;
  • that payment related data sent across a network be encrypted;
  • that companies have role-based restrictions for employee access to such data; and
  • the bill also adds a provision that is broader than Minnesota’s financial institution reimbursement provision, requiring vendors that maintain, but do not own or license breached personal information, to reimburse data owners and licensees for “reasonable and actual costs” of providing data breach notification.                   

  

In the Texas legislature, the House passed H.B. 3222, which would require companies that accept, process or maintain credit card, debit card and other financial institution-issued cards to follow the Payment Card Industry’s Data Security Standard (“PCI DSS”). The PCI DSS are extensive industry security standards designed to prevent identity theft that the major credit card issuers impose on merchants that store, process or transmit cardholder data. While H.B. 3222 excludes financial institutions from the security standards, it empowers them, subject to certain conditions, with a right of action for actual damages against other companies they believe have violated the provision. 

The other pending bills, Connecticut S.B. 1089, Illinois S.B. 1675 and Massachusetts H. 213 all contain provisions similar to Minnesota’s liability provision making companies liable to banks or financial institutions that incur costs arising from a breach. It should be noted that the liability provisions of Massachusetts’ H. 213 were not included in omnibus versions of data breach notification, credit freeze and data security and disposal bills that have recently passed the Massachusetts House and Senate, and which await action by conference committee to resolve differences between the two versions.   
Tags: , , , , , , , , , , , , ,

Proposed California Legislation Would Require Retailers to Dispose of Personal Information Within 90 Days

Posted on April 27, 2007 by

Under legislation recently proposed in California, retailers doing business in the state would be subject to enhanced data destruction requirements, and all businesses would be affected by new data breach notification requirements.  In the wake of the TJX Companies data breach, which may have affected more than 46.2 million credit and debit cards, California Assemblyman Dave Jones introduced revised A.B. 779.  That legislation reiterates that retailers are subject to the same data safeguard requirements as other businesses that maintain customer records or own or license personal information, while significantly truncating the period of time retailers may retain personal information of customers.  The bill also would revise the data breach notification laws applicable to all businesses that own or license personal information.  

Proposed Data Destruction Requirements for Retailers

California currently requires all businesses to comply with several statutory provisions related to data security and destruction.  These provisions are contained in California Civil Code §§ 1798.80 – 1798.84 and concern three major topics: (1) destruction of customer records containing personal information; (2) the safeguarding of personal information; and (3) data breach notification.  A.B. 779 incorporates the data privacy laws by reference and expressly applies them to retailers that “collect[] or maintain[] personal information for any purpose.”

Under the bill, retailers would be required to dispose of records that contain personal information within 90 days.  Existing law, California Civil Code § 1798.81, provides general guidelines for records disposal for all businesses.  Under the current statute, a “record” is anything on or through which information is recorded or preserved, including written or spoken words, graphic depiction or electronic transmission.  “Personal information,” for purposes of this section, is:

any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information.  “Records” does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed, such as name, address, or telephone number.

California Civil Code § 1798.80 (emphasis added).

The destruction requirements proposed in A.B. 779 reach far beyond those set forth in § 1798.81.  Existing law requires only that a business

take all reasonable steps to destroy, or arrange for the destruction of a customer’s records within its custody or control containing personal information which is no longer to be retained by the business by (1) shredding, (2) erasing, or (3) otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means.

Section 1 of A.B. 779, however, would require that “a retailer that sells goods or services to any resident of California . . . not retain personal information for longer than 90 days after the date of the original transaction, or the period of time during which goods may be returned for a refund or exchange, whichever is shorter.” (emphasis added).  Thus, should A.B. 779 be passed into law, it will significantly impact retailers’ records retention and disposal policies and procedures with respect to personal information of customers.

Proposed New Data Breach Notification Requirements for All Businesses.

 

California Civil Code § 1798.82, the first-in-the-nation security breach notification law, currently requires all businesses that own or license personal information to notify individuals if their data have been, or may have been, acquired by an unauthorized person.  Personal information is defined as the first name or initial and last name of an individual, with one or more of the following: 1) Social Security Number, 2) driver’s license number, 3) credit card or debit card number, or 4) a financial account number with information such as PINs, passwords or authorization codes that could gain access to the account.

A.B. 779 would amend California Civil Code § 1798.82 in three primary respects.  First, it would require that the following information appear in breach notices:

(A) The date of the notice.

(B) The name of the person or business that maintained the computerized data at the time of the breach.

(C) The date on which the breach occurred.

(D) A description of the categories of personal information that were, or are reasonably believed to have been, acquired by an unauthorized person.

(E) A toll-free telephone number or, if the primary method used by the person or business to communicate with the individual is by electronic means, an electronic mail address that the individual may use to contact the person or business or their agent, so that the individual may learn what types of personal information the person or business maintained about that individual.

(F) The toll-free telephone numbers and addresses for the major credit reporting agencies.

Second, according to the text of the bill, owners or licensees of personal data would be entitled to reimbursement from a third party person or business that maintains the data and that is actually responsible for the breach, for the “reasonable and actual costs” of providing required breach notification.  Data owners would remain responsible for providing notice.  Third, companies providing notice must send a copy of the notice provided to consumers to the California Office of Privacy Protection.  This requirement is similar to the laws of other states, including New York and New Jersey, that require notification to other governmental agencies.

A copy of A.B. 779 can be found here.
Tags: , , , , ,

110th Congress Proposes Sweeping Federal Data Security Legislation

Posted on March 6, 2007 by

Senators and Representatives from both sides of the aisle have introduced several new pieces of legislation proposing sweeping new frameworks for data privacy law:

            S. 239 (“Notification of Risk to Personal Data Act”);
            H.R. 958 (“Data Accountability and Trust Act”);
            H.R. 836 (“Cyber-Security Enhancement and Consumer Data Protection Act of 2007”); and 
            S. 495 (“Personal Data Privacy and Security Act of 2007”).   

S. 495 and H.R. 958 establish requirements for data security, as well as breach notification standards; S. 239 is limited to breach notification requirements; and H.R. 836 criminalizes the concealment of data breaches, enhances penalties for identity theft, and requires the reporting of breaches to federal law enforcement agencies. Whatever the final text of data privacy legislation, we are likely to see this Congress pass federal data security legislation. Congressional leaders have emphasized that data privacy and breach notification are top priorities.

Federal legislation is necessary, some believe, in order to standardize what currently is a patchwork of requirements among the 35 states with data security and breach notification requirements.                 

Following are some of the more notable provisions of the proposed bills:

1) Pre-emption

All four bills would pre-empt state laws pertaining to similar subject matter. However, the bills do allow states to specify additional information that must be included in data breach notifications. 

2) Regulatory enforcement and rulemaking

S. 239, H.R. 958 and S. 495 all delegate to the FTC the responsibility of establishing guidelines for data security and breach notification. Although the FTC’s mandate until now has not included breach notification, the FTC has a fair amount of experience with enforcing data security standards under its Section 5 (15 U.S.C. § 45) authority. 

The proposed legislation delegates authority to the FTC to promulgate regulations based on criteria similar to those the FTC already follows in its Section 5 cases: establishment of security policies, enforcement of those policies and monitoring of potentially vulnerable systems. See, e.g., H.R. 958, sec. 2.      

3) Breach notification duty belongs to data owner, not licensee or third-party data manager

H.R. 958 and S. 495 explicitly state that a third-party data manager’s only notification obligation after a breach is to alert the data owner, i.e., the entity on behalf of which the data is maintained, to the breach. S. 239 also imposes such an obligation, but notes that the proposed legislation does not prevent a data owner and a third party from allocating through contract the burden of notifying individuals’ whose data were compromised. The other two proposals are silent as to this issue.   

4) No private cause of action

All four bills explicitly state that they do not create new private federal causes of action. Furthermore, they note that violations of their provisions cannot give rise to private actions under state consumer protection laws. Rather, only state Attorneys General may sue for underlying violations of federal data privacy statutes under state consumer protection laws.   The FTC may join or move to stay such proceedings.
Tags: , , , , ,