: breach : Privacy Law Blog

Breach Notification Obligations In All 50 States?

Posted on August 16, 2011 by Kristen J. Mathews

Did you know there are breach notification obligations in all 50 states (effective 9/2012), even though only 46 states have adopted them? How could that be, you ask? Because Texas said so. (Does that surprise you?)

Texas recently amended its breach notification law so that its consumer notification obligations apply not only to residents of Texas, but to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Texas's amended law (H.B. 300) specifically requires notification of data breaches to residents of states that have not enacted their own law requiring such notification (that is, Alabama, Kentucky, New Mexico and South Dakota).

The law covers what it defines as "sensitive personal information," which includes (A) an individual's name in combination with his (i) Social Security number, (ii) state driver's license number or government issued ID number, or (iii) financial account number along with credentials that would allow access to his financial account, and (B) personally identifying information relating to an individual's physical or mental health or condition, heath care provided to such individual, or payment therefor.

The law only applies to persons who "conduct business in" Texas, although the law does not elaborate on what that might include.

The amended law also increases the penalties for a failure to notify consumers of a data breach from a maximum of $50,000 (under the old law) to $100 per individual per day of failed or delayed notification, not to exceed $250,000 for a single breach.

What does this mean for entities that have suffered a data breach? Many companies that suffer nationwide data breaches already elect to notify individuals who reside in states that do not have breach notification laws, simply to avoid negative public relations scrutiny for not doing so. However, for companies that conduct business in Texas, there could now be a price tag of up to $250,000 for not notifying non-Texas residents whose sensitive personal information was subject to a data breach.

Texas's new law will become effective September 1, 2012.

Texas's H.B. 300 also amends Texas' Health and Safety Code to impose privacy and data security requirements that go beyond HIPAA (the Health Information Portability and Accountability Act), and it applies to entities that are neither a "covered entity" nor a "business associate" as defined by HIPAA. Instead, Texas's definition of "covered entity" would cover any entity that handles PHI (protected health information), with some exceptions. We will blog about these amendments separately.

Tags: Security Breach Notification Laws, Texas, breach, notification, response, state

2009 Ponemon Institute "Cost of a Data Breach" Study Released

Posted on January 29, 2010 by Natalie Newman

This past week, the Ponemon Institute announced their publication of the results of their fifth annual study on the costs of data breaches for U.S.-based companies. The study was sponsored by the PGP Corporation. A similar report for U.K.-based companies was also released. This year's report, entitled 2009 Annual Study: Cost of a Data Breach, displays the results of the Ponemon Institute's research of data breach incidents occurring in 2009.

Overall, as with previous years, the study found that U.S. organizations continue to experience increased costs associated with the data breaches they experience.

The 2009 U.S. study surveyed 45 U.S. companies covering 15 various industry sectors, with the top represented industries including the financial, retail, services and healthcare industries. The size of the breaches experienced by companies surveyed ranged from approximately 5,000 compromised records to approximately 101,000 compromised records, with a cost range of approximately $750,000 up to nearly $31 million.

This year’s study revealed that the average per-record cost of the data breaches experienced by the surveyed organizations was in 2009 $204, which is just $2 more than the average per-record cost in 2008 (click here for the Privacy Blog’s posting on the Ponemon Institute’s 2008 Study), but represented a $66 dollar overall increase since 2005, the first year the Ponemon Institute conducted this same study, when the average per-record cost was $138.

The costs of a data breach include both direct costs (such as communications costs, investigations and forensics costs and legal costs) and indirect costs (such as lost business, public relations costs and new customer acquisition costs), and the study found that some industries experience a higher customer churn rate (i.e., lost business) than others. The industries with the highest customer churn rates in 2009 were the pharmaceutical, healthcare, communications, financial services and services industries.

The study also revealed a variety of primary causes of data breaches experienced by the surveyed companies, including, for example, that:

42% of all breaches studied involved errors made by, or compromises otherwise incurred while a company’s data is in the possession or control of, a third party.
36% of all breaches studied involved lost, misplaced or stolen laptops or other mobile computing devices. Interestingly, the study found that the per-record cost of a data breach involving a stolen laptop or mobile device was just over $224, whereas the per-record cost of a data breach not involving a stolen laptop or mobile device was only around $192.
24% of all breaches studied involved some sort of criminal or other malicious attack or act (as opposed to mere negligence).
82% of all breaches studied involved organizations that had experienced more than one data breach involving the compromise of more than 1,000 records containing personal information.

This study can serve as an incredibly useful tool for companies to understand the full scope of potential costs of a data breach (including both direct and indirect costs) and in performing a cost-benefit analysis of the costs of implementing pre-breach, prophylactic measures (such as policies, training, encryption of sensitive information and other security), versus the potential costs of experiencing and dealing with the aftermath of a breach that could have been avoided, or at least mitigated.

Tags: Data Breaches, Ponemon, breach, data breach, data security breach, laptop, notification

Proskauer Litigation Team Helps Secure Dismissal of Speculative Identity Exposure Claims Against BNY Mellon

Posted on September 2, 2009 by Brendon Tavelli

Where the only harm alleged is mere “speculation as to a possible risk of injury,” a claim cannot survive a 12(b)(6) motion to dismiss, according to a District of Connecticut decision issued on August 31, 2009. McLoughlin v. People’s United Bank, Inc., and Bank of New York Mellon, Inc., No. 3:08-cv-00944-VLB (D. Conn. Aug. 31, 2009), thus follows a long and growing line of cases which simply hold that where there is no actual harm, there can be no case.

In February 2008, the archive vendor transporting back-up tapes associated with The Bank of New York Mellon Shareowner Services, a business unit of The Bank of New York Mellon (“BNY Mellon”), discovered that one of ten boxes was missing. Those tapes contained certain shareowner, plan participant, and payment information, including Social Security numbers and other personally identifying information. Customers of People’s United Bank, another financial institution and a client of Shareowner Services, were among the persons whose data was contained on the missing tapes. Shortly after the tape loss, BNY Mellon alerted affected individuals and offered them two years of credit monitoring, $25,000 in identity theft insurance, and a free credit freeze.

In May 2008, several individual plaintiffs brought a putative class action against People’s United Bank and BNY Mellon, claiming that the loss of the tapes compromised their personal information. They sought damages based on an alleged violation of the Connecticut Unfair Trade Practices Act (“CUTPA”), negligence, and breach of fiduciary duty. Notably, plaintiffs did not allege that any direct financial losses had occurred or that any member of the putative class had been the victim of identity theft as a result of the breach. Plaintiffs instead alleged that the increased risk of identity theft constituted cognizable harm because they would have to pay for future credit monitoring (beyond the two years offered by the defendants) and take other steps to protect against an increased risk of identity theft arising from the incident. Additionally, although not alleged in the complaint, Plaintiffs later argued that the fees paid to People’s United Bank represented additional actual harm (an argument which was roundly rejected by the court as an improper amendment of the pleadings in motion papers).

Judge Bryant rejected plaintiffs’ arguments and granted defendants’ motions to dismiss as to all claims. In dismissing the negligence claim, the court relied chiefly on two recent Southern District of New York decisions, Caudle v. Towers, Perrin, Forster & Crosby, Inc., 80 F. Supp. 2d 573 (S.D.N.Y. 2008) (dismissing claims for negligence and breach of fiduciary duty brought by plaintiffs whose identities had not been stolen), and Shafran v. Harley Davidson, Inc., 2008 WL 763177, at *3 (S.D.N.Y. Mar. 20, 2008) (“an increased risk of future identity theft is not, in itself, an injury that the law is prepared to remedy. Plaintiff’s alleged injuries are solely the result of a perceived and speculative risk of future injury that may never occur.”). As Judge Bryant explained in her opinion:

[T]he Plaintiffs have pointed to no case decided anywhere in the country where a court allowed a negligence claim to survive absent an allegation of actual identity theft . . . . The Court concludes that the courts of Connecticut, like those of New York, would not recognize a negligence claim founded solely on the fear, unsupported by any allegation of malfeasance, of identity theft . . . .

Judge Bryant followed similar reasoning in dismissing the CUTPA and breach of fiduciary duty claims, both of which require an actual, ascertainable loss or harm.

McLoughlin is the latest in a series of data loss cases that refuse to recognize damages stemming from mere “increased risk of harm” absent some evidence of actual fraud or identity theft. See, e.g., Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629 (7th Cir. 2007); Stollenwerk v. Tri-West Health Care Alliance, No. 05-16990, 2007 U.S. App. LEXIS 27164 (9th Cir. Nov. 20, 2007); Willey v. J.P. Morgan Chase, N.A., No. 09 Civ. 1397 (CM), 2009 WL 1938987 (S.D.N.Y. July 7, 2009); Randolph v. ING Life Ins. & Annuity Co., No. 07-CV-791 (D.C. Jun. 18, 2009); Ruiz v. Gap, Inc., No. 07-5739 SC, 2009 WL 941162 (N.D. Cal. Apr. 6, 2009); Belle Chasse Auto. Care, Inc. v. Advanced Auto Parts, Inc., No. 08-1568, 2009 WL 799760 (E.D. La. Mar. 24, 2009); Forbes v. Wells Fargo Bank, N.A., 420 F. Supp. 2d 1018 (D. Minn. 2006); Bell v. Acxiom Corp., 4:06CV00485-WRW, 2006 U.S. Dist. LEXIS 72477 (E.D. Ark. Oct. 3, 2006); Giordano v. Wachovia Sec., LLC, Civ. No. 06-476 (JBS), 2006 U.S. Dist. LEXIS 52266 (D.N.J. July 31, 2006).

Special thanks to this week’s guest author, Jason Gerstein, a member of Proskauer’s litigation team for the McLoughlin case, for preparing this post.

Tags: Connecticut, Data Breaches, New York, breach, breach notification, credit monitoring, damages, data breach, dismiss, identity exposure, increased risk, lawsuit, personal identifying information, personal information, social security number, southern district

Seven Days Is All She Wrote . . .

Posted on May 25, 2009 by Proskauer Rose LLP

As our readers know, many of the 44 state data breach notification laws allow for (and may even require) a brief delay in notifying affected individuals of the breach if that notification would interfere with or impede a law enforcement investigation. Last week, the governor of Maine, emphasizing the importance of providing notice "as expediently as possible and without unreasonable delay, consistent with the legitimate needs of law enforcement," as articulated in the existing statute, amended that state's data breach notification law. The amendment clarifies that notification may be delayed for no longer than 7 business days after a law enforcement agency determines that the notification will not compromise a criminal investigation. The amended language can be found here. It becomes effective 90 days following adjournment of Maine's 124th Legislature.

Tags: Maine, Security Breach Notification Laws, breach, breach notification, data breach, delay, expediently, investigation, law enforcement, security breach, without unreasonable delay

Breach Litigation Developments Webinar

Posted on December 19, 2008 by Proskauer Rose LLP

Early this month I discussed recent developments in data breach litigation at a webinar hosted by Debix. You can listen to the webinar at any time by following the instructions here.

All of us in Proskauer's Privacy and Data Security Practice Group wish you a peaceful and happy holiday.

Tags: Debix, Miscellaneous, breach, data breach, data breach litigation, data security breach, litigation, security breach, webinar

Iowa Enacts 43rd State Breach Notification Law

Posted on May 12, 2008 by Proskauer Rose LLP

On May 9, 2008, Iowa Governor Chester Culver signed legislation (SF 2308) requiring any person who owns or licenses computerized data that includes a consumer's personal information to give notice of a breach of security. The law does not require notification if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach. Following is an updated list of the 43 state security breach notification laws (plus District of Columbia and Puerto Rico).

Arizona (ARIZ. REV. STAT. ANN. § 44-7501(h))

Arkansas (ARK. CODE ANN. § 4-110-101 et seq.)

California (CAL. CIV. CODE § 1798.82)

Colorado (COLO. REV. STAT. § 6-1-716)

Connecticut (CONN. GEN. STAT. § 36a-701b)

Delaware (DEL. CODE ANN. tit. 6, § 12B-101)

District of Columbia (District of Columbia B16-810, D.C. Code § 28-3851)

Florida (FLA. STAT. § 817.5681)

Georgia (GA. CODE ANN. § 10-1-911)

Hawaii (Hawaii Revised Stat. §§ 487N-1 et seq.)

Idaho (IDAHO CODE ANN. § 28-51-104 et seq.)

Illinois (815 ILL. COMP. STAT. ANN. 530/5, /10)

Indiana (IND. CODE § 24-4.9)

Iowa (SF 2308)

Kansas (KAN. STAT. ANN. §§ 50-7a01-02)

Louisiana (LA. REV. STAT. ANN. § 51:3071 et seq.)

Maine (ME. REV. STAT. ANN. tit. 10, §1346 et seq.)

Maryland (H.B. 208 and S.B. 194)

Massachusetts (Massachusetts General Laws Ann. 93H §§ 1 et seq.)

Michigan (Michigan Compiled Laws Ann. 445.72)

Minnesota (MINN. STAT. § 325E.61)

Montana (MONT. CODE ANN. § 30-14-1704)

Nebraska (NEB. REV. STAT. § 87-801 et seq.)

Nevada (NEV. REV. STAT. 603A.010 et seq.)

New Hampshire (N.H. REV. STAT. ANN. § 359-C:19 et seq.)

New Jersey (N.J. STAT. ANN. § 56:8-163)

New York (N.Y. GEN. BUS. LAW § 899-aa)

North Carolina (N.C. GEN. STAT.§ 75-60 et seq.)

North Dakota (N.D. CENT. CODE § 51-30-01 et seq.)

Ohio (OHIO REV. CODE ANN. § 1349.19)

Oklahoma (Okla. Stat. § 74-3113.1)

Oregon (S.B. 583)

Pennsylvania (73 PA. CONS. STAT. ANN. § 2303)

Puerto Rico (Law 111 and Regulation 7207)

Rhode Island (R.I. GEN. LAWS § 11-49.2-3))

South Carolina S.B. 453

Tennessee (TENN. CODE ANN. § 47-18-21)

Texas (TEX. BUS. & COMM. CODE ANN. § 48.001 et seq.)

Utah (UTAH CODE ANN. § 13-44-101 et seq.)

Vermont (VT. STAT. ANN. tit. 9, § 2430 et seq.)

Virginia S.B. 307

Washington (WASH. REV. CODE § 19.255.010)

West Virginia S.B. 340

Wisconsin (WIS. STAT. § 895.507)

Wyoming (W.S. 40-12-501 through 40-12-509)

More Breach Notification Laws -- 42 States and Counting

Posted on April 7, 2008 by Proskauer Rose LLP

Virginia, West Virginia, and South Carolina are the latest states to pass data breach notification laws, bringing to 42 the total number of states with such laws on the books (including the one state with a law that applies only to public entities, Oklahoma). Listed below are the 41 states with laws that apply to private entities (plus the District of Columbia and Puerto Rico).

Arizona (ARIZ. REV. STAT. ANN. § 44-7501(h))

Arkansas (ARK. CODE ANN. § 4-110-101 et seq.)

California (CAL. CIV. CODE § 1798.82)

Colorado (COLO. REV. STAT. § 6-1-716)

Connecticut (CONN. GEN. STAT. § 36a-701b)

Delaware (DEL. CODE ANN. tit. 6, § 12B-101)

District of Columbia (District of Columbia B16-810, D.C. Code § 28-3851)

Florida (FLA. STAT. § 817.5681)

Georgia (GA. CODE ANN. § 10-1-911)

Hawaii (Hawaii Revised Stat. §§ 487N-1 et seq.)

Idaho (IDAHO CODE ANN. § 28-51-104 et seq.)

Illinois (815 ILL. COMP. STAT. ANN. 530/5, /10)

Indiana (IND. CODE § 24-4.9)

Kansas (KAN. STAT. ANN. §§ 50-7a01-02)

Louisiana (LA. REV. STAT. ANN. § 51:3071 et seq.)

Maine (ME. REV. STAT. ANN. tit. 10, §210-B-1346 et seq.)

Maryland (H.B. 208 and S.B. 194)

Massachusetts (Massachusetts General Laws Ann. 93H §§ 1 et seq.)

Michigan (Michigan Compiled Laws Ann. 445.72)

Minnesota (MINN. STAT. § 325E.61)

Montana (MONT. CODE ANN. § 30-14-1704)

Nebraska (NEB. REV. STAT. § 87-801 et seq.)

Nevada (NEV. REV. STAT. 603A.010 et seq.)

New Hampshire (N.H. REV. STAT. ANN. § 359-C:19 et seq.)

New Jersey (N.J. STAT. ANN. § 56:8-163)

New York (N.Y. GEN. BUS. LAW § 899-aa)

North Carolina (N.C. GEN. STAT.§ 75-60 et seq.)

North Dakota (N.D. CENT. CODE § 51-30-01 et seq.)

Ohio (OHIO REV. CODE ANN. § 1349.19)

Oregon (S.B. 583)

Pennsylvania (73 PA. CONS. STAT. ANN. § 2303)

Puerto Rico (Law 111 and Regulation 7207)

Rhode Island (R.I. GEN. LAWS § 11-49.2-3))

South Carolina S.B. 453

Tennessee (TENN. CODE ANN. § 47-18-21)

Texas (TEX. BUS. & COMM. CODE ANN. § 48.001 et seq.)

Utah (UTAH CODE ANN. § 13-44-101 et seq.)

Vermont (VT. STAT. ANN. tit. 9, § 2430 et seq.)

Virginia S.B. 307

Washington (WASH. REV. CODE § 19.255.010)

West Virginia S.B. 340

Wisconsin (WIS. STAT. § 895.507)

Wyoming (W.S. 40-12-501 through 40-12-509)

H.B. 208 and S.B. 194)

Proskauer's Tanya Forsheit Gives Web Exclusive Interview on Pending Data Breach Legislation

Posted on February 19, 2008 by Scott J. Carpenter

http://www.csoonline.com/article/217027/CSO_Disclosure_Series_What_s_Next_with_Disclosure_Legislation_

Tags: California, Data Privacy Laws, Disclosure, Laws, breach, data, legislation, notification, privacy, security

No Harm, No Lawsuit: Seventh Circuit Refuses Data Breach Lawsuit Where Credit Monitoring Costs Are the Only "Damages" Sought

Posted on September 10, 2007 by Brendon Tavelli

Where the only “damages” alleged following a data security breach are the costs of credit monitoring, a plaintiff has no case, so ruled the Seventh Circuit on August 23, 2007. The decision dealt another blow to so-called “identity exposure” plaintiffs seeking to recover damages stemming from the unauthorized disclosure of their personal information, as the Seventh Circuit’s ruling joined the unanimous line of lower court decisions denying recovery in the absence of actual, present harm.

In Pisciotta v. Old National Bancorp, -- F.3d --, 2007 WL 2389770 (7th Cir. Aug. 23, 2007), the court ruled that “Indiana law would not recognize the costs of credit monitoring that the plaintiffs seek to recover in this case as compensable damages.” Id. at *6. In doing so, the Seventh Circuit joins a chorus of federal district courts that uniformly reject such costs as a form of cognizable injury sufficient to support legal claims for damages.

Old National Bancorp (“ONB”) collected customer information online in connection with applications for accounts, loans, and other ONB banking services. This information included customers’ names, addresses, Social Security numbers, driver’s license numbers, dates of birth, and other financial information. In 2005, ONB’s website was hacked, compromising the personal information ONB maintained about its customers.

Plaintiffs Luciano Pisciotta and Daniel Mills filed a putative class action in the U.S. District Court for the Southern District of Indiana asserting claims for negligence, breach of contract and implied breach of contract against ONB and its website hosting partner NCR. Plaintiffs alleged that ONB’s failure to protect their personal confidential information caused each member of the class to suffer substantial potential economic damages and emotional distress and worry that third parties might misuse their personal information. But Plaintiffs did not allege that any completed direct financial losses had occurred or that any member of the putative class already had been the victim of identity theft as a result of the breach. Id. at *2.

After the district court dismissed all claims against NCR, ONB filed a motion for judgment on the pleadings. The district court granted ONB’s motion, finding that Plaintiffs “have not alleged that ONB’s conduct caused them cognizable injury.” Id. at *2. In reaching this conclusion, the district court found persuasive the decisions of other federal district courts which had rejected “the cost of credit monitoring as an alternative award to for what would otherwise be speculative and unrecoverable damages.” Pisciotta v. Old Nat’l Bancorp, No. 1:05-cv-668-LJM-WTL (S.D. Ind. 2006) (order granting defendant’s motion for judgment on the pleadings). The district court further noted that “[t]he expenditure of money to monitor one’s credit is not the result of any present injury, but rather the anticipation of future injury that has not yet materialized.” Id.

The Seventh Circuit, after concluding that Plaintiffs’ allegations satisfied constitutional standing requirements, considered the elements of Plaintiffs’ negligence and breach of contract claims, principally the requirement that Plaintiffs’ demonstrate legally cognizable damages. Pisciotta, 2007 WL 2389970, at *4. (Other courts considering similar claims have dismissed for lack of standing or ripeness, finding that the threat of damage fails to create a case or controversy.)

The court rejected Plaintiffs’ argument that Indiana’s state security breach notification law evidenced the Indiana legislature’s belief that an individual suffers a completed harm at the moment his information is exposed. The court also rejected Plaintiffs’ analogies to medical monitoring cases and several Indiana cases concerning disclosures of personal information by banks. The court pointed out that no Indiana authority had allowed recovery for medical monitoring costs. Id. at *7. In the bank disclosure cases, the plaintiffs suffered direct and immediate reputational injuries and sought to be compensated for that harm, not for their efforts to protect against some future, anticipated injury. Id. at *6.

Ultimately, the Seventh Circuit, like the district court, found the overwhelming weight of authority from other jurisdictions denying recovery for credit monitoring costs persuasive. The court stated:

Although some of these cases involve different types of information losses, all of the cases rely on the same basic premise: Without more than allegations of increased risk of future identity theft, the plaintiffs have not suffered a harm that the law is prepared to remedy.

Id. at *8.

Pisciotta is the latest in a series of cases that refuse to recognize damages stemming from “identity exposure” absent some evidence of actual identity theft. See, e.g., Kahle v. Litton Loan Serv. LP, No. 1:05cv756, 2007 U.S. Dist. LEXIS 35845, at *22 (S.D. Ohio May 16, 2007); Randolph v. ING Life Ins. and Annuity Co., No. 06-1228 (CKK), 2007 U.S. Dist. LEXIS 11523, *25 (D.D.C. Feb. 5, 2007); Giordano v. Wachovia Sec., LLC, Civ. No. 06-476, 2006 U.S. Dist. LEXIS 52266, at *12 (D.N.J. July 31, 2006); Forbes v. Wells Fargo Bank, N.A., 420 F. Supp. 2d 1018, 1021 (D. Minn. 2006); Guin v. Brazos Higher Educ. Servs. Corp., No. 05-688 (RHK/JSM), 2006 U.S. Dist. LEXIS 4846, at *15 (D. Minn. Feb. 7, 2006); Stollenwerk v. Tri-West Healthcare Alliance, No. Civ. 03-0185-PHX-SRB, 2005 U.S. Dist. LEXIS 41054, at *10 (D. Ariz. Sept. 8, 2005).

Tags: Identity Theft, breach, cognizable injury, damages, information, lawsuit, notification, personal, security, standing

Massachusetts Is 39th State to Mandate Breach Notification

Posted on August 16, 2007 by Proskauer Rose LLP

Massachusetts is now the 39th state to enact a personal data breach notification law. On August 2, Governor Deval Patrick signed the law, requiring that businesses and government agencies notify residents of data breaches in certain situations. The law requires that a person or agency that owns or licenses personal information about a resident of the commonwealth notify the attorney general, the director of consumer affairs and business regulation, and the affected resident if it "knows or has reason to know of a breach of security" or "knows or has reason to know that the personal information of such resident was acquired or used by an unauthorized person or used for an unauthorized purpose." Notice also must be provided to consumer reporting agencies and state agencies identified by the director of consumer affairs and business regulation.

Unlike the majority of state breach notification laws, Massachusetts defines a "breach of security" to include hard copy, as well as electronic data. A breach is defined as "the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth." The only other states that currently require notification in the event of a breach involving hard copy data are Hawaii, Indiana, North Carolina, and Wisconsin.

The law defines "personal information" as a resident's first name and last name or first initial and last name in combination with any one or more of the following: 1) Social Security number, 2) driver's license number or state-issued identification card number, or 3) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account.

The new law can be found here.

Tags: Security Breach Notification Laws, breach, breach notification, data security, security breach

Breach Law Data

Posted on August 3, 2007 by Proskauer Rose LLP

We thought it might be helpful to provide citations to the 37 state (plus D.C. and Puerto Rico) breach notification laws that cover private entities (Oklahoma’s law, that only addresses state agencies, is not included). We also provide links, or uploaded copies, where available.

Arizona (ARIZ. REV. STAT. ANN. § 44-7501(h)

Arkansas (ARK. CODE ANN. § 4-110-101 et seq.)

California (CAL. CIV. CODE § 1798.82)

Colorado (COLO. REV. STAT. § 6-1-716)

Connecticut (CONN. GEN. STAT. § 36a-701b)

Delaware (DEL. CODE ANN. tit. 6, § 12B-101)

District of Columbia (District of Columbia B16-810, D.C. Code § 28-3851)

Florida (FLA. STAT. § 817.5681)

Georgia (GA. CODE ANN. § 10-1-911)

Hawaii (S.B. 2290, Act 135)

Idaho (IDAHO CODE ANN. § 28-51-104 et seq.)

Illinois (815 ILL. COMP. STAT. ANN. 530/5, /10)