Proskauer's Tanya Forsheit Gives Web Exclusive Interview on Pending Data Breach Legislation

Updated Breach Notification Laws

Following is an updated list of citations to state data breach notification laws. We also note that as of January 1, 2008, California’s data breach notification law, Civil Code § 1798.82, will include "medical information" and "health insurance information" in the definition of personal information. Also, any business "maintained for the purpose of managing medical information" must comply with the prohibitions of California’s Confidentiality of Medical Information Act, effective January 1. These changes were enacted through A.B. 1298, signed by Governor Schwarzenegger on October 14, 2007.

Arizona (ARIZ. REV. STAT. ANN. § 44-7501(h))

Arkansas (ARK. CODE ANN. § 4-110-101 et seq.)

California (CAL. CIV. CODE § 1798.82)

Colorado (COLO. REV. STAT. § 6-1-716)

Connecticut (CONN. GEN. STAT. § 36a-701b)

Delaware (DEL. CODE ANN. tit. 6, § 12B-101)

District of Columbia (District of Columbia B16-810, D.C. Code § 28-3851)

Florida (FLA. STAT. § 817.5681)

Georgia (GA. CODE ANN. § 10-1-911)

Hawaii (S.B. 2290, Act 135)

Idaho (IDAHO CODE ANN. § 28-51-104 et seq.)

Illinois (815 ILL. COMP. STAT. ANN. 530/5, /10)

Indiana (IND. CODE § 24-4.9)

Kansas (KAN. STAT. ANN. §§ 50-7a01-02)

Louisiana (LA. REV. STAT. ANN. § 51:3071 et seq.)

Maine (ME. REV. STAT. ANN. tit. 10, §210-B-1346 et seq.)

Maryland (H.B. 208 and S.B. 194)

Massachusetts (H. 4144)

Michigan (S.B. 309)

Minnesota (MINN. STAT. § 325E.61)

Montana (MONT. CODE ANN. § 30-14-1704)

Nebraska (NEB. REV. STAT. § 87-801 et seq.)

Nevada (NEV. REV. STAT. 603A.010 et seq.)

New Hampshire (N.H. REV. STAT. ANN. § 359-C:19 et seq.)

New Jersey (N.J. STAT. ANN. § 56:8-163)

New York (N.Y. GEN. BUS. LAW § 899-aa)

North Carolina (N.C. GEN. STAT. § 75-60 et seq.)

North Dakota (N.D. CENT. CODE § 51-30-01 et seq.)

Ohio (OHIO REV. CODE ANN. § 1349.19)

Oregon (S.B. 583)

Pennsylvania (73 PA. CONS. STAT. ANN. § 2303)

Puerto Rico (Law 111 and Regulation 7207)

Rhode Island (R.I. GEN. LAWS § 11-49.2-3)

Tennessee (TENN. CODE ANN. § 47-18-21)

Texas (TEX. BUS. & COMM. CODE ANN. § 48.001 et seq.)

Utah (UTAH CODE ANN. § 13-42-101 et seq.)

Vermont (VT. STAT. ANN. tit. 9, § 2430 et seq.)

Washington (WASH. REV. CODE § 19.255.010)

Wisconsin (WIS. STAT. § 895.507)

Wyoming (W.S. 40-12-501 through 40-12-509)

Proposed California Legislation Would Require Retailers to Dispose of Personal Information Within 90 Days

Under legislation recently proposed in California, retailers doing business in the state would be subject to enhanced data destruction requirements, and all businesses would be affected by new data breach notification requirements.  In the wake of the TJX Companies data breach, which may have affected more than 46.2 million credit and debit cards, California Assemblyman Dave Jones introduced revised A.B. 779.  That legislation reiterates that retailers are subject to the same data safeguard requirements as other businesses that maintain customer records or own or license personal information, while significantly truncating the period of time retailers may retain personal information of customers.  The bill also would revise the data breach notification laws applicable to all businesses that own or license personal information.  

Proposed Data Destruction Requirements for Retailers

California currently requires all businesses to comply with several statutory provisions related to data security and destruction.  These provisions are contained in California Civil Code §§ 1798.80 – 1798.84 and concern three major topics: (1) destruction of customer records containing personal information; (2) the safeguarding of personal information; and (3) data breach notification.  A.B. 779 incorporates the data privacy laws by reference and expressly applies them to retailers that “collect[] or maintain[] personal information for any purpose.”

Under the bill, retailers would be required to dispose of records that contain personal information within 90 days.  Existing law, California Civil Code § 1798.81, provides general guidelines for records disposal for all businesses.  Under the current statute, a “record” is anything on or through which information is recorded or preserved, including written or spoken words, graphic depiction or electronic transmission.  “Personal information,” for purposes of this section, is:

any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information.  “Records” does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed, such as name, address, or telephone number.

California Civil Code § 1798.80 (emphasis added).

The destruction requirements proposed in A.B. 779 reach far beyond those set forth in § 1798.81.  Existing law requires only that a business

take all reasonable steps to destroy, or arrange for the destruction of a customer’s records within its custody or control containing personal information which is no longer to be retained by the business by (1) shredding, (2) erasing, or (3) otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means.

Section 1 of A.B. 779, however, would require that “a retailer that sells goods or services to any resident of California . . . not retain personal information for longer than 90 days after the date of the original transaction, or the period of time during which goods may be returned for a refund or exchange, whichever is shorter.” (emphasis added).  Thus, should A.B. 779 be passed into law, it will significantly impact retailers’ records retention and disposal policies and procedures with respect to personal information of customers.

Proposed New Data Breach Notification Requirements for All Businesses

California Civil Code § 1798.82, the first-in-the-nation security breach notification law, currently requires all businesses that own or license personal information to notify individuals if their data have been, or may have been, acquired by an unauthorized person.  Personal information is defined as the first name or initial and last name of an individual, with one or more of the following: 1) Social Security Number, 2) driver’s license number, 3) credit card or debit card number, or 4) a financial account number with information such as PINs, passwords or authorization codes that could gain access to the account.

A.B. 779 would amend California Civil Code § 1798.82 in three primary respects.  First, it would require that the following information appear in breach notices:

(A) The date of the notice.

(B) The name of the person or business that maintained the computerized data at the time of the breach.

(C) The date on which the breach occurred.

(D) A description of the categories of personal information that were, or are reasonably believed to have been, acquired by an unauthorized person.

(E) A toll-free telephone number or, if the primary method used by the person or business to communicate with the individual is by electronic means, an electronic mail address that the individual may use to contact the person or business or their agent, so that the individual may learn what types of personal information the person or business maintained about that individual.

(F) The toll-free telephone numbers and addresses for the major credit reporting agencies.

Second, according to the text of the bill, owners or licensees of personal data would be entitled to reimbursement from a third party person or business that maintains the data and that is actually responsible for the breach, for the “reasonable and actual costs” of providing required breach notification.  Data owners would remain responsible for providing notice.  Third, companies providing notice must send a copy of the notice provided to consumers to the California Office of Privacy Protection.  This requirement is similar to the laws of other states, including New York and New Jersey, that require notification to other governmental agencies.

A copy of A.B. 779 can be found here.

110th Congress Proposes Sweeping Federal Data Security Legislation

Senators and Representatives from both sides of the aisle have introduced several new pieces of legislation proposing sweeping new frameworks for data privacy law:

S. 239 (“Notification of Risk to Personal Data Act”);
H.R. 958 (“Data Accountability and Trust Act”);
H.R. 836 (“Cyber-Security Enhancement and Consumer Data Protection Act of 2007”); and
S. 495 (“Personal Data Privacy and Security Act of 2007”).

S. 495 and H.R. 958 establish requirements for data security, as well as breach notification standards; S. 239 is limited to breach notification requirements; and H.R. 836 criminalizes the concealment of data breaches, enhances penalties for identity theft, and requires the reporting of breaches to federal law enforcement agencies. Whatever the final text of data privacy legislation, we are likely to see this Congress pass federal data security legislation. Congressional leaders have emphasized that data privacy and breach notification are top priorities.

Federal legislation is necessary, some believe, in order to standardize what currently is a patchwork of requirements among the 35 states with data security and breach notification requirements.

Following are some of the more notable provisions of the proposed bills:

1) Pre-emption

All four bills would pre-empt state laws pertaining to similar subject matter. However, the bills do allow states to specify additional information that must be included in data breach notifications. 

2) Regulatory enforcement and rulemaking

S. 239, H.R. 958 and S. 495 all delegate to the FTC the responsibility of establishing guidelines for data security and breach notification. Although the FTC’s mandate until now has not included breach notification, the FTC has a fair amount of experience with enforcing data security standards under its Section 5 (15 U.S.C. § 45) authority. 

The proposed legislation delegates authority to the FTC to promulgate regulations based on criteria similar to those the FTC already follows in its Section 5 cases: establishment of security policies, enforcement of those policies and monitoring of potentially vulnerable systems. See, e.g., H.R. 958, sec. 2.      

3) Breach notification duty belongs to data owner, not licensee or third-party data manager

H.R. 958 and S. 495 explicitly state that a third-party data manager’s only notification obligation after a breach is to alert the data owner, i.e., the entity on behalf of which the data is maintained, to the breach. S. 239 also imposes such an obligation, but notes that the proposed legislation does not prevent a data owner and a third party from allocating through contract the burden of notifying individuals whose data were compromised. The other two proposals are silent as to this issue.

4) No private cause of action

All four bills explicitly state that they do not create new private federal causes of action. Furthermore, they note that violations of their provisions cannot give rise to private actions under state consumer protection laws. Rather, only state Attorneys General may sue for underlying violations of federal data privacy statutes under state consumer protection laws.   The FTC may join or move to stay such proceedings.