Breach Notification Obligations In All 50 States?

Posted on August 16, 2011 by Kristen J. Mathews

Did you know there are breach notification obligations in all 50 states (effective 9/2012), even though only 46 states have adopted them?  How could that be, you ask?  Because Texas said so.  (Does that surprise you?)

Texas recently amended its breach notification law so that its consumer notification obligations apply not only to residents of Texas, but to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.  Texas's amended law (H.B. 300) specifically requires notification of data breaches to residents of states that have not enacted their own law requiring such notification (that is, Alabama, Kentucky, New Mexico and South Dakota). 

The law covers what it defines as "sensitive personal information," which includes (A) an individual's name in combination with his (i) Social Security number, (ii) state driver's license number or government issued ID number, or (iii) financial account number along with credentials that would allow access to his financial account, and (B) personally identifying information relating to an individual's physical or mental health or condition, heath care provided to such individual, or payment therefor.

The law only applies to persons who "conduct business in" Texas, although the law does not elaborate on what that might include. 

The amended law also increases the penalties for a failure to notify consumers of a data breach from a maximum of $50,000 (under the old law) to $100 per individual per day of failed or delayed notification, not to exceed $250,000 for a single breach.

What does this mean for entities that have suffered a data breach?  Many companies that suffer nationwide data breaches already elect to notify individuals who reside in states that do not have breach notification laws, simply to avoid negative public relations scrutiny for not doing so.  However, for companies that conduct business in Texas, there could now be a price tag of up to $250,000 for not notifying non-Texas residents whose sensitive personal information was subject to a data breach.

Texas's new law will become effective September 1, 2012. 

Texas's H.B. 300 also amends Texas' Health and Safety Code to impose privacy and data security requirements that go beyond HIPAA (the Health Information Portability and Accountability Act), and it applies to entities that are neither a "covered entity" nor a "business associate" as defined by HIPAA.  Instead, Texas's definition of "covered entity" would cover any entity that handles PHI (protected health information), with some exceptions.  We will blog about these amendments separately.
Tags: , , , , ,

You, NOT the Newspapers, Should Report a Breach: WellPoint to Pay $100,000 to Indiana AG for Delayed Breach Notification

Posted on July 11, 2011 by Brendon Tavelli

On July 5, 2011, Indiana Attorney General Greg Zoeller announced a settlement with health insurer WellPoint, Inc. The settlement resolves allegations that the company failed to promptly notify the Attorney General’s office of a data breach as is required by the Indiana Disclosure of Security Breach Act. As part of the settlement, WellPoint will pay a fine of $100,000 and provide certain identity-theft-prevention assistance to consumers affected by the breach. Interestingly, the settlement includes an admission by WellPoint that the company failed to comply with the law by not notifying Zoeller’s office “without unreasonable delay.”

The data breach out of which the Attorney General’s investigation, lawsuit, and ultimate settlement arose occurred between October 2009 and March 2010. During that time, personal information submitted in connection with applications for individual insurance policies was made publicly accessible via the company’s online application tracker website. The exposed information included Social Security numbers, financial account information, and health records. WellPoint immediately secured the application tracker site in early March 2010 after being told by a consumer, a second time, that records containing personal information were potentially accessible on the site.

WellPoint notified affected consumers of the breach beginning in June 2010, but did not also notify the Attorney General’s office as required by Indiana law. When Zoeller’s office learned of the breach through news reports in late July, it launched an investigation and in October filed suit against the company seeking an injunction and civil penalties for violations of the Indiana Disclosure of Security Breach Act. The parties’ recent settlement makes the Attorney General’s lawsuit disappear, but not without significant costs to WellPoint. The settlement mandates that WellPoint pay $100,000 into the Attorney General’s Consumer Assistance Fund; comply with the Disclosure of Security Breach Act in the future and admit that it failed to do so in this instance; provide affected consumers with up to two years of credit monitoring; and reimburse affected consumers up to $50,000 for any losses that result from identity theft stemming from the breach.

Although WellPoint is currently the public face of improper breach notification in Indiana, it is apparently not alone. Attorney General Zoeller’s office has issued warning letters to 47 other companies that delayed issuing appropriate security breach notifications. Perhaps it should go without saying, but according to Zoeller, “[t]he requirement to notify the Attorney General ‘without unreasonable delay’ is not fulfilled by having me read about the breach in the newspaper.” Sounds simple enough, but are you faster than the reporters? We certainly hope so.
Tags: , , , , ,

2009 Ponemon Institute "Cost of a Data Breach" Study Released

Posted on January 29, 2010 by Natalie Newman

This past week, the Ponemon Institute announced their publication of the results of their fifth annual study on the costs of data breaches for U.S.-based companies. The study was sponsored by the PGP Corporation. A similar report for U.K.-based companies was also released. This year's report, entitled 2009 Annual Study: Cost of a Data Breach, displays the results of the Ponemon Institute's research of data breach incidents occurring in 2009.  

Overall, as with previous years, the study found that U.S. organizations continue to experience increased costs associated with the data breaches they experience.

The 2009 U.S. study surveyed 45 U.S. companies covering 15 various industry sectors, with the top represented industries including the financial, retail, services and healthcare industries. The size of the breaches experienced by companies surveyed ranged from approximately 5,000 compromised records to approximately 101,000 compromised records, with a cost range of approximately $750,000 up to nearly $31 million.

This year’s study revealed that the average per-record cost of the data breaches experienced by the surveyed organizations was in 2009 $204, which is just $2 more than the average per-record cost in 2008 (click here for the Privacy Blog’s posting on the Ponemon Institute’s 2008 Study), but represented a $66 dollar overall increase since 2005, the first year the Ponemon Institute conducted this same study, when the average per-record cost was $138.  

 

The costs of a data breach include both direct costs (such as communications costs, investigations and forensics costs and legal costs) and indirect costs (such as lost business, public relations costs and new customer acquisition costs), and the study found that some industries experience a higher customer churn rate (i.e., lost business) than others. The industries with the highest customer churn rates in 2009 were the pharmaceutical, healthcare, communications, financial services and services industries.

 

The study also revealed a variety of primary causes of data breaches experienced by the surveyed companies, including, for example, that:

  • 42% of all breaches studied involved errors made by, or compromises otherwise incurred while a company’s data is in the possession or control of, a third party. 
  • 36% of all breaches studied involved lost, misplaced or stolen laptops or other mobile computing devices. Interestingly, the study found that the per-record cost of a data breach involving a stolen laptop or mobile device was just over $224, whereas the per-record cost of a data breach not involving a stolen laptop or mobile device was only around $192.
  • 24% of all breaches studied involved some sort of criminal or other malicious attack or act (as opposed to mere negligence).
  • 82% of all breaches studied involved organizations that had experienced more than one data breach involving the compromise of more than 1,000 records containing personal information.

This study can serve as an incredibly useful tool for companies to understand the full scope of potential costs of a data breach (including both direct and indirect costs) and in performing a cost-benefit analysis of the costs of implementing pre-breach, prophylactic measures (such as policies, training, encryption of sensitive information and other security), versus the potential costs of experiencing and dealing with the aftermath of a breach that could have been avoided, or at least mitigated.
Tags: , , , , , ,

Show-Me State Finally Shows Its Residents a Data Breach Notification Law, Other States (TX, NC, ME) Make Changes

Posted on July 30, 2009 by Brendon Tavelli

On July 9, 2009, Missouri Governor Jay Nixon signed House Bill 62 ("HB 62”), making the Show-Me State the 45th state with an information security breach notification law on the books. The new law takes effect on August 28, 2009. But Missouri’s new law isn’t the only new data breach notification requirement on the horizon. Amendments to existing data breach notice laws in three other states, Texas, Maine and North Carolina, will also become effective soon.

Missouri: HB 62 includes many provisions that are similar to other state laws requiring notice to individuals when the security of their personal information has been compromised. For example, HB 62 includes a “material risk of harm” trigger. In other words, a business is not required to notify Missouri residents if, after an appropriate investigation or consultation with relevant law enforcement authorities, the business determines that identity theft is not likely to result from the breach. In addition, a business is not required to notify state residents if the personal information compromised was encrypted. Like some other state laws, HB 62 also requires notice to the Missouri Attorney General and national consumer reporting agencies if more than 1,000 Missouri residents are notified, and allows the Attorney General to seek actual damages or civil penalties from persons that fail to comply with the law.

HB 62 applies to the “typical” categories of personal information, including Social Security numbers, driver’s license numbers and information that would permit access to an individual’s financial accounts. But unlike most other state data breach notification laws, HB 62 also applies to medical and health insurance information, including an individual’s medical history, mental or physical condition, treatment or diagnosis, health insurance policy number and any other unique identifier used by a health insurer. Previously, only laws in California, Arkansas and Texas (see below) applied to this kind of information.

Texas:  On June 19, 2009, Texas Governor Rick Perry signed House Bill 2004 (“HB 2004”), which expanded the scope of Texas’ data breach notification law to include public sector entities and health information. Specifically, HB 2004 amends the definition of “sensitive personal information” to include health care information, such as information about an individual’s physical or mental health or payment for health care services. The bill also amends the definition of “breach of system security” to reach breaches of encrypted information “if the person accessing the data has the key required to decrypt the data.” Finally, HB 2004 makes the state’s breach notice obligations applicable to public sector entities and nonprofit athletic and sports associations.

North Carolina: As of October 1, 2009, entities doing business in North Carolina will be required to both provide more detailed data breach notices to individuals and be more forthcoming with the state’s attorney general. North Carolina Senate Bill 1017 (“SB 1017”), signed by Governor Bev Perdue on July 27, 2009, amends North Carolina’s data breach notification law in two significant ways. First, SB 1017 requires notice to the attorney general anytime a business notifies North Carolina residents of a breach. Previously, such notice had been required only for breaches affecting more than 1,000 people. Second, notices to individuals affected by a breach will now be required to include a telephone number for the business providing the notice; toll-free numbers and addresses for the national credit reporting agencies; and toll-free numbers, addresses and web site addresses for the Federal Trade Commission and the North Carolina Attorney General’s Office along with a statement that individuals can learn about preventing identity theft from these sources. These new requirements build on top of existing mandates to (1) describe the incident, the type(s) of personal information unlawfully obtained and the actions being taken to prevent further unauthorized access; (2) provide a telephone number that the recipient may call for further information and assistance; and (3) advise affected individuals to remain vigilant by reviewing account statements and monitoring free credit reports.

MaineFor information about the recent amendment to Maine’s breach notification law, soon to become effective, see our prior blog post.

Since Missouri’s new law and these important updates need to be added to the smorgasbord of state data breach notification laws, it is probably a good time to revisit “The List” of such laws. Here it is!

Alaska (ALASKA STAT. § 45.48.010 et seq.)

Arizona (ARIZ. REV. STAT. ANN. § 44-7501(h))

Arkansas (ARK. CODE ANN. § 4-110-101 et seq.)

California (CAL. CIV. CODE § 1798.82)

Colorado (COLO. REV. STAT. § 6-1-716)

Connecticut (CONN. GEN. STAT. § 36a-701b)

Delaware (DEL. CODE ANN. tit. 6, § 12B-101)

District of Columbia (D.C. CODE § 28-3851)

Florida (FLA. STAT. § 817.5681)

Georgia (GA. CODE ANN. § 10-1-911)

Hawaii (HAW. REV. STAT. §§ 487N-1 et seq.)

Idaho (IDAHO CODE ANN. § 28-51-104 et seq.)

Illinois (815 ILL. COMP. STAT. ANN. 530/5, /10)

Indiana (IND. CODE § 24-4.9)

Iowa (IOWA CODE § 715C.1 et seq.)

Kansas (KAN. STAT. ANN. § 50-7a01-02)

Louisiana (LA. REV. STAT. ANN. § 51:3071 et seq.)

Maine (ME. REV. STAT. ANN. tit. 10, §1346 et seq.; see also L.D. 970)

Maryland (MD. CODE ANN., COM. LAW § 14-3501 et seq.)

Massachusetts (MASS. GEN. LAWS ANN. ch. 93H, § 1 et seq.)

Michigan (MICH. COMP. LAWS ANN. § 445.72)

Minnesota (MINN. STAT. § 325E.61)

Missouri (HB 62, tentatively codified at MO. REV. STAT. § 407.1500)

Montana (MONT. CODE ANN. § 30-14-1704)

Nebraska (NEB. REV. STAT. § 87-801 et seq.)

Nevada (NEV. REV. STAT. 603A.010 et seq.)

New Hampshire (N.H. REV. STAT. ANN. § 359-C:19 et seq.)

New Jersey (N.J. STAT. ANN. § 56:8-163)

New York (N.Y. GEN. BUS. LAW § 899-aa)

North Carolina (N.C. GEN. STAT. § 75-65; see also SB 1017)

North Dakota (N.D. CENT. CODE § 51-30-01 et seq.)

Ohio (OHIO REV. CODE ANN. § 1349.19)

Oklahoma (OKLA. STAT. § 74-3113.1)

Oregon (OR. REV. STAT. § 646A.600 et seq.)

Pennsylvania (73 PA. STAT. § 2303)

Puerto Rico (P.R. LAWS ANN. tit. 10, § 4051)

Rhode Island (R.I. GEN. LAWS § 11-49.2-3)

South Carolina (S.C. CODE ANN. § 39-1-90)

Tennessee (TENN. CODE ANN. § 47-18-21)

Texas (TEX. BUS. & COM. CODE ANN. § 521.001 et seq.; see also HB 2004)

Utah (UTAH CODE ANN. § 13-44-101 et seq.)

Vermont (VT. STAT. ANN. tit. 9, § 2430 et seq.)

Virginia (Va. Code Ann. § 18.2-186.6)

U.S. Virgin Islands (V.I. CODE ANN. tit. 14, § 2209)

Washington (WASH. REV. CODE § 19.255.010)

West Virginia (W. Va. Code § 46A-2A-101 et seq.)

Wisconsin (WIS. STAT. § 134.98)

Wyoming (WYO. STAT. ANN. § 40-12-501 et seq.)
Tags: , , , , , , , , , , ,

Proskauer's Tanya Forsheit Gives Web Exclusive Interview on Pending Data Breach Legislation

Posted on February 19, 2008 by Scott J. Carpenter

http://www.csoonline.com/article/217027/CSO_Disclosure_Series_What_s_Next_with_Disclosure_Legislation_

 

Tags: , , , , , , , , ,

No Harm, No Lawsuit: Seventh Circuit Refuses Data Breach Lawsuit Where Credit Monitoring Costs Are the Only "Damages" Sought

Posted on September 10, 2007 by Brendon Tavelli

Where the only “damages” alleged following a data security breach are the costs of credit monitoring, a plaintiff has no case, so ruled the Seventh Circuit on August 23, 2007. The decision dealt another blow to so-called “identity exposure” plaintiffs seeking to recover damages stemming from the unauthorized disclosure of their personal information, as the Seventh Circuit’s ruling joined the unanimous line of lower court decisions denying recovery in the absence of actual, present harm.

In Pisciotta v. Old National Bancorp, -- F.3d --, 2007 WL 2389770 (7th Cir. Aug. 23, 2007), the court ruled that “Indiana law would not recognize the costs of credit monitoring that the plaintiffs seek to recover in this case as compensable damages.” Id. at *6. In doing so, the Seventh Circuit joins a chorus of federal district courts that uniformly reject such costs as a form of cognizable injury sufficient to support legal claims for damages.

Old National Bancorp (“ONB”) collected customer information online in connection with applications for accounts, loans, and other ONB banking services. This information included customers’ names, addresses, Social Security numbers, driver’s license numbers, dates of birth, and other financial information. In 2005, ONB’s website was hacked, compromising the personal information ONB maintained about its customers.

Plaintiffs Luciano Pisciotta and Daniel Mills filed a putative class action in the U.S. District Court for the Southern District of Indiana asserting claims for negligence, breach of contract and implied breach of contract against ONB and its website hosting partner NCR. Plaintiffs alleged that ONB’s failure to protect their personal confidential information caused each member of the class to suffer substantial potential economic damages and emotional distress and worry that third parties might misuse their personal information. But Plaintiffs did not allege that any completed direct financial losses had occurred or that any member of the putative class already had been the victim of identity theft as a result of the breach. Id. at *2.

After the district court dismissed all claims against NCR, ONB filed a motion for judgment on the pleadings. The district court granted ONB’s motion, finding that Plaintiffs “have not alleged that ONB’s conduct caused them cognizable injury.” Id. at *2. In reaching this conclusion, the district court found persuasive the decisions of other federal district courts which had rejected “the cost of credit monitoring as an alternative award to for what would otherwise be speculative and unrecoverable damages.” Pisciotta v. Old Nat’l Bancorp, No. 1:05-cv-668-LJM-WTL (S.D. Ind. 2006) (order granting defendant’s motion for judgment on the pleadings). The district court further noted that “[t]he expenditure of money to monitor one’s credit is not the result of any present injury, but rather the anticipation of future injury that has not yet materialized.” Id. 

The Seventh Circuit, after concluding that Plaintiffs’ allegations satisfied constitutional standing requirements, considered the elements of Plaintiffs’ negligence and breach of contract claims, principally the requirement that Plaintiffs’ demonstrate legally cognizable damages. Pisciotta, 2007 WL 2389970, at *4. (Other courts considering similar claims have dismissed for lack of standing or ripeness, finding that the threat of damage fails to create a case or controversy.) 

The court rejected Plaintiffs’ argument that Indiana’s state security breach notification law evidenced the Indiana legislature’s belief that an individual suffers a completed harm at the moment his information is exposed. The court also rejected Plaintiffs’ analogies to medical monitoring cases and several Indiana cases concerning disclosures of personal information by banks. The court pointed out that no Indiana authority had allowed recovery for medical monitoring costs. Id. at *7. In the bank disclosure cases, the plaintiffs suffered direct and immediate reputational injuries and sought to be compensated for that harm, not for their efforts to protect against some future, anticipated injury. Id. at *6.

Ultimately, the Seventh Circuit, like the district court, found the overwhelming weight of authority from other jurisdictions denying recovery for credit monitoring costs persuasive. The court stated:

Although some of these cases involve different types of information losses, all of the cases rely on the same basic premise: Without more than allegations of increased risk of future identity theft, the plaintiffs have not suffered a harm that the law is prepared to remedy.

Id. at *8. 

Pisciotta is the latest in a series of cases that refuse to recognize damages stemming from “identity exposure” absent some evidence of actual identity theft.  See, e.g., Kahle v. Litton Loan Serv. LP, No. 1:05cv756, 2007 U.S. Dist. LEXIS 35845, at *22 (S.D. Ohio May 16, 2007); Randolph v. ING Life Ins. and Annuity Co., No. 06-1228 (CKK), 2007 U.S. Dist. LEXIS 11523, *25 (D.D.C. Feb. 5, 2007); Giordano v. Wachovia Sec., LLC, Civ. No. 06-476, 2006 U.S. Dist. LEXIS 52266, at *12 (D.N.J. July 31, 2006); Forbes v. Wells Fargo Bank, N.A., 420 F. Supp. 2d 1018, 1021 (D. Minn. 2006); Guin v. Brazos Higher Educ. Servs. Corp., No. 05-688 (RHK/JSM), 2006 U.S. Dist. LEXIS 4846, at *15 (D. Minn. Feb. 7, 2006); Stollenwerk v. Tri-West Healthcare Alliance, No. Civ. 03-0185-PHX-SRB, 2005 U.S. Dist. LEXIS 41054, at *10 (D. Ariz. Sept. 8, 2005).
Tags: , , , , , , , , ,