Iowa Enacts 43rd State Breach Notification Law

On May 9, 2008, Iowa Governor Chester Culver signed legislation (SF 2308) requiring any person who owns or licenses computerized data that includes a consumer's personal information to give notice of a breach of security. The law does not require notification if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach. Following is an updated list of the 43 state security breach notification laws (plus District of Columbia and Puerto Rico).

Arizona (ARIZ. REV. STAT. ANN. § 44-7501(h))

Arkansas (ARK. CODE ANN. § 4-110-101 et seq.)

California (CAL. CIV. CODE § 1798.82)

Colorado (COLO. REV. STAT. § 6-1-716)

Connecticut (CONN. GEN. STAT. § 36a-701b)

Delaware (DEL. CODE ANN. tit. 6, § 12B-101)

District of Columbia (District of Columbia B16-810, D.C. Code § 28-3851)

Florida (FLA. STAT. § 817.5681)

Georgia (GA. CODE ANN. § 10-1-911)

Hawaii (Hawaii Revised Stat. §§ 487N-1 et seq.)

Idaho (IDAHO CODE ANN. § 28-51-104 et seq.)

Illinois (815 ILL. COMP. STAT. ANN. 530/5, /10)

Indiana (IND. CODE § 24-4.9)

Iowa (SF 2308)

Kansas (KAN. STAT. ANN. §§ 50-7a01-02)

Louisiana (LA. REV. STAT. ANN. § 51:3071 et seq.)

Maine (ME. REV. STAT. ANN. tit. 10, §1346 et seq.)

Maryland (H.B. 208 and S.B. 194)

Massachusetts (Massachusetts General Laws Ann. 93H §§ 1 et seq.)

Michigan (Michigan Compiled Laws Ann. 445.72)

Minnesota (MINN. STAT. § 325E.61)

Montana (MONT. CODE ANN. § 30-14-1704)

Nebraska (NEB. REV. STAT. § 87-801 et seq.)

Nevada (NEV. REV. STAT. 603A.010 et seq.)

New Hampshire (N.H. REV. STAT. ANN. § 359-C:19 et seq.)

New Jersey (N.J. STAT. ANN. § 56:8-163)

New York (N.Y. GEN. BUS. LAW § 899-aa)

North Carolina (N.C. GEN. STAT. § 75-60 et seq.)

North Dakota (N.D. CENT. CODE § 51-30-01 et seq.)

Ohio (OHIO REV. CODE ANN. § 1349.19)

Oklahoma (Okla. Stat. § 74-3113.1)

Oregon (S.B. 583)

Pennsylvania (73 PA. CONS. STAT. ANN. § 2303)

Puerto Rico (Law 111 and Regulation 7207)

Rhode Island (R.I. GEN. LAWS § 11-49.2-3)

South Carolina (S.B. 453)

Tennessee (TENN. CODE ANN. § 47-18-21)

Texas (TEX. BUS. & COMM. CODE ANN. § 48.001 et seq.)

Utah (UTAH CODE ANN. § 13-44-101 et seq.)

Vermont (VT. STAT. ANN. tit. 9, § 2430 et seq.)

Virginia (S.B. 307)

Washington (WASH. REV. CODE § 19.255.010)

West Virginia (S.B. 340)

Wisconsin (WIS. STAT. § 895.507)

Wyoming (W.S. 40-12-501 through 40-12-509)

More Breach Notification Laws -- 42 States and Counting

Virginia, West Virginia, and South Carolina are the latest states to pass data breach notification laws, bringing to 42 the total number of states with such laws on the books (including the one state with a law that applies only to public entities, Oklahoma). Listed below are the 41 states with laws that apply to private entities (plus the District of Columbia and Puerto Rico).

Arizona (ARIZ. REV. STAT. ANN. § 44-7501(h))

Arkansas (ARK. CODE ANN. § 4-110-101 et seq.)

California (CAL. CIV. CODE § 1798.82)

Colorado (COLO. REV. STAT. § 6-1-716)

Connecticut (CONN. GEN. STAT. § 36a-701b)

Delaware (DEL. CODE ANN. tit. 6, § 12B-101)

District of Columbia (District of Columbia B16-810, D.C. Code § 28-3851)

Florida (FLA. STAT. § 817.5681)

Georgia (GA. CODE ANN. § 10-1-911)

Hawaii (Hawaii Revised Stat. §§ 487N-1 et seq.)

Idaho (IDAHO CODE ANN. § 28-51-104 et seq.)

Illinois (815 ILL. COMP. STAT. ANN. 530/5, /10)

Indiana (IND. CODE § 24-4.9)

Kansas (KAN. STAT. ANN. §§ 50-7a01-02)

Louisiana (LA. REV. STAT. ANN. § 51:3071 et seq.)

Maine (ME. REV. STAT. ANN. tit. 10, §210-B-1346 et seq.)

Maryland (H.B. 208 and S.B. 194)

Massachusetts (Massachusetts General Laws Ann. 93H §§ 1 et seq.)

Michigan (Michigan Compiled Laws Ann. 445.72)

Minnesota (MINN. STAT. § 325E.61)

Montana (MONT. CODE ANN. § 30-14-1704)

Nebraska (NEB. REV. STAT. § 87-801 et seq.)

Nevada (NEV. REV. STAT. 603A.010 et seq.)

New Hampshire (N.H. REV. STAT. ANN. § 359-C:19 et seq.)

New Jersey (N.J. STAT. ANN. § 56:8-163)

New York (N.Y. GEN. BUS. LAW § 899-aa)

North Carolina (N.C. GEN. STAT. § 75-60 et seq.)

North Dakota (N.D. CENT. CODE § 51-30-01 et seq.)

Ohio (OHIO REV. CODE ANN. § 1349.19)

Oregon (S.B. 583)

Pennsylvania (73 PA. CONS. STAT. ANN. § 2303)

Puerto Rico (Law 111 and Regulation 7207)

Rhode Island (R.I. GEN. LAWS § 11-49.2-3)

South Carolina (S.B. 453)

Tennessee (TENN. CODE ANN. § 47-18-21)

Texas (TEX. BUS. & COMM. CODE ANN. § 48.001 et seq.)

Utah (UTAH CODE ANN. § 13-44-101 et seq.)

Vermont (VT. STAT. ANN. tit. 9, § 2430 et seq.)

Virginia (S.B. 307)

Washington (WASH. REV. CODE § 19.255.010)

West Virginia (S.B. 340)

Wisconsin (WIS. STAT. § 895.507)

Wyoming (W.S. 40-12-501 through 40-12-509)

DHS Says Infrastructure More Vulnerable to Cyber Attacks; Private Businesses Told to Be Vigilant

Businesses are on notice to pay more attention to computer security in order to protect business assets and private information, and to thwart infiltrations that threaten interconnected computers. And help is available from the United States Computer Emergency Readiness Team (“US-CERT”).

Department of Homeland Security (“DHS”) Secretary Michael Chertoff and Assistant Secretary of Cybersecurity Greg Garcia recently warned that an uptick in cyber attacks reveals a growing threat to critical U.S. infrastructure and private networks. Garcia warned that hackers “are making massive efforts to compromise computer systems on a global scale,” a reference to the fifty percent increase in cyber-attacks between 2006 and 2007. Chertoff called upon businesses to help protect networks and infrastructure from infiltration and data theft. Secretary Chertoff remarked, “There's no question this is the vulnerability of the 21st century.”

These comments came on the heels of a growing number of reported cyber incidents, including one recent attack on a U.S. federal nuclear weapons laboratory. According to the New York Times, “an unknown group of attackers sent targeted e-mail messages to roughly 1,100 [laboratory] employees,” and “about 11 staff opened the attachments, which enabled the hackers to infiltrate the system and remove data.” The New York Times article also reported that the US-CERT issued an advisory notice stating that “the level of sophistication and the scope of these cyber security incidents indicate that they are coordinated and targeted at private sector systems.”

Many attacks come in the form of infected e-mails and e-mail attachments – namely Trojan e-mails, which use seemingly harmless files to gain access to unauthorized information. Once a network user is compromised, an attacker can infect other areas of the network and remotely collect sensitive data such as usernames and passwords. US-CERT also warns that attackers manipulate innocent and unknowing websites to link users to other malicious sites that can then provide the attackers with access to restricted data.

Currently, DHS and US-CERT provide information to businesses regarding cyber threats, such as signatures of suspect Internet traffic. Such signatures should be added to intrusion detection systems or other detection tools to help prevent attacks. DHS and US-CERT also recommend that network users take extreme caution when dealing with unsolicited e-mails, particularly e-mails with suspicious attachments or links.

For more information on US-CERT and cyber security, you may visit US-CERT’s website at http://www.us-cert.gov/index.html.

Governor Schwarzenegger Says No to California A.B. 779

On Saturday, California Governor Arnold Schwarzenegger vetoed AB 779, legislation that would have amended California’s landmark data security breach legislation. The bill would have been the first to follow the law enacted by Minnesota earlier this year and effective August 1, 2007, discussed here, that amended Minnesota’s security breach notification law by, among other things, prohibiting businesses from retaining certain payment card data after authorization of a transaction.

As discussed in our previous posts here and here, AB 779 was proposed in the wake of the massive security breach at the TJX Companies and would have prohibited businesses that sell goods or services to any resident of California and that accept as payment credit cards, debit cards, or other payment devices from, among other things, storing, retaining, sending, or failing to limit access to payment-related data, and from storing sensitive authentication data subsequent to an authorization, unless a specified exception applied. The bill also incorporated certain liability-shifting provisions that would have made such businesses liable to the owner or licensee of the information for the reimbursement of reasonable and actual costs of providing notice to consumers as required by existing law and for the reasonable and actual cost of card replacement as a result of the breach of the security of the system. It also would have mandated the inclusion of specific kinds of information about a breach in notices provided to individuals affected by the breach.

The Governor’s veto was based on concerns that AB 779 would potentially conflict with private sector data security standards such as the Payment Card Industry Data Security Standard and would increase the costs of compliance.

In his veto message, available here, the Governor stated that, while he is "committed to strong laws that safeguard every individual’s privacy and prevent identity theft, . . . this bill attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers. In addition, the Payment Card Industry has already established minimum data security standards when storing, processing, or transmitting credit or debit cardholder information. This industry has the contractual ability to mandate the use of these standards, and is in a superior position to ensure that these standards keep up with changes in technology and the marketplace. This measure creates the potential for California law to be in conflict with private sector data security standards." The Governor also noted that the bill "fails to provide clear definition of which business or agency ‘owns’ or ‘licenses’ data, and when that business or agency relinquishes legal responsibility as the owner or licensee. This issue and the data security requirements found in this bill will drive up the costs of compliance, particularly for small businesses." The Governor encouraged "the author and the industry to work together on a more balanced legislative approach that addresses the concerns outlined above."

It remains to be seen whether Governor Schwarzenegger's veto effectively puts to an end efforts in other states to pass such legislation.

Massachusetts Is 39th State to Mandate Breach Notification

Massachusetts is now the 39th state to enact a personal data breach notification law. On August 2, Governor Deval Patrick signed the law, requiring that businesses and government agencies notify residents of data breaches in certain situations. The law requires that a person or agency that owns or licenses personal information about a resident of the commonwealth notify the attorney general, the director of consumer affairs and business regulation, and the affected resident if it "knows or has reason to know of a breach of security" or "knows or has reason to know that the personal information of such resident was acquired or used by an unauthorized person or used for an unauthorized purpose." Notice also must be provided to consumer reporting agencies and state agencies identified by the director of consumer affairs and business regulation.

Unlike the majority of state breach notification laws, Massachusetts defines a "breach of security" to include hard copy, as well as electronic data. A breach is defined as "the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth." The only other states that currently require notification in the event of a breach involving hard copy data are Hawaii, Indiana, North Carolina, and Wisconsin.

The law defines "personal information" as a resident's first name and last name or first initial and last name in combination with any one or more of the following: 1) Social Security number, 2) driver's license number or state-issued identification card number, or 3) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account.

The new law can be found here.

Breach Law Data

We thought it might be helpful to provide citations to the 37 state (plus D.C. and Puerto Rico) breach notification laws that cover private entities (Oklahoma’s law, which only addresses state agencies, is not included). We also provide links, or uploaded copies, where available.

Arizona (ARIZ. REV. STAT. ANN. § 44-7501(h))

Arkansas (ARK. CODE ANN. § 4-110-101 et seq.)

California (CAL. CIV. CODE § 1798.82)

Colorado (COLO. REV. STAT. § 6-1-716)

Connecticut (CONN. GEN. STAT. § 36a-701b)

Delaware (DEL. CODE ANN. tit. 6, § 12B-101)

District of Columbia (District of Columbia B16-810, D.C. Code § 28-3851)

Florida (FLA. STAT. § 817.5681)

Georgia (GA. CODE ANN. § 10-1-911)

Hawaii (S.B. 2290, Act 135)

Idaho (IDAHO CODE ANN. § 28-51-104 et seq.)

Illinois (815 ILL. COMP. STAT. ANN. 530/5, /10)

Indiana (IND. CODE § 4-1-11 et seq.)

Kansas (KAN. STAT. ANN. §§ 50-7a01-02)

Louisiana (LA. REV. STAT. ANN. § 51:3071 et seq.)

Maine (ME. REV. STAT. ANN. tit. 10, §210-B-1346 et seq.)

Maryland (H.B. 208 and S.B. 194)

Michigan (S.B. 309)

Minnesota (MINN. STAT. § 325E.61)

Montana (MONT. CODE ANN. § 30-14-1704)

Nebraska (NEB. REV. STAT. § 87-801 et seq.)

Nevada (NEV. REV. STAT. 603A.010 et seq.)

New Hampshire (N.H. REV. STAT. ANN. § 359-C:19 et seq.)

New Jersey (N.J. STAT. ANN. § 56:8-163)

New York (N.Y. GEN. BUS. LAW § 899-aa)

North Carolina (N.C. GEN. STAT. § 75-60 et seq.)

North Dakota (N.D. CENT. CODE § 51-30-01 et seq.)

Ohio (OHIO REV. CODE ANN. § 1349.19)

Oregon (S.B. 583)

Pennsylvania (73 PA. CONS. STAT. ANN. § 2303)

Puerto Rico (Law 111 and Regulation 7207)

Rhode Island (R.I. GEN. LAWS § 11-49.2-3)

Tennessee (TENN. CODE ANN. § 47-18-21)

Texas (TEX. BUS. & COMM. CODE ANN. § 48.001 et seq.)

Utah (UTAH CODE ANN. § 13-42-101 et seq.)

Vermont (VT. STAT. ANN. tit. 9, § 2430 et seq.)

Washington (WASH. REV. CODE § 19.255.010)

Wisconsin (WIS. STAT. § 895.507)

Wyoming (W.S. 40-12-501 through 40-12-509)

For a helpful compilation of state laws addressing credit freezes and Social Security numbers, and proposed federal legislation addressing identity theft, see Congressional Research Service Report for Congress, Identity Theft Laws: State Penalties and Remedies and Pending Federal Bills, June 1, 2007.

Oregon Becomes 38th State to Adopt Breach Notification Law

On July 12th, Oregon Governor Theodore R. Kulongoski signed into law S.B. 583, an omnibus data security bill scheduled to take effect on October 1. Oregon is the 38th state to enact a breach notification law (37 states have legislation that applies to private entities); the District of Columbia and Puerto Rico also have similar legislation. Continuing a five-year-old national legislative trend, Oregon lawmakers greenlit provisions requiring state businesses and government agencies to notify residents of certain kinds of data breaches.

The bill defines "breach of security" as the "unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information maintained by the person" (emphasis added), and requires businesses to notify state residents if their computerized personal information is compromised unless, "after an appropriate investigation or after consultation with relevant federal, state or local agencies responsible for law enforcement, the person determines that no reasonable likelihood of harm to the consumers whose personal information has been acquired has resulted or will result from the breach."

For purposes of the bill, "personal information" is defined as a consumer’s first name or first initial and last name in combination with their 1) social security number, 2) driver’s license or state identification card number, 3) passport or other United States issued ID number or 4) financial account information along with password or security code information. An individual’s name need not be directly connected to the other data elements to trigger the notice requirements; notice is required if the compromised data "would be sufficient to permit a person to commit identity theft."

Under the new law, businesses and government agencies also must meet certain data security and disposal requirements. Specifically, they must "develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of personal information, including disposal of the data." An entity will be deemed to be in compliance if it implements an information security program that includes certain enumerated administrative, technical and physical safeguards.

Violations of the new law can result in civil penalties of not more than $1,000 for each violation. In the case of a continuing violation, each day’s continuance is a separate violation, but the maximum penalty for any occurrence shall not exceed $500,000.

The full text of S.B. 583 is available here.

New York Attorney General Tags Worker's Compensation Claims Service Provider for Seven Week Delay in Security Breach Notification

On April 26, 2007, New York Attorney General Andrew Cuomo announced that his office entered into a settlement with CS STARS LLC for violating the state’s Information Security Breach and Notification Law, which is codified at N.Y. Gen. Bus. Law § 899-aa. Cuomo’s office targeted CS STARS for delaying, for seven weeks, the issuance of legally required notification regarding the theft of a computer which contained the personal information of approximately 540,000 worker’s compensation recipients.

New York’s security breach notification law, like other such laws, requires a business that maintains private information that it does not own to notify the data’s owner when this information may be compromised. The data owner must then notify potentially affected consumers. New York’s law also requires notice to the state’s Attorney General, Consumer Protection Board, and Office of Cyber Security. The timing of the notification is a particularly important aspect of many states’ security breach notification laws, including New York’s. Subject to law enforcement needs, New York requires notice to data owners “immediately following discovery” and to affected consumers “in the most expedient time possible and without unreasonable delay.”

CS STARS first noticed that a computer containing the names, addresses, and Social Security numbers of New York consumers was missing on May 9, 2006. However, CS STARS did not notify New York Special Funds Conservation Committee (“NYSFCC”), the data owner, of the potential breach until June 29, 2006. The company notified the FBI that same day, and the following day notified the proper state agencies. Notices to potentially affected consumers, however, did not begin mailing until July 18, 2006 pursuant to the FBI’s request and N.Y. Gen. Bus. Law § 899-aa(4), which explicitly allows a business to delay notification if a law enforcement agency determines that such notification will impede a criminal investigation.

The FBI recovered the missing computer, which had been taken by an employee of a cleaning contractor, on July 26, 2006. No consumers’ information was improperly accessed. Nonetheless, Attorney General Cuomo felt that the lengthy delay between discovering the theft and issuing the proper notifications “would have been ample time [for identity thieves] to victimize hundreds of thousands of consumers.”

CS STARS’ settlement requires the company to implement precautionary measures to safeguard private information, comply with the state’s notification law in the event of any future breach, and pay $60,000 to cover costs related to the investigation. CS STARS did not admit to any violation of law.

Social Security Numbers for Sale

The protection of Social Security numbers (SSNs) from identity thieves has emerged as a hot news topic in the past few weeks. In California, it was revealed that, for the past three years, the Secretary of State’s office has been selling in bulk electronic UCC filings containing SSNs. Those filings were available to the public on the Secretary’s website, so that lenders and creditors could verify the availability of personal property used as collateral. Approximately one-third of the state’s two million UCC filings contained SSNs. Secretary of State Debra Bowen immediately shut off web-based access to the UCC filings and took down the offending part of the website.

Colorado also recently addressed an identical problem with its UCC filing website. Several years ago, the state redacted SSNs from 610,000 filings and issued new UCC forms that do not require SSNs. However, many financial institutions continued to use the old forms. Like California, Colorado took down its filing website. At the same time, Massachusetts Secretary of State William Galvin reportedly has refused to remove similar UCC filings.

The other major SSN story this week was that Texas Governor Rick Perry signed into law a bill, H.B. 2061, that permits county and court clerks to disclose, "in the ordinary course of business," SSNs contained in documents those clerks possess. It has been reported that the legislation was a reaction to a February 23 ruling by Texas Attorney General Greg Abbott that such disclosures were violations of state and federal privacy laws and were punishable by prison terms and fines.

The developments in California, Colorado, and Texas are surprising, in part because the unauthorized acquisition of computerized data including SSNs, in conjunction with a first name or first initial and last name, constitutes a security breach triggering notification requirements in those states. Cal. Civ. Code §§ 1798.29, 1798.82; Colo. Rev. Stat. § 6-1-716; Tex. Bus. & Comm. Code § 48.002(1)(a). The new Texas legislation appears to permit SSN disclosure by county and court clerks, notwithstanding any other applicable Texas law.