Pennsylvania is among the most recent to enact an “information security breach notification” statute bringing the total to well over 30 in one form or another in just the past few years. In case you are keeping score, Pennsylvania’s law goes into effect in June of this year, while Montana and Rhode Island have breach notification statutes which become effective March 1. And you thought legislatures move at a snail’s pace!
Most state statutes relating to breach notifications apply to entities that conduct business in the state, have databases or information in the state, and/or have customers who reside in the state, but the Pennsylvania law also covers anyone that “destroys” records. As a general rule, “breach of security” is defined to mean any unauthorized access to personal information, and some state laws only cover “unencrypted” personal information—but not all state laws are consistent in their definitions and what constitutes covered information is defined in each statute. If you want to generalize, name, address, email and other similar non-public personally identifiable information, driver’s license, credit or financial account information, date of birth, and the like are almost always included within the definition.
When it comes to notification, in addition to the protected consumers involved, some states require notification to law enforcement, others require notification to the consumer reporting agencies, and some require all of these. Although states may differ slightly, one can learn some general themes from the common denominators that we see in most of them. First, on or about the time that notice is given, the integrity and confidentiality of the network, database or system whose security has been compromised, should be restored. As a general rule, the notice should be able to identify (or you should know) the cause and extent of the breach that has occurred and should include an indication of the steps that have been taken to prevent a repetition and the continuation of the breach that has been identified. In virtually all states, government officials (e.g., the Attorney General, federal and state law enforcement agencies) can defer or suspend the notification obligation if an investigation would be impaired by disclosing the information normally required in a notice.
Even the form of notice is specifically spelled out in most statutes. All of them provide for notice in writing, but also permit electronic communications if the consumer has elected to receive messages electronically, and some allow notice by phone. In addition, many states have enacted substitute notification rules that are triggered when the notice requirements affect a number of consumers or a dollar amount for sending notifications above a certain threshold, or if there is not enough information to send mail or an electronic message. That said, the substitute notification rules are often significantly more public and generally require email notification, posting on your website and notice to all major media (news, television, radio). In fact, at least one state requires that the cumulative total readership, viewing or listening audience be equal to or greater than a specified percentage of the total population of the state.
While we hope it never happens to you, simply reading the newspaper after ChoicePoint’s announcement on February 15, 2005, and a chronology of only those incidents that have been publicly reported, is frightening indeed. An ounce of prevention…well, you know the rest.