In the aftermath of many well publicized data breaches, in the past few years, more than 40 U.S. states have enacted data breach disclosure laws—“identity theft” statutes—which, among other things, require consumers to be notified when personally identifiable information is or may have been compromised in a database. But recent reports citing ineffectiveness of such legislation (e.g., Carnegie Mellon University researchers found notification laws only reduce identity theft by around 2 percent) and a growing sense that notification laws don’t prevent the problem, have caused some states to examine other approaches. At least two states, Nevada and Massachusetts, have enacted different legislation aimed at prevention, and Washington and Michigan are actively considering new measures.
Data Breach. Cause for Alarm or a Big Yawn?
By August 2008, there were more publicly disclosed data breaches among U.S. businesses than for all of 2007. More information is created, flowing and stored by commercial enterprise than ever; more clever schemes are being hatched by criminals for hacking or disrupting information; employees don’t appreciate the value of assets you can’t feel; and consumers are befuddled by a maze of privacy notices, data theft notices, credit report advertisements, and scare tactics launched by advocacy groups—well intentioned though they may be. More than 40 U.S. states have laws requiring disclosure of data breaches. If these were intended to create incentives to prevent data breaches and reduce occurrence, how do we explain the steady rise? Are the laws ineffective? Are businesses accountable beyond some adverse publicity, once they provide legally mandated disclosure? Have we become jaded by news reports, privacy and breach notices as just so much junk mail? In the credit card world, consumers generally have a maximum $50 liability if a card is lost or stolen. In situations where there are no real time approvals, credit card companies take the risk. In that environment, a business decision is made to accept certain loses because the potential revenue generated by the business model yields a greater reward. In the world of consumer privacy and personally identifiable information disclosure, who is taking what risk? Studies for years indicate IT professionals appreciate that digital crime—theft of intellectual property, piracy, theft of trade secrets, customer data or employee information—is a problem. Many companies may not even know their security is breached and others have little incentive to solve the problem. Need more information? Come to my web page, contact me and tell me what you think. Call if you need help with a policy, a position or an understanding of your legal rights and obligations. We can help.
Security Breaches Causing Headaches — Take Two Notices and Call Us in the Morning
Pennsylvania is among the most recent to enact an “information security breach notification” statute bringing the total to well over 30 in one form or another in just the past few years. In case you are keeping score, Pennsylvania’s law goes into effect in June of this year, while Montana and Rhode Island have breach notification statutes which become effective March 1. And you thought legislatures move at a snail’s pace!
Most state statutes relating to breach notifications apply to entities that conduct business in the state, have databases or information in the state, and/or have customers who reside in the state, but the Pennsylvania law also covers anyone that “destroys” records. As a general rule, “breach of security” is defined to mean any unauthorized access to personal information, and some state laws only cover “unencrypted” personal information—but not all state laws are consistent in their definitions and what constitutes covered information is defined in each statute. If you want to generalize, name, address, email and other similar non-public personally identifiable information, driver’s license, credit or financial account information, date of birth, and the like are almost always included within the definition.
When it comes to notification, in addition to the protected consumers involved, some states require notification to law enforcement, others require notification to the consumer reporting agencies, and some require all of these. Although states may differ slightly, one can learn some general themes from the common denominators that we see in most of them. First, on or about the time that notice is given, the integrity and confidentiality of the network, database or system whose security has been compromised, should be restored. As a general rule, the notice should be able to identify (or you should know) the cause and extent of the breach that has occurred and should include an indication of the steps that have been taken to prevent a repetition and the continuation of the breach that has been identified. In virtually all states, government officials (e.g., the Attorney General, federal and state law enforcement agencies) can defer or suspend the notification obligation if an investigation would be impaired by disclosing the information normally required in a notice.
Even the form of notice is specifically spelled out in most statutes. All of them provide for notice in writing, but also permit electronic communications if the consumer has elected to receive messages electronically, and some allow notice by phone. In addition, many states have enacted substitute notification rules that are triggered when the notice requirements affect a number of consumers or a dollar amount for sending notifications above a certain threshold, or if there is not enough information to send mail or an electronic message. That said, the substitute notification rules are often significantly more public and generally require email notification, posting on your website and notice to all major media (news, television, radio). In fact, at least one state requires that the cumulative total readership, viewing or listening audience be equal to or greater than a specified percentage of the total population of the state.
While we hope it never happens to you, simply reading the newspaper after ChoicePoint’s announcement on February 15, 2005, and a chronology of only those incidents that have been publicly reported, is frightening indeed. An ounce of prevention…well, you know the rest.