Keeping up with privacy laws
This article broadly covers recent and pending changes in state privacy regulations. It is provided as general information only and is not intended, nor should it be construed, as legal advice. The regulations themselves are complicated and detailed. Consult your own attorney with respect to your specific situation and any legal questions you may have.
One of the leading developments in privacy law over the past decade has been the introduction of security breach notification laws. In 2002 California passed the first breach notification law (SB 1386, codified at California Civil Code section 1798.82). It requires state agencies, and persons or businesses that conduct business in California, that own or license computerized personal information of California residents to notify any California resident whose unencrypted personal information is acquired by an unauthorized person in a breach of security. The personal information protected by this law is a first and last name, or first initial and last name, in combination with a Social Security number, driver's license number, account number, credit or debit card number, or a security code or password that gives access to a financial account. Note that the duty to notify attaches only to unencrypted data, so encrypting stored personal information, with the keys kept separate from the data they protect, substantially limits an organization's exposure under the law.
After California acted, 45 other states (as of December 2009) passed their own security breach laws. In general, these laws require businesses and state agencies that hold personal information to follow prescribed steps whenever a breach or suspected breach of security occurs.
Different definitions
Complying with the states' breach notification laws requires diligence, because the requirements differ from state to state. The key differences are:
The format of the data. Most states protect only electronic personal information. A small number of states also protect personal information held on paper.
How personal information is defined. Most states use a definition similar to California's, but others have adopted broader definitions; as a result, roughly 25 distinct data types are treated as personal information in at least one state.
The trigger for notification. Each state defines a breach differently. Most states require notification only when there is a material risk of harm to the individual whose information was accessed without authorization. Some states, however, treat the mere acquisition, or even the possible acquisition, of the information by an unauthorized person as a breach.
The consequences of non-compliance. Most states leave enforcement to the Attorney General or another state body. Some states also give consumers a private right of action.
Gaining ground
As technology becomes more pervasive and more processes go paperless, new risks to personal information arise. Nevada and Massachusetts are leading the push for stronger measures to keep personal information out of the wrong hands.
Nevada SB 227, effective January 1, 2010, prohibits a business in the state from transferring a customer's personal information by electronic transmission unless it uses encryption to secure the transmission. Encryption lets the business move the information without exposing it to anyone who intercepts the transmission; it does not, however, protect data that is exposed at either endpoint or whose keys are compromised, so key management and endpoint controls still matter.
Looking forward
Massachusetts has adopted a data security regulation (201 CMR 17.00) that takes effect March 1, 2010. Under it, entities that own, license or maintain personal information of Massachusetts residents, which the regulation defines to include Social Security numbers, driver's license or state identification card numbers, and financial account or credit card numbers, must meet certain standards. These standards are designed to:
- Ensure the security and confidentiality of personal information in a manner consistent with industry standards.
- Protect against anticipated threats or hazards to the security or integrity of personal information.
- Protect against unauthorized access to or use of personal information that may result in substantial harm or inconvenience to any consumer.
Some of the specific requirements under the regulation include:
- Designate one or more employees to maintain the security program.
- Identify and assess the internal and external risks to the security, confidentiality and integrity of any electronic, paper or other records containing personal information.
- Evaluate the effectiveness of current safeguards and the means for detecting and preventing security system failures.
- Implement policies and procedures, and monitor employee compliance with them.
- Develop security policies that set out whether and how employees may keep, access and transport records containing personal information off the business premises.
What to do
As happened after California's breach notification law, other states are likely to adopt laws or regulations patterned on the Nevada and Massachusetts measures, which is a good reason for employers to become familiar with them now.
When reviewing your organization's privacy and security practices, consider the following:
- How are the laws changing in the states where you conduct business?
- What counts as personal information in each of those states?
- When is notification required, and what is the notification process?
- Who must be notified in the event of a breach?
- What deadlines apply to the response?
- Is personal information encrypted in storage and in transit, and are the keys controlled well enough that a lost device or intercepted transmission would not amount to a loss of unencrypted data?

