Telecommunications Newsletter - Fourth Quarter 2005

In this Issue...

20 States Adopt Data Breach Notification Statutes in 2005

December 30, 2005

Roz Allen - Washington

The unauthorized acquisition of computerized data – compromising the security, confidentiality or integrity of personal information – is a significant and growing problem. The Federal Trade Commission reports that identity theft complaints more than doubled from 2002 to 2004, and a recent study estimates that 9.3 million people are victims of identity theft on an annual basis.[1] Reacting to mounting public concern about the threats associated with mishandled or stolen data, policy-makers approved mandatory data breach notification statutes in 20 states during 2005.[2] During the same time period, 15 other states considered data breach notification legislation, and several similar bills are pending in Congress.[3]

The explosion of state data breach statutes followed widely publicized data losses – at financial institutions, universities, state agencies and corporations – that many observers believe would have gone unreported but for the nation’s first data breach notification law, implemented by California in July 2003. During 2005 alone, mandatory notifications required by California law revealed that the personal information of over 50 million Americans was compromised.[4]

The 20 states with new data breach laws join California as jurisdictions requiring notice to state residents whose personally identifiable information is acquired, or reasonably believed to have been acquired, by unauthorized persons. In some states, third parties storing personal data on behalf of other businesses are also required to promptly notify such businesses of unauthorized access or reasonable belief that unauthorized access has occurred.

None of the state laws require breach disclosure if the data is stored in encrypted form, although data holders should consider whether risk management considerations under other laws dictate notification if any type of actual or potential breach occurs. Given the sophistication of today’s computer crimes, it is not unreasonable to conclude that someone who goes to the trouble of hacking into a database of personal information could also decipher the encryption.

In light of this trend, the highest priority for all entities that collect and store information about individuals should be to ensure that the personal information identified by the various state statutes as subject to breach notification is securely stored in encrypted form. An analysis of state breach notification laws indicates that the following types of personal information, when associated with the first name or initial and last name, are triggers for breach notification and should be encrypted: social security number, driver’s license, state identification card, financial information (i.e., account numbers, debit or credit cards). Covered entities may also choose to store triggering personal information in a format that strips out the associated name and separates different types of personal information. In addition, covered entities should review their information security practices to ensure that their enterprise-wide privacy policies include data breach notification procedures that are triggered if personal information appears likely to have fallen into unauthorized hands.

To date, there have been no prosecutions under state data breach laws, including California’s 2003 law – the first such law and the model for all state data breach legislation. The lack of case law in this area leaves covered entities with few nonstatutory resources to interpret who must be notified, when they must be notified and how they are to be notified in the event a data breach occurs. Minimal governmental guidance is available because most state agencies have had little time to implement, interpret or enforce their state’s data breach notification statutes (only the California law has existed for more than 12 months). Several state and federal data security cases are pending – including multiple suits against ChoicePoint alleging violations of the Fair Credit Reporting Act and fraud – but a review of pending state litigation revealed no decisions or ongoing prosecutions involving covered entities for failing to comply with any of the existing mandatory notification laws.

Covered entities should also be aware that federal involvement in this area is likely. At least four mandatory notification bills were introduced in the House and Senate during 2005. One bill, S.1408, was approved by the Senate Commerce Committee during the last week of July 2005, and the Senate Judiciary Committee approved a separate measure in November 2005. Other competing or complementary notification bills are expected to be considered during 2006 by the Senate Banking Committee, House Financial Services Committee and the House Judiciary Committee. Most observers expect some form of federal notification statute to be approved because of growing public concern about identity theft and the business community’s unease about the substantial burden associated with satisfying a plethora of similar but nuanced state privacy laws, which would be preempted by the federal bills introduced thus far.

For more information, e-mail Roz Allen or Reg Leichty at rosalind.allen@hklaw.com or reg.leichty@hklaw.com, respectively, or call toll free, 1-888-688-8500.

[1] Javelin Research & Strategy, 2005 Identity Fraud Survey Report.

[2] Arkansas, Connecticut, Delaware, Florida, Georgia, Illinois, Indiana (applies to state agencies only), Louisiana, Maine, Minnesota, Montana, Nevada, New Jersey, New York, North Carolina, North Dakota, Rhode Island, Tennessee, Texas and Washington.

[3] States that considered data breach bills but did not approve legislation include: Alaska, Arizona, Colorado, Maryland, Massachusetts, Michigan, Missouri, Ohio, Oregon, Pennsylvania, South Carolina, Virginia, West Virginia and Wisconsin.

[4] See the Privacy Rights Clearinghouse Data Breach Notification Chronology: http://www.privacyrights.org/ar/ChronDataBreaches.htm (Web site last visited November 29, 2005).