By: Robert Ellis Smith
A mosaic of more than 40 state laws determines whether organizations are obligated to notify the public of a breach of security in databases with personal information in them. As a result, a lot of misinformation has grown up about exactly what is required.
One myth: that the laws apply only to private businesses and not governmental agencies.
Another myth: that there are no federal requirements.
Myth number three: that any hacking into a personal data system is covered by the laws.
Myth number four: that the state requirements are pretty much the same.
Myth number five: that the laws require notification to a government authority and no one else.
You have to read carefully, as we unravel the misinformation. A breach of security is the breaking into a system of records by an unauthorized person, usually an outsider. The laws on the books cover breaches that compromise personal information, but not all personal information, and require a victimized organization to notify the persons affected and, often, a governmental authority. A breach into non-personal information is not covered by the security breach notification laws. In many states, encrypting personal data exempts an organization from the notification requirement.
Who must make breach notifications?
The world’s first notification law was enacted in California in 2003, requiring all government and private organizations to make notifications once they have experienced a breach of personal information. The California law has had a perhaps unanticipated nationwide effect because any organization, including an out-of-state governmental organization, is obligated to make notifications. Consequently, all Americans learned about breaches that they otherwise would not have known about, including the incident in 2006 at ChoicePoint, a national collector of personal information for insurance companies and employers, and the massive breach experienced by Target Stores last December. (Attorneys general from Illinois, Connecticut, and New York, not the Federal Trade Commission, are leading the investigation of the Target case.)
The California law seemed to be a positive result for consumers, and so many states began to enact their own laws. In Arizona, financial and medical establishments subject to federal regulations are exempt from the state requirement, but state and local governments are covered, except for law enforcement. In Washington and Indiana only government agencies are covered. In Minnesota, New Hampshire, New Jersey, New York, Rhode Island, South Carolina, and Tennessee, businesses and state and local governments are covered.
In Maryland, the law requires a state contractor to notify the contracting agency if the contractor has experienced a breach into personal information that it holds. Law enforcement records are specifically excluded in Arizona, Connecticut, and Vermont. In Michigan, falsely claiming a breach is punishable.
What Triggers the Requirement?
In Colorado, Illinois, and Maryland, the breach notification is triggered by disclosures of Social Security numbers, driver’s license numbers, or account numbers only. The same is true in Nebraska, plus biometric information (like fingerprints, eye scans, or voice prints). Louisiana’s law adds PIN numbers to the list. Arkansas regards passwords as personal information. In these states, the disclosure of solely a person’s name, even if on an embarrassing list, will not trigger notification to the victims.
Oklahoma and Oregon’s laws define personal information very narrowly.
Hawaii’s law does not define “personal information,” nor does Idaho’s. Laws in many other states, like Nebraska, Maryland, and Massachusetts, say that release of a person’s name along with SSN, account number, or other data triggers the notification requirement. North Dakota regards mother’s maiden name or an employee ID or a PIN as sensitive; therefore disclosures of them trigger the state law to apply.
The reason that legislatures included restrictions in the reach of these laws is that all of them were enacted as reactions to identity theft, not to the release of sensitive, embarrassing information.
For instance, there could be very humiliating releases of nude images of individuals by organizations, like the Transportation Security Administration, but these breaches are not covered by any of the 50 or more laws on the books. Nor is the release of photo portraits, the location of children, social media entries, student records, telephone logs or the content of emails or telephone conversations, except to the extent that they involve the specific microdata listed in the text of the laws. In other words, a lot of sensitive information is not subject to the protections in these laws.
How many states have these laws?
The state laws with partial coverage have led to an overestimate of the number of states requiring breach notifications by businesses generally. The count by Privacy Journal, the newsletter that each year publishes a compilation of state privacy laws, is 43. Alabama, Kentucky, New Mexico, and South Dakota have no breach laws.
When must notification be made?
The notification clearly must be prompt, after a breach is discovered – in a matter of days and certainly not in a matter of months. In Arkansas, notification must be made to individuals after law enforcement is informed. In Ohio, within 45 days of discovering the breach. Most laws leave this unstated or say “as soon as possible.” After they began enforcing their laws, authorities in Indiana and Connecticut have said that 90 days is too long. In Illinois and Mississippi: “without unreasonable delay.” Ohio says, “when it is reasonably believed that a breach will cause a material risk of identity theft or other fraud” and within 45 days unless law enforcement delays public notification to pursue an investigation.
To whom must notice be sent?
In short, notification of a breach must be made to individuals likely to be adversely affected, and also to a state attorney general in a few states and to a credit bureau in a few instances.
This does not necessarily mean that notification is limited to persons within each state. A state agency may be obligated by some of these laws to notify residents of other states if their data is compromised.
In Maine and Nevada, notification must also be made to credit bureaus if more than 1000 persons are affected. Pennsylvania seems unique in requiring notice to “statewide news media.” In Massachusetts, North Carolina, Virginia and elsewhere, notification must be made to the attorney general’s office simultaneously with notification to persons likely to be adversely affected. But in North Carolina the notice to the attorney general is required only if the breach affects 1000 or more persons. The province of Alberta in Canada requires that notice of a breach be sent to the provincial privacy commissioner, who will decide whether individuals will be notified.
What kinds of breaches trigger the requirement?
In Arkansas, “wrongful disclosure” triggers the obligation. In Kansas or Wyoming, if misuse has or will occur. In Utah, if the leak is “unauthorized.” In Hawaii, if the leak is inadvertent. In Alaska, only if harm will result. In Arizona, only if the lost data is unencrypted or unredacted.
Are there federal requirements?
A proposal in the U.S. Senate, S.1193, would require as a matter of federal law that commercial entities, but not governmental bodies, report security breaches involving more than 10,000 individuals to those persons as well as to the FBI or Secret Service. In its current session and the previous session, Congress has not enacted a notification law.
The 2009 amendments to the HIPAA medical-confidentiality law require breach notification by healthcare providers and allied businesses. In some cases, state and local governments are healthcare providers; in nearly all cases they hold medical information that may be covered by HIPAA.
Notification must be made to affected individuals and to the Department of Health and Human Services. On its HIPAA Web site, the department must publish a list of establishments experiencing breaches affecting more than 500 individuals. In 2013, its first year, it listed more than 250 breaches. But a report issued in 2011 by the San Diego-based Identity Theft Resource Center says, “The public has no way of knowing just how minor or serious the data exposure was for any given incident.” In all, the center recorded 619 data disclosures in 2013, with nearly half in the medical sector. This high rate is attributable in part to the fact that this sector is required nationwide to report breaches. “Malicious attacks still account for more breaches than human error (about nine percent),” said the center.