Common Elements of Security Breach Statutes.
(1) Applicability varies from state to state, depending on the state data brokers, state agencies, and/or private businesses may be covered;
- The state statues usually apply only to electronic data, however there is an emerging trend to include both electronic and physical (paper) records.
(2) Definition of personal information (or individually identifiable sensitive information)- generally consisting of the person’s name and one or more data elements that are not encrypted (e.g. social security number, drivers license number, account number (credit card, bank account, etc.) plus any required pin or pass code);
- Encrypted, redacted and public information are generally excluded from the definition of personal information.
(3) Definition of breach- some states apply an acquisition based trigger where the information has been materially compromised while other states apply a risk based analysis evaluating the likelihood of harm);
Encryption- If data are encrypted even though the the state may utilize an acquisition based trigger, there generally is no reporting obligation.
- Encryption is usually defined as the use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key.
- However, some states like Massachusetts require the use of at least 128-bit encryption to protect any personal data in transit including information sent via e-mail, laptops, external hard drives, USB memory sticks, CDs, etcs. (201 CMR 17.00)(effective January 1, 2010).
Good Faith Acquisition- If data are acquired as the result of “good faith” acquisition for a legitimate purpose this is not typically a breach of security (assuming the personal information is not subject to an actual threat to the confidentiality, or integrity.)
(4) Who, when and how notice should be made- generally notice is always made to the consumer, however, some states may also require credit reporting agencies, police, the state attorney general, and/ or other government entities be notified);
- Contents of Notice- The specific contents of the notice required varies by state however the information normally included in a notice to a consumer includes the following:
- Description of the incident in general terms;
- The approximate date of breach;
- The type of personal information obtained as a result of the security breach; and
- The telephonic contact information of the person subject to this section.
- Method of Notice- The specific methods of notice and the application of various methods of notice varies by state, however, the following methods are generally available:
- Written notice.
- Electronic notice, for those persons for whom it has a valid e-mail address and who have agreed to receive communications electronically if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing set forth in 15 U.S.C. § 7001.
- Telephonic notice provided that contact is made directly with the affected persons.
- Substitute notice, if the business demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000) or that the affected class of subject persons to be notified exceeds 500,000, or if the business does not have sufficient contact information or consent to utilize the above methods. Substitute notice shall consist of all the following:
- E-mail notice when the business has an electronic mail address for the subject persons.
- Conspicuous posting of the notice on the Web site page of the business, if one is maintained.
- Notification to major statewide media.
- Time Period for Notice- Typically 30 days, in some states 45 days, however, most states have an exception where notice is delayed per the request of law enforcement.
(6) Penalties – Penalties: The consequences of not complying include retribution by the state attorney general or a civil right of action. Many states do not specify a maximum civil penalty. However, the Arizona and Arkansas laws allow a civil penalty not exceeding $10,000, whereas the limit is $25,000 in Connecticut and Idaho, and $500,000 in
Florida; and
(7) Common Exceptions- HIPAA, GLB, Safe Harbor, and other regulated entities are excluded. For example Idaho has a safe harbor exception where the entity has procedures (as part of an information security policy) and the procedures are otherwise consistent with the timing requirements under Idaho law is deemed to be in compliance with the notice requirements of section 28-51-105 of the Idaho Code.
(9) Standing to Enforce:
- State Attorney Generals
- Private Right of Actions
(10) Proactive Security Measures- Some states require proactive security measures (e.g., California, Nevada, etc.) in addition to post breach notice requirements. Proactive security measures include “reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification or disclosure” and contracts involving the disclosure of the personal information must include a provision requiring that said business partner “maintain reasonable security measures to protect data from unauthorized access, acquisition, destruction, use, modification or disclosure.
States without security breach notification statues include.
- Alabama;
- Kentucky;
- Mississippi;
- Missouri; (security breach statute enacted effective August 2009)
- New Mexico; and
- South Dakota.
Summary map of states with security breach statutes with links to relevant legislation for each state. Red denotes “acquisition based state”, Gray denotes “risk based analysis state”, and Green denotes states with no security breach legislation.
Click-on a selected state to read the state’s security breach legislation/ statute if available.
Table of States (including the District of Columbia) with Security Breach Notification Laws.
Security Breach Notification Statutes
| State | Trigger | Proactive Security Measures | Individually Identifiable Information | Key Features |
|---|---|---|---|---|
Alaska (2008 H.B. 65)(2008 Alaska Sess. Laws Ch. 92) (entitled "Personal Information Protection Act") | Risk based analysis evaluating the likelihood of harm. | Yes. | An individual's name a combination of an individual's first name or first initial; and last name plus one of the following:
|
|
| Arizona (Ariz. Rev. Stat. § 44-7501) | Risk based analysis evaluating the likelihood of harm. | No. | An individual's first name or first initial and last name in combination with anyof the following:
| GLB and HIPAA regulated entities are exempt. Entities that follow the notification procedures or security breach policies of their primary or functional federal regulator are deemed compliant. |
| Arkansas (Ark. Code § 4-110-101 et seq.) | Risk based analysis evaluating the likelihood of harm. | Yes. | First name or first initial and last name in combination with any one of the following:
| Entities covered by any state or federal regulations offering greater protection or equal disclosure requirements are exempt. |
| California (Cal. Civ. Code §§ 56.06 (medical information), 1785.11.2 (consumer credit reporting agency) , 1798.29 (state Agencies), 1798.82 (businesses)) | Acquisition based trigger- whether the information has been materially compromised. | Yes. | Any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited:
| Entities covered by state medical, financial and vehicle confidentiality codes and HIPAA are exempt from pre-breach measures, but not notification requirements. |
| Colorado (Colo. Rev. Stat. § 6-1-716) | Risk based analysis evaluating the likelihood of harm. | No. | Individual's first name or first initial and last name in combination with any one of the following:
| GLB exemption. An entity is deemed compliant if it maintains procedures per federal regulator. |
Connecticut | Risk based analysis evaluating the likelihood of harm. | No. | An individual's first name or first initial and last name in combination with any one of the following:
| An entity is deemed compliant if it maintains a security breach procedure under GLB and notification is given in the event of a breach. |
| Delaware (Del. Code tit. 6, § 12B-101 et seq.) | Risk based analysis evaluating the likelihood of harm. | No. | Individual's first name or first initial and last name in combination with any one of the following:
| |
District of Columbia (D.C. Code § 28-3851 et seq.) | Acquisition based trigger- whether the information has been materially compromised. | No. | An individual's first name or first initial and last name, or phone number, or address, and any one of the following:
| GLB Exemption. |
| Florida (Fla. Stat. § 817.5681) | Risk based analysis evaluating the likelihood of harm. | No. | An individual's first name or first initial and last name in combination with any one of the following:
| An entity is deemed compliant if the entity maintains procedures for breach of security pursuant to mandate by its primary. |
| Georgia (Ga. Code §§ 10-1-910, 10-1-911) | Risk based analysis evaluating the likelihood of harm. | No. | (A) An individuaĺ's first name or first initial and last name in combination with any of the following:
(B) Any of the items above (1)-(4) (not in connection with the individuaĺs first name or first initial and last name) when the information would be sufficient to perform (or attempt to perform) identity theft against the person whose information was compromised. | Applies to Information Brokers Only. Information Brokers is defined as "any person or entity who, for monetary fees or dues, engages in whole or in part in the business of collecting, assembling, evaluating, compiling, reporting, transmitting, transferring, or communicating information concerning individuals for the primary purpose of furnishing personal information to nonaffiliated third parties, but does not include any governmental agency whose records are maintained primarily for traffic safety, law enforcement, or licensing purposes." (Ga. Code § 10-1-911(2)) |
Hawaii | Risk based analysis evaluating the likelihood of harm. | No. | An individual's first name or first initial and last name in combination with any one of the following:
| Financial institutions subject to the Interagency Guidelines and any health plan or healthcare provider that is subject to and in compliance with the privacy and security requirements of HIPAA are deemed compliant. |
| Risk based analysis evaluating the likelihood of harm. | No. | An individual's first name or first initial and last name in combination with any one of the following:
| ||
Illinois | Acquisition based trigger- whether the information has been materially compromised. | No. | An individuaĺ's first name or first initial and last name in combination with any of the following:
| Uses the term "Data Collector" which is defined to include government agencies, public and private universities, privately and publicly held corporations, financial institutions, retail operators, and any other entity that, for any purpose, handles, collects, disseminates, or otherwise deals with nonpublic personal information. |
| Acquisition based trigger- whether the information has been materially compromised. | Yes. |
| A data base owner is not required to make disclosure under this chapter if it maintains its own disclosure procedure that is as stringent as this chapter, or is required to make disclosure under a federal statute, regulation or guideline. |
|
| Iowa (Iowa Code § 715C.1 (2008 S.F. 2308)) | Risk based analysis evaluating the likelihood of harm. | No. | An individual's first name or first initial and last name with any of the following:
| Those with procedures that provide greater protection and notice, those required by other law to provide notice and GLB. |
Kansas | Risk based analysis evaluating the likelihood of harm. | Yes. | An individual's first name or first initial and last name in combination with any one of the following:
| Section 50-7a03 requires destruction of consumer information; exception. unless otherwise required by federal law or regulation, a person or business shall take reasonable steps to destroy or arrange for the destruction of a customer's records within its custody or control containing personal information which is no longer to be retained by the person or business by shredding, erasing or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means. If an entity is regulated by state or federal regulators and maintains a procedure for breach of security, it is deemed compliant. |
Louisiana | Risk based analysis evaluating the likelihood of harm. | No. | An individual's first name or first initial and last name in combination with any one of the following:
| Financial institutions subject to Interagency Guidelines on security breach and notice requirements are deemed compliant with this law. |
Maine | Risk based analysis evaluating the likelihood of harm. | No. | (A) An individual's first name or first initial and last name in combination with any of the following:
(B) Any of the items above (1)-(4) (not in connection with the individuaĺs first name or first initial and last name) when the information would be sufficient to perform (or attempt to perform) identity theft against the person whose information was compromised. | Amendment clarifies that notification may be delayed for no longer than 7 business days after a law enforcement agency determines that the notification will not compromise a criminal investigation. ( A person that complies with security breach notification requirements of rules, regulations, etc. established pursuant to federal law or the law of Maine is deemed compliant, if the notification procedures are as protective. |
Maryland | Risk based analysis evaluating the likelihood of harm. | Yes. | An individual's first name or first initial and last name in combination with any one of the following:
| Section 14-3503. requires reasonable security procedures and practices that are appropriate to the nature of the personal information owned or licensed and the nature and size of the business and its operations. GLB and FACTA Exemptions. |
Massachusetts | Risk based analysis evaluating the likelihood of harm. | Yes. | An individual's first name or first initial and last name in combination with any one of the following:
| Use at least 128-bit encryption to protect any personal data in transit including information sent via e-mail, laptops, external hard drives, USB memory sticks, CDs, etcs. (201 CMR 17.00 entitled "Standards for The Protection of Personal Information of Residents of the Commonwealth"). Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) postponed compliance with the new regulations until January 1, 2010. (See February 12, 2009 - Press Release, Office of Consumer Affairs Files Revised ID Theft Regulations). |
Michigan | Risk based analysis evaluating the likelihood of harm. | Yes. | First name or first initial and last name linked to elements of a resident of this state:
| Financial institutions and those subject to HIPAA are deemed compliant. |
| Acquisition based trigger- whether the information has been materially compromised. | No. | An individual's first name or first initial and last name in combination with any one of the following:
| Minnesota requires notice to consumer reporting agencies if more than 500 Minnesota residents are affected. GLB Exemption. |
|
Missouri | Risk based analysis evaluating the likelihood of harm. Notification is not required if, after an appropriate investigation by the person or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determines that a risk of identity theft or other fraud to any consumer is not reasonably likely to occur as a result of the breach. Such a determination shall be documented in writing and the documentation shall be maintained for five years | No. | Defines “personal information” expansively to include an individual's first name or first initial and last name in combination with any one of the following: •social security numbers; •driver’s license numbers or similar unique identification numbers created by a government body; •financial account numbers (with a required security code, access code or password which would permit access to the account); •credit card or debit card numbers (with a required security code, access code or password which would permit access to the account); •unique electronic identifiers or routing codes (with a required security code, access code or password which would permit access to the account); •medical information; and •health insurance information. | "Medical information" includes "any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional." |
Montana | Risk based analysis evaluating the likelihood of harm. | Yes. | A. An individual's name, signature, address, or telephone number with one additional piece of information about the individual:
B. A social security number, in and of itself. | |
Nebraska Laws 2006, LB 876, §§ 1-7.
| Risk based analysis evaluating the likelihood of harm. | Yes | First name or first initial and last name in combination with any one of the following:
| |
Nevada | Risk based analysis evaluating the likelihood of harm. | Yes | An individual's first name or first initial and last name in combination with any one of the following:
| |
New Hampshire | Risk based analysis evaluating the likelihood of harm. | No | An individual's first name or first initial and last name in combination with any one of the following:
| Limited GLB Exemption. Note, Section 332-I:5 - Unauthorized Disclosure. – In the event of a use or disclosure of protected health information by a health care provider or a business associate of a health care provider that is allowed under federal law but not permitted by RSA 332-I:4, the health care provider shall promptly notify in writing the individual or individuals whose protected health information was disclosed. A business associate shall be responsible for the cost of such notification if the use or disclosure was by the business associate. (see http://www.gencourt.state.nh.us/rsa/html/XXX/332-I/332-I-mrg.htm) |
New Jersey | Risk based analysis evaluating the likelihood of harm. | Yes | A. An individual's first name or first initial and last name linked with any of the following:
B. Dissociated data that, if linked, would constitute personal information is personal information if the means to link the dissociated data were accessed in connection with access to the dissociated data. | Requires notice to NJ State Policy before consumer notification. Section C.56:8-162 defines methods for destruction of certain customer records. |
| New York N.Y. Gen. Bus. Law § 899-aa | Acquisition based trigger- whether the information has been materially compromised. | No | Personal information consisting of any information in combination with any one or more of the following data elements:
| New York requires notice to consumer reporting agencies where more than 5,000 persons are affected. In all instances New York also requires notice to the New York Attorney General, Consumer Protection Board, and State Office of Cyber Security and Critical Infrastructure. See http://www.cscic.state.ny.us/security/securitybreach/ for more information. |
North Carolina | Risk based analysis evaluating the likelihood of harm. | Yes | A person's first name or first initial and last name in combination with any of the following (identifying information as defined in G.S. 14-113.20(b)):
| Security breach notification obligations modified by SB 1017 (effective October 1, 2009) requiring notification of the attorney general when a business notifies North Carolina residents of a breach (previously limited to breaches involving 1000 or more individuals). Notice to individuals affected by a breach requires: a telephone number for the business providing notice; contact information for the national credit reporting agencies; and toll-free numbers, addresses and web site addresses for the Federal Trade Commission and the North Carolina Attorney General’s Office. Pre-breach measures are not applicable to entities subject to GLB, HIPAA, and FCRA. Financial institutions subject to federal Interagency Guidelines on security breach and notice requirements are deemed compliant. |
North Dakota | Acquisition based trigger- whether the information has been materially compromised. | No | An individual's first name or first initial and last
| |
Ohio | Risk based analysis evaluating the likelihood of harm. | No | An individual's first name or first initial and last name in combination with any one of the following:
| Financial institutions already subject to federal notification requirements are deemed compliant. The law does not apply to those regulated by the HIPAA provisions of the Social Security Act. Ohio - Financial institutions already subject to federal notification requirements are deemed compliant. The law does not apply to those regulated by the HIPAA provisions of the Social Security Act.</b> However note the exception is somewhat limited, see Insurance Bulletin 2009-12 (2009-12) Effective November 2, 2009. |
Oklahoma | Risk based analysis evaluating the likelihood of harm. | No | An individual's first name or first initial and last name in combination with any one of the following:
| GLB entities with notification requirements and entities required to notify by other federal regulator are exempt. |
| Risk based analysis evaluating the likelihood of harm. | Yes | A. First name or first initial and last name in combination with any of the following:
B. Any of the data elements or any combination of the data elements described above when not combined with the consumer’s first name or first initial and last name if the information obtained would be sufficient to permit a person to commit identity theft against the consumer whose information was compromised. | HIPAA and GLB exemption for pre-breach. GLB and those with greater protections that notify are exempt from notification requirements. |
Pennsylvania | Risk based analysis evaluating the likelihood of harm. | No | An individual's first name or first initial and last name in combination with any one of the following:
| A financial institution that complies with the notification requirements of the Interagency Guidelines is deemed compliant, and any entity that complies with the notification requirements of its primary or functional federal regulator shall be in compliance with this act. |
Rhode Island | Risk based analysis evaluating the likelihood of harm. | Yes | An individual's first name or first initial and last name in combination with any one of the following:
| Any person who maintains security breach procedures pursuant to rules of its primary or functional regulator is deemed compliant with notification requirements. Financial institutions governed by the Interagency Guidelines who notify in the event of a breach, and health care entities governed by HIPAA are deemed compliant with the chapter. |
| South Carolina (2008 S.B. 453, Act 190) | Risk based analysis evaluating the likelihood of harm. | Yes | Section 16-13-512 is incorporated by reference. First name or first initial and last name in combination with and linked to any of the following:
| GLB, HIPAA, FCRA entieis are exempt. |
Tennessee | Risk based analysis evaluating the likelihood of harm. | No | Any number that is assigned by the government to identify a particular person, including, but not limited to, social security number, federal tax payer identification number, Medicaid, Medicare or TennCare number which identifies a particular person eligible for benefits, any number assigned to a person as part of a licensure or registration process, such as a board of professional responsibility number, driver license number and passport number and any number assigned by an insurance company, health maintenance organization, managed care organization or other health benefit organization, for the purposes of identifying a particular person eligible for services; and | |
Texas | Acquisition based trigger- whether the information has been materially compromised. | Yes | Information that alone or in conjunction with other information identifies an individual, including an individual's:
(Uses the term "personal identifying information".) See alsoTexas Business and Commerce Code § 48.051, et seq. (48.001, et seq.), Consumer Protection Against Computer Spyware Act. (A person may not copy software onto a computer he does not own for the purpose of gathering personal identifying information); Texas Business and Commerce Code §§ 48.003-48.004, Anti-Phishing Act. (A person may not use the internet to induce a person to provide personal indentifying information for anything but a legitimate business purpose. This includes both web pages and email); Texas Business and Commerce Code § 35.585 (523.001), Extension of Credit to Victim of Identity Theft. (An identity theft victim cannot be denied credit on the basis of the fact that he or she has been a victim of identity theft.) | Sensitive personal information now defined to include health care information, such as information about an individual’s physical or mental health or payment for health care services. The definition of “breach of system security” to reach breaches of encrypted information where the encryption key is compromised. Breach notification obligations also applicable to public sector entities and nonprofit athletic/sports associations. |
Utah (entitled " | Risk based analysis evaluating the likelihood of harm. | Yes | An individual's first name or first initial and last name in combination with any one of the following:
| Section 13-44-201 requires the following proactive security measures: (1) Any person who conducts business in the state and maintains personal information shall implement and maintain reasonable procedures to: (a) prevent unlawful use or disclosure of personal information collected or maintained in the regular course of business; and (b) destroy, or arrange for the destruction of, records containing personal information that are not to be retained by the person. (2) The destruction of records under Subsection (1)(b) shall be by: (a) shredding; (b) erasing; or (c) otherwise modifying the personal information to make the information indecipherable. This section does not apply to a financial institution as defined by 15 U.S.C. Section 6809. |
Vermont | Risk based analysis evaluating the likelihood of harm. | Yes | First name or first initial and last name in combination with any of the following data elements:
| Financial entities exempt. |
| Virginia (Va. Code § 18.2-186.6) | Risk based analysis evaluating the likelihood of harm. | No | An individual's first name or first initial and last name in combination with any one of the following:
| Entities required to notify pursuant to rules established by primary or functional state or federal regulator |
Washington | Risk based analysis evaluating the likelihood of harm. | No | An individual's first name or first initial and last name in combination with any one of the following:
| |
| West Virginia (W.V. Code §§ 46A-2A-101 et seq.) | Risk based analysis evaluating the likelihood of harm. | No | An individual's first name or first initial and last name in combination with any one of the following:
| GLB exemption and entities with notification requirement established by primary or functional regulator. |
Wisconsin | Risk based analysis evaluating the likelihood of harm. | No | An individual's first name or first initial and last name in combination with any one of the following:
| GLB and HIPAA regulated entities are exempt. |
Wyoming | Risk based analysis evaluating the likelihood of harm. | No | First name or first initial and last name of a person in combination with one of the following:
|
Ohio – Financial institutions already subject to federal notification requirements are deemed compliant. The law does not apply to those regulated by the HIPAA provisions of the Social
Security Act.</b> However note the exception is somewhat limited, see Insurance Bulletin 2009-12 (2009-12) Effective November 2, 2009.
Additional Resources
NYS Office of Cyber Security and Critical Infrastructure Coordination (CSCIC).
California Office of Privacy Protection Website.
N.H. Rev. Stat. Ann. § 332-I:1, et seq.
Related Blogs
Related posts:
- Interim Final Rule on Breach Notification for HIPAA Covered Entities and Business Associates Released by HHS (Effective September 23, 2009) & FTC Releases Final Guidance on PHR Security Breach Notification Requirements Regulations requiring health care providers, health plans, and other entities...
[...] Security Breach Notification Statutes [...]
[...] Law Blog 2.0 – Summary of 50 State Security Breach Notification Laws (scroll down to see the map) [...]
Great posting. We’ve added it to our data encryption blog!
That was awesome! Probably one of the more interesting reads in awhile.
Tax Attorney Attorney Temecula
[...] March 30, 2010 · Leave a Comment Summary of State Data Breach Laws [...]