States Advance Breach Notification Laws
Kentucky Becomes 47th State to Enact Requirements
As Congress dawdles over enactment of a national data breach notification law (see Why U.S. Breach Notice Bill Won't Pass), several states are taking steps to strengthen consumers' rights when breaches occur.
Kentucky earlier this month became the 47th state to enact a data breach notification law. Meanwhile, Iowa's governor signed a bill to strengthen that state's notification law. And in California, the first state to enact a data breach notification law, two lawmakers introduced legislation to toughen the rules, including requiring breached businesses to reimburse card issuers for costs to replace cards unless the businesses demonstrate they complied with the data breach law.
The action by the three states - and the failure of Congress to act - further muddles matters for businesses and other organizations that must comply with 47 different state laws.
"The nuances of breach notification laws across the country continue to grow in number and further complicate responding to multi-state breaches," says Joseph Lazzarotti, who heads the privacy, social media and information management practice at the Jackson Lewis law firm in Morristown, N.J. "Whether a national standard will resolve this challenge remains to be seen. In the meantime, companies have to exercise care when determining whether a particular incident constitutes a breach, and to whom notice must be provided."
The highly publicized breaches of retailers Target and Neiman Marcus served as catalysts for new and revised state breach notification laws. "Recent breaches emphasized the need for stronger consumer protections and awareness," says Assemblyman Roger Dickinson, who's co-sponsoring a bill in the California Assembly to toughen that state's data breach notification law. "The retailers affected by the recent mega data breaches are not the first, nor will they be the last."
Kentucky Joins the Club
According to an analysis of Kentucky's just-enacted law that Lazzarotti wrote for the National Law Review, that measure follows the same structure as many other states' breach notification laws. The new law:
- Defines a breach as an unauthorized acquisition of unencrypted and unredacted data that compromises personally identifiable information that causes, or leads the information holder to reasonably believe will cause, identity theft or fraud against any resident of Kentucky.
- Requires that notification be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
- Allows breached organizations to notify consumers electronically if they meet state e-signature requirements.
- Obliges organizations to provide timely notification of a breach to national consumer reporting agencies and credit bureaus if more than 1,000 Kentuckians are affected.
The Kentucky law exempts entities such as banks that are subject to the Gramm-Leach-Bliley Act and healthcare providers that adhere to the Health Insurance Portability and Accountability Act; both of those laws have their own breach notification rules.
It also aims to protect the data of kindergarten through 12th grade students when stored on the cloud. "Cloud providers serving these institutions in Kentucky need to be aware of this law not only so they can take steps to comply, but because it requires the providers to certify in their services contracts with the educational institutions that the providers will comply with this new law," Lazzarotti says.
The Kentucky law specifically prohibits cloud providers from processing student data for any purpose other than providing, improving, developing or maintaining the integrity of their cloud computing services, unless the provider receives express permission from the student's parent.
Iowa Amends Notification Law
In Iowa, Gov. Terry Branstad signed legislation, Senate File 2259, that amends the state's breach notification law to require notice be sent to the director of the Consumer Protection Division of the Office of Attorney General within five business days of notifying consumers of the breach if the breach affects more than 500 people.
The new law amends the definition of "breach of security" to include personal information transferred from a computer to any medium, including paper. It also redefines the term "personal information" to include encrypted or redacted personal information if the keys to unencrypt, unredact or otherwise read the data have been obtained.
In addition, the law adds expiration dates of credit and debit cards, when combined with the credit or debit card number, to the list of information included in "personal information" subject to breach of security notification requirements.
Iowa's breach notification law does not apply to organizations that comply with a state or federal law that provides greater protection to personal information and at least as thorough disclosure requirements for breach of security or personal information. Businesses, including many financial services organizations, that comply with Title V of the Gramm-Leach-Bliley Act also are exempt from the Iowa law.
Hardening Standards in California
In California, two lawmakers introduced legislation to amend the nation's first data breach notification law. The measure would prohibit the sellers of goods and services to Californians from storing payment information, sensitive authentication data and payment verification codes, such as personal identification, Social Security and driver's license numbers.
"Consumers need increased protection from the large data breaches that are occurring across the country," says Assembly Judiciary Committee Chairman Bob Wieckowski, the Fremont Democrat who's cosponsoring the bill, known as AB 1710, and will chair hearings on the measure. "By improving the way sensitive information is retained and how consumers are alerted when breaches occur, AB 1710 will better protect customers' personal information."
The California bill would require breached businesses to reimburse card issuers for all costs to replace cards unless the businesses demonstrate they complied with the data breach law. It also would require businesses that maintain but do not own the data, such as cloud services providers, to alert those affected by a data breach within 15 days by sending an e-mail message, posting a notice on their website and notifying statewide media.
If enacted, the measure would require the breached business to offer identity theft prevention and mitigation services at no cost to the affected individuals for no less than 24 months. It also would prohibit the sale of an individual's Social Security number.
"AB 1710 will increase consumer privacy, ensure appropriate fraud and identity theft protection and safeguard against the exploitation of personal information," says Dickinson, who chairs the Assembly Banking and Finance Committee.