Data Breach Notification

Just when you think you have it all under control, the data breach notification law landscape changes – again. Over the past few weeks, several data breach notification statutes were updated, including an effective date for Canada’s mandatory breach notification obligations, as well as the adoption of legislation in the two holdout states (Alabama and South Dakota). Here is the latest:

  • Canada: On March 26, the Governor General in Council, on recommendation of the Minister of Industry, set November 1, 2018, as the effective date for the mandatory data breach notification obligations in the Digital Privacy Act 2015, which amended the Personal Information Protection and Electronic Documents Act (PIPEDA). Beginning November 1, any organization must report to the Privacy Commissioner if it has a reasonable belief that a breach of information under its control creates a real risk of “significant harm” to Canadian residents, as well as notify affected individuals. The term “significant harm” includes bodily harm; humiliation; damage to reputation or relationships; loss of employment, business, or professional opportunities; financial loss; identity theft; negative effects on the credit record; and damage to or loss of property. The notice to affected individuals must contain sufficient information to allow the individual to understand the significance of the breach and to take any steps to mitigate or reduce the risk of any resulting harm.
  • Alabama: On May 1, 2018, the Alabama Data Breach Notification Act will take effect, requiring that companies provide notice of the unauthorized acquisition of electronic data containing sensitive personally identifiable information that is reasonably likely to cause substantial harm. The term “sensitive personally identifiable information” includes an Alabama resident’s first name or first initial and last name in combination with Social Security or tax identification number; driver’s license or other unique government-issued identification number; financial account number in combination with the required security code, access code, password, expiration date, or PIN; medical and health insurance information; or online account credentials. The Act sets a 45-day time limit for consumer and Attorney General (if more than 1,000 Alabama residents are affected) notice. The consumer notice must contain (1) the estimated date(s) of the breach; (2) a description of the affected information; (3) a general description of the remedial actions taken; (4) a general description of the steps consumers can take to protect themselves from identity theft; and (5) the company’s contact information. The Attorney General notice must contain (1) a synopsis of the event surrounding the breach at the time notice is provided; (2) the approximate number of affected Alabama residents; (3) any free services offered to affected individuals, and instructions on how to use those services; and (4) the name, address, telephone number, and email address of the company’s point person for the breach. A violation of the Act will constitute an unlawful trade practice under the Alabama Deceptive Trade Practices Act, subject to a civil penalty of up to $5,000 per day.
  • South Dakota: On March 21, South Dakota enacted S.B. 62. Effective July 1, 2018, the statute will require that companies provide notice of the unauthorized acquisition of unencrypted computerized data (or encrypted computerized data and the encryption key) that materially compromises the security, confidentiality, or integrity of personal or protected information. The statute (1) contains expanded definitions of personal and protected information, which include health information, an employer-assigned ID number in combination with the required security code, access code, password, or biometric data, and online account credentials; and (2) sets a 60-day time limit for consumer notice, unless legitimate law enforcement needs require a longer time period. Attorney General notice is required if the number of affected South Dakota residents exceeds 250. Violators are liable for a civil penalty of up to $10,000 per day per violation.
  • Oregon: On March 16, Oregon enacted amendments to its data breach notification law, which take effect June 2, 2018. The amendments clarify that personal information includes an Oregon resident’s first name or first initial and last name in combination with any information or combination of information that would permit access to her financial account, and require consumer and Attorney General (if the number of affected residents exceeds 250) notice within 45 days of discovery of a breach. Additionally, if a company provides free credit monitoring or identity theft prevention and mitigation services, it may not require that consumers provide a credit or debit card number (or any fee) to take advantage of those free services. Likely prompted by the Experian data breach, the amendments also prohibit consumer reporting agencies from charging a fee for a consumer to place or lift a security freeze. Previously, the statute capped such fees at $10.
  • Arizona: On April 5, the Arizona Governor received H.B. 2154, which if enacted, would (1) expand the definition of personal information to include a private key unique to an individual and used to authenticate or sign an electronic record, medical and health insurance information, passport and taxpayer identification number, unique biometric data, and online account credentials; and (2) require notification to affected consumers, as well as the Attorney General and the three largest credit reporting agencies if more than 1,000 Arizona residents are affected, within 45 days. Such notices would need to include the approximate date of the breach; a brief description of the affected personal information; the toll-free numbers for the three largest CRAs; and the toll-free number, address, and website address for the FTC. Importantly, these amendments would also create notice provisions specific to online account credentials and clarify that notice should not be made to the affected account, and should prompt the individual to (1) immediately change her password or security question and answer, and (2) take appropriate steps to protect the affected account and all other online accounts with the affected account credentials. If Arizona adopts these amendments, it will become the twelfth state to require notice in the event of a breach of online account credentials – joining California, Delaware, Florida, Illinois, Maryland, Nebraska, Nevada, Rhode Island, and Wyoming, and most recently, Alabama and South Dakota.

These developments demonstrate that data breach notification statutes are evolving, often in response to high-profile data breaches and/or concerns about a specific industry or a specific type of data – such as online account credentials. We expect U.S. states to continue to update these laws, and in particular, to (1) expand the definition of personal information to include medical and health insurance information, biometric data, and online account credentials; (2) require notice to consumers and/or regulators within a specific time period; (3) impose data security requirements; and (4) address concerns with specific industries, such as credit reporting agencies. Stay tuned for more updates!

Last week, Nebraska Governor Pete Ricketts signed into law LB 835, which makes the following amendments to the state’s data breach notification statute:

  • Adds to the definition of “personal information” a user name or email address, in combination with a password or security question and answer, that would permit access to an online account.
  • Requires notice to the Nebraska Attorney General no later than notice is provided to Nebraska residents.
  • Clarifies that data is not considered encrypted, defined as “converted by use of an algorithmic process . . . into a form in which the data is rendered unreadable or unusable without use of a confidential process or key,” if the confidential process or key was or is reasonably believed to have been acquired as a result of the breach.

The amendments take effect July 20, 2016. Recognizing the breadth of information consumers store online, Nebraska will become the fifth state, joining California, Florida, Nevada, and Wyoming, to require notification in the event of a breach of account credentials. We will continue to track and keep you apprised of updates to state breach notification statutes.

Last week, Tennessee Governor Bill Haslam signed into law SB 2005, which makes two amendments to the state’s data breach notification statute – effective July 1, 2016. With these amendments, Tennessee has joined a handful of other states that have strengthened – or are attempting to strengthen – their breach notification statutes in light of several high-profile breaches over the past few years.

The first amendment will require that businesses provide notice of a breach to affected Tennessee consumers no later than 14 days after discovery. Previously, the statute required that notice be provided “in the most expedient time possible and without unreasonable delay.” Notice may be delayed if a law enforcement agency determines that it would impede a criminal investigation, but then must be provided within 14 days after the agency has determined it will no longer compromise that investigation.

Additionally, the amendments clarify that the acquisition of personal information by employees who intentionally use the information for an unlawful purpose triggers the statute and its notice requirement.

Last week, California Governor Jerry Brown signed into law three bills that revise California’s data breach notification statute. The bills, which take effect January 1, 2016, establish specific formatting requirements for the consumer breach notice letter; define “encrypted”; and create notice, security, and privacy obligations for data captured by automated license plate recognition (ALPR) systems. The enactment of these bills, and others, indicates California’s continued commitment to reviewing and revising privacy- and security-related legislation to address perceived gaps and new threats.

Currently, California’s breach notification statute requires that the plain-language notice to affected consumers include (1) the notifying entity’s name and contact information; (2) a list of the types of personal information subject to the breach; (3) the date of the breach; (4) whether notification was delayed due to a law enforcement investigation; (5) if the breach involved Social Security, driver’s license, or California identification card numbers, the phone numbers and addresses of the major credit reporting agencies; and (6) if identity theft and mitigation services are offered, all information necessary to take advantage of that offer. S.B. 570 adds the following formatting requirements:

  1. The notice must be titled “Notice of Data Breach.”
  2. The required content (listed above) must be described under the following headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” Additional information may be provided as a supplement to the notice.
  3. The format of the notice must be designed to call attention to the nature and significance of the information it contains.
  4. The title and headings must be clearly and conspicuously displayed.
  5. The text must be at least 10-point type.

Notices using the model security breach notification form (CA Form) will be deemed compliant.

Under California law, a breach has occurred only if the compromised personal information is not encrypted. A.B. 964 defines “encrypted” as “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.”

S.B. 34 amends the definition of “personal information,” adding “information or data collected through the use or operation of an automated license plate recognition system.” Additionally, the bill requires that ALPR operators and end-users maintain reasonable security procedures and practices, including operational, administrative, technical, and physical safeguards, to protect ALPR information, and a usage and privacy policy detailing their ALPR information collection, use, maintenance, sharing, and dissemination practices. The bill also creates a private right of action, under which individuals may bring a civil action, and a court may award actual damages of up to $2,500, punitive damages, reasonable attorney’s fees and costs, and/or other preliminary and equitable relief.

Last week, the Washington Governor signed into law amendments to the state’s data breach notification statute. Importantly, the amendments, which take effect July 24, 2015, (1) expand the statute to cover breaches of non-computerized data; (2) mandate that businesses notify the Washington Attorney General of a breach affecting more than 500 Washington residents; and (3) require that notification to consumers and to the Attorney General occur no later than 45 days after the date of discovery of the breach. The amendments were requested by Washington Attorney General Bob Ferguson.

Washington now joins only a handful of states whose breach notification statutes require notice of a breach of non-computerized data containing consumer personal information. The amendments clarify, however, that notice is only required – both for computerized and non-computerized data – if the breach is reasonably likely to subject consumers to a risk of harm. Risk of harm is assumed, though, if the data is not secured, or if the means to decipher the secured information (e.g., the encryption key) is also compromised. “Secured” is defined as “encrypted in a manner that meets or exceeds the National Institute of Standards and Technology (NIST) standard or is otherwise modified so that the personal information is rendered unreadable, unusable, or undecipherable.”

In addition to mandating that notification occur within 45 days of discovery of a breach, the amendments prescribe the content of the notice to both consumers and the Attorney General (if more than 500 Washington residents are affected). Specifically, the consumer notice must be written in plain language and include (1) the business’s name and contact information, (2) a list of the types of personal information reasonably believed to have been the subject of the breach, and (3) the toll-free telephone numbers and addresses of the major credit reporting agencies. The notice to the Attorney General must include the number of Washington residents affected and a sample copy of the consumer notice, provided electronically.

Despite pending federal legislation, which contains broad federal preemption provisions, state legislatures, often at the request of the Attorney General, are strengthening existing notification requirements, likely in response to the several high-profile breaches that have occurred over the last few years, to attempt to safeguard consumer personal information and prevent identity theft. We continue to track such legislation in several states, including Indiana and New Jersey, as well as the goals of state attorneys general, such as those in New York and Oregon requesting such legislation.

On Tuesday, the California Attorney General released the second annual data breach report, summarizing the 167 data breaches reported to the Attorney General’s office in 2013, and providing privacy and security recommendations for businesses. According to the report, the retail, finance, and healthcare industries reported over 60 percent of the 167 breaches, over half of which were the result of malware and hacking. The breaches affected 18.5 million California residents – a 600 percent increase over the 2.5 million records breached in 2012, and 84 percent of those records were the result of retail industry breaches.

The report provides several recommendations for businesses directed towards improving security and notification measures, including the following three non-sector-specific recommendations: (1) conduct risk assessments at least annually and update privacy and security practices based on the findings; (2) use strong encryption to protect personal information in transit; and (3) improve the readability of breach notices. Additionally, the report recommends that the healthcare industry consistently use strong encryption to protect medical information on laptops and other portable devices, and consider it for desktop computers. Importantly, the report also includes the following six recommendations specific to the retail industry, suggesting that the Attorney General considers the security measures and breach response actions of the retail industry, to date, inadequate:

  1. Update point-of-sale terminals so that they are chip-enabled and install the software necessary to operate this technology.
  2. Implement appropriate encryption solutions to devalue payment card data, including encrypting data from the point of capture until the completion of transaction authorization.
  3. Implement appropriate tokenization solutions to devalue payment card data, including in online and mobile transactions.
  4. Respond promptly to data breaches and notify affected individuals in the most expedient time possible and without unreasonable delay.
  5. Improve substitute notice, such as by placing a prominent and conspicuous link to the notice on the website homepage, leaving the link and notice up for at least 30 days, publishing the notice in the most expedient time possible and updating it as the business learns more, and telling consumers what they can do to protect themselves.
  6. Work with financial institutions to protect debit card holders in breaches of unencrypted payment card data.

Finally, the report suggests that the state consider legislation (1) to amend the breach notification statute to strengthen the substitute notice procedure, clarify the roles and responsibilities of data owners and maintainers, and require a final breach report to the Attorney General; and (2) to provide funding to support system upgrades for small California retailers. As it appears no longer a question of “if” but rather “when” a breach will occur, businesses should continue to evaluate and modify their privacy and security practices to ensure compliance with these recommendations and all legal obligations.

Last Friday, Florida enacted a new Information Security Act that repeals the state’s existing data breach notification law and increases companies’ reporting obligations and liability in the event of a data security breach. The new law takes effect July 1, 2014. Likely in response to the recent high-profile breaches, several states have introduced legislation to strengthen existing data security laws, and it is important for companies to monitor these developments and assess and revise information security policies, as necessary.

The new law will require regulator notice (written notice to the Department of Legal Affairs) if more than 500 Florida residents are affected by a breach, as well as if a company reasonably determines that notice is not required because the breach has not resulted, and will not likely result, in identity theft or other financial harm. Additionally, the new law specifies the content that must be included in both the consumer and regulator notice; imposes a 30-day timeframe for covered entities to provide such notice; and revises the definition of personal information to include medical and health insurance information and an individual’s user name or email address in combination with the required password or security question and answer. Furthermore, the law requires that third-party agents notify a company of a breach of security within 10 days, and, although the third-party agent may provide the required notice, the company is ultimately responsible for any failure by the agent to provide proper notice.

Importantly, the new law codified the Act within Florida’s Deceptive and Unfair Trade Practices Act, and specifies that a violation of the Information Security Act constitutes an unfair or deceptive trade practice. Under the DUTPA, the Attorney General may bring actions for a declaratory judgment, injunction, or actual damages. These remedies are in addition to the civil penalties the Department may assess, up to $500,000, for failure to comply with the consumer and regulator notice requirements.

Last week, Kentucky enacted a data breach notification law, becoming the 47th state to require notice to consumers in the event of a breach of unencrypted personally identifiable information. The law’s author, Representative Steve Riggs (D-Louisville), stated that he drafted the bill in response to learning that his state was one of only four (including Alabama, New Mexico, and South Dakota) that did not have a data breach notification law on the books. The new law will become effective in July.

The law sets forth a high standard for whether a breach has occurred. Specifically, it requires a company to notify Kentucky residents any time that it reasonably believes there is an unauthorized acquisition of unencrypted personally identifiable information that actually causes, or leads the company to reasonably believe has caused or will cause, identity theft or fraud. The statute defines personally identifiable information as an individual’s first name or first initial and last name, in combination with their Social Security number, driver’s license number, or financial account information and the required access code/password. Regulator notice is not required, but credit reporting agency notice is required in the event the breach affects more than 1,000 Kentucky residents.

While there have been many calls for a federal data breach notification law, particularly in the wake of the recent high-profile retailer breaches, for the time being, companies will have to consider the various state laws (as well as those of D.C., Guam, Puerto Rico, and the Virgin Islands) in the event of a data breach.