Ah, Federalism. In countless ways we benefit from a system in which individual states can express their respective policy interests in differing state laws, with the resulting quilt bound together by the Constitution, federal law, and judicial interpretation. But on some topics we end up with a “crazy quilt” … and PII breach notification is trending crazy.
Since 2002, when California enacted the seminal state law mandating notification of individuals whose personally identifiable information (PII) is breached, virtually every state has followed suit. Forty-seven states, the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands now have such statutes. Only Alabama, New Mexico, and South Dakota are without one, and under Texas’ statute, companies doing business in Texas that have a PII breach must follow the Texas notification requirements for affected residents of these three states.
These laws are triggered by the affected individual’s residency, not where the breach occurred. So, when an organization with employees or customers in many states suffers a data breach, it must comply with a wide variety of differing and potentially conflicting state breach notification laws. And differ and conflict they do, as the following three examples illustrate.
Scope of PII
State PII breach notification laws generally apply to a state resident’s name combined with another identifier useful for traditional identity theft, such as the individual’s Social Security number, driver’s or state identification number, or financial account number with access information. But many states include other combination elements in their PII definition:
- Medical information (Arkansas, California, Florida, Missouri, Montana as of 10/1/15, North Dakota, Nevada, Oregon as of 1/1/16, Puerto Rico, Texas, and Wyoming)
- Health insurance information (California, Florida, Missouri, North Dakota, Oregon as of 1/1/16, Texas and Wyoming)
- Unique biometric data or DNA profile (Iowa, Nebraska, North Carolina, Oregon as of 1/1/16, Wisconsin and Wyoming)
- Shared secrets or security token for authentication (Wyoming)
- Taxpayer ID or other taxpayer information (Maryland, Montana as of 10/1/15, Puerto Rico and Wyoming)
- IRS identity protection PIN (Montana as of 10/1/15)
- Email address or Internet account number, with security access information (Florida and North Carolina)
- Digital or electronic signature (North Dakota)
- Employment ID number (North Dakota), if combined with security access information (North Dakota as of 8/1/15)
- Birthdate (North Dakota)
- Birth or marriage certificate (Wyoming)
- Parent’s surname before marriage (North Dakota)
- Work-related evaluations (Puerto Rico)
In Florida, Georgia, and Maine, and also Oregon as of Jan. 1, 2016, notification requirements can attach to specified identification data even without the individual’s name, if such information would sufficiently enable identity theft.
PII Media
All of the state breach notification laws apply to PII in electronic or computerized form. But in several states, including Alaska, Hawaii, Indiana, Massachusetts, North Carolina, North Dakota as of 8/1/15, and Wisconsin, a breach of PII in any medium, including paper records, can result in notification obligations.
Effective encryption of PII is an explicit safe harbor from notification obligations in virtually every jurisdiction, other than in Wyoming, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands. But 13 states add the condition that the encryption key must not have been compromised in the breach. Twenty-five states provide “redaction” as a safe harbor, as do 17 states if any “other means” are used to render the information unreadable or unusable.
Notification Requirements
The mandated time frame for notifying affected individuals is commonly described as the most “expeditious” or “expedient” time possible, “without unreasonable delay,” considering such factors as the need to determine the scope of the breach, to restore system integrity, and to identify the affected individuals. But some states have deadlines. Ohio and Wisconsin provide a time period not exceeding 45 days following discovery or notice of the security breach. Florida’s statute allows only up to 30 days after discovery or determination of a breach event, unless an additional 15 days is allowed for good cause shown.
Half of the states require breach reporting to the state’s Attorney General or other designated state agencies, at various specified thresholds of affected individuals. And a majority of these laws also require breach reporting to credit agencies, at differing defined thresholds.
Quilt in motion
State breach notification laws are constantly changing. New Nevada and Wyoming requirements became effective July 1, and note all the “as of” references above for recent amendments to the Montana, North Dakota, and Oregon statutes. Beyond that, legislators in 32 states have proposed 2015 bills with yet further changes in breach notification requirements.
Maybe someday we’ll have a federal PII breach notification law that establishes a uniform set of rules – something easier in theory than in reality. In the meantime, organizations must be careful to keep abreast of the crazy quilt of state notification laws. Clarity on what information triggers notification requirements is crucial for keeping current on the proper scope of security controls. And with the response clock ticking after a breach occurs, an up-to-date understanding of response requirements is essential.
As the Department of Justice recommends in its recently issued Best Practices for Victim Response and Reporting of Cyber Incidents: “Legal counsel that is accustomed to addressing these types of issues that are often associated with cyber incidents will be better prepared to provide a victim organization with timely, accurate advice. … Having ready access to advice from lawyers well acquainted with cyber incident response can speed an organization’s decision making and help ensure that a victim organization’s incident response activities remain on firm legal footing.” That’s good advice, to help keep your security posture and breach response from unraveling.