National Association of Attorneys General
States Offer Data Breach Protection
Consumers are becoming increasingly aware of how quickly information they assumed was secure can become exposed. A major security breach at a New England grocery chain, Hannaford Brothers, exposed 4.2 million customers’ credit- and debit-card numbers to potential identity theft. Not a consumer matter, but just as alarming, the passport records of the three U.S. presidential candidates were improperly accessed. Both incidents raise the same questions: how are individuals notified of a data breach, and who bears the responsibility for that notification?
History of Data Breach Legislation
Identity theft targets consumers’ personal information wherever it is stored. One major source of aggregated consumer information, and unfortunately of identity theft, is the data broker. These companies collect and sell consumer data to third parties and, until 2005, most did little to ensure that their customers were not using the data for criminal purposes.
In February 2005, a security breach at ChoicePoint compromised the personal financial records of more than 163,000 consumers, dramatically increasing pressure for security breach legislation. ChoicePoint is one of the largest data aggregators and resellers in the country. It compiles, stores, and sells public records, credit reports, and demographic and lifestyle data about virtually every U.S. adult. In 2005, criminals set up fraudulent businesses and used them to open online ChoicePoint accounts. Through those accounts they were able to view Social Security numbers and dates of birth, among other personal identifying information.
An existing California law [1], the first of its kind, required ChoicePoint to notify all affected Californians about the security breach. News of the breach began to surface after the company notified an estimated 35,000 consumers. Pressure from state Attorneys General across the country forced ChoicePoint to notify affected individuals nationwide. In 2007, forty-four state Attorneys General [2] reached a settlement with ChoicePoint, resolving allegations that it had failed to adequately protect consumers’ personal information.
Since ChoicePoint, numerous other data breaches have occurred at businesses and other organizations, including Bank of America, Citigroup, CardSystems, LexisNexis, TJX Companies and Hannaford. Privacy Rights Clearinghouse, a national non-profit organization, reports that more than 223 million personal records have been involved in security breaches in the U.S. since January 2005. In response, states have taken the lead in enacting legislation that requires companies to notify affected consumers of security breaches.
Current Data Breach Legislation
Despite numerous bills that have been introduced on Capitol Hill, there is no federal data breach notification law. However, 39 states and the District of Columbia have now enacted their own legislation requiring notification of security breaches. Generally, consumers are informed when their data is lost or compromised, putting them on alert for potential identity theft. Some state laws also include a credit freeze provision that allows a consumer to block a credit bureau from disclosing his or her credit report. States differ in their definitions and requirements, but most of the statutes contain four main components:
- The personal information definition describes what type of data is subject to the breach notification law. This definition usually covers an individual’s name in combination with another identifying data element, such as a Social Security number, a driver’s license or identification card number, or a credit card or account number together with any access code or password needed to use it.
- Notification requirements determine who must provide notification in the event of a breach. This is typically any person or business in the state that owns, licenses, or is otherwise responsible for personal information and reasonably believes that the information has been acquired by an unauthorized person. State laws in California and New York, for example, require notification any time unencrypted personal information has been breached and do not let the company decide for itself whether the breach poses a significant risk of harm.
- Notification procedures describe how affected individuals are to be notified, using one of three methods: written notice, electronic notice with the customer’s consent, or substitute notice. Substitute notice is permitted if the cost of providing individual notice would exceed $250,000 or the class of affected persons exceeds 500,000. Substitute notice may be accomplished by e-mail notification, by posting the notice in a conspicuous place on the agency’s or company’s website, and by notifying major media.
- Finally, notification timelines determine how quickly notification is required. States require notification within 10 to 45 days of the breach, depending on the sensitivity of the data. The notable exception is a delay to avoid impeding a criminal investigation, typically at the request of law enforcement.
New Legislative Initiatives
In 2007, seven state legislatures [4] proposed bills that shift the cost of a breach onto the merchant that suffered it. Under this type of law, a company like Hannaford would be liable for the fraud-related losses flowing from its own security breach, rather than the banks that currently carry most of the financial burden.
Minnesota was the first state to enact a retailer breach liability law. The Minnesota law requires a merchant to reimburse a financial institution for the costs of notifying customers of the breach, cancelling and reissuing credit cards, closing or reopening accounts, and refunding customers for unauthorized transactions charged to their accounts. A New Jersey bill proposes to expand liability for breach costs to all businesses and government agencies in the state and to cover all breached protected personal information.
States continue to lead the effort in the fight against identity theft through innovative and practical legislation. In the security breach arena, as well as other disciplines, states clearly prove to be effective “laboratories of democracy.”
[1] Cal. Civ. Code Section 1798.80 et seq.
[2] Alabama, Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Hawaii, Idaho, Illinois, Indiana, Iowa, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, South Dakota, Tennessee, Texas, Vermont, Virginia, Washington, West Virginia, Wisconsin and the District of Columbia.
[4] Alabama, Iowa, Michigan, Minnesota, New Jersey, Washington and Wisconsin.