National Association of Attorneys General
Aftermath of the Target Data Breach: State Laws & Bills
The data breach at Target Corporation in December, exposing millions of debit and credit card numbers just prior to the holidays, has focused attention at the state level on updating state data breach notification laws. Forty-six states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private and/or government entities to notify affected individuals of data breaches involving their personally identifiable information. Most of these laws include specifications as to the entities required to comply, the elements constituting a breach, the timing and method of notification required and any exemptions to the requirements. As a result of the Target breach, several new bills on this issue have been introduced in state legislatures, and this article will provide an update on several of those bills which have shown movement through their respective legislatures.
Perhaps the most notable of these bills are those recently passed by the House chamber of Kentucky and New Mexico, two of the four states currently without data breach notification statutes. On March 10, the Kentucky House passed H.B. 232, requiring any person or entity doing business in the state to expeditiously notify anyone whose personal identifying information may be compromised after the breach is discovered. The bill would also require any breach affecting the personal information of more than 1,000 persons to be reported to the three major credit reporting agencies. Previously, on Jan. 30, the House passed H.B. 5, a bill requiring state and local government agencies to notify the state police, public auditor and state attorney general within 24 hours of the discovery of a security breach. Those agencies would also be required to conduct a reasonable and prompt investigation into the breach and to notify individuals whose personal data was exposed within 35 days of completing the investigation into the breach. Kentucky would also have to report a breach involving the personally identifiable information of 1,000 or more individuals to national consumer reporting agencies.
Turning to New Mexico, its House passed H.B. 224 on Feb. 17, a bill which would require any person owning, maintaining or possessing the personally identifiable information of a state resident to notify affected individuals within 10 days of discovering a breach and also notify the state attorney general within 10 business days if more than 50 residents were affected. The bill also contains provisions for credit card breaches and would require companies to implement and maintain reasonable security and data disposal procedures. The bill would give the state attorney general authority to seek injunctive relief and recovery of actual damages, as well as a civil penalty of up to $150,000 for failure to notify.
In Arizona, legislative efforts were directed at extending the scope of data security to the education system and student data. The Arizona House passed H.B. 1645 on March 6, which would require its Department of Education to develop and implement a detailed security plan incorporating security audits and planning for a possible breach of data security, including notification procedures to entities affected by the breach. The bill would also require contracts with outside vendors governing databases to include express provisions for safeguarding security and penalties for non-compliance.
In Iowa, the state Senate passed S.B. 2259 on Feb. 26, a bill widening the definition of a breach to include the unauthorized acquisition of personal information. The bill details the notification requirements, as well as requiring notification to the state attorney general of any breach affecting more than 500 residents.
Finally, the Vermont Senate passed S.B. 269 on March 12, a bill which requires that those whose personally identifiable information has been compromised be notified of the breach no later than 45 days after its discovery. The bill details the specific information to be provided in the notification, and also requires the state Attorney General's Office or the Department of Financial Regulation to be notified of a breach within 14 business days.