Whew – we’ve survived yet another round of states enacting or amending their PII breach notification laws. If a trial lawyer’s vacation is the time between her question and the witness’s answer, a data security lawyer’s vacation is when state legislatures are out of session.
Back in 2002, California enacted the first state law mandating notification of individuals whose personally identifiable information (PII) is breached. Now every state has followed suit, with the final two holdouts, Alabama and South Dakota, joining the other forty-eight states, the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands by enacting PII breach notification statutes. Each state has its own unique approach, and the states continue to expand their requirements, especially their definitions of what constitutes PII and the timing and content of mandated notifications.
These laws are triggered by the affected individuals’ residency, not where the breach occurred. So, when an organization with employees or customers in many states suffers a data breach, it must comply with a wide variety of conflicting and evolving state breach notification laws. And differ and evolve they do:
Scope of PII
State PII breach notification laws generally apply to a state resident’s name combined with another identifier useful for traditional identity theft, such as the individual’s Social Security number, driver’s or state identification number, or financial account number with access information. But a growing number of states include other combination elements in their PII definition:
- Medical information (Alabama, Arkansas, Arizona, California, Colorado, Florida, Illinois, Maryland, Missouri, Montana, Nevada, North Dakota, Oregon, Puerto Rico, Rhode Island, Texas, and Wyoming)
- Health insurance information (Alabama, Arizona, California, Colorado, Delaware, Florida, Illinois, Maryland, Missouri, Nevada, North Dakota, Oregon, Rhode Island, Texas, and Wyoming)
- Unique biometric data or DNA profile (Arizona, Colorado, Delaware, Iowa, Illinois, Louisiana, Maryland, Nebraska, New Mexico, North Carolina, Oregon, Wisconsin, and Wyoming)
- Shared secrets or security token for authentication (Wyoming)
- Taxpayer ID or other taxpayer information (Alabama, Arizona, Delaware, Maryland, Montana, Puerto Rico, and Wyoming)
- IRS identity protection PIN (Arizona and Montana)
- Email address or Internet account number, with security access information (Alabama, Delaware, Florida, Maryland, Nevada, Rhode Island, and Wyoming)
- Digital or electronic signature (Arizona, North Carolina, and North Dakota)
- Employment ID number combined with security access information (North Dakota and South Dakota)
- Birthdate (North Dakota)
- Birth or marriage certificate (Wyoming)
- Mother’s maiden name (North Dakota)
- Work-related evaluations (Puerto Rico)
And in California, Colorado, the District of Columbia, Florida, Georgia, Illinois, Maine, Nebraska, New York, North Carolina, Oregon, and South Dakota, notification requirements can attach to specified identification data even without the individual’s name, if such information would sufficiently enable unauthorized account access or identity theft.
All of the state breach notification laws apply to PII in electronic or computerized form. But in several states, including Alaska, Hawaii, Indiana, Iowa, Massachusetts, North Carolina, Rhode Island, Washington, and Wisconsin, a breach of PII in any medium, including paper records, can trigger notification requirements.
Effective encryption of PII is an explicit safe harbor from notification obligations in virtually every jurisdiction, but 20 states add the condition that the encryption key must not have been compromised in the breach. Thirty-three states explicitly provide “redaction” as a safe harbor, and 22 states extend the safe harbor to other means that render the information unreadable or unusable.
The mandated time frame for notifying affected individuals is commonly described as the most “expeditious” or “expedient” time possible, “without unreasonable delay,” considering such factors as the need to determine the scope of the breach, to restore system integrity, and to identify the affected individuals. But increasingly, states are imposing outside deadlines for notifications:
- 90 days: Connecticut
- 60 days: Delaware, Louisiana, and South Dakota
- 45 days: Alabama, Arizona, Maryland, New Mexico, Ohio, Oregon, Rhode Island, Tennessee, Vermont, Washington, and Wisconsin
- 30 days: Colorado and Florida
- 10 days: Puerto Rico
Twenty-eight states’ statutes contain prescribed minimum content for breach notifications to individuals, and various states have unique content requirements.
Roughly half of the states require breach reporting to the state’s Attorney General or other designated state agencies, triggered at various specified thresholds of affected individuals, ranging from one to over 1,000. And a majority of the states require breach reporting to credit agencies, triggered at differing thresholds, from one to over 10,000.
…and the rules keep changing
The footprint of these state PII breach notification laws remains volatile. Notable trends include the surge of states including biometric data as PII, the steady growth in states adding medical and health insurance information as PII, and the increase in states establishing hard deadlines for making notifications. States are also becoming more assertive in specific content requirements for notifications, such as the manner in which credit monitoring and identity theft protection services are offered.
A preempting federal law on PII breach notification remains a unicorn, largely due to states’ concerns about that preemption. So, organizations must continue to track the evolving footprint of these state laws. Yes, it’s a bit like assembling a jigsaw puzzle in a windstorm. But keeping up with the changes is crucial — both for breach response readiness, and also for compliantly defining the scope of information subject to the organization’s security safeguards and controls.