It’s once again time for a summary round-up for the puzzling array of state PII breach notification laws.
Back in 2002, California enacted the first state law mandating notification of individuals whose personally identifiable information (PII) is breached. By 2018 every state had followed suit, along with the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands. Each state has its own unique approach, and the states continue to expand their requirements, especially their definitions of what constitutes PII and the timing and content of mandated notifications (bold text below reflects changes since 2018).
These laws are triggered by the affected individuals’ residency, not where the breach occurred. So, when a business with employees and customers in many states suffers a data breach, it must comply with a wide variety of conflicting and evolving state breach notification laws.
Scope of PII
State PII breach notification laws generally apply to a state resident’s name combined with another identifier useful for traditional identity theft, such as the individual’s Social Security number, driver’s or state identification number, or financial account number with access information. But an ever-growing number of states include other combination elements in their PII definition:
- Medical information (Alabama, Arkansas, Arizona, California, Colorado, Delaware, D.C., Florida, Illinois, Maryland, Missouri, Montana, Nevada, North Dakota, Oregon, Puerto Rico, Rhode Island, South Dakota, Texas, Vermont, Washington, and Wyoming)
- Health insurance information (Alabama, Arizona, California, Colorado, Delaware, D.C., Florida, Illinois, Maryland, Missouri, Nevada, North Dakota, Oregon, Rhode Island, Texas, Vermont, Washington, and Wyoming)
- Unique biometric data or DNA profile (Arkansas, Arizona, California, Colorado, Delaware, D.C., Iowa, Illinois, Louisiana, Maryland, Nebraska, New Mexico, North Carolina, Oregon, Vermont, Washington, Wisconsin, and Wyoming)
- Shared secrets or security token for authentication (Wyoming)
- Taxpayer ID or other taxpayer information (Alabama, Arizona, California, Delaware, D.C., Maryland, Montana, Puerto Rico, Vermont, Virginia, and Wyoming)
- IRS identity protection PIN (Arizona and Montana)
- Email address or Internet account number, with security access information (Alabama, Delaware, Florida, Maryland, Nevada, Rhode Island, and Wyoming)
- Digital or electronic signature (Arizona, North Carolina, North Dakota, and Washington)
- Employment ID number combined with security access information (North Dakota and South Dakota)
- Birthdate (North Dakota and Washington)
- Birth or marriage certificate (Wyoming)
- Mother’s maiden name (North Dakota)
- Work-related evaluations (Puerto Rico)
And in Arizona, California, Colorado, the District of Columbia, Florida, Georgia, Illinois, Indiana, Maine, Nebraska, New York, North Carolina, Oregon, South Dakota, and Washington, notification requirements can attach to specified identification data even without the individual’s name (in some such states with the proviso that such information would sufficiently enable unauthorized account access or identity theft).
PII media & encryption/redaction safe harbors
All of the state breach notification laws apply to PII in electronic or computerized form. But in several states, including Alaska, Hawaii, Indiana, Iowa, Massachusetts, North Carolina, Rhode Island, Washington, and Wisconsin, a breach of PII in any medium, including paper records, can trigger notification requirements.
Effective encryption of PII is an explicit safe harbor from notification obligations in virtually every jurisdiction, but 22 states now add the condition that the encryption key must not have been compromised in the breach. Thirty-four states now explicitly provide “redaction” as a safe harbor (with seven states adding the condition that the means to un-redact are uncompromised), and 23 states extend the safe harbor to other means used to render the information unreadable or unusable.
The mandated time frame for notifying affected individuals is commonly described as the most “expeditious” or “expedient” time possible, “without unreasonable delay,” considering such factors as the need to determine the scope of the breach, to restore system integrity, and to identify the affected individuals. But increasingly, states are imposing outside deadlines for notifications:
- 90 days: Connecticut
- 60 days: Delaware, Louisiana, South Dakota, and Texas
- 45 days: Alabama, Arizona, Maryland, New Mexico, Ohio, Oregon, Rhode Island, Tennessee, Vermont, and Wisconsin
- 30 days: Colorado, Florida, Maine, and Washington (formerly 45 days)
- 10 days: Puerto Rico
Twenty-nine states’ statutes contain prescribed minimum content for breach notifications to individuals, and various states have unique content requirements.
Thirty-six states require breach reporting to the state’s Attorney General or other designated state agencies, triggered at various specified thresholds of affected individuals, ranging from one to over 1,000. A similar majority of states require breach reporting to credit agencies, triggered at differing thresholds, from one to over 10,000.
… and the rules keep changing
The footprint of these state PII breach notifications remains volatile. Notable trends since 2018 include the ongoing rise in states that include biometric data, medical information, health insurance information, and taxpayer information as PII, and the continuing increase of states establishing, or shortening, deadlines for making notifications. States are also becoming yet more assertive in specific content requirements for notifications, such as the manner in which credit monitoring and identity theft protection services are offered.
The prospects for a preempting federal law on PII breach notification remain slim, largely because of states’ concerns about such preemption. So, businesses must continue to piece together the various requirements in these state laws. Yes, it continues to be like assembling a jigsaw puzzle in a windstorm. But keeping up with the changes is crucial — both for security incident response readiness, and also for compliantly defining the scope of information subject to the organization’s security safeguards and controls.