There is a wide array of state, federal, and international laws requiring individuals and entities that gather, use and secure “personal” or “protected” information to report, and/or “notice,” when this type of information is accessed or acquired without authorization. The original motivator behind these laws is that this type of information, when in the hands of the wrong person, can be used to commit fraud. The goal is to provide affected individuals, and the government or consumer agencies they may turn to for assistance, with notice of the data security incident so that they may take steps to protect themselves.
Whether notice is required hinges on the types of information accessed or acquired. Each of the myriad laws defines the types of “personal” or “protected” information that trigger notice. Most define this information to be a combination of a resident’s first initial and last name, along with Social Security number, driver’s license number (or other government-issued identification number), healthcare information, or financial information. Some statutes go further, recognizing the risk resulting from unauthorized access to other types of information: birthdate, email address, mother’s maiden name, or tax identification number.
Additionally, certain courts (Massachusetts and California) recognize zip codes as protected information, under certain circumstances.
Recent statutory and proposed changes to North Dakota, California, Vermont, and Washington laws affect the types of information protected, as well as when, and to whom, notice is required. These states aren’t the first to recognize the need to expand their laws. They won’t be the last.
North Dakota’s data breach notice law, effective Aug. 1, 2013, now affords protection to a resident’s health insurance information.
California lawmakers are considering a bill that protects a resident’s username or email address, in combination with a password or security question and answer that would permit access to an online account.
Vermont now requires entities regulated by the Vermont Department of Financial Regulation to provide notice of a breach of the security of personal information of Vermont residents to the department within 14 business days of discovering a breach.
Washington requires insurers to report an event that triggers notice obligations under its data breach notice law and/or HIPAA/HITECH, to Washington’s insurance commissioner within two business days.
There are developments on the federal and international front as well. President Obama’s recent Executive Order, the final HIPAA Omnibus Rule, pending EU legislation, and the 2011 SEC Guidance all reflect the snowballing evolution of cyber law.
President Obama’s February 2013 Executive Order requires development of a cybersecurity framework, including a set of standards, methodologies, procedures, and processes to address cyber risks. The preliminary draft of this framework is expected in September.
Also in February, the European Union issued its proposed Cybersecurity Directive, which calls for the implementation of national reporting authorities to regulate certain industries, investigate breaches, and issue binding instructions.
Under the final HIPAA Omnibus Rule, which went into effect March 26, 2013, a breach – and notice to affected individuals – is presumed unless the covered entity, by way of a risk assessment, demonstrates there is a “low probability” that protected health information has been compromised.
The above is a far-from-exhaustive discussion of the ever-changing nature of data security laws. The takeaway is that if you are not aware of the evolution of these legal duties, you are not prepared. You can be sure that regulators and plaintiffs’ attorneys are paying attention.