More States Enact Security Breach Notice Laws

05.18.2005

In 2002, California enacted the nation's first security breach notification law (SB 1386), which required businesses to notify California residents if computer systems were compromised and personal information disclosed. Personal information is defined as a person's name in combination with an unencrypted social security number, driver's license number, or financial account or credit card number with an accompanying access code.

Few states followed California's lead immediately, and the handful whose legislatures proposed notification laws in 2003 and 2004 saw the bills die in session. However, news stories about security breaches and losses of personal data have become common fare. The high-profile story in February 2005 about information broker ChoicePoint's mistaken sale of the personal information of about 145,000 people has since led to a flurry of state activity and given life to federal security legislative proposals.

This year, thirty-two state legislatures have proposed laws to require notice to consumers in the event of a security breach that results in unauthorized disclosure of personal information. With the 2005 legislative session drawing to a close in many states, five states have passed notification laws: Arkansas, Georgia, Montana, North Dakota and Washington. Florida's legislature has passed a notification law that, at the time of this publication, is awaiting the governor's signature.

Similar legislative proposals are pending in Missouri, Minnesota, Tennessee, and Texas, whose legislative sessions end shortly, while Illinois, New Jersey, and New York have laws pending in their longer legislative sessions. Six states, including Colorado, have rejected notice laws or tried to pass laws that died in the legislature without action.

The laws enacted so far track California's model closely, but there are some key differences. First, personal information is not uniformly defined among the states. Montana, for example, treats a Social Security number alone as personal information. Arkansas includes medical information in combination with a name as personal information. Georgia treats any password or other identifier that permits access to an account as personal information, even without the name.

Further, most states permit enforcement of the notification law by the state's attorney general, but are silent on whether a private cause of action exists. Washington, however, includes in its law a private cause of action for injunctive relief and damages. Florida's law, if enacted, will include stiff penalties for a failure to give notice within the prescribed period.

Finally, notification periods after discovery of a breach are not uniform across the legislation, nor are the exceptions for delaying notice (e.g., for internal investigation, corrective action, or to assist law enforcement). Some states require immediate notification; others require prompt or timely notice.

The inconsistencies in these state laws are likely to lead Congress to step in with uniform standards for security breach notification that will preempt inconsistent state laws. At least three federal bills are pending (S. 751, Feinstein; S. 68, Schumer; and H.R. 1069, Bean) that contain security breach notification obligations, and other committees continue to hold hearings on identity theft, information brokers and privacy.

In the meantime, businesses must be alert to the new state laws that mandate such notice. While California's law was widely publicized due to its first-in-the-nation status, the current cascade of state notification laws may catch businesses off guard in the event of a security breach. Because the laws vary in terms of timing and requirements, there is no single common denominator for notification. Notice will have to be addressed on a state-by-state basis.