Jackson Lewis

More States Enact Data Security/Breach Notification Legislation

Breaches of personal data continue to affect millions of individuals in the United States and internationally. To help protect their residents, state legislatures in the U.S. continue to pass laws aimed at securing this data and requiring certain holders of data to provide notification if a breach occurs. While bills are still being considered in states such as Missouri, Alabama and Iowa, this article briefly discusses recent developments in states that have enacted, or are likely to enact, data security legislation. As repositories for information subject to these laws, employers need to be aware of the new mandates and be prepared to meet the notification requirements should a breach occur.

Alaska

Governor Sarah Palin is considering a data security measure that would, among other things, require businesses to (i) notify residents if their personal information is breached, (ii) properly dispose of records containing personal data, and (iii) restrict the use of Social Security numbers. If signed into law, these provisions would take effect July 1, 2009.

The data breach notification provisions of the legislation (H.B. 65) would require businesses to notify state residents if their unredacted and unencrypted personal information, whether in paper or electronic format, has been breached. However, if the business determines there is no reasonable likelihood that harm would result from the breach, it can avoid the notice requirement so long as it notifies the state Attorney General, documents the decision and retains the documentation for five years. Violation of these requirements could result in civil penalties of up to $500 for each state resident who was not notified, up to a maximum penalty of $50,000.

H.B. 65 also would require businesses to adopt policies and procedures that relate to the adequate destruction and proper disposal of personal information. In this regard, businesses would be required to exercise “due diligence” when hiring third parties to perform these disposal functions. Due diligence would include such steps as examining independent audits of the third party’s operations and obtaining references. Violators would be liable to the state for a penalty not to exceed $3,000 and individuals would have a private right of action to enjoin further violations and to recover actual economic damages and reasonable attorney’s fees.

Indiana

Indiana law has included a breach notification requirement since 2006. That law, however, exempted password-protected portable devices from the notification requirement, provided the password was not also lost in the breach. Effective July 1, 2008, password protection alone will no longer be sufficient to qualify for the exemption; under the amended statute, the portable device must be encrypted. The distinction matters in practice: a login password protects only the device's normal interface, and data on a lost laptop or drive can typically be read by removing the storage or booting from other media, whereas properly implemented encryption protects the stored data itself so long as the key is not also compromised.

South Carolina

On April 2, 2008, South Carolina enacted an omnibus data security bill (S.B. 453) affecting businesses and government agencies. The new law contains data breach notification provisions, required methods of data disposal, and limitations on the use and disclosure of Social Security numbers. While the law generally takes effect on December 31, 2008, the data breach notification requirement does not take effect until July 1, 2009.

Under the law, notice of a breach is not required unless “illegal use of information has occurred or is reasonably likely to occur or use of the information creates a material risk of harm.” If notification is required for more than 1,000 persons at one time, the business must also notify, without unreasonable delay, the Consumer Protection Division of the state Department of Consumer Affairs and all consumer reporting agencies that compile and maintain files on a nationwide basis.

State residents injured by a violation of the data breach requirements have a private right of action to recover damages for willful and knowing violations (limited to actual damages for negligent violations), to obtain an injunction to enforce compliance, and to recover attorney’s fees. For knowing and willful violations, the state Department of Consumer Affairs may also impose an administrative fine of $1,000 for each resident whose information was accessible by reason of the breach.

Virginia

Effective July 1, 2008, Virginia law requires entities doing business in Virginia, as well as state agencies, to notify individuals of a breach of their computerized, unredacted and unencrypted personal information. Notice is required only if the breach causes, or is reasonably believed to have caused or to be likely to cause, identity theft or other fraud to a resident of the Commonwealth.

As under the breach notification laws of some other states, such as Massachusetts and New Hampshire, notification must be provided to the Virginia Attorney General as well as to the affected residents. If more than 1,000 persons must be notified at one time, the business must also notify the Virginia Attorney General and all consumer reporting agencies of the timing, distribution, and content of the notice. The statute is enforced by the Attorney General, who may seek penalties of up to $150,000 per breach. Individuals may also recover direct economic damages resulting from a violation.

West Virginia

On March 27, 2008, Governor Joe Manchin III signed breach notification legislation into law. The law requires businesses and government agencies to notify state residents if their computerized, unredacted and unencrypted personal information is subjected to unauthorized access and acquisition. The West Virginia Attorney General has exclusive enforcement authority, except with respect to certain financial institutions, which are subject to exclusive enforcement by their “primary functional regulator.” While the Attorney General can seek civil penalties, the law expressly provides that “no civil penalty may be assessed in an action unless the court finds that the defendant has engaged in a course of repeated and willful violations.” Civil penalties are capped at $150,000 per breach, or per series of breaches of a similar nature discovered in a single investigation. The law is scheduled to take effect May 6, 2008.

Legislation in this area shows no sign of slowing. These laws significantly increase businesses’ exposure to civil actions by individuals and state agencies over the security of personal data, so businesses that maintain personal information need to understand their obligations under them. Adopting and implementing appropriate policies and procedures, such as a data breach response plan, can go a long way toward reducing potential liability. Members of our Workplace Privacy Group can help your business understand its compliance obligations and plan accordingly.

Copyright © 1998-2010 Jackson Lewis LLP