As data breaches continue to escalate in both frequency and scope, government officials at both the federal and state levels are working toward more robust legislation to regulate the process of breach notification. 2015 saw a major Congressional push to establish a federal data breach standard, with nearly a dozen new breach notification bills introduced. Despite initial promise surrounding a few of these bills, the legislative year came and went without much movement. In fact, most of these bills remain stalled in committee. With an increasingly polarized Congress in a divisive presidential election year, many privacy experts do not expect much progress in 2016.
Without a federal standard, companies are forced to comply with a patchwork of state privacy regulations that rarely align on even the most fundamental components. State breach notification laws run the gamut, from states like California with strict consumer protections to states like Alabama, New Mexico, and South Dakota, where there are still no state-level breach notification laws in place. Companies operating or employing people in multiple states must be prepared to comply with dramatically different standards in the event of a breach.
2015 was something of a banner year for the evolution of state breach legislation. Thirty-three states introduced new security breach bills or resolutions, with 13 states passing new bills or making significant amendments to existing legislation (according to the National Conference of State Legislatures). Of these states, California continues to set the pace for consumer-friendly breach legislation. The Golden State passed two new bills this year – A.B. 964 and S.B. 570 – which define the meaning of encrypted data and set a new template for breach notices. With California repeatedly ahead of the game, these new bills may serve as a bellwether for legislation soon to be introduced in other states.
Beginning with California’s new template for breach notifications, let’s examine the ongoing trends in state breach notification laws.
Defining the template for breach notifications
California’s S.B. 570 goes where no state law has gone before. It prescribes – down to the font size – exactly how companies should notify the public in the event of a breach. To begin, the breach notice must be titled “Notice of a Data Breach” and must include sections titled:
- “What Happened”
- “What Information Was Involved”
- “What We Are Doing”
- “What You Can Do”
- “Other Important Information”
- “For More Information”
It also gives specific instructions for posting the notification, allowing companies to post a link to the notification on the home page of their website, provided it is conspicuously posted with contrasting fonts, colors, symbols, or formatting, remains posted for a minimum of 30 days, and calls attention to itself with a font size of at least 10 point. Notifications may also be emailed, unless the company’s email database was also compromised in the breach.
Why is this significant? For starters, this level of detail is new. Other states define what information a breach notification must include, but no state goes so far as to define the specific way in which the company must organize the notice. More importantly, this first-in-the-nation provision may become a de facto standard, as companies may elect to rely on California’s template even when the breach affects consumers outside the state.
Still, even with the first notification template in place, the road to consistency will be an uphill battle. Many states require breach notifications to include information that differs substantially from what California requires. Rhode Island, for example, requires that companies notify individuals of their right to request a police report. A company operating in both California and Rhode Island, then, would need to accommodate both states’ mandates in any unified breach notification, or issue separate notifications for each state impacted. As states continue to pass new legislation and amend existing legislation, these challenges will only increase.
Defining when to report breaches to authorities
In addition to notifying affected individuals, nearly half of all states require companies to disclose a breach simultaneously to state authorities, typically the state attorney general or other regulators. Five states – Montana, North Dakota, Washington, Oregon, and Rhode Island – passed amendments requiring notification to regulators in 2015. As of this writing, all but Rhode Island have implemented this new provision (Rhode Island’s new breach notification bill goes into effect in July 2016). Many privacy experts expect this trend to continue, with more states proposing legislation requiring prompt reporting to regulators following a breach.
Among the 23 states requiring notification to regulators, there are still incongruities in the threshold that triggers the reporting requirement. Some laws, like the newly implemented requirement in Washington, require a minimum of 500 affected individuals before a company must report. Some states set the threshold at 250 and others at 1,000. But the majority of states requiring reporting do so regardless of the number of affected individuals. These discrepancies are unlikely to be resolved until a federal standard is passed.
New Categories of Data that Trigger State Breach Notifications
Which categories of personal information trigger a state breach notification? State requirements are not consistent, and the categories continue to evolve. However, all states with breach notification laws agree that, at a minimum, a breach notification will be triggered by unauthorized access to a first name (or initial) and last name in conjunction with a driver’s license number or state ID number, Social Security number, or credit or debit card numbers in combination with required security codes.
Beyond this baseline, the categories of “trigger information” continue to expand. Many states have expanded the categories to include personal health information and health insurance information. In 2016, as more sensitive data is collected by more organizations, states will continue to broaden the categories of data that trigger a mandatory notification. For example, beginning January 1, 2016, Oregon expanded this category to also include biometric data, including fingerprint scans and iris or retina scan data. In addition, as part of an amendment to its breach notification law, Rhode Island will expand its definition of personal information in July to include an email address with a password that would allow access to personal, medical, insurance, or financial information.
These trends received a great deal of attention in 2015, and data breach notification law is expected to be a popular topic in 2016. Other areas of notification, including tighter notification deadlines following a breach and requirements to provide complementary identity protection and monitoring services, will likely receive extra consideration this year as well.
The state breach notification landscape continues to evolve rapidly and inconsistently. And, barring the unexpected passage of a federal law, companies will continue to face the growing regulatory challenges that follow in the wake of a breach affecting multiple states.
Check out our State by State Roadmap to US Data Breach Notifications Laws to get the most recent information on the relevant laws in each state, the categories of personal information that trigger the notification, and other useful information to navigate the complex web of state data breach notification laws.