Data Privacy and Network Security Alert: 3 new state data breach notification statutes

California

As of January 1, 2012, California has amended its data privacy statute to require significantly more information in data breach notification letters sent to California residents. When an entity suffers a breach of personal information (PI), Section 1798.82 of the California Civil Code now requires that the notification:

  • Be made in the most expedient time possible, but without unreasonable delay
  • Be written in plain language
  • Include the name and contact information of the reporting person or business
  • Include a list of the types of personal information that were or are reasonably believed to have been the subject of a breach
  • Include the date of the breach (if known at the time of notification)
  • Indicate whether notification was delayed as a result of a law enforcement investigation
  • Include a general description of the breach incident
  • State the toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a Social Security number or a driver’s license or California identification card number

The amendment also encourages the notifying entity to include the following information:

  • Information about what the person or business has done to protect the affected individuals
  • Advice to affected individuals as to what steps they can take to protect themselves from another breach

If more than 500 California residents need to be notified, the entity must also electronically notify the California Attorney General and provide a redacted copy of the notification letter that was sent to affected California residents.

Illinois

Illinois also amended its data breach notification statute, effective January 1, 2012, to spell out the notice requirements in more detail. As amended, the law requires that breach notification letters sent to Illinois residents include, but need not be limited to:

  • The toll-free numbers and addresses for consumer reporting agencies
  • The toll-free number, address, and website address for the Federal Trade Commission
  • A statement that the individual can obtain information from these sources about fraud alerts and security freezes

In addition, Illinois’ revised statute now addresses the disposal of documents containing PI. Similar to many other states’ data destruction laws, HB 3025 mandates that a “person must dispose of materials containing personal information in a manner that renders the personal information unreadable, unusable, and undecipherable.” Paper documents with PI may either be redacted, burned, pulverized, or shredded. Hard copy records may be destroyed or erased so that PI cannot practicably be read or reconstructed. The new law also allows an organization to contract with a third party who will dispose of such materials containing PI, provided that appropriate policies and procedures are implemented to ensure that the third party will properly carry out its duties and protect the security of PI consistent with Illinois’ new statute.

Texas

As of September 1, 2012, the Texas Attorney General may well become the most powerful in the nation. That is because when the new Texas Security Breach Bill (HB 300) goes into effect, it will affect companies all across the country if they transact any business in Texas. At first glance, HB 300 appears to be new healthcare privacy legislation intended to protect the privacy of protected health information. Section 14 of the new law signed by Governor Rick Perry, however, contains a very intriguing provision relating to general data breaches.

Just like a majority of data privacy laws, the first part of Section 14 requires a “person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information shall disclose any breach of system security, after discovering or receiving notification of the breach, to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person…” But unlike any other data privacy statute, the new Texas law sets forth its definition of “any individual” to mean any individual, no matter where they reside:

Notwithstanding Subsection (b) the requirements of Subsection (b) apply only if the individual whose sensitive personal information was or is reasonably believed to have been acquired by an unauthorized person is a resident of this state or another state that does not require a person described by Subsection (b) to notify the individual of a breach of system security.

Thus, Texas’ new law requires an organization that has suffered a breach not only to notify residents of Texas, but also to notify individuals residing everywhere else in the United States (provided the organization conducts business in Texas, which means having at least one customer in Texas). Residents of the states that do not yet have a data breach statute (Alabama, Kentucky, New Mexico, and South Dakota) will now be provided with notice of a breach. The bigger problem, however, arises with states such as Massachusetts, which have strict breach notification statutes that restrict the types of information you can disclose to an affected individual. One thing is certain, however: Texas intends to impose hefty fines on those that violate its new law, which can reach up to $250,000 for a single breach incident.

If you were uncertain before, these new statutes further underscore the fact that a “one size fits all” breach notification letter cannot be used. What is required in one state is illegal in another. Given these rapidly changing requirements, it is now more critical than ever to work with experts who are knowledgeable and well versed in this area.

If you have any questions, please contact:

James J. Giszczak
248.220.1354
jgiszczak@mcdonaldhopkins.com

Dominic A. Paluzzi
248.220.1356
dpaluzzi@mcdonaldhopkins.com

McDonald Hopkins counsels businesses and organizations regarding all aspects of data privacy and network security, including proactive compliance with the numerous state, federal and private data security regulations (including PCI DSS and HITECH) relative to personal information and protected health information, training of employees and preventative measures to decrease the risk of data theft. We also counsel businesses and organizations through the data breach response process and coordinate notifications to affected individuals and state attorneys general, as well as advising on media related issues. Our attorneys can help you properly assess your risks to ensure compliance. After you complete the brief McDonald Hopkins Data Privacy and Network Security Review, your company will be provided with an assessment of the required areas of compliance which have the greatest need of attention and improvement.

© 2012 McDonald Hopkins LLC All Rights Reserved. This Alert is designed to provide current information for our clients, friends and their advisors regarding important legal developments. The foregoing discussion is general information rather than specific legal advice. Because it is necessary to apply legal principles to specific facts, always consult your legal advisor before using this discussion as a basis for a specific action.