Lawyer Article
Identity Theft Notification Laws
June 10, 2005
D. Scott Anderson, a summer associate in the firm's Charlotte office, wrote this article with supervision provided by Mr. Claypoole, a member of the firm's Intellectual Property Practice Group.
Published in the June 14, 2005 issue of Southeast Tech Wire
Until recently, serious concerns over information security were largely relegated to financial institutions and certain operations within the federal government. With an increasing amount of information being stored in networked data warehouses, a rise in cases of identity theft, and a spate of news stories chronicling database breaches around the country, information security concerns are coming within the view of a much larger audience.
Information security has now caught the eye of many state and national legislators. Several states have recently passed laws imposing obligations on a wide range of companies regarding information security. Aside from obligations detailing the handling of sensitive personal data, these various laws mandate that companies notify consumers if their personal information may have been accessed without authorization. These state laws are not always in agreement, however, and companies must remain alert to an increasing number of nuances in the state laws to avoid legal pitfalls.
In 2002, California became the first state to pass a law requiring that companies provide notices of any data security breaches that might have compromised residents’ personal information. Six more states (Arkansas, Georgia, Indiana, Montana, North Dakota, and Washington) have adopted similarly themed legislation so far this year. Related state bills are currently before the governors of Florida and Illinois. This year alone, comparable legislation has been introduced in at least twenty-five other states. In spirit, these bills and laws have much in common; in practical application, they may have some significant differences.
California’s Notice of Security Breach law is the model from which other states are working. The California law requires any person, state agency, or company that does business in the state, or owns information about its residents, to notify Californians if their personal information is acquired by an unauthorized person. Notice is also required when the company reasonably believes that personal information may have been compromised. Notice can be delayed if law enforcement agencies determine that notifying citizens would impede a criminal investigation into the breach. California defines “personal information” as a name (first name or initial and last name) combined with any one of the following unencrypted identifiers: (1) social security number, (2) driver’s license or state identification card number, or (3) any financial account number in combination with a security code that would allow access to the account.
Some states’ laws are nearly identical to California’s. The relevant portions of Washington’s law and the Illinois bill before the Governor track the California law almost word for word. The pending Florida bill also uses definitions similar to those in the California and Washington laws, but it goes further in three respects: notice of a breach must be given within 45 days of discovery, credit agencies must be notified if more than 1,000 residents are affected by a breach, and administrative penalties of up to $500,000 are provided for.
Definitions and provisions are broader in a few states. Arkansas’s legislation is more stringent than the California law. Its notification requirement is similar, but Arkansas adds medical information to the definition of personal information, requires companies to destroy information once it is no longer needed, and voids any waivers of the data security law. Likewise, North Dakota expands the definition of personal information from identity and account numbers to include an individual’s date of birth, mother’s maiden name, or electronic signature.
Other states’ laws apply to only certain entities. Only state agencies must abide by Indiana’s new notification law, and Georgia’s law applies only to information brokers that distribute information to third parties. Though limited in scope, Georgia’s new law is tougher than the California benchmark; under Georgia law, relevant personal information need not be connected with a person’s name if the information alone is sufficient to perform, or attempt to perform, identity theft. This nuance means that more data will come within the definition of personal information, since single pieces of information could trigger notice requirements. Georgia also requires information brokers to notify credit reporting agencies when a breach affects more than 10,000 residents.
While much of Montana’s law is worded largely the same as the California legislation, a special provision changes the analysis for most companies, requiring notification only if database breaches materially compromise personal information. This modifier arguably weakens Montana’s law because it appears that breaches would have to rise to a certain undefined level of significance before notice requirements are triggered. With the Montana statute worded the same as other states’ laws in many instances, this change was likely a deliberate one. Though the state’s intention may have been to avoid overloading its citizens with unnecessary security notifications, the altered language does blur the developing contours of the law.
The more state laws differ on notification and the definition of personal information, the more onerous complying with these laws becomes for businesses that operate in multiple states. While large national businesses that deal with data security issues on a daily basis may be attuned to the growing patchwork of state laws, it is increasingly important for small businesses and regional players to keep an eye on this rapidly changing legislative landscape. Failing to comply with applicable state laws can bring hefty fines, potential lawsuits, and further damage to companies’ reputations. In time, Congress may resolve these disparities with a national database security breach notification law, but that day is far from certain.
This document is intended as an informational reminder and does not constitute legal advice. If you have any questions or would like to discuss a particular situation, please contact Womble Carlyle Sandridge & Rice, PLLC. The purpose of this article is to provide general information about significant legal developments and should not be construed as legal advice on any specific facts and circumstances.
If you have any questions about the topic above, please contact your lawyer or a member of the Intellectual Property Practice Group at Womble Carlyle Sandridge & Rice, PLLC.
