Privacy & Information Security Law Blog : Privacy Lawyer & Attorney : Hunton & Williams Law Firm : Personal Data, Information Security

On July 9, Missouri Governor Jay Nixon signed a data security breach bill into law leaving Alabama, Kentucky, Mississippi, New Mexico and South Dakota as the only remaining states without a breach notification requirement.  The Missouri law’s noteworthy provisions include a broad definition of personal information that encompasses medical and health insurance information and a requirement to notify consumer reporting agencies and the state attorney general if more than 1,000 consumers are being notified of a security breach.  The Missouri law goes into effect August 28, 2009.

On July 22, Senator Patrick Leahy (D-VT) reintroduced a privacy bill that includes federal data security breach notification requirements.  The Personal Data Privacy and Security Act would require businesses engaged in interstate commerce to notify individuals if their computerized sensitive personally identifiable information (SPII) is subject to a data security breach.  Notably:

• The bill requires notification of: (1) major media within any state where more than 5,000 individuals are affected by a breach; (2) consumer reporting agencies if more than 5,000 individuals are affected; and (3) the Secret Service if more than 10,000 individuals are affected or if the breach involves a federal database, national security officials or a database containing information on more than 1,000,000 individuals. 
• Businesses that collect, use or access the SPII of more than 10,000 individuals must implement a comprehensive data security and privacy program (financial institutions that are subject to the Gramm-Leach-Bliley Act (GLB) and covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA) are exempt from this requirement). 
• The notification provisions of the proposed federal law would not preempt existing state data breach notification laws, but they would supersede any other provision of federal law or any provision of any state law relating to notification by a business engaged in interstate commerce. 

Similar federal privacy legislation has been approved by the Senate Judiciary Committee in prior sessions of Congress, but has never been voted upon by the full Senate.  Senator Leahy’s bill is the third major federal data privacy bill to be introduced in 2009.  Senator Diane Feinstein introduced a data breach notification law in January; in April, Representative Bobby Rush introduced H.R. 2221 (the Data Accountability and Trust Act), a bill  which is strongly supported by the FTC's Acting Director of the Bureau of Consumer Protection.

Finally, on July 27, North Carolina Governor Beverly Perdue signed a bill amending that state’s data breach notification law.  As of October 1, 2009, any time a business provides notice pursuant to the North Carolina statute, the business must also notify the Consumer Protection Division of the North Carolina Attorney General’s Office.  The notice must include information on the nature of the breach, the number of consumers affected, steps taken to investigate the breach, steps taken to prevent a similar breach in the future and information regarding the timing, distribution and content of the notice being sent to affected individuals.   Previously, North Carolina required notification of the state attorney general only when a business provided notice to more than 1,000 persons at one time, and such notification needed to include only the timing, distribution and content of the notice to consumers.

Alaska Stat. § 45.48.010 et seq. will apply to breaches of unencrypted personal information in both paper and electronic records.  Personal information is defined as first name or first initial and last name plus one or more of the following data elements:  (i) Social Security number, (ii) driver’s license number or state identification card number, (iii) account number, credit card number or debit card number, combined with any security code, access code, personal identification number or password needed to access an account, and (iv) passwords, personal identification numbers or other access codes for financial accounts.  Notification is not required if, after an appropriate investigation and written notification to the attorney general of Alaska, the entity experiencing the breach determines that there is not a reasonable likelihood that harm to the individuals whose personal information has been acquired has resulted or will result from the breach.  An entity is also exempt from notification in the event of an unauthorized but good-faith acquisition of personal information by an employee of the entity, so long as the employee does not use the personal information for an illegitimate purpose or make further unauthorized disclosure of the information.  The statute authorizes a state agency to promulgate implementing regulations at any point after the effective date.

South Carolina. Code Ann. § 39-1-90 will apply to breaches of unencrypted personal identifying information in both paper and electronic records.  Personal identifying information is defined as first name or first initial and last name in combination with and linked to one or more of the following data elements:  (i) Social Security number, (ii) driver’s license number or state identification card number, (iii) financial account number, or credit card or debit card number in combination with any required security code, access code or password that would permit access to a resident's financial account, and (iv) other numbers or information that may be used to access a person's financial accounts or numbers or information issued by a governmental or regulatory entity that uniquely will identify an individual.  The law does not require notification in the event of an unauthorized but good-faith acquisition of personal identifying information by an employee of the entity for the purposes of its business if the personal identifying information is not used or subject to further unauthorized disclosure.