In the past two months, lawmakers in three states have introduced legislation that would expand the scope of certain security breach notification requirements.
Virginia SB 1041
On January 11, 2011, Virginia lawmakers introduced SB 1041, which would amend the state’s health breach notification statute to impose notification requirements on businesses, individuals and other private entities, in the event unencrypted or unredacted computerized medical information they own or license is reasonably believed to have been accessed and acquired by an unauthorized person. The law currently applies only to organizations, corporations and agencies supported by public funds. In addition to broadening the scope of the law’s applicability, the amendment would permit the Virginia Attorney General to impose a civil penalty of up to $150,000 per breach (or series of similar breaches that are discovered pursuant to a single investigation), without limiting the ability of individuals to recover direct economic damages for violations.
Update: On February 11, 2011, BNA’s Privacy Law Watch reported that SB 1041 had failed and would not be carried over to the next legislative session.
Oregon HB 2851
Also on January 11, 2011, legislators in Oregon introduced HB 2851, which would expand the definition of “breach of security” under the Oregon Consumer Identity Theft Protection Act to include an unauthorized acquisition of “written data” that compromises personal information. “Written data” is defined in the bill as “information obtained from any paper, document, instrument, record, report, memorandum, communication, file or other tangible written material, whether an original or a copy, and regardless of physical form or characteristic…” Currently, only a handful of state breach notification laws apply to incidents involving hard-copy records. The bill also would require the development, implementation and maintenance of reasonable safeguards to protect written data.
California SB 24
On December 6, 2010, California State Senator Joe Simitian (D-Palo Alto) introduced SB 24, which would establish new content requirements for breach notification letters and require that entities submit a sample notification letter to the Attorney General when the breach affects more than 500 California residents.
This is the third time Senator Simitian has introduced a bill seeking to build on the landmark California breach notification law he authored in 2002. Former Governor Schwarzenegger vetoed previous iterations of the bill in 2009 and 2010, citing a lack of proof that the information currently provided to consumers was insufficient, or that requiring notice to the Attorney General provided any additional consumer benefit.
As these legislative initiatives emerge at the state level, the Department of Commerce issued a privacy paper on December 16, 2010, in which it proposed a federal commercial data security breach notification law that would establish national standards and authorize enforcement by state authorities.