In an Era of Anything’s Accessible: State Security Breach Notification Laws Enhance the Protection of Personal Information

Overview

While the talk of 2011 may be the possibility of Congressional action on a privacy bill or a single, preemptive federal data security law, states currently provide the best means of protecting personal information. Forty-six states, the District of Columbia, the District of Puerto Rico, and the Virgin Islands have enacted laws requiring organizations that possess sensitive personal information to notify individuals of privacy breaches.[1]

With California paving the way,[2] breach notification laws are driven by concerns that privacy breaches may lead to identity theft and fraud. Technological advancements have made it possible for organizations to store vast amounts of personal data electronically. Any breach of e-storage containing personal identifying information creates the risk of an unauthorized person stealing the information to assume another’s identity and engage in fraud.

According to the Privacy Rights Clearinghouse, there have been more than 533 million breaches of sensitive personal information since 2005.[3] While further study is needed on information security practices, privacy breaches, and the link between these breaches and fraud, state notification statutes have motivated organizations to improve data security of personal information so as to avoid adverse publicity, embarrassment, brand damage, and the potential legal ramifications arising from the theft or misuse of personal information.[4]

Breach notification statutes apply to state and private organizations, such as data brokers, retailers, credit card issuers, payment processors, banks, furnishers of credit reports, and any other organizations that possess databanks of personal information.[5] State involvement in data breaches also has extended into the medical realm, as states enforce the Health Information Technology for Economic and Clinical Health (HITECH) Act.[6]

Security breach notification statutes generally include the following commonalities. First, the statute defines the scope and nature of the information covered by the law. Second, the statute specifies events and conditions triggering obligations under the law. Third, the statute defines obligations under the law in the event action is required. Although common attributes of breach notification statutes are discussed below, organizations must recognize that the laws vary by state and sometimes in significant ways. If your organization experiences a data breach involving individuals in more than one state, then your obligation in different states may vary and require cumulative and concurrent action.

Scope and Nature of Information Covered by Statute

Identity theft and well-publicized data breaches prompted California to enact the first state-level security breach notification law. The California statute, which has been amended since 2003, requires any agency, person, or business that conducts business in California and “that owns or licenses computerized data that includes personal information” to notify affected California residents of any security breach in the resident’s personal information that was, or is reasonably believed to have been, accessed by an unauthorized person.[7]

Under the revised California statute,[8] personal information refers to “an individual’s first name or first initial and last name in combination with any one or more of the following”: (a) a social security number; (b) driver’s license or California identification card number; (c) account, credit, or debit card number in combination with any security or access code or password that would allow access to an individual’s financial account; (d) medical information;[9] and (e) health insurance information.[10] The term “personal information,” however, does not include “publicly available information that is lawfully made available to the general public from federal, state, or local government records.”[11]

All but four states have enacted similar data breach notification laws.[12] Mississippi enacted the most recent statute, which takes effect on July 1, 2011.[13] Some states define “personal information” more expansively, so as to include the name of the person (first name or initial and last name) plus email address, alien registration number, passport number, employer or tax ID number, Medicaid or food stamp account number, biometric data and fingerprints, insurance policy number, Department of Transportation operator’s number, unique electronic number, address, or routing code.[14]

New York’s statute takes a different approach. Instead of using the name of the person, it defines “personal information” as “any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.”[15] It then defines “private information” as “personal information in combination with any one or more of the following data elements [such as social security number, driver’s license, etc.]” when “either the personal information or the data is not encrypted, or encrypted with an encryption key that has also been acquired[.]”[16]

In the vast majority of states, the application of breach notification laws is limited to computerized data that contains personal information, and even then, only if the computerized data is unencrypted. Some statutes, such as Maine, North Carolina, Ohio, and Pennsylvania, define the term “encrypted,” while others, such as California, do not. In a small number of states, breach notification obligations may be implicated if personal information in paper records is the subject of a breach.

Lastly, some states, such as Illinois, Ohio, and Pennsylvania, exempt redacted information from notification obligations. The term “redacted” is not always defined, which provides uncertainty as to what type or extent of redaction eliminates the notification requirement.

Events and Conditions Triggering Breach Notification Obligations

Breach notification laws typically apply if “personal information” is acquired by an unauthorized person or in the event that there is a breach of the security of the system. A “breach” is considered to have occurred when someone acquires computerized data that compromises the security, confidentiality, or integrity of personal information. One issue to consider is whether “acquired” means the same as “accessed.” Further, some statutes cover an acquisition that compromises the “integrity” of personal information.

As we all know from high-tech law enforcement shows like Criminal Minds and NCIS, discovering a breach of security may be difficult. Skilled hackers like characters Penelope Garcia or Timothy McGee can erase their steps in the electronic storage system. They can disguise the destination of downloaded data. Accordingly, in some instances, identifying the security breach that triggers the notification obligations may present challenges, but the organization cannot merely rely on the absence of evidence. To quote from the Global Practices — Consumer Protection and Data Breach Notification Conference, “[t]he absence of evidence is not evidence of absence.”[17]

Some statutes require notification whenever there is unauthorized access of personal information, while others do not require notification if an organization reasonably determines that harm is not likely to result from the breach. New York’s statute goes further and requires that companies notify the Attorney General, the Consumer Protection Board, and the State Office of Cyber Security and Critical Infrastructure Coordination about the number of individuals affected and the timing and distribution of the notice.[18] All state breach notification statutes place the burden of deciding whether notification is required on the organization itself.

When and What Type of Notice is Required?

If an organization determines that a breach requiring notice has occurred, a myriad of issues arise, the most complex being when and what type of notice must be given to the individual whose personal information has been compromised. In general, notice must be given as expeditiously as possible without unreasonable delay, although notice may be delayed if providing notice would interfere with a law enforcement investigation. A few states have bright line rules setting forth a specific number of days within which notice must be provided.

Notwithstanding, most statutes provide some flexibility concerning the type of notice that must be provided. Written notice is the standard approach, with many states allowing electronic notice if such notice is provided in a manner consistent with the Electronic Signatures in Global and National Commerce Act (E-SIGN Act). A few states permit telephonic notice.

Under certain circumstances, such as breaches involving an unusually large number of individuals or where the costs of notification may be beyond the resources of a small business, substitute notice is permitted. Substitute notice generally requires email notice where possible, conspicuous posting of notice on the company’s website, and notification to a major statewide media outlet. A few states require that notice must be given to state authorities in addition to those individuals whose information was the subject of a breach.

Most state statutes do not specify exactly what must be stated in the notice; however, the statutes that do serve as useful guidance. Generally, they provide that notice must describe the breach incident, the type of personal information that was placed at risk, and the steps that the company has taken to minimize or prevent further risk. It is also commonly required that the notice include a telephone number that the individual can call with questions or to seek further guidance, as well as a reminder that individuals should exercise diligence in monitoring their accounts and finances, such as credit reports, to determine whether the breach has resulted in any specific harm.

Practical Steps

Organizations must be proactive in the management and security of personal information stored on electronic systems and should have a notification plan in place before an incident occurs. Based on studies conducted by the Samuelson Law, Technology, & Public Policy Clinic,[19] components to consider in developing a plan include:

• A uniform standard that requires public notice of all personal information breaches, which serves to ensure that all affected consumers are provided with breach notices.

• A uniform reporting standard that requires notification to a centralized organization in addition to consumers.

• Clarified and broadened technology safe harbor provisions that go beyond encryption, which serve to give the organization better guidance on what types of security mechanisms are sufficient to prevent lost data from being accessible for the purpose of misuse.

• A safe harbor period for notifications, which serves to balance the need for clear instructions on how quickly notifications must be given against the organization’s need for flexibility to investigate and remedy security breaches.

• Collected information on the type of notification trigger that should be used.

The following statutes require companies to notify consumers when their personal information has been breached:

Alaska: Alaska Stat. § 45.48.010 et seq. Notification may be via written notice or by electronic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available. Penalty: Up to $500 per resident who was not notified.

Arizona: Ariz. Rev. Stat. § 44-7501. Notification may be via written notice or by electronic or telephonic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available. Penalty: Up to $10,000 per breach.

Arkansas: Ark. Code § 4-110-101 et seq. Notification may be via written notice or by electronic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available.

California: Cal. Civ. Code §§ 1798.29, 1798.82. Notification may be via written notice or by electronic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available.

Colorado: Colo. Rev. Stat. § 6-1-716. Notification may be via written notice or by electronic or telephonic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available.

Connecticut: Conn. Gen Stat. 36a-701(b). Notification may be via written notice or by electronic or telephonic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available.

Delaware: Del. Code tit. 6, § 12B-101 et seq. Notification may be via written notice or by electronic or telephonic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available.

Florida: Fla. Stat. § 817.5681. Notification may be via written notice or by electronic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available. Penalty: Up to $500,000 for failure to notify within 45 days.

Georgia: Ga. Code §§ 10-1-11, -912. Notification may be via written notice or by electronic or telephonic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available.

Hawaii: Haw. Rev. Stat. § 487N-2. Notification may be via written notice or by electronic or telephonic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available. See statute for specific notice requirements. Penalty: Up to $2,500 for each violation plus damages incurred as a result of the breach.

Idaho: Idaho Stat. §§ 28-51-104 to 28-51-107. Notification may be via written notice or by electronic or telephonic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available. Penalty: Up to $25,000 per breach.

Illinois: 815 ILCS 530/1 et seq. Notification may be via written notice or by electronic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available.

Indiana: Ind. Code §§ 24-4.9-1-1 et seq., 4-1-11 et seq. Notification may be via written notice, facsimile, or by electronic or telephonic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available. Penalty: Up to $150,000 and the attorney general’s costs of enforcement.

Iowa: Iowa Code § 715C.1. Notification may be via written notice or by electronic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available. See statute for specific notice requirements.

Kansas: Kan. Stat. 50-7a01, 50-7a02. Notification may be via written notice or by electronic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available.

Louisiana: La. Rev. Stat. § 51:3071 et seq. Notification may be via written notice or by electronic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available. Penalty: Actual damages caused by breach.

Maine: Me. Rev. Stat. tit. 10 §§ 1347 et seq. Notification may be via written notice or by electronic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available. Business shall also notify the appropriate state regulators within the Department of Professional and Financial Regulation, or if the person is not regulated by the department, the Attorney General. Penalty: Up to $500 per violation; maximum of $2,500 for each day the business is in violation.

Maryland: Md. Code, Com. Law § 14-3504 et seq. Notification may be via written notice or by electronic or telephonic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available. See statute for specific notice requirements. A business shall provide notice of a breach to the Office of the Attorney General prior to giving the notification.

Massachusetts: Mass. Gen. Laws 93H § 1 et seq. Notification may be via written notice or by electronic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available. The notice shall also be provided to the attorney general and consumer reporting agencies or state agencies, if any. See statute for specific notice requirements.

Michigan: Mich. Comp. Laws § 445.72. Notification may be via written notice or by electronic or telephonic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available. See statute for specific notice requirements. Penalty: Up to $250.00 for each failure to provide notice, not to exceed $750,000.

Minnesota: Minn. Stat. §§ 325E.61, 325E.64. Notification may be via written notice or by electronic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available.

Mississippi: Miss. Code Ann. § 75-24-29 (eff. July 1, 2011). Notification may be via written notice or by electronic or telephonic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available.

Missouri: Mo. Rev. Stat. § 407.1500. Notification may be via written notice or by electronic or telephonic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available. See statute for specific notice requirements. In the event a business provides notice to more than one thousand consumers at one time, the business shall notify the attorney general’s office.

Montana: MCA §§ 30-14-1704, 2-6-504. Notification may be via written notice or by electronic or telephonic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available.

Nebraska: Neb. Rev. Stat. §§ 87-801 et seq. Notification may be via written notice or by electronic or telephonic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available.

Nevada: Nev. Rev. Stat. 603A.010 et seq. Notification may be via written notice or by electronic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available.

New Hampshire: N.H. Rev. Stat. §§ 359-C:19, -C:20, -C:21. Notification may be via written notice or by electronic or telephonic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available. See statute for specific notice requirements.

New Jersey: N.J. Stat. 56:8-163. Notification may be via written notice or by electronic or telephonic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available. The breach of security and any information pertaining to the breach must be reported to the Division of State Police in the Department of Law and Public Safety before notification to the customer.

New York: N.Y. Gen. Bus. Law § 899-aa. Notification may be via written notice or by electronic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available. Business shall notify the state attorney general, the consumer protection board, and the State Office of Cyber Security and Critical Infrastructure Coordination as to the timing, content, and distribution of the notices and approximate number of affected persons.

North Carolina: N.C. Gen. Stat § 75-65. Notification may be via written notice or by electronic or telephonic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available. See statute for specific notice requirements. The business shall notify without unreasonable delay the Consumer Protection Division of the Attorney General’s Office of the nature of the breach, the number of consumers affected by the breach, steps taken to investigate the breach, steps taken to prevent a similar breach in the future, and information regarding the timing, distribution, and content of the notice.

North Dakota: N.D. Cent. Code § 51-30-01 et seq. Notification may be via written notice or by electronic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available.

Ohio: Ohio Rev. Code §§ 1347.12, 1349.19, 1349.191, 1349.192. Notification may be via written notice or by electronic or telephonic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available. Penalty: Up to $1,000 a day for violations. After 60 days, $5,000 a day penalty. After 90 days, a $10,000 a day penalty.

Oklahoma: OK ST. T. 74 § 3113.1 and 24 § 161 to -166. Notification may be via written notice or by electronic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available. Penalty: Up to $150,000.00 per breach or actual damages.

Oregon: Oregon Rev. Stat. § 646A.600 et seq. Notification may be via written notice or by electronic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available. See statute for specific notice requirements.

Pennsylvania: 73 Pa. Stat. § 2303 et seq. Notification may be via written notice or by electronic or telephonic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available.

Rhode Island: R.I. Gen. Laws § 11-49.2-1 et seq. Notification may be via written notice or by electronic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available. Penalty: Up to $100 per occurrence, not to exceed $25,000.

South Carolina: S.C. Code § 39-1-90. Notification may be via written notice or by electronic or telephonic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available. Penalty: Up to $1,000 for each resident whose information was accessible by reason of the breach (amount to be decided by the Department of Consumer Affairs).

Tennessee: Tenn. Code § 47-18-2107, 2010 S.B. 2793. Notification may be via written notice or by electronic or telephonic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available.

Texas: Tex. Bus. & Com. Code § 521.053. Notification may be via written notice or by electronic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available.

Utah: Utah Code §§ 13-44-101, -102, -201, -202, -301. Notification may be via written notice or by electronic or telephonic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available. Penalty: Up to $2,500 for a violation or series of violations concerning a specific consumer; and no greater than $100,000 in the aggregate for related violations concerning more than one consumer.

Vermont: 9 V.S.A. § 2430 et seq. Notification may be via written notice or by electronic or telephonic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available. See statute for specific notice requirements.

Virginia: Va. Code § 18.2-186.6, § 32.1-127.1:05 (effective January 1, 2011). Notification may be via written notice or by electronic or telephonic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available. See statute for specific notice requirements. Business shall disclose any breach of the security of the system following discovery or notification of the breach of the security of the system to the Office of the Attorney General.

Washington: Wash. Rev. Code § 19.255.010, 42.56.590. Notification may be via written notice or by electronic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available.

West Virginia: W. Va. Code §§ 46A-2A-101 et seq. Notification may be via written notice or by electronic or telephonic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available. See statute for specific notice requirements. No civil penalty unless repeated and willful violations. Penalty: Up to $150,000.

Wisconsin: Wis. Stat. § 134.98 et seq. Notification may be via mail or by a method the business has previously employed to communicate with the subject of the personal information. See statute for specific notice requirements.

Wyoming: Wyo. Stat. § 40-12-501 to -502. Notification may be via written notice or by electronic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available. See statute for specific notice requirements.

District of Columbia: D.C. Code § 28-3851 et seq. Notification may be via written notice or by electronic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available. See statute for specific notice requirements. Penalty: Up to $100 for each violation, the costs of the action, and reasonable attorney’s fees. Each failure to provide a District of Columbia resident with notification constitutes a separate violation.

Puerto Rico: PR ST T. 10 § 4051 et seq. Notification may be via written notice or by electronic means. Where a large breach occurs or where the cost to notify is high, alternative methods of notice are available. Within a non-extendable term of ten (10) days after the violation of the system’s security has been detected, the parties responsible shall inform the Department of Consumer Affairs.


[1] A state-by-state survey can be found at the end of this article.

[2] Cal. Civ. Code §§ 1798.29, 1798.82.

[3] “500 Million Sensitive Records Breached Since 2005,” Privacy Rights Clearinghouse, Aug. 10, 2010, <http://www.privacyrights.org/500-million-records-breached> (last accessed May 5, 2011); see also Chronology of Data Breaches, Privacy Rights Clearinghouse, May 6, 2011, <http://www.privacyrights.org/data-breach#1> (last accessed May 7, 2011).

[4] See M. Turner, Towards a Rational Personal Data Breach Notification Regime, Information Policy Institute, at 2 (2006), <http://perc.net/files/downloads/data_breach.pdf> (last accessed May 7, 2011).

[5] See supra note 1.

[6] In February 2009, President Obama signed the HITECH Act as part of his overall economic stimulus plan. 42 U.S.C. §§ 300jj-15, 300jj-16, 300jj-17(d) (2010). The HITECH Act continues the effort of the Health Insurance Portability and Accountability Act (HIPAA) to encourage movement to electronic patient records and to deliver stricter data protection regulations for more secure patient privacy. Id. Among the most important of the HITECH Act mandates is a federal breach notification requirement for stored health information that is not encrypted or otherwise made indecipherable, as well as increasing penalties for violations. Id. Until this law was passed, only two of the 46 states with data breach notification requirements included health information as a specified data type. Id.

[7] Cal. Civ. Code § 1798.82.

[8] Id. at §1798.82(e).

[9] “Medical information” means “any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional.” Id. at §1798.82 (f)(2).

[10] “Health insurance information” means “an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.” Id. at §1798.82 (f)(3).

[11] Id. at §1798.82 (f)(1).

[12] States with no security breach notification laws: Alabama, Kentucky, New Mexico, and South Dakota.

[13] The law, which will take effect July 1, 2011, applies to the unauthorized acquisition of unencrypted electronic files, media, databases, or computerized data containing personal information of any Mississippi resident. See Miss. Code §75-24-29. The law contains a harm threshold specifying that notification is not required if it can be reasonably determined that the breach will not likely result in harm to affected individuals. Id. at ¶ 7. The statute on its face does not recognize a private cause of action. Id. at ¶ 8.

[14] For a more comprehensive discussion of the different state breach notification statutes, see Canadian Internet Policy and Public Interest Clinic, Approaches to Security Breach Notification: A White Paper, 11-14 (2007), <http://www.cippic.ca/uploads/BreachNotification_9jan07-print.pdf> (last accessed May 2, 2011).

[15] N.Y. Gen. Bus. Law § 899-aa(1)(a) (2005).

[16] Id. at § 899-aa(1)(b).

[17] See Global Practices — Consumer Protection and Data Breach Notification, Nov. 14, 2007, <http://apps.americanbar.org/buslaw/newsletter/0067/materials/pp2.pdf>, at 14 (last accessed May 7, 2011).

[18] N.Y. Gen. Bus. Law § 899-aa(8)(a).

[19] Samuelson Law, Technology & Public Policy Clinic, “Security Breach Notification Laws: Views from Chief Security Officers.” Technical report, University of California, Berkeley, December 2007, <http://www.law.berkeley.edu/files/cso_study.pdf> (last accessed May 7, 2011).

Finis
