
Data Breach Notification Laws

Submitted by Jon Bartelson on Monday, 24 August 2009

State legislatures have become more vigilant over the past year in passing (and tightening) data breach notification laws. Universally, these laws at a minimum require entities to disclose when data containing sensitive personally identifiable information (SPII) has been breached or released inappropriately. SPII usually includes a handful of data elements that, when combined, significantly increase the risk of identity theft: social security numbers, state ID numbers, birth dates and financial account numbers (e.g. credit card numbers).

According to the National Conference of State Legislatures, forty-five states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. However, the laboratory of the states has produced some fairly disjointed legislation (most states have different requirements for disclosure and levels of liability), and Congress is starting to notice. Last month, Senator Patrick Leahy (D-VT) introduced legislation that creates federal data security breach notification requirements. The bill requires differing levels of public and governmental agency notification depending on the severity of the breach. The proposed federal law would not preempt state legislation, but reportedly would supersede state laws that applied to businesses engaged in interstate commerce.

So, companies small and large – what does this mean for you? It means that you’re on notice to keep track of the notification requirements in each of these state laws if you store SPII for residents of these forty-eight U.S. states and territories. That sounds like quite a burden if your principal place of business is in Oklahoma but you hold data about employees working remotely in California, North Carolina and Massachusetts. How much due diligence and legal overhead will smaller shops collecting credit card numbers online need to expend to remain in compliance with a myriad of state laws? Perhaps this is where a unifying federal law will provide some relief, but that remains to be seen: Senator Leahy’s bill is one of three to be introduced this year alone.

I’ll try to keep tabs on this issue as it’s relevant to both my day job and consumer law, which I’m taking this semester. I’ll post any relevant updates to Congress’ progress as I find them.

A tip of the hat to Hunton & Williams Privacy & Information Security Law Blog for summarizing the July modifications to some state law and reporting on the status of the federal bills.

UPDATE (10/17/2009): Montana, Texas, Maine and North Carolina have passed amendments to their notification statutes. Check out Steptoe & Johnson LLP’s E-Commerce Law Week for details.
