Handling a Breach of Data Security

What you and your HRO provider should know about new state notification laws.

by John Gliedman

Is our data missing? Does that question sound familiar? Major thefts and misappropriations of computerized personal and financial information are making headlines nationwide. And legislators are opening their eyes to the problem in the wake of a 2002 California data security breach notification law.

Amid rising concern over the problem of identity loss, the policy behind data security breach notification laws is to give members of the public prompt notice that their personal information may have been misappropriated. Since the California law was enacted, many other states have recently adopted similar laws. HR departments and outsourcers should become accustomed to dealing with data confidentiality and security requirements under these state laws. Because the California law is the model that other states have followed in enacting data security breach notification requirements, several points should be noted with respect to that law.

General Scope
The California law applies to any company that does business in California and that owns or licenses computerized data that includes personal information. Under the law, personal information is defined as a combination of two categories of information: personal identifying information, that is, a person's first name or initial and last name, combined with any item in a specific list of data elements, such as a social security number, a driver's license or California identification card number, or a financial account number in combination with the account password, security code, or access code. To constitute personal information, the compromised data must include both identifying information and one of the specified data elements; personal information does not include publicly available information that is lawfully made accessible to the general public from government records. When discussing data security, there are two important concepts to keep in mind:

  • Encryption–The notification requirements of the California law do not apply if either the personal identifying information or the data elements are in encrypted form.
  • What Constitutes a Breach–The term "breach of the security of the system" is defined as unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.

Who must be notified, and how?
The California law requires reasonably expedient notification to individuals whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Notice may be written or electronic. There is a provision for so-called substitute notice if the cost of notifying individual consumers would exceed $250,000, or if the number of consumers to be notified exceeds 500,000. Substitute notice consists of all of the following efforts: e-mail notice to those consumers for whom the company has an e-mail address, conspicuous posting on the company's Web site, and notification to statewide media. If a security breach takes place while the information is in the hands of a third party (such as a company to which data processing has been outsourced), that party must promptly notify the owner of the information of the breach.
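The definition of personal information above, the encryption exemption, and the notice rules in this section together form a decision procedure that an incident responder can apply to each data set believed to have been acquired. The following is an added example, not code from the article or from any HRO provider: a small triage helper that applies the California-model rule to a description of the acquired data. The column names, the per-consumer notice cost, and the sample data sets are constructed assumptions; the dollar and consumer thresholds are the ones stated in the article.

```python
from dataclasses import dataclass

# Constructed column names standing in for the statutory categories.
NAME_FIELDS = {"first_name", "first_initial"}            # either one, plus last_name
STANDALONE_ELEMENTS = {"ssn", "drivers_license", "ca_id_number"}
ACCOUNT_CREDENTIALS = {"account_password", "security_code", "access_code"}

# Substitute-notice thresholds as stated in the article.
SUBSTITUTE_COST_THRESHOLD = 250_000     # dollars
SUBSTITUTE_COUNT_THRESHOLD = 500_000    # consumers to be notified


@dataclass
class AcquiredData:
    """One data set reasonably believed acquired by an unauthorized person (constructed)."""
    fields: frozenset                   # column names present in the acquired data
    encrypted: frozenset                # subset of fields held in encrypted form
    consumers: int                      # number of individuals represented
    from_public_records: bool = False   # lawfully public government records
    held_for_owner: bool = False        # we process this data for another company


def triggering_elements(data):
    """Data elements that, paired with a name, make the data 'personal information'."""
    elements = set(data.fields & STANDALONE_ELEMENTS)
    # A financial account number counts only together with a password, security
    # code, or access code (simplification: the element is named by the account field).
    if "financial_account" in data.fields and data.fields & ACCOUNT_CREDENTIALS:
        elements.add("financial_account")
    return elements


def is_personal_information(data):
    has_name = bool(data.fields & NAME_FIELDS) and "last_name" in data.fields
    return has_name and bool(triggering_elements(data)) and not data.from_public_records


def notification_required(data):
    """Apply the encryption exemption: no notice if either the identifying
    information or the data elements were encrypted. If only some elements were
    encrypted, the ones acquired in the clear still trigger notice."""
    if not is_personal_information(data):
        return False
    name_fields = (data.fields & NAME_FIELDS) | {"last_name"}
    if name_fields <= data.encrypted:
        return False
    clear_elements = triggering_elements(data) - set(data.encrypted)
    return bool(clear_elements)


def notice_plan(data, cost_per_consumer):
    """Return the action the article describes for this data set."""
    if not notification_required(data):
        return "no notice required"
    if data.held_for_owner:
        return "notify data owner promptly"
    total_cost = data.consumers * cost_per_consumer
    if total_cost > SUBSTITUTE_COST_THRESHOLD or data.consumers > SUBSTITUTE_COUNT_THRESHOLD:
        return "substitute notice: e-mail, conspicuous Web posting, statewide media"
    return "individual written or electronic notice"


# Constructed sample data sets, one per branch of the rule.
SAMPLES = {
    "hr_export": AcquiredData(
        fields=frozenset({"first_name", "last_name", "ssn", "salary"}),
        encrypted=frozenset(), consumers=12_000),
    "hr_export_encrypted_ssn": AcquiredData(
        fields=frozenset({"first_name", "last_name", "ssn"}),
        encrypted=frozenset({"ssn"}), consumers=12_000),
    "card_numbers_no_codes": AcquiredData(
        fields=frozenset({"first_initial", "last_name", "financial_account"}),
        encrypted=frozenset(), consumers=800_000),
    "card_numbers_with_codes": AcquiredData(
        fields=frozenset({"first_initial", "last_name", "financial_account", "security_code"}),
        encrypted=frozenset(), consumers=800_000),
    "outsourced_payroll": AcquiredData(
        fields=frozenset({"first_name", "last_name", "drivers_license"}),
        encrypted=frozenset(), consumers=300, held_for_owner=True),
}


def triage(cost_per_consumer=2.0):
    """Plan for every sample; the assumed per-consumer mailing cost is constructed."""
    return {name: notice_plan(d, cost_per_consumer) for name, d in SAMPLES.items()}


if __name__ == "__main__":
    for name, plan in triage().items():
        print(f"{name:26s} -> {plan}")
```

The helper deliberately takes a description of the acquired data set rather than the data itself, so it can be run from an incident ticket without re-exposing the records. Whether a field was "in encrypted form" is an input the responder supplies; the rule as summarised in the article turns on that fact alone.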

Enactments in other states and, potentially, by Congress
As of August 2005, at least 17 other states have enacted data security breach notification laws similar to that in California. Although many of those states followed the California model without any essential changes, it is important to be aware that a few state enactments differ significantly from the California law. In particular, companies with multistate operations, or that maintain databases likely to contain information about consumers in more than one state, should scrutinize these individual enactments to determine applicability and the requirements specific to those states. Differences in the laws enacted by individual states include additions to the list of specific data elements that may comprise personal information and exemptions of certain technical breaches of security from the notification requirement. Congress is considering bills that would impose a national standard for notification of security breaches that involve consumer data.

