The Privacy Commissioner of Canada’s Position at the Conclusion of the Hearings on the Statutory Review of PIPEDA
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Appendix VI
Overview of American Data Breach Notification Laws
As of the end of 2006, 34 states had adopted some type of data breach notification requirement. Several notification laws have been introduced federally, but none of these have been passed. California, which has taken the lead with many privacy and data security issues, enacted the first data breach notification law. The law, which took effect in July 2003, requires any organization to notify California residents when their unencrypted personal information “was, or is reasonably believed to have been, acquired by an unauthorized person.”
Although most states have followed the California model, there are several differences in the various state laws. This patchwork of legislation has evolved within an environment that lacks a comprehensive privacy or data protection regime at either the state or federal level.
Definition of Personal Information
These laws define personal information more narrowly than typical privacy laws such as the Personal Information Protection and Electronic Documents Act. California’s law defines “personal information” for purposes of a breach as an individual’s first name, or last name and first initial, in combination with a social security number, driver’s licence or other state identification card number, or account number, credit or debit card number with the necessary access code or password. Many states have adopted this core definition. Others have added some variations. For example, North Dakota has expanded the definition to include a mother’s maiden name, employer-assigned number or the individual’s digitized or other electronic signature. Nebraska’s definition includes all the elements in California’s definition, but also includes unique biometric data or other unique physical representation. New York law has a broader definition of the initial data elements, which includes “any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.” Kansas includes financial account numbers or credit or debit card numbers even without the required access code. In general, the laws include personal information that could be used to commit identity theft or other forms of fraud.
Encryption Requirement
Many of the state statutes require notification requirements only for breaches in which some or all of the personal information compromised was unencrypted (i.e., Rhode Island, California, Tennessee, Texas, Utah). Notification is required in New York, North Carolina and Pennsylvania for encrypted personal information if the encryption keys are compromised along with the encrypted data. Some states have defined the term “encryption” (Maine, North Dakota, Indiana), while others have not (California, Arkansas, Louisiana, Illinois).
Most state laws, including the New York and California legislation, only apply tocomputerized data. North Carolina’s and Wisconsin’s laws apply to paper records as well.
Consumer Notification Trigger
The notification requirement is triggered by a breach of a consumer’s personal information; however, there is some variation across the states with respect to the threshold. For example, California’s consumer notification law is triggered by any breach of security where an individual’s unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Several states have adopted a more stringent notification trigger that requires a certain degree of likelihood of identity theft or harm to consumers. For example, Arizona’s statute is triggered where the breach “causes or is reasonably likely to cause substantial economic loss to an individual.”
Covered Entities
The state laws vary as to which entities must comply with the breach notification requirements. Some have followed California’s lead and require all entities doing business in a particular state to comply with the notification requirements (i.e., Colorado, Connecticut, Delaware, Florida, Minnesota, Montana, Washington). Other states have expanded the entities to which the data breach statute would apply, for example, to any business that acquires, owns or licenses personal information of a state resident (i.e., Arkansas, Illinois). Others have limited the entities to which the notification requirements apply – for example, some states have exempted financial institutions subject to the federal Gramm-Leach-Bliley Act (GLB) and institutions subject to Health Insurance Portability and Accountability Act of 1996 (HIPAA). Georgia’s statute applies only to “information brokers,” defined to include “any person or entity who, for monetary fees or dues, engages in whole or in part in the business of collecting, assembling, evaluating, compiling, reporting, transmitting, transferring, or communicating information concerning individuals for the primary purpose of furnishing personal information to nonaffiliated third parties.” The Georgia law specifically excludes governmental agencies from the term “information brokers.”
Method of Notice
California requires written notification by mail except in specific circumstances. Companies can provide the required notice using alternative methods, such as e-mail, web site postings, or notification through statewide media, if the costs of notification exceed $250,000 or the number of people to be notified exceeds 500,000. Although many states have adopted California’s requirements, some states permit notification by telephone (i.e., Georgia, Illinois, Washington). Indiana also allows for notification via facsimile. Illinois follows California in allowing alternative forms of notification if the cost exceeds $250,000 or more than 500,000 consumers are involved. Rhode Island permits substitute notification if the cost would exceed $25,000 or the number of individuals exceeds 50,000.
Notices to Credit Reporting Agencies and Oversight Bodies
Some state laws require notification beyond the consumer. For example, Colorado’s data breach notification statute requires notification to all consumer reporting agencies if the breach impacts more than 1,000 Colorado residents. Georgia requires notification to consumer reporting agencies if the breach involves more than 10,000 residents, while Minnesota requires notification to consumer credit agencies if the breach involves more than 500 people. New York requires notification to “the state attorney general, the consumer protection board, and the state office of cyber security and critical infrastructure coordination as to the timing, content and distribution of the notices and approximate number of affected persons.” New Jersey’s law requires notification to the Division of State Police in the Department of Law and Public Safety prior to the disclosure to the customer.
Timing of Notice
Some states set out specific timelines for notification, for example, not later than 45 days in the case of Florida. Other states require notification as soon as possible but recognize that notification may have to be delayed for law enforcement purposes. California, for instance, requires that the required notification be made “in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement?, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.” Other states have followed a similar formula. A minority of states do not address the needs of law enforcement in their provisions regarding timing of notification.
Private Right of Action and Penalties
Many states follow California’s lead and provide their citizens with a private right of action against companies that violate the notice provisions. However, some states do not provide a private right of action, instead relying on state attorneys general to enforce the notification requirements.
The amount of potential fines varies widely. California allows tort damages, while other states track unfair and deceptive trade laws or provide for statutory penalties that can be as high as $500,000 for violations of notice provisions. Rhode Island’s statute sets out a penalty of not more than a $100 per occurrence and no more than $25,000 may be adjudged against a defendant.
- Date modified: