Understanding Data Breach Notification Laws Across Select U.S. States

In an increasingly digitized world, the security of personal information is paramount. Data breaches, unfortunately, have become a common occurrence, posing significant risks to individuals and businesses alike. To mitigate these risks, various states in the U.S. have enacted laws mandating notification procedures in the event of a data breach. In this article, we will delve into the specifics of data breach notification laws in California, Illinois, Massachusetts, New York, and Virginia, shedding light on their key provisions and commonalities.

Applicable State Law

California

Under California law (California Civil Code Section 1798.80 et seq.), notification is required upon a breach, which is defined as an “[u]nauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.”

“Personal information” means either of the following:

  • (A) An individual’s first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social Security number; (2) driver’s license number or California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual; (3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account; (4) medical information; (5) health insurance information; (6) unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual (unique biometric data does not include a physical or digital photograph unless used or stored for facial recognition purposes); (7) information or data collected through the use or operation of an automated license plate recognition system, as defined in Section 1798.90.5; or (8) genetic data; or
  • (B) A username or email address in combination with a password or security question and answer that would permit access to an online account.

Illinois

Illinois law (815 ILCS 530/5 et seq.) requires a data collector to notify any affected Illinois “resident at no charge that there has been a breach following discovery or notification of the breach.” Breach is defined as “[a]n unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector.”

“Personal information” means either of the following:

  • (A) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted, or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the name or data elements have been acquired without authorization through the breach of security: (1) Social Security number; (2) driver’s license number or State identification card number; (3) account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account; (4) medical information; (5) health insurance information; or (6) unique biometric data; or
  • (B) Username or email address, in combination with a password or security question and answer that would permit access to an online account, when either the username or email address or password or security question and answer are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the data elements have been obtained through the breach of security.

Massachusetts

In Massachusetts (Massachusetts General Laws Chapter 93H, Section 1 et seq.), notice to the affected resident (and to the Attorney General and the Director of Consumer Affairs and Business Regulation) is required when a “person or agency (1) knows or has reason to know of a breach of security or (2) when the person or agency knows or has reason to know that the personal information of such resident was acquired or used by an unauthorized person or used for an unauthorized purpose.” Breach is defined as an “[u]nauthorized acquisition or unauthorized use of unencrypted data or encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident.”

“Personal information” is defined as:

  • A resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (1) Social Security number; (2) driver’s license number or state-issued identification card number; or (3) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number, or password, that would permit access to a resident’s financial account.

New York

New York’s General Business Law Section 899-aa et seq. mandates notification when a breach occurs, which is defined as “[u]nauthorized access to or acquisition of, or access to or acquisition without valid authorization of, computerized data that compromises the security, confidentiality, or integrity of private information maintained by a business.”

“Personal information” is defined as any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.

“Private information” means either of the following:

  • (A) Personal information consisting of any information in combination with any one or more of the following data elements, when either the data element or the combination of personal information plus the data element is not encrypted, or is encrypted with an encryption key that has also been accessed or acquired: (1) Social Security number; (2) driver’s license number or non-driver ID card number; (3) account number, credit card number, or debit card number, in combination with any required security code, access code, password, or other information that would permit access to an individual’s financial account; (4) account number, credit card number, or debit card number, if circumstances exist wherein such number could be used to access an individual’s financial account without additional identifying information, security code, access code, or password; (5) biometric information, meaning data generated by electronic measurements of an individual’s unique physical characteristics, such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data which are used to authenticate or ascertain the individual’s identity; or
  • (B) A username or email address in combination with a password or security question and answer that would permit access to an online account.

*Note: In New York, only a breach of private information triggers the notification requirement; exposure of personal information that is not combined with one of the listed data elements does not.

Virginia

The Code of Virginia (Sections 18.2-186.6; 32.1-127.1:05; and 58.1-341.2) requires notification “if unencrypted or unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and causes, or the individual or entity reasonably believes has caused or will cause, identity theft or another fraud to any resident of Virginia.” Breach is defined as an “[u]nauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes, or the individual or entity reasonably believes has caused, or will cause, identity theft or other fraud to any resident of Virginia.”

“Personal information” is defined as an individual’s first name or first initial and last name in combination with and linked to any one or more of the following data elements, when the data elements are neither encrypted nor redacted: (1) Social Security number; (2) driver’s license number or state ID card number issued in lieu of a driver’s license number; (3) financial account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial accounts; (4) passport number; or (5) military identification number.

Analysis and Conclusion

The laws outlined above cover only five states, but they share a common skeleton: each requires timely notice to affected residents when a breach compromises personal (or, in New York, private) information, and each builds its definition of personal information around a name combined with identifiers that enable identity theft or fraud, such as a Social Security number, a driver’s license or state ID number, or a financial account number together with the credentials needed to use it. The differences are in the details, and those details decide whether a given incident is notifiable in a given state. The treatment of encryption differs: Virginia’s statute reaches only unencrypted and unredacted data, and California’s definition as quoted above turns on whether the name or data elements are encrypted, while Illinois, Massachusetts, and New York also count encrypted data when the decryption key or process was acquired in the same breach. Virginia and Massachusetts add a harm threshold (identity theft or fraud, or a substantial risk of it); the California, Illinois, and New York definitions quoted above do not. New York’s definition of a breach reaches unauthorized access as well as acquisition, whereas the other four turn on acquisition. California, Illinois, and New York treat online account credentials (a username or email address plus a password or security question and answer) as a trigger on their own; Massachusetts and Virginia do not. Medical and health insurance information are listed data elements in California and Illinois but not in the general statutes of the other three (Virginia addresses medical information separately in Section 32.1-127.1:05).

Every U.S. state now has a breach notification statute, and the five above are representative of the general pattern, but the variations in triggers, encryption treatment, harm thresholds, and covered data elements mean that the same incident can require notice in one state and not in another. A business responding to a breach should determine which states’ residents are affected, apply each statute’s definitions to the specific data elements exposed and their encryption status, and consult counsel on the timing, recipients, and content of the notices each jurisdiction requires.

Robust data breach notification laws play a crucial role in safeguarding individuals’ privacy and promoting transparency in the digital age. By understanding and adhering to these laws, businesses can limit the impact of breaches and preserve the trust of their customers and stakeholders.

Conclusion

If navigating the intricacies of data breach notification laws or ensuring compliance with state regulations seems daunting, seeking legal guidance is paramount. Global Legal Law Firm offers comprehensive counsel to businesses and individuals alike. With our expertise, we can help you understand your obligations under state laws, develop robust breach response strategies, and mitigate potential legal risks. Do not hesitate to reach out to our experienced team for personalized assistance in safeguarding your data and navigating the complex landscape of data privacy regulations. Your peace of mind is our priority.


[Disclaimer: This article is for informational purposes only and does not constitute legal advice. Readers are encouraged to seek professional legal counsel regarding their specific circumstances by contacting an attorney at Global Legal Law Firm.]
