Alert February 19, 2009

States Continue to Focus on Data Security Concerns

Data Security Breaches Rise in 2008

Ever since California enacted in 2005 the nation’s first data breach notification regulation, a measure designed to help limit such breaches, reports of data breaches have increased steadily each year. According to the Identity Theft Resource Center, 312 data breaches were reported in 2006, 446 breaches in 2007 and 656 in 2008. The number of states with breach notification laws rose from just one in 2005 to 46 by the end of 2008. Despite states’ efforts to increase disclosure of the breaches, their incidence continues to grow.

Due largely to the increase in reports of data breaches and consumers’ concerns about safeguarding their personal information, lawmakers have faced growing pressure to respond with stricter data security regulations. State legislators are recognizing that it is not enough to require businesses to notify consumers and employees of data breaches. Instead, they are taking a proactive approach and looking at ways to prevent breaches from occurring in the first place. Some states have responded to these concerns by enacting general measures which require businesses and organizations to use reasonable measures to protect consumers’ personal information. Other states, however, like Massachusetts and Nevada, have gone further, setting forth specific data security requirements with which businesses must comply. In 2008, Washington, Michigan and New Jersey all followed suit and proposed similar regulations. If other states follow the approach that was taken by these early breach notification laws, a slew of such measures can be expected in the coming months and years. Anticipating that similar laws are likely to be enacted in additional states will allow entities that do business in those states an opportunity to plan for the often onerous obligations required by such laws.

Four States Pass Legislation Requiring Businesses to Take General or “Reasonable” Measures to Protect Consumers’ Personal Information

California, Connecticut, Texas and Rhode Island have all passed laws that regulate how businesses use and protect consumers’ personal information. The laws in these states are general and require businesses to adopt reasonable or standard procedures to protect personal information, without articulating any specific requirements as to the procedures implemented. The personal information protected by these laws differs somewhat by state, and some contain carve-outs and exemptions for certain types of organizations.

For example, in California, the law requires that a business that owns or licenses personal information about a California resident must “implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” (California Civil Code section 1798.81.5(b)). The Impersonation and Identity Fraud Act in Rhode Island contains almost identical provisions, and was passed shortly after the California law. (Chapter 11-49.1-1).  The law exempts health care providers, financial institutions and entities covered by HIPAA, the Vehicle Code or any federal or state law that requires more stringent protections. To determine whether a security procedure is reasonable, businesses should consider various factors, such as the nature of its business and the nature of the personal information. The law, however, provides no specific guidelines to businesses seeking to comply with its requirements.

A similar Texas statute requires businesses to “implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect and safeguard from unlawful use or disclosure of any sensitive personal information collected or maintained by the business in the regular course of business.” (Tex. Bus. & Com. Code Ann § 48.102(a)). The Texas statute differs from the California statute in that it only exempts financial institutions from its requirements, and requires businesses to take appropriate corrective action to maintain data security. (Id. at § 48.102(c)).

The Connecticut statute is more forgiving than the other statutes and applies only to willful violations. Like the California and Texas statutes, the Connecticut statute is general, stating that “[a]ny person in possession of personal information of another person shall safeguard the data, computer files and documents containing the information from misuse by third parties. . .” (Public Act No. 08-167 §1(a)). Yet unlike these statutes, “[i]t shall not be a violation of this section if such violation was unintentional.” (Id. at §1(e)). The law does not define what will be found to be an intentional or an unintentional violation, thus leaving room for a wide variety of interpretations as to what the law covers. This escape hatch for “unintentional” violations scales back the scope and application of the law significantly.   

Two States Pass Legislation Requiring Businesses to Comply with Specific Data Security Mandates

In 2008, Massachusetts and Nevada joined the states that impose a duty on businesses to ensure data security. Unlike other states, these states ensure data security through very specific requirements. For Nevada, the legislature chose to focus solely on encryption, whereas Massachusetts mandated numerous specific requirements, including, but certainly not limited to, encryption. The Nevada statute took effect on October 1, 2008 and requires all Nevada businesses which store or use consumers’ personal information to encrypt such information when sent electronically, except if by fax. The Nevada law is the first to mandate encryption, and the text of the law is brief. It states that “[a] business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.”(Nev. Rev. Stat. § 597.970.1). Unlike the more general statutes, this law does not apply strictly to the personal information of Nevada residents, but rather, any personal information of a customer of a Nevada business, regardless of where a person resides. Although the Nevada law takes a step in the direction of mandatory data encryption, its scope is limited because it applies only to personal information which is being sent from an organization’s system and transmitted over electronic networks. Many security breaches occur when data stored or collected on an organization’s system is compromised.

The newly enacted Massachusetts law goes a step further than Nevada and protects stored information, as well as information in transit. The Massachusetts law mandates a litany of security requirements for businesses that own, license, maintain or store the personal information of Massachusetts residents. In addition to requiring that all organizations storing personal information of Massachusetts residents on portable devices encrypt this information, the law also mandates that these organizations create and document security programs which comply with specific guidelines. The law applies not only to organizations incorporated or doing business in the state, but to any business or organization which stores the personal information of a Massachusetts resident. As a result, the law has potentially widespread implications for businesses in and outside of Massachusetts in that it catches in its net virtually all businesses that touch Massachusetts residents in any way. For more information on the Massachusetts law, please see Goodwin Procter’s September 29, 2008, November 17, 2008 and February 13, 2009 Client Alerts.

The Massachusetts law was originally scheduled to take effect in January 2009, but due to current economic circumstances, this deadline has been extended until January 1, 2010.

Three More States Propose Specific Data Security Regulations

The trend towards state regulation of data security seems likely to continue, as a number of states are considering legislative proposals in this area. For example, a bill proposed by the Michigan Senate in January 2008, Michigan Senate Bill No. 1022, was similar to the Massachusetts bill, as it required businesses to encrypt stored consumer information. The bill requires businesses that regularly collect and store consumers’ personal information in a computerized database to encrypt that data according to current industry-standard encryption methods.

Washington state also proposed data security legislation in 2008. Washington Senate Bill 6425 §4 would mandate that any organization that regularly stores or collects personal information in connection with an access device must comply with payment card industry standard regulations. Both the Michigan and Washington bills attempt to strike a balance between the general “reasonable” standard of Connecticut, Texas and California, and the very specific and stringent requirements of the recently enacted Massachusetts law. While these proposed bills both recognize the importance of securing stored personal information, not just information in transit, both tie the encryption requirements to industry-standard methods and contain no other specific guidelines or requirements. Neither bill was signed into law during the 2008 session.

The N.J. Division of Consumer Affairs also attempted to garner support for new data security regulations in 2008. After facing heavy criticism in 2007 from the business community for proposed regulations which were similar to those enacted by Massachusetts, the Division of Consumer Affairs scaled back its approach and released “pre-proposal regulations” resembling the general requirements of California, Texas and Rhode Island. While the New Jersey regulations proposed in 2007 mandated the use of encryption methods which complied with Federal Information Processing Standards, the 2008 pre-proposal contains no such requirements. Instead, the proposal articulates general best-practices that businesses would be encouraged to adopt. The pre-proposal also requires organizations doing business in New Jersey to implement and document a comprehensive written data-security program.

Although these proposed data security regulations were not successfully implemented in 2008, it is likely that similar bills will reappear in 2009. As the number of data breaches increase, so too will the efforts to protect consumers’ personal information.