States with laws requiring consumer notification of ID theft
Few states lack laws requiring notification of data breach victims
As recently as 2004, only one state required businesses to tell consumers if their personal data had been lost or stolen. Now, spurred on by a groundbreaking California state law and justified by a seemingly endless parade of high profile data breaches, security breach notification legislation has swept the nation. And experts say that consumers are much better off because of it.
10 steps to protect yourself
from identity theft
Reports of massive breaches can leave you feeling helpless, but there's plenty you can do to protect yourself and prepare for the worst.
For residents of 46 states, the District of Columbia, Puerto Rico and the Virgin Islands, security breach notification legislation means consumers can expect to be contacted by a business or bank should their personal data get lost or stolen. After California introduced its notification laws in 2003, similar laws were quickly enacted in other states.
These laws fulfill an important job."Breach notification laws serve two critical functions," says Paul Stephens, director of policy and advocacy for nonprofit consumer group Privacy Rights Clearinghouse. "These laws help provide information to consumers if their personal information has been compromised, which can enable them to protect themselves. They also motivate organizations to implement better data security so as to avoid the negative publicity associated with the required disclosures."
Why the rush?
With so many other problems confronting state legislatures, what is it about data breach notification that's drawn nearly every state to act? The answer is simple: When hundreds of thousands of people have their personal data stolen, that makes big headlines that catch everyone's eyes, and few legislators wanted to have to answer this question: "Why doesn't your state have laws to protect my personal data?" Thus, the flood of laws began.
Some states point to one particular incident: the 2005 security breach at consumer data broker ChoicePoint, in which more than 160,000 records were impacted by identity thieves who established bogus accounts. When that was made public in early 2005, California was the only state with notification laws. The attention ChoicePoint received spurred other states to guarantee notification for their own residents. "As a result of that, many other states quickly came on board to pass similar legislation. Washington was one of those," says Kristin Alexander, a spokeswoman for the office of Washington's attorney general.
The widespread, rapid adoption of laws on the state level has allowed federal enactment of a data breach law to fall down the congressional priority list. So that means that consumers in the remaining states with no notification laws -- Alabama, Kentucky, Mississippi, New Mexico and South Dakota -- may be left unaware if their data are compromised.
Laws vary but have common core
Experts say notification laws vary significantly from state to state. For example, in a few states, credit reporting agencies must be told about the breach, according to experts. Separately, some states require the business to provide consumers with security freeze or credit monitoring services."There are states that offer greater protection because they offer a broader definition of a data breach that requires notice to their consumers," says David Thompson, who focuses on consumer finance compliance and litigation for law firm McGlinchey Stafford PLLC in Cleveland.
Still, the laws all try to accomplish the same thing: making sure consumers know ASAP when their data have been compromised so they can act quickly to protect themselves. To get there, the laws focus on seven key areas, including:
- Notification of breached sensitive data. For businesses, generally, "the laws require you to notify customers in writing in the event of a breach involving some risk of identity theft, and the breach has to involve sensitive data," says Susan Lyon with law firm Perkins Coie in Seattle, where she has represented companies dealing with security breaches. That sensitive data typically involves first name and last name plus credit card number, Social Security number, driver's license number and financial account information. However, experts say that some states also allow notification by e-mail or even via phone call.
- What the notification must include. Consumers can usually expect the notification they receive to contain a few elements. "Generally speaking, the notice must include: (1) general description of incident; (2) type of information accessed; (3) acts of business to protect information from further breach; (4) telephone number for additional information; and (5) advice to monitor accounts and free consumer reports," says David D. Cherner, legal counsel for credit collection professionals association ACA International, via e-mail. The level of detail required varies, so some letters may be more cryptic than informative.
- "Trigger points" for notification. If the breach is big enough, laws may allow other forms of notification, says Privacy Rights Clearinghouse's Stephens. Those trigger points -- for example, when the cost of the breach equals or exceeds $250,000 or when 500,000 or more individuals are impacted -- allow for notification to be published on the company's website or through alerting the media instead of through notifying each victim individually, Stephens says.
- How quickly notification must be sent. Companies that suffer a data breach must alert consumers as quickly as possible. "They need to act immediately," Lyon says. "Any delay in time needs to be justified." Most states have a standard requiring alerts go out ASAP, Lyon says, although alerts may be held up if a temporary delay would help authorities "watch, track and trap identity thieves," Lyon says.
- Exceptions to notification. If the information breached is very private or already public, notification may not be needed. For example, if a consumers' personal information is encrypted -- meaning it's encoded to protect it during electronic transmission -- notification is almost never necessary. Because lost or stolen laptop computers are the leading source of data breaches, "many more companies have invested money in encrypting laptops throughout their organizations to prevent these breaches," Lyon says. Notification also may not be required when the breached data is made up of government records, "on the theory that the information is already public; it's just become more public, you could say," Stephens says.
- Penalties for noncompliance. Companies that fail to notify could end up paying. "Enforcement and penalties are typically handled by the state attorney general, with some states providing substantial penalties for failing to meet notification obligations," says Steve DelBianco, executive director of e-commerce advocacy group Netchoice. "California also authorizes private lawsuits, and any victim of fraud or ID theft can sue a breached entity to recover actual damages due to negligence or breach of contract," he says. For companies, the focus has been on limiting the number of alerts that need to be sent. "The industry has worked very hard to ensure that states have risk-based triggers before we flood people with notices unnecessarily," DelBianco says.
What can data breach victims expect?
Breach notices differ. Kelly Whalen, a stay-at-home mom in the Philadelphia suburbs and blogger at the thecentsible life, says her bank, National City, sent her a letter in the mail about seven months ago acknowledging a data breach. Whalen says the letter indicated her credit card was one of those affected by the breach, but otherwise didn't provide information about how or where the breach occurred. "They weren't really clear on the details," she says.
Consumers may be mailed a new credit card to replace their compromised plastic. But banks often skimp on providing details about the breach.
Experts say that a tight-lipped attitude creates problems. "When you send a letter that's vague, you tend to alarm without providing the tool for assessing the potential level of risk," says Privacy Rights Clearinghouse's Stephens. He notes that the level of risk to consumers varies depending on the breached data. For example, lost or stolen Social Security numbers represent a much greater danger than breached credit card information.
Whalen wasn't overly alarmed. "It's nice to know when something like that happens with your account. As a consumer, it's more important that I constantly monitor my account for identity theft," she says. National City did offer six free months of credit monitoring, which she accepted. Nothing came of the breach. "We didn't notice anything on our account, any charges or anything," she says.
These laws help provide information to consumers if their personal information has been compromised, which can enable them to protect themselves.
|-- Paul Stephens
Privacy Rights Clearinghouse
Industry offers protection
Even if she had found unusual charges, Whalen would have been protected. Credit cardholders typically won't pay for any charges that result from a data breach. "As part of MasterCard and Visa's zero liability policies, customers are not liable for any unauthorized purchases made with their cards," says Chase spokesman Paul Hartwick, via e-mail.
Consumer advocates argue that despite zero liability policies, data breach notification fulfills a necessary purpose. "It's useful that there is zero liability," says Amina Fazlullah, legislative counsel for the U.S Public Interest Research Group. "However, there needs to be some mechanism that alerts consumers that they have to go beyond checking their credit card statement to ensure they are protected."
"By not having the laws and just having zero liability, credit card companies avoid the scrutiny of the press and avoid warning potential customers of security breaches within their walls," Fazlullah says. Furthermore, consumers need to know whether their data will be secure if they choose to do business with a specific company. "If you walked into McDonald's, and somebody got sick but didn't die, you'd still want to know about it," she says.
In the case of breaches involving debit card information, "you can potentially have major problems," Stephens says. "Irrespective of what Visa and MasterCard say about zero liability on their debit cards, what they don't tell you is you don't get the money back right away." That waiting period of up to two weeks can lead to bounced checks and penalty fees stemming from a drained bank account. Despite a bank's zero-liability policies, "that doesn't mean they will waive any banking fees that have been incurred," Stephens says.
As was the case with Whalen, a data breach doesn't always equal stolen funds. "Most data breaches don't result in identity theft," Lyon says. "A data breach could be as simple as somebody loses a laptop and they don't know where it is." Often, the threat to personal data lies much closer to home. "Far more identity theft happens as a result of people known to the victim than occurs from data breaches," says Netchoice's DelBianco.
Holes in laws mean threats remain
Despite these assurances, the gaps in state data breach notification laws mean a lack of alerts for some consumers. "Depending on the laws within your own state, you may or may not receive protection" in the event of a data breach, says U.S. PIRG's Fazlullah. Additionally, the laws leave some nuance when it comes to who is responsible for notifying consumers. "It kind of comes down to who owned the information and where it resides, where the breach occurred," Thompson says.
That means select consumers could still be left in the dark if their data are compromised.
Far more identity theft happens as a result of people known to the victim than occurs from data breaches
|-- Steve DelBianco
A retailer in any of the four states without laws need not alert local customers when their financial information is lost or stolen. For example, in case of a data breach at a local Alabama merchant, "if all the residents are in the state of Alabama, that might be enough of a tipping point for some companies not to notify consumers," Lyon says.
Other consumer protections
Though it lacks a specific data breach notification law, Kentucky says its Consumer Protection Act prohibits any "unfair, false, misleading act or practice in trade or commerce." "Although Kentucky does not have a statute specifically detailing what acts constitute a data breach, the [Consumer Protection Act] provides the attorney general broad authority to investigate a security breach and seek remedies including injunctive relief, restitution and civil penalties if the facts of the situation warrant," says Shelley Johnson, deputy communications director for the office of Kentucky's attorney general, in an e-mail. "This would apply to both Kentucky businesses and Kentucky residents; however, it depends on the facts and circumstances. There are a lot of factors that go into determining whether we have jurisdiction over a business or not."
In New Mexico, "We do everything we can to protect consumers. That's one of our main efforts here in New Mexico with the attorney general's office," says spokesman Phil Sisneros.
Sara Rabern, public information officer with the South Dakota attorney general's office, says she is unaware of any security breach notification legislation currently planned for the 2010 session, although this could change since that state's legislative session -- which runs from January to March -- is still to come.
More legislation ahead
The gaps in state law may eventually be filled. In Kentucky, the attorney general pushed for data breach legislation in the 2008 session, it just didn't pass, says Johnson. "So that is certainly something that he would like to see in Kentucky," Johnson says.
Although efforts have been made toward the introduction of federal legislation that would pre-empt state laws on data breach notification, Lyon doesn't see their introduction as imminent. "I would bet money that those five states will come on board before federal legislation is enacted," she says.
Consumer advocates say that might not be a bad thing. Federal legislation could weaken state laws if, for example, it pre-empted state laws, didn't allow for litigation against companies that allow data breaches to occur and set a ceiling (rather than a floor) on consumer protection. "That would actually be worse than waiting for those five states to fill in," says U.S. PIRG's Fazlullah.
"Right now, I don't think any bill has all those parts that I've described," she says.
Still, with the House of Representatives currently discussing privacy legislation, Fazlullah says talk could turn to data breach laws. "There is an opportunity for this comprehensive legislation that would be clearer to consumers and clearer to businesses, as well, and that would also allow for states to continue to provide more robust protections if needed," she says.
See related: 10 steps to protect yourself from ID theft, Payment processor involved in massive data breach offers few answers, Heartland Payment Systems data breach claims a victim: me, Heartland data breach aftershocks continue, 1st arrests made in Heartland data breach case, Largest credit card scam uncovers retailer culpability
Updated: June 1, 2010