$250,000, then notice may be provided via electronic mail, via posting on the person or business’ website, or via publication in major statewide media.

Five states allow telephone notification in addition to the notice described above. Delaware, Maine, Montana, North Carolina, and Pennsylvania allow notification via telephone, with varying degrees of restrictions. For instance, Maine requires those providing telephonic notice to maintain a log, Pennsylvania only allows telephonic notice if the customer can reasonably be expected to receive the notice and it is given in a clear, conspicuous manner, and North Carolina requires that contact be made directly with the affected person.

II. Pending Federal Legislation

a. The Notification of Risk to Personal Data Act.
The proposed Notification of Risk to Personal Data Act (NRPDA) was introduced in the Senate on June 28, 2005 by Senator Jefferson Sessions [R-AL].10 The bill, which has been approved in committee and is now before the entire Senate, is the legislation currently pending in the Senate that is most like the California statute. The bill would preempt all of the state notification laws and would require notification if a breach of sensitive personal information results in a significant risk of identity theft to any individual. Notification must be made as expediently as possible and without unreasonable delay.

The definition of sensitive personal information differs slightly from that of the states. For purposes of the NRPDA, sensitive personal information includes an individual’s first and last name, the individual’s address or telephone number, and the social security number, driver’s license or state identification number, financial account number, credit or debit card number and any required security or access code or password. Like many state laws, the NRPDA excludes publicly available information and encrypted information from the definition of sensitive personal information. Similarly, notification is not required if notification would impede a civil or criminal investigation.

Under this legislation, notice could be given in writing, by telephone, e-mail, or in certain circumstances, by posting on the Internet or notifying the media. Before sending notice to more than 1,000 individuals, those required to give notice must also notify consumer credit reporting agencies as to the number of individuals impacted and the type of notice that will be given to individuals.

The most significant differences between the state security breach laws and the NRPDA are the enforcement provisions. Violations of the NRPDA would be enforced by the “functional regulator.” The functional regulator is the appropriate government entity based on the type of agency or business that violated the provisions of the NRPDA. For instance, if an insurance agency violated the NRPDA, the state insurance authority would enforce the provisions; if an air carrier failed to comply with the provisions, the Secretary of Transportation would be the functional regulator. State Attorneys General could also bring actions in federal court for violations of the NRPDA. The proposed legislation prohibits private causes of action.

b. The Identity Theft Protection Act.
The proposed Identity Theft Protection Act (ITPA) is currently pending in the Senate.11 It was introduced on July 14, 2005 by Senator Gordon Smith [R-OR] and is currently scheduled for debate. The ITPA expressly preempts all state and local laws governing security breach notification. The current version of the bill provides that a covered entity has to notify the Federal Trade Commission (FTC), possibly all credit reporting agencies, and possibly consumers of breaches in security. Covered entity is defined as “a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity, and any charitable, educational, or nonprofit organization that acquires, maintains, or utilizes sensitive personal information.”

The sensitive personal information definition in the ITPA is similar, but not identical to, California’s definition. Sensitive personal information is an individual’s name, address, or telephone number combined with one or more of the following pieces of information:

  • social security or other taxpayer number;
  • financial account number, credit card number, or debit card number, combined with the required security code, access code, or password; or
  • state driver’s license identification number or state resident identification number.

Unlike the state laws, covered entities would be required to notify various agencies based on the number of individuals affected by the breach. If 1,000 or more individuals are affected by the breach, the covered entity must report the breach to the FTC, as well as to all of the consumer credit reporting agencies. If fewer than 1,000 individuals are impacted and the covered entity determines that the breach does not create a reasonable risk of identity theft, the covered entity must report the breach to the FTC but not to the consumer reporting agencies.

Regardless of the number of persons affected, covered entities would also be required to notify consumers of the breach when there is a reasonable risk of identity theft. Notification pursuant to this provision must take place in the most expedient manner practicable, but not later than 45 days after the date the breach was discovered by the covered entity