Introduction
In the four years since California took the lead and enacted SB 1386, many states have followed suit and enacted similar legislation. While many of the provisions are similar, the laws contain varying definitions of personal information. The laws also provide for different types of notification after a security breach. Although this article will include a brief discussion of various state statutes, the differences between the various state laws may be made irrelevant by federal legislation. There are five bills currently under consideration by Congress. It is unclear which, if any, of the pending bills will become the national security breach notification law. What is clear is that if any of the current iterations of the pending legislation is enacted by Congress, businesses will once again have to adapt their business practices because the federal legislation will preempt the current state laws.
I. Overview of State Legislation
a. Definition of Personal Information.
The primary element of the privacy breach notification statutes in the various states is the definition of personal information. Generally, any business that possesses the personal information of a resident of a particular state must notify the resident that his or her personal information has been obtained by an unauthorized individual. Obviously, to determine whether a breach must be reported, it is critical to determine whether information obtained by a hacker qualifies as personal information for purposes of the many different state statutes.
For instance, in California, personal information includes a person’s first name or first initial and last name, along with one of the following unencrypted pieces of information:
- social security number;
- driver’s license number or state identification number; or
- account number, credit card number, or debit card number, combined with any password, security code, or access code.1
The definitions of personal information in Connecticut, Delaware, Florida, Illinois, Louisiana, Minnesota, Montana, Nevada, New Jersey, Rhode Island, Tennessee, Texas, and Washington are identical to California’s definition.2 Although Indiana’s and Ohio’s definitions of personal information are identical to California’s definition, the notification statutes in these states only apply to state agencies.3 Private businesses are not required by the Indiana or Ohio statutes to report security breaches.
There are also several states that include more information in the definition of personal information than California. For example, Arkansas’ statute contains medical information, as well as the items enumerated in the California definition of personal information.4 Georgia’s and Maine’s definitions of personal information include the data components identified in California’s statute, as well as account passwords or other personal identification numbers or access codes and any items that, even without the first and last name, are sufficient to allow an unauthorized person to attempt identity theft.5 North Carolina’s statute also expands the California definition to include passport numbers, debit card numbers, digital signatures, any other numbers or information that can be used to access a person’s financial resources, biometric data, and fingerprints.6 North Dakota also includes date of birth, mother’s maiden name, identification numbers assigned by employers, and digital signatures.7 In New York, “personal information” is defined as information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person. Notification is required when public information is obtained in conjunction with a social security number, driver’s license or state identification number, or account number, credit card number, or debit card number, in combination with the security code or password.8
Businesses that maintain personal information on behalf of clients can significantly reduce the burden of reporting security breaches by encrypting the data. Of the twenty-three states that have enacted security breach notification laws, only five states require notification of a breach of encrypted data.9
Businesses that expect to incorporate provisions into their customer contracts waiving the statutory notification provisions should beware. Most privacy breach notification statutes include provisions that any attempt to waive the statutory obligations is void because it is against public policy. For more information regarding the other components of the state statutes, please refer to Figure 1.
b. Notification After Personal Information Has Been Breached.
Most of the jurisdictions also followed California’s lead when describing the type of notice required for security breaches. The vast majority of states allow written notice or electronic notice provided in accordance with 15 U.S.C. § 7001. If the person or business providing the notice demonstrates that the number of affected persons exceeds 500,000 or that the cost of notice would exceed