As data collection has become more ubiquitous, so too have the technologies and the desire to analyze, monetize and exploit such data. In response, U.S. states and federal regulators have continued to expand the scope of data elements worthy of, and subject to, privacy protections. Recognizing the tremendous power of big data to re-identify seemingly anonymous data sets, the Federal Trade Commission has expanded its definition of what constitutes “personally identifiable information” worthy of privacy protections. “[W]e now regard data as personally identifiable when it can be reasonably linked to a particular person, computer or device,” declared Jessica Rich in an April 2016 blog post, citing FTC guidance going back to the 2009 Staff Report on Online Behavioral Advertising and the FTC’s 2012 Privacy Report. She continued, “In many cases, persistent identifiers, such as device identifiers, MAC addresses, static IP addresses, and retail loyalty card numbers meet this test.”
Recognizing that consumer data is now more valuable than ever before, states have continued the trend to extend privacy protections to additional categories of “personal information” protected under data breach notification laws. While none have gone so far as to announce that the unauthorized acquisition of persistent identifiers is a notifiable security breach event – yet – states have been expanding the breach law definition of personal data to guard against new threats and pernicious types of consumer harm.
“Personal information” under state data breach statutes
In 2003, California’s groundbreaking data breach notification law defined “personal information” to include an individual’s unencrypted first name or initial and last name, along with one or more of the following: (1) Social Security number; (2) driver’s license number or state-issued ID card number; or (3) account number or credit or debit card number with any password or PIN that would give access to the affected account. Just over 14 years later, 47 states have passed breach notification legislation. Most of these state statutes initially mirrored California’s definition of personal information, but owing to frequent amendments, more than half of the states with breach notice laws—including California—now define personal information more expansively than the original California statute. The expansion of the definition of personal information was one of the key trends in the 2015-2016 updates to the state breach notification laws.
Login Credentials: User names and passwords
Because individuals tend to reuse passwords for multiple websites, breaches affecting login credentials can have substantial residual effects. Recognizing this, states have begun amending their personal data definitions to include an email address or username in combination with a password or security question/answer that would permit access to an online account. California was the first state to add login credentials to its statute in 2013, followed by Florida, North Dakota, Nevada and Wyoming in 2014 and 2015. In 2016, another three states added login credentials to the state definition of personal data: Nebraska, Rhode Island and Illinois (eff. January 2017).
The process for notifying individuals of a breach of login credentials varies across the states, with some providing for a less stringent method of notice for breaches involving login credentials and nothing more. For example, Illinois allows entities to provide notice to affected individuals “in electronic or other form” simply by sending an email or other notice directing the individual to “promptly change his or her user name or password and security question or answer” and to take “other appropriate steps” to protect all other affected accounts. Nebraska, on the other hand, treats login credentials the same as all other personal data elements, requiring written (hardcopy) notice of a breach to individuals as well as to the Nebraska Attorney General.
Biometric information
In 2016, both Oregon and Illinois (eff. January 2017) amended their statutes to include biometric information. Biometric data is typically defined to include a fingerprint, voice print, retina or iris scan, or facial imaging or facial geometry; the Illinois definition is broader, however, including “unique biometric data generated from measurements or technical analysis of human body characteristics” used by the entity to authenticate the individual, “such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data.” Several other states, including Connecticut, Iowa, Kentucky, Nebraska, Wisconsin and Wyoming, also include biometric information in their breach notice statutes.
Medical and health insurance information
HIPAA requires covered entities and business associates to notify if a security breach involves protected health information, but states are increasingly including health information in state breach notification laws in an attempt to capture health-related breaches that fall outside the HIPAA context. In 2016, Rhode Island, Oregon and Illinois amended their data breach statutes to include medical and health insurance information. Rhode Island’s statute covers “medical or health information” generally. The amendments to the Illinois and Oregon statutes are much more descriptive, including a health insurance policy number or subscriber identification number as well as any information about an individual’s medical history, mental or physical condition, or a medical treatment or diagnosis by a health care professional. Illinois further specifies that medical information “includes such information provided to a website or mobile application.”
The encryption exception
Many state data breach statutes specify that a breach involving personal data requires notice only if the data is unencrypted or if the data was encrypted but the encryption key was also lost. Most statutes, however, have not defined “encryption.” California’s 2015 statutory amendment (eff. January 2016) clarified that “‘encrypted’ means that the information has been rendered unusable, unreadable or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.” In 2016, Rhode Island took things a step further, specifying that information is considered to be “encrypted” if it is obscured via a “one hundred twenty-eight (128) bit or higher algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key.” Rhode Island is the first state to specifically denote a methodology that satisfies the encryption exception to consumer notice requirements.
Trends and predictions
The trend to expand the types of personal data subject to breach notice obligations will likely continue unabated as states seek to keep up with trends in cybersecurity and the threat landscape. The expansion of personal data definitions to include login credentials is a trend likely to continue, as consumer notification can help to mitigate the harm caused by a compromise of personal accounts. As biometric authentication becomes more prevalent, and as hackers figure out how to replicate and exploit biometric data, we may see more amendments to include biometric data as personal information protected by breach notice statutes. It will be interesting to see if other states follow Rhode Island’s lead in specifying methodologies or data security standards which must be met in order to take advantage of the encryption exception.
Given the subtle variations among the state statutes, responding appropriately to a breach requires attention to detail and a nimble approach. This task is not made easier by the frequency of statutory amendments and updates. Persistent monitoring of new legislation will continue to be important, as legislative activity does not appear to be slowing down.
Special thanks to Sulina Gabale for her contributions to this article.