California, Florida, Kentucky, and Iowa have changed their security breach notification requirements in the past few months: California passed legislation effective January 1, 2015, that for the first time, addresses identity theft prevention and mitigation services in certain circumstances; Florida expanded its statute to include login credentials and health information as triggering notice obligations, as well as adding other requirements; Kentucky enacted a notification statute for the first time; and Iowa added a requirement that the Attorney General be notified of a breach that affects more than 500 Iowa residents. Existing incident response plans should be updated to take these changes into account.
On September 30, 2014, California Governor Jerry Brown signed A.B. 1710 into law. The legislation amends Cal. Civ. Code § 1798.82, which specifies data breach notification requirements for entities conducting business in California. As of January 1, 2015:
If the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information [involving social security, driver’s license, or California identification card numbers].
Note that although California data breach notification requirements also may apply to breaches involving financial account numbers, medical information, health insurance information, and online account login credentials, this additional requirement does not apply to breaches involving only those types of information.
In addition to the changes to the notification requirements, the legislation extends the mandate to implement reasonable security procedures to encompass businesses that “maintain” (not just “own” or “license”) personal information. Cal. Civ. Code § 1798.81.5. (The breach notification requirements already applied to businesses that only “maintain” personal information.) Also, the bill includes additional protections for social security numbers, adding prohibitions on selling, advertising for sale, or offering to sell social security numbers, with limited exceptions. Existing law prohibits publicly posting or displaying social security numbers. Cal. Civ. Code § 1798.85(a)(6).
Effective July 1, 2014, Florida residents must now be notified when a data security breach incident compromises login credentials or health information, among other changes to the state’s statute.
On June 20, 2014, Florida Governor Rick Scott signed into law the Florida Information Protection Act of 2014 (“FIPA”), repealing Fla. Stat. § 817.5681 and replacing it with Fla. Stat. § 501.171, which is more far-reaching.
Expanded Security Breach and Personal Information Definitions
Prior to FIPA, Florida required breach notification only in connection with breaches involving (1) all or part of an individual’s name plus social security number, driver’s license or Florida identification card number, or financial account number in combination with any required security or access codes, and (2) unauthorized acquisition of computerized data that materially compromised the security, confidentiality, or integrity of the personal information (“PI”).
“Security breach” is now expanded from “unauthorized acquisition” of data to any unauthorized “access” of data in electronic form containing personal information, without regard to whether the breach materially affected the security, confidentiality, or integrity of PI maintained by an entity. Additionally, the definition of PI that requires breach notification has been expanded to include username or email address, in combination with a password or security question and answer, as well as “medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional” or health insurance information in combination with a person’s first name or initial and last name.
Notification Requirements Added and Expanded
Changes to Individual Notice: The new law makes several changes to the content and timing of notice to affected individuals.
Notice must be provided within 30 days of determination of a breach (shortened from 45 days).
Notice must now include certain elements, at a minimum: (1) the date, estimated date, or estimated date range of the breach; (2) a description of the PI that was accessed or is believed to have been accessed; and (3) the entity’s contact information that can respond to affected individuals’ inquiries.
Entities may give notice by email, regardless of whether the affected individual has previously consented to electronic notice.
New Attorney General Notice: The new law requires notification to the Department of Legal Affairs (“Department”) about breaches that affect 500 or more individuals in Florida. Within 30 days of determining a breach or reason to believe a breach occurred, entities must submit a written report including:
a synopsis of the events surrounding the breach;
the number of potentially affected Florida residents;
services that the entity will offer at no charge to affected individuals and instructions for accessing the services;
a copy of the notice to individuals or an explanation of other actions taken to notify the affected individuals; and
contact information of the entity's representative responsible for providing information about the breach.
The Department may also request investigative reports, copies of breach response policies, and remediation steps taken since the breach. A companion bill passed at the same time as the revisions requires that all breach-related information submitted to the Attorney General or law enforcement be kept confidential and exempt from the public records requirement.
Finally, violation of the data breach law will now allow the Attorney General to bring an unfair trade practices action in addition to imposing civil fines, which were previously available.
This spring, Kentucky became the 47th state to enact a security breach notification statute, leaving Alabama, New Mexico, and South Dakota as the only states without such legislation. Kentucky’s law applies to any person or entity doing business in Kentucky.
Effective July 15, 2014, Ky. Rev. Stat. § 365.732 covers security breaches that involve the “unauthorized acquisition of unencrypted and unredacted computerized data that compromises the security, confidentiality, or integrity of personally identifiable information . . . that actually causes, or leads the information holder to reasonably believe has caused or will cause, identity theft or fraud” against a Kentucky resident.
Kentucky’s new statute defines “personally identifiable information” to include a person’s first name or initial and last name plus at least one of the following data elements when the name or data element is not redacted: (1) social security number; (2) driver’s license number; or (3) account number or credit or debit card number, in combination with any required security code, access code, or password to permit access to an individual’s financial account. Notification must be made to all affected Kentucky residents, but the law specifies no requirements for content of the notice.
Iowa’s legislature amended its breach notification statute, Iowa Code §§ 715C.1–715C.2, to expand the definition of a security breach and to require that the Attorney General be notified if the breach affected more than 500 Iowa residents. Specifically, effective July 1, 2014:
Breach of security means “unauthorized acquisition of personal information maintained by a person in any medium, including on paper, that was transferred by the person to that medium from computerized form and that compromises the security, confidentiality, or integrity of the personal information.” Previously, the definition of “breach” was limited to computerized information.
If the security breach affected more than 500 Iowa residents, then the person or business suffering the breach must notify the Consumer Protection Division of the Iowa Attorney General’s Office within five business days of notifying the consumer.
“Personal information” triggering notification requirements was expanded to include situations not only where data is unencrypted, but also where the name or data elements have been encrypted or redacted, but the keys to unencrypt, unredact, or otherwise read the data elements have been obtained through the breach of security. The amendment also clarifies that in addition to security codes, access codes, or passwords, financial account numbers in combination with an “expiration date” that would permit access to a financial account triggers notification obligations.
All entities that conduct business with residents of these states should assess their current data security procedures and breach protocols. In particular, the Florida statute, by now including login information, applies to all companies that do business with Florida residents through online accounts, many of whom do not otherwise hold information that triggered breach notification requirements under the old statute.
For a summary of current breach notification requirements in each state, D.C., and Puerto Rico, please visit our Security Breach Notification Chart.