InfoLaw Update: Data Breach Legislation

Posted on: November 26, 2007

Attention: Database Owners/Users

Two more states have adopted laws requiring database owners (and in some cases, businesses that just store and maintain database lists) to notify everyone on their list of a breach to the database. Additionally, you must notify the attorney general of your state or appropriate consumer agency.

In most cases the Database Breach Notification laws apply to personal information containing name and one of the following: Social Security Number, Drivers License Number, State ID Card, Passport or Financial Account Information with password or security code information. A breach is an unauthorized acquisition or use of the data.
The following states have laws now on the books: AZ, ARK, CA, CO, CT, DE, FL, GA, HI, ID, IL, IN, IA, KS, LA, MA, ME, MI, MN, MT, NB, NV, NH, NJ, NC, ND, OH, OK, OR, PA, RI, TN, TX, UT, VT, WA, WS.

More states are expected to add laws if they don’t have them and federal regulation is likely. Penalties for non compliance are calculated per name so they can be expensive.

Steps to take:
1. Maintain a control data security policy
2. If you have a breach, immediately determine if your state has a law
3. Contact your attorney for specific step by step procedure in your state for compliance.