Have Your Data Breach Reporting Obligations Been Heightened?
Companies storing personal information related to residents of California, Florida, Illinois, Nebraska, Nevada, Rhode Island, or Wyoming beware—your data breach reporting obligations are increasing.
As cyber security risks continue to grow, so too do state data privacy and notification laws. Among other recent trends, several states on the forefront of data privacy protection have expanded the scope of their data privacy and notification laws by broadening the statutory definition of personally identifiable information (PII). While states initially defined PII narrowly to include “basic” information like driver’s license numbers, Social Security numbers, or financial account information in combination with a security code, at least seven states have recently widened their approach as threats to data privacy rise. Most notable of the developments is the expansion of the definition of PII—for purposes of a state’s data breach notification statute—to include information that would permit access to an online account.
As with most data breach notification trends, California’s legislature began the movement in 2013 when it passed a bill that enlarged the coverage of its existing data breach law by defining PII as including: “a username or email address, in combination with a password or security question and answer that would permit access to an online account.”
Cal. Civ. Code § 1798.82(h)(2). Since 2013, at least seven states have similarly expanded the definition of PII by passing comparable legislation. Although some states have employed variations of the language used in California’s data breach notification statute, the result is generally the same—when a company that stores information that would allow access to an online account experiences a data breach, the company must now comply with the state’s data breach notification laws.
The impetus for the trend is simple. It appears states are increasingly acknowledging that if a third party gained unauthorized access to an individual’s credentials for one account, the individual’s other accounts may also become compromised. The Committee analysis from the California bill explains this concept well:
[R]equiring disclosure of security breaches involving user names, passwords, or security questions and answers would allow those whose information has been disseminated to take actions to minimize the impact of that disclosure. As Privacy Rights Clearinghouse notes, ‘[m]any individuals compound their exposure to financial loss and theft of personal data [because] they use the same password or username or answer to a security question for some or all of their online accounts.’ Consequently, ‘a breach of one online account can have a cascading effect upon the user's other accounts.’ If existing disclosure requirements were expanded to include disclosures of security breaches involving user names, passwords, and security questions and answers, California residents would be better equipped to proactively change their passwords and other login credentials on other online accounts before those accounts are compromised.
As states aiming to protect the data privacy of their citizens will likely continue to expand the definition of PII, companies must continually monitor their reporting obligations. For additional information about the potential implications of this trend or any other matter related to data breach notification, please contact any member of the Ice Miller Data Privacy and Security practice group.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.