By Daniel C. Soldato
Data breaches, particularly those involving consumer and other private information, are an increasing public concern and a regular headline in the daily news. We routinely hear of incidents in which electronically stored customer information is lost by or stolen from businesses, including health care companies, retailers, and telecommunications companies. These risks grow with the spread of mobile devices in the workplace (laptops, tablets, flash drives, smartphones) and of mobile apps among consumers. Electronic data that is not adequately secured is exposed both to physical theft of the device that holds it and to electronic theft through hacking, malware, and similar means. In light of the rise in data breach reports, this week the Consumer Financial Protection Bureau issued an advisory bulletin guiding consumers on protecting their personal information after the recent high-profile breaches involving debit cards and other payment data (e.g., Target, Michaels, Neiman Marcus). Prompt notice to consumers that their data has been breached is seen as another way to limit the resulting harm, since it lets them monitor their accounts and take protective steps before the data is misused.
Data Breach Laws. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Section 5 of the Federal Trade Commission Act are two federal laws under which federal agencies protect the confidentiality of sensitive personal information such as health information, Social Security numbers, and other personally identifiable information. Many states have enacted laws with a similar aim. One common example is a breach notification law, which requires a business entity to notify affected individuals when their personally identifiable information has been breached or compromised.
Kentucky is one of a handful of states that have yet to enact a breach notification law. However, on January 21, 2014, Representative Steve Riggs introduced HB 232, which, if passed, would set new standards and requirements for notifying affected individuals in the event of a breach of their personally identifiable information. The Bill is now under consideration by the House Labor and Industry Committee.
As currently drafted, the Bill would apply to all Kentucky businesses and governmental entities that own or license computerized data, except for financial institutions covered by the Gramm-Leach-Bliley Act. A covered entity would have to disclose any unauthorized acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of personally identifiable information, and it would have to give that disclosure to the Kentucky residents whose unencrypted personally identifiable information was, or is reasonably believed to have been, acquired by an unauthorized person. Two features of that trigger matter in practice: the duty attaches only to unencrypted data, so encrypting stored personal information functions as a safe harbor under the Bill as drafted; and a reasonable belief that the data was acquired is enough to trigger the duty, so proof of actual acquisition is not required before notice is owed.
“Personally identifiable information” means data capable of being associated with a particular customer through one or more identifiers, including but not limited to a customer’s name, address, telephone number, electronic mail address, fingerprints, photographs or computerized image, Social Security number, passport number, driver identification number, personal identification card number or code, date of birth, medical information, financial information, tax information, and disability information.
The Bill is flexible as to the timing of notification. Notice must generally be written or electronic (electronic notice must be consistent with Federal law regarding electronic records and signatures), although substitute notice is allowed in certain circumstances. A business may be liable for civil damages for injury caused by its failure to provide timely notice; governmental entities are exempt from this civil damages provision.
The proposed law resembles breach notification laws adopted in many other states, including Mississippi and Tennessee. In fact, the Kentucky Bill is almost identical to Tennessee's current breach notification law, with one notable exception: the definition of “personally identifiable information,” which is broader under the proposed Kentucky law and would therefore cover more data than Tennessee's definition does. Neighboring Indiana, for comparison, requires notice of a breach of unencrypted information that could result in identity theft or fraud affecting an Indiana resident.
Kentucky has attempted to pass similar breach notification legislation before. Bills introduced in 2008 and 2010 would, if enacted, have required notice to individuals upon discovery of a breach of the security of their personal information; neither became law. Given the recent surge in public interest in data breaches and the magnitude of recent breaches of personally identifiable information, however, this legislation may have the public and legislative support to become law. If so, Kentucky would, like many of its surrounding states, require notice to affected Kentucky residents in the event of a breach of their personally identifiable information.