Why State Data-Breach Laws May Not Protect You
For various reasons, the current Congress hasn't passed any federal cybersecurity legislation. Because of this, the most important consumer-related cybersecurity rules are the data-breach notification laws in force in most states.
That's not to say there is no federal regulation of data breaches. But what exists applies only to very specific industries.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and modifications to it under the American Recovery and Reinvestment Act of 2009 require the health-care industry to notify affected patients and the government if patient information is compromised. That's one reason hospital data breaches often make news.
Under the Gramm-Leach-Bliley Act of 1999, some financial institutions are subject to similar guidelines regarding client information.
That’s a start, but for most industries and organizations, there are no federal guidelines. Regulation and enforcement are left up to the states.
Despite the Internet having no borders, and the likelihood that a resident of one state will have his or her information stored in a data center in another state, there is no consistency in the state data-breach notification laws.
In fact, there's nothing compelling a state to enact any type of data-breach notification law at all. Alabama, Kentucky, New Mexico and South Dakota have none.
So what exactly do the laws in the other 46 states set out to do?
According to the Better Business Bureau's website, "data-breach notification statutes generally require businesses that have personal information about residents within a state to notify those residents if someone who is not authorized acquires that information."
Note the phrase, "residents within a state." If you are a resident of the state where the breach occurred, and if the state has a data-breach notification statute, then the company needs to notify you within the time frame dictated by the law.
But what if you happen not to live in the state where the breach occurred? It's not clear.
"The laws of the states where a consumer does not live do not apply," said David Duncan, director of software and security solutions at Imation, a data-storage and data-security provider in Oakdale, Minn.
"It is the businesses' responsibility to notify the state in which a customer is a resident — based on the information that the company has of a consumer's location," Duncan said.
From hot to cold
Imation has developed an online "heat map" that shows how strict the data-breach laws are in each state, plus the District of Columbia, Puerto Rico and the Virgin Islands.
For the general consumer, a quick look at the map will give an idea how his or her state ranks. A resident of Virginia, for example, might be happy to learn that the state's laws are the most stringent on the books.
The state data-breach laws cover everything from the amount of time a company has to notify customers after the discovery of a data breach to what kind of information needs to be encrypted.
What makes a data-breach law strong or weak is what the law actually covers, said Justin Sulhoff, director of security services with Megaplan-IT, a data-security provider and consultancy in Lake Bluff, Ill.
"Major differences include encryption rules, what data falls within scope of the laws, notification of data loss [or] theft, destruction of sensitive data and, of course, fines for non-compliance," Sulhoff said.
Why does it matter if a state has strict or weak individual laws? It matters because states differ wildly in rates of data breaches.
"Companies in the computer-software, IT and health-care sectors accounted for 93 percent of the total number of identities stolen in 2011," said Sulhoff, citing figures from Symantec's Internet Security Threat Report of April 2012.
"Back in 2009, HIPAA architects established a breach-notification rule, so the health-care industry provides the best data to answer this question," said Sulhoff. "States with a high population, like California and Texas, accounted for the most data breaches overall, but things change if you look at the rate per 1,000 people.
"In that case, Virginia, Utah, D.C., New Hampshire and Tennessee are the top five worst states for health-care data breaches," he said. "In 2011, Maine and Vermont had zero breaches."
However, there's no financial incentive to set up shop in a state that mandates less security or has weaker laws.
"Unless you're planning to circumvent the law, there is no added benefit to working with a data center in one of the few states that have no such notification laws," said Sulhoff.
"It's important to note that most regulatory compliance frameworks transcend state boundaries," he said. "While data-breach laws (or privacy laws) may be derived from the state or federal level, there are other governing bodies (i.e. payment card brands and the PCI Security Standards Council) that develop standards that companies need to comply with regardless of where they do business in the U.S."
Consumers can usually find out easily what their state laws say. If you believe you are a victim of a breach, the Federal Trade Commission provides a list of actions you can take, from requesting credit scores to contacting government agencies.
As for actual federal data-breach laws, national cybersecurity legislation likely won’t be discussed again until the next session of Congress.
Whenever that happens, Duncan has a list ready of what he'd like to see established by a federal law:
— Definition of what constitutes non-breach loss of personal information, such as a storage device that is misplaced but not known to be lost or stolen
— Minimum thresholds to trigger notification of consumers
— Lesser thresholds that result in alternative notifications or remediation (for example, a free report from a credit-reporting service)
— Maximum amount of time allowed before consumers must be notified
— Consistent requirements for federal, state and local reporting and notification
— A uniform set of penalties
If such a federal law ever comes to pass, the onus of protecting oneself from corporate or government cybersecurity breakdowns may no longer fall on innocent consumers who have no control over how their personal data is stored.