Article by Richard Santalesa
While well known in information security circles that today 47 states, D.C., Puerto Rico and the Virgin Islands have enacted data breach notification statutes, these statutory regimes aren’t fixed in granite.
Last year, to name a few, California, Illinois and Texas amended their respective breach notification statutes (with Texas purporting to extend its notification law to all individuals, not merely Texas residents).
But more recently Vermont and Connecticut updated their existing breach notification statutes, highlighting the need to closely monitor state legislatures, particularly end of session happenings.
Connecticut’s update to its existing data breach notification statute, codified at Section 36a-701b of the Connecticut General Statutes, occurred during an end of term Special Session tucked away within a six hundred+ page set of house and senate budget bills.
Much time and ink has been spent parsing, explaining and setting odds on the eventual passage of the steady stream of data security and breach-related bills that spring up in Congress like mushrooms after a rain, and then – at least to date – wither away once the sun comes out.
Outside of HIPAA/HITECH, the action in data breach notification laws has and continues to remain primarily at the state level, with Vermont and Connecticut's changes highlighting a distinct notification trend.
On May 8th, Vermont amended its Security Breach Notice Act, as codified at 9 V.S.A. § 2435. The amendment was part of a broader bill addressing various consumer protections and amendments to the SBNA were effective as of the bill's passage on 5/8/12. The changes included:
- Adopting the broadly used industry-standard term of “personally identifiable information” rather than Vermont’s previous use of “personal information”.
- Modifying the definition of “security breach” to now mean an unauthorized acquisition of “electronic” data or "reasonable belief of an unauthorized acquisition...". Previously the statute read “unauthorized acquisition or access of computerized data,” and apparently in recognition of the frequent difficulty in determining triggering “access” the Vermont legislature deleted the term.
- Adding four “factors” – which are not exclusive - for determining whether there’s been acquisition or reasonable believe of same.
- Requiring breach notice to Vermont residents within 45 days after discovery of the breach, which now sets a firm cap on the previous open ended notification to be performed in the “most expedient time possible and without unreasonable delay….” The notice must also now include the “approximate date of the security breach” in addition to the previous list of information required to be contained in the consumer notice.
- Requiring notice to the Attorney General within 14 business days following when the breach was discovered or the date Vermont residents were notified (but expressly excluding entities licensed or registered with Vermont’s department of financial regulation). The notification to the AG must include at least: the date of the breach; the number of Vermont residents breached, the date of discovery of the breach and a “preliminary description of the breach.” If the date when the breach occurred is unknown at the time notice to the AG is required the date of the breach must be sent thereafter “as soon as it is known.” A copy of the notice provided to the consumers must also be sent to the AG.
As a side note, the actual enacting Bill (H.254), No. 109, An act relating to consumer protection, contains the same Section 2435(h) as the current statute, which exempts various law enforcement agencies from notification and reads: “(h) Vermont law enforcement agencies, including the department of public safety, shall not be considered a data collector.
Except as provided in subdivisions (b)(2) and (b)(3) of this section, Vermont law enforcement agencies, including the department of public safety, shall be exempt from this subchapter.” However, the Vermont legislature’s website of statutes, which apparently hasn’t been updated to reflect the May 8th amendment, still states “Subsection (h) repealed effective June 30, 2012; see note set out below.”
Connecticut’s legislature amended its own data breach notification statutes, effective as of October 1, 2012, when it ended the term last week with a marathon Special Session focused on two budget bills (H.B. No. 6001 and S.B. No. 501) totaling approximately 664 pages.
The bill shoehorned in was essentially a copy of H.B. No. 5427. That bill had been raised back in March, promptly stalled, and then apparently some member of the legislature working on the budget bill figuratively spotted it forlornly propped in the assembly’s umbrella rack where it was grabbed, dusted off and with no further debate popped into the House’s Bill at at line 4427 on page 162, to join budget allocations of $127K for daycare in the capitol and $13.8MM for state IT Services.
Rather than amend CT’s data breach notification law piecemeal, the Bill actually repeals it in full and replaces it with the amended version. While the replacement statute is essentially the same as the current one it replaces, it does slightly clarify the definition of what “breach of security” means, but more significantly adds the requirement that the Connecticut Attorney General’s office must be noticed via a new subsection (b)(2), which reads:
“If notice of a breach of security is required by subdivision (1) of this subsection, the person who conducts business in this state, and who, in the ordinary course of such person's business, owns, licenses or maintains computerized data that includes personal information, shall not later than the time when notice is provided to the resident also provide notice of the breach of security to the Attorney General.” (emphasis added).
Unlike Vermont’s modified breach notification statute, notification to the CT Attorney General isn’t required within a new compressed timeframe.
Subsection (c) is additionally modified to expressly state that the statute’s notification requirements are applicable only to personal information of “a resident of this state” and other portions updated to reflect the new notification required to the Connecticut Attorney General.
Violations of the statute continue to be deemed unfair trade practices under Connecticut’s Unfair Trade Practices Act (commonly known as “CUTPA “) and enforceable by the Attorney General, with no private right of action.
Together the changes to Vermont and Connecticut’s breach notification regimes distinctly point to a trend in such state statutes, if they don’t already provide for it, of including required notification to the state’s Attorney General on either an accelerated or parallel timeframe for notification to affected residents.
The recent modifications highlight yet again that states remain active in updating and changing their breach notification frameworks, sometimes without significant advance notice, as Connecticut’s latest Special Session reveals.
Companies operating in multiple states, or even within one state but that gather the personally identifiable information of residents from other states, should continue to take measure to stay abreast of the breach notification regimes in the states applicable to their business practices.
As always, feel free to contact me or any member of the InfoLawGroup team to discuss these statutes further or how they may impact your information security and breach notification plans.
Cross-posted from InfoLawGroup