A recent publication from the National Conference of State Legislatures has highlighted several intriguing trends in recent and upcoming data breach legislation. Given most states' reactive nature, the 2013 holiday season generated a “we must do something!” response in many state capitols following the front-page data breaches at Target and Neiman Marcus.
In the face of Congressional gridlock (after all, the past five years have seen numerous federal data breach and related bills introduced only to languish without votes) and the steady rise of data breaches and cybercrime, individual states are – for better or worse – at the forefront of data security. Most notably, nineteen states have moved to introduce legislation that would protect consumers from future data breaches (including Arizona, Vermont, New Mexico, Massachusetts, Florida, Delaware, New York, Iowa, Louisiana, Kentucky, Minnesota, Missouri, Nebraska, Oklahoma, Pennsylvania, Rhode Island, South Carolina, New Jersey, and California).
These proposed state statutes contain provisions aimed at adding or providing consumer-oriented protections, such as free credit reports, mandatory notifications regarding data breaches, and identity theft services in case of a data breach. Various states, such as California, have also called for increased security for Protected Health Information (PHI) on state health exchanges. For example, California’s AB 1560 would prohibit exchanges from releasing patient data to third parties to determine eligibility or sign up the patient for coverage.
Other states, like Florida, have drafted provisions that would require businesses to use encryption to protect personal and sensitive financial information – joining Nevada and Massachusetts. Notably, Florida’s bill, SB 1524, goes one step further, stating that “[e]ach covered entity, governmental entity, or third-party agent shall take reasonable measures to protect and secure data in electronic form containing personal information and prevent a breach of security.”
While these measures are noteworthy, it remains to be seen whether most of these potential new statutes will be enacted or prove effective. Furthermore, most of the proposed statutes lack the proverbial “legal fangs” to indemnify consumers and major institutions against intricate and well-planned schemes like Operation High Roller. This infrequently discussed data breach ultimately led to at least $78 million being taken from bank accounts around the world, employing malware and automated attacks to carry out the digital heist. All things considered, this may seem like an infinitesimal amount of capital to some, but a much larger attack could leave institutions and consumers without proper financial protection, or with varying degrees of legal impunity (for businesses).
If you would like to discuss these recent state efforts or how they may impact your data security and risk management programs, feel free to contact us at 203 307-2665 or info@SmartEdgeLawGroup.com.
Law clerk John Pritsiolas contributed to this article.