model. Congress has followed suit with several bills of its own, all designed to impose security breach notification requirements on a nationwide basis. And several banking regulatory agencies have adopted regulations that also require notification of security breaches involving sensitive personal information. 122
The Basic Obligation
Taken as a group, the state and federal security breach notification laws generally require that any business in possession of sensitive personal information about a covered individual must disclose any breach of such information to the person affected. The key requirements, which vary from state to state, include the following:
Type of information – the statutes generally apply to unencrypted sensitive personally identifiable information – e.g., information consisting of first name or initial and last name, plus one of the following: Social Security number, driver's license or other state ID number, or financial account number or credit or debit card number (along with any PIN or other access code where required for access to the account).
Definition of breach – generally the statutes require notice following the unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of such personal information. In some states, however, notice is not required unless there is a reasonable basis to believe that the breach will result in substantial harm or inconvenience to the customer.
Who must be notified – notice must be given to any residents of the state whose unencrypted personal information was the subject of the breach.
When notice must be provided – generally, persons must be notified in the most expedient time possible and without unreasonable delay; however, in most states the time for notice may be extended for the following:
Legitimate needs of law enforcement, if notification would impede a criminal investigation
Taking necessary measures to determine the scope of the breach and restore reasonable integrity to the system
122 See Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, 12 C.F.R. Part 30 (OCC), 12 C.F.R. Part 208 (Federal Reserve System), 12 C.F.R. Part 364 (FDIC), and 12 C.F.R. Part 568 (Office of Thrift Supervision), adopted in March 2005. These regulations require financial institutions to develop a response program to protect against and address breaches of the security of customer information maintained by the financial institution or its service provider. Such a program must include procedures for notifying customers, as well as regulatory and law enforcement agencies, about incidents of unauthorized access to customer information that could result in substantial harm or inconvenience to the customer. The rules also require the financial institution to offer assistance to customers whose information was the subject of the incident (e.g., inform customers of their rights, recommend actions that they should take, assist them in the process, etc.).