States Move Forward on Breach Notice While Waiting on Congress

With federal legislation pending in various forms since 2006, the states are not standing still. Illinois amended its breach notice statute effective 1/1/2012. http://ilga.gov/legislation/publicacts/fulltext.asp?Name=097-0483. The amendment adds many of the lessons learned since the Illinois statute was originally enacted in 2005. These changes include (a) providing information on how to contact consumer reporting agencies [I would hope that Illinois meant the three national CRAs] and how to initiate a credit freeze; (b) a delay for a law enforcement hold; (c) treatment of third parties holding the data of others; and (d) a disposal rule. Interestingly, the amendment prohibits disclosing in the notice the total number of consumers affected; a good modification to better promote security.

Just as Massachusetts enacted a law imposing minimum data security requirements on every company doing business in the state, Texas amended its consumer notification obligations to apply not only to residents of Texas, but also to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person from a person who “conduct business in” Texas. The amendment specifically requires notification of data breaches to residents of states that have not enacted their own notification law. Penalties also changed from a maximum of $50,000 under the old law to $100 per individual per day of failed or delayed notification, not to exceed $250,000 for a single breach. http://www.legis.state.tx.us/tlodocs/82R/billtext/pdf/HB00300F.pdf


Posted by Ron Raether
Data Security
August 29, 2011