Data Security Breach Laws Remain the Province of the States


With 44 states and the District of Columbia having breach notification laws on the books, California, the first state in the nation to enact such a law, is proposing to amend its law (SB 20) to require notification of breaches to the attorney general (a requirement already contained in many other states' laws) and to require "plain language" in the notices sent to consumers. Missouri is considering a law that would make it the 45th state with a breach notice law and the first to impose criminal penalties for a failure to notify individuals of a data security breach involving their personal information.

Other states are considering new breach liability provisions. For example, a New Jersey bill (A. 2270) would make retailers liable to banks for breaches of payment card data and would also subject every entity covered by the state's existing data breach notification law to liability to banks for breaches of any protected personal information.

Thus, the legal regime for protecting consumers from identity theft when their personal information is exposed through a breach of data security remains the province of the states, with Congress considering, but yet to enact, a nationwide consumer notification law. Regulation S-P, the SEC's implementation of the Gramm-Leach-Bliley Act, was widely expected to be amended by year-end 2008 to provide clearer guidance on when entities supervised by the SEC must provide notification of data breaches, but the amended regulation is still pending.