
California enacted the first data loss disclosure law in 2003, requiring companies and organizations that lose personal information to inform the individuals whose data has gone missing. Since then, 46 other states have passed similar laws. On Sept. 30, California Gov. Jerry Brown signed into law an amendment that toughens the Golden State’s pioneering legislation in several ways.

In the wake of massive data breaches at Target, Neiman Marcus, Michaels, PF Chang’s and Home Depot, California now appears to require organizations that lose certain types of data to supply “appropriate identity theft prevention and mitigation services” to each victim at no cost for 12 months. At least that’s how this amendment was widely viewed. However, legal experts say two little words inserted into the version signed by Brown muddle the mandatory nature of this new rule.

California’s law now also extends to companies that “maintain” personal data, not just own or license personal data. And in California it is now illegal to “sell, advertise for sale, or offer to sell” someone’s Social Security number.

ThirdCertainty asked Eduard Goodman, IDT911’s chief privacy officer, about the wider significance of California’s move. [Editor’s Note: IDT911 is the corporate sponsor of ThirdCertainty.]

Slippery Language

3C: Can you unmuddle this? What exactly is now being required?

Goodman: The original version of this bill read almost identically to how it was passed. However, the version signed into law adds the words “if any” to refer to the offer of “appropriate identity theft prevention and mitigation services.” The inclusion of this language now muddies the statute. It would appear that the legislative intent to mandate that monitoring, prevention and mitigation services be offered in certain situations has been gutted.

Instead, the law now simply provides that IF any services are supplied to support the victims of the breach, the institution offering it must indicate that the service offered is provided at no cost to the affected person; provide the service for not less than 12 months; and provide all of the information necessary to take advantage of the offer to any person. The language is a bit confusing and I have a strong feeling the actual meaning will eventually be tested and interpreted by the courts in the coming year or two.

3C: Don’t companies who admit big breaches already do this on their own accord?

Goodman: Larger companies do tend to offer free services in the wake of a breach. This usually comes in the form of credit monitoring services. Smaller companies may not have proper insurance or enough money in reserves to cover breaches. Many smaller companies do not opt to offer any form of assistance and will often, based on cost constraints, simply provide the required notification of the event.

3C: The devil is always in the details. How do you expect this to actually play out over time, in terms of resulting in a material benefit to victims?

Goodman: I hope it results in companies giving credit monitoring services in cases where it is useful, such as breaches that involve stolen SSNs, rather than in cases where it is a distraction, as with payment card breaches. There are generally accepted best practices in responding to breaches. Providing more robust support services is called for in higher-risk situations, such as when there is a targeted theft of personal information. And lower-level courtesy services are adequate for lower-threat scenarios, in cases when information is lost or misplaced. Unfortunately the statute provides no real guidance as to what “appropriate services” are.

Accountable for ‘Maintaining’ Data

3C: What’s significant about extending data security responsibilities to organizations that maintain data?

Goodman: Previously the requirement to implement and maintain reasonable security measures was only incumbent upon those who “owned or licensed” personal information. However, the extension now applies to anyone that also maintains personal data. The definition of “maintains” is vague at best. Essentially, the requirement means that if you HAVE personal information in your company’s possession, whether you own or license it or just hold it for another, you now need to provide for its security as well. Seems common sense, but the statute fell short on that requirement in the past.

3C: What’s the thinking behind banning the sale of SSNs? That seems like an obscure scenario.

Goodman: The practice is not as obscure as you may think. This happens in all different types of situations, whether it be desperate parents who sell their children’s SSNs to help make ends meet, or the buying and selling of the SSNs of the deceased by getting access to the Death Master File. This just seems to be one more way to crack down on the illicit trade in identity information in California, one of the states with consistently high rates of ID theft.

3C: What drove California to make these changes?

Goodman: California, unlike most states with data breach notification requirements, does NOT take a set-it-and-forget approach to their privacy legislation. The regulation has already been modified prior to this, just last year. In addition, California is at the forefront of these areas. Originally, the intent was to make offering support service to breach victims a mandatory requirement, which, as already discussed, was not the end result here. Keep in mind this is just one of many areas where California has been trying to tighten privacy laws, with education privacy being one of the next main areas that will be tackled.

3C: What’s going on in other states? Are others moving to expand data loss rules and responsibilities?

Goodman: One of the big trends we’ll start to see is the expansion of education-related privacy legislation passing in multiple states. These new laws focus on privacy of education information for children in grade school through college and grad school. In addition, other states are expanding their laws to cover paper records, not just digital data, and to start tightening the time frames for required notifications to be sent out.

3C: The drive for a federal data loss disclosure law seems to have lost steam. Where does that stand?

Goodman: The problem with federal attempts is that they all tend to weaken the consumer protection already in place in the 47 different states with breach notification laws. In addition, Congress seems to be more willing to weaken these laws based on pressure from industry groups and special interests whereas on the state level these influences seem more limited. In the end I wouldn’t hold my breath for any more talk of a breach notification bill until after the mid-terms. More realistically we may not hear anything about it federally until after the 2016 election cycle.
