Breach notification statutes have been enacted in 47 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands. Only Alabama, New Mexico and South Dakota have not adopted such laws. In general, a business has no obligation to provide notification unless a breach compromises “personal information.” There is no uniform definition of “personal information”; each state’s breach notification statute defines the term for itself, and the definitions vary from state to state. There are, however, common elements found in all state statutes. For instance, every statute defines “personal information” to include an individual’s first name (or first initial) and last name in combination with a Social Security Number, driver’s license number, state ID number, or financial account number together with the access code needed to use it.
But the statutes in 25 states include additional elements that create significant differences and broaden the definitions of “personal information.” For example, California and Florida have added user name and password to the definition. Wyoming includes birth and marriage certificates. Oregon includes passport numbers. Arkansas, California and Missouri include medical information, and California and Missouri include health insurance information. Iowa’s statute includes as “personal information” unique biometric information such as a fingerprint, retina or iris image. Wisconsin’s statute includes an individual’s DNA profile. Maryland’s definition includes taxpayer identification number. North Dakota includes a person’s date of birth, mother’s maiden name, employer-provided identification number and an electronic signature as “personal information.” These are just some of the differences.
This patchwork of state requirements exists because of the absence of a universally applicable federal law on the subject. But even proposed federal bills do not necessarily agree on an appropriate definition of personal information.
In January 2015, the White House released a draft of the proposed Personal Data Notification and Protection Act, whose definition of “personal information” includes a name in combination with home address, telephone number, mother’s maiden name or date of birth. In February 2015, the White House released a draft of the proposed Consumer Privacy Bill of Rights Act of 2015, which defines “personal information” more broadly than any state law, reaching such data elements as a name in combination with an email address, fax number, and/or vehicle identification number.
Congress has been debating a uniform federal bill for nearly 10 years, and disagreement remains within its ranks, as well as among Congress, the White House and federal regulators, about the best approach. Despite continuing chatter about federal legislation, whether a bill can get through this Congress to the President’s desk, and whether the President will sign something that this Congress sends him, remains to be seen.