As new reports of lost data continue to heighten American fears of identity theft, Pennsylvania has become the latest state to enact security breach legislation, joining a similar initiative in New Jersey. On December 22, 2005, Pennsylvania’s Governor signed the Breach of Personal Information Notification Act (the "PA Breach Act")1. Scheduled to become effective on June 20, 2006, the PA Breach Act establishes standards for assessing and disclosing security breaches affecting the personal information of Pennsylvania residents.

Preceding the PA Breach Act by half a year, the New Jersey Identity Theft Protection Act (the "NJ Breach Act")2 became fully effective on January 1, 2006 (a provision dealing with police reports became effective on June 25, 2005). Enabling individuals to place a "freeze" on their credit reports and limiting disclosure of Social Security numbers, the NJ Breach Act appears to be the more expansive legislation, although the two laws differ in a number of other respects, as well.

Although privacy law observers across the country have been waiting for Congress to enact a federal law addressing data security breaches, the legislative process has stalled in Washington, adding momentum to the trend that has now swept more than 20 states into the breach arena. In practical terms, this trend is forcing companies that maintain computerized personal data to take urgent action to assure that their information security procedures comply with the burgeoning and often inconsistent mosaic of state law requirements.

The PA Breach Act: Disclosure of a Security Breach

Scope of the Law—Individuals, businesses, and Pennsylvania governmental agencies and political subdivisions all fall within the ambit of the PA Breach Act. Covered businesses include any company doing business in Pennsylvania, whether for-profit or not-for-profit, that "maintains, stores or manages computerized data that includes personal information." Financial institutions, as well as their parents and subsidiaries, wherever organized, chartered or licensed, that do business in Pennsylvania are also considered to be covered businesses, as is any entity that "destroys records."

What is a Security Breach?—The PA Breach Act’s notice provisions are triggered when computerized "personal information" is compromised. "Personal information" is defined as the individual’s first name (or first initial) and last name linked with one or more of the following data elements: (1) their Social Security number, (2) their driver’s license number, or (3) their financial account number or credit or debit card number in combination with any required access code or password.

If any personal information is encrypted (i.e., accessible only by a confidential process or key) or redacted (i.e., truncated to reveal no more than the last four digits of a card or identification number), it is excluded from coverage. Also excluded is "publicly available information that is lawfully made available to the general public from Federal, State, or local government records."

In appraising the impact of any data breach law, a threshold determination always must be made as to whether a security breach has occurred. The PA Breach Act recognizes a breach when "unauthorized access and acquisition of computerized data…materially compromises the security or confidentiality of personal information maintained by the entity as part of a database of personal information regarding multiple individuals and…causes or the entity reasonably believes has caused or will cause loss or injury to any resident of this Commonwealth."

There are several key issues to consider when applying this standard. Chief among these is whether unauthorized access and acquisition of unencrypted and unredacted data actually has occurred. If the answer is yes, then was there a "material" compromise of security and does there exist a reasonable basis for believing that the result has been or will be loss or injury?

Disclosing the Security Breach to Customers—Once a breach meeting the standard has been determined to have occurred, the covered entity incurs extensive disclosure obligations. Notice of the breach must go to any resident of Pennsylvania whose principal mailing address is within Pennsylvania, as reflected in the data. Notification must be made "without unreasonable delay." An entity is allowed time to determine the scope of the breach, as well as time to restore the "reasonable integrity of the data system," before providing the notice.

Form of Notice—Security breach notifications may be made by (1) written notice, (2) telephonic notice, or (3) e-mail if a prior business relationship exists and the entity has a valid e-mail address. The telephone method of notice, which may be unique among current state data breach laws, works only if the individual can be "reasonably expected to receive it." Such notice must be given in a "clear and conspicuous manner," describe the incident in general terms, verify the individual's personal information without asking the individual to provide it, and identify a telephone number or website for more information.

A three-pronged "substitute" form of notice may be delivered if the entity demonstrates that the cost of otherwise providing the notice would exceed $100,000, or if the class of subject persons to be notified exceeds 175,000, or the entity does not have sufficient contact information. Such substitute notice would be via e-mail (to the extent the entity has e-mail addresses) together with a conspicuous posting of the notice on the entity’s website and notification to major state-wide media.

These broadly phrased security breach notice concepts leave much of the triggering analysis and disclosure mechanics open to interpretation. For example, should notice be given if the personal information was lost but there is no direct evidence of unauthorized access? Must disclosure be made within days or weeks? Given the fact that only the contents of a telephonic notice are specified, how detailed must written notice be?

Disclosures to Law Enforcement and Credit Bureaus—The PA Breach Act creates special grounds for delaying notice of a security breach where a law enforcement agency determines and advises in writing that the notification will impede a criminal or civil investigation. Notice may be given once the law enforcement agency determines that it will not compromise the investigation or "national or homeland security." Although there is no express requirement that an entity should consult with law enforcement agencies, logic would appear to call for such a procedure before notice of any breach is given.

In addition to any other notification to individuals, if an entity provides notice to more than 1,000 persons at a time, the entity must also notify "without unreasonable delay" all national consumer reporting agencies regarding the timing, distribution and number of notices planned.
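The following Python routine is an added illustration, not code from the original article: it applies the PA Breach Act's "personal information" definition (name linked with an unencrypted, unredacted SSN, driver's license number, or account number with any required access code) and the notice thresholds described above to a constructed set of exfiltrated rows, so an incident responder can see how each exclusion changes the count of Pennsylvania residents to be notified, whether the 1,000-person consumer-reporting-agency notice is triggered, and whether substitute notice is available. The record layout, field names, sample rows, and the reading of "any required access code" (the code must also have been exposed when one is needed to use the account) are assumptions. The routine does not decide whether the incident meets the Act's "material compromise" and "loss or injury" standard; that remains a judgment for counsel.

```python
"""Breach-scope triage against the PA Breach Act's "personal information" definition.

Added illustration, not code from the original article. The record layout, the
field names, the reading of the access-code condition and the sample rows below
are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Thresholds as described in the article for the PA Breach Act.
PA_CRA_NOTICE_THRESHOLD = 1_000       # notify national consumer reporting agencies above this many notices
PA_SUBSTITUTE_NOTICE_COST = 100_000   # substitute notice allowed if ordinary notice would cost more than this
PA_SUBSTITUTE_NOTICE_CLASS = 175_000  # ... or if the class of persons to be notified exceeds this


@dataclass(frozen=True)
class Record:
    """One exfiltrated row. Field names are assumptions for this example."""
    first_name: str                  # full first name or first initial
    last_name: str
    state: str                       # principal mailing address state, as reflected in the data
    ssn: Optional[str] = None
    drivers_license: Optional[str] = None
    account_number: Optional[str] = None
    access_code: Optional[str] = None          # PIN/password that was also exposed, if any
    access_code_required: bool = True          # whether a code is needed to use the account number
    encrypted_fields: FrozenSet[str] = frozenset()  # fields held only under a key the intruder did not obtain


def is_redacted(value: str) -> bool:
    """Redacted = truncated to reveal no more than the last four digits.

    Assumes identifiers are numeric; mask characters and separators ('X', '*', '-') are ignored.
    """
    return len(re.sub(r"\D", "", value)) <= 4


def element_exposed(record: Record, name: str, check_redaction: bool = True) -> bool:
    """A data element counts only if present, unencrypted and (for identifiers) unredacted."""
    value = getattr(record, name)
    if value is None or name in record.encrypted_fields:
        return False
    return not (check_redaction and is_redacted(value))


def has_personal_information(record: Record) -> bool:
    """Apply the PA definition: (first name or initial) + last name linked with one element."""
    if not (record.first_name and record.last_name):
        return False
    if element_exposed(record, "ssn") or element_exposed(record, "drivers_license"):
        return True
    # Element (3): account or card number "in combination with any required access code".
    # Assumption: if a code is required to use the account, it must also have been exposed.
    if not element_exposed(record, "account_number"):
        return False
    return (not record.access_code_required) or element_exposed(record, "access_code", check_redaction=False)


def assess_pa_notice(records, estimated_notice_cost: Optional[int] = None,
                     insufficient_contact_information: bool = False) -> dict:
    """Count Pennsylvania residents whose personal information was exposed and derive the
    follow-on obligations described in the article. Whether the incident itself meets the
    Act's "material compromise" / "loss or injury" standard is a separate judgment and is
    not decided here.
    """
    affected = [r for r in records if r.state == "PA" and has_personal_information(r)]
    n = len(affected)
    substitute_ok = (
        n > PA_SUBSTITUTE_NOTICE_CLASS
        or (estimated_notice_cost is not None and estimated_notice_cost > PA_SUBSTITUTE_NOTICE_COST)
        or insufficient_contact_information
    )
    return {
        "pa_residents_to_notify": n,
        "notify_consumer_reporting_agencies": n > PA_CRA_NOTICE_THRESHOLD,
        "substitute_notice_permitted": substitute_ok,
        "affected_names": sorted(f"{r.first_name} {r.last_name}" for r in affected),
    }


# Constructed sample rows, chosen to exercise each exclusion in the definition.
SAMPLE_RECORDS = [
    Record("Alice", "Smith", "PA", ssn="123-45-6789"),                                    # full SSN: triggers
    Record("Bob", "Jones", "PA", ssn="XXX-XX-6789"),                                      # redacted: excluded
    Record("Carol", "Lee", "PA", account_number="4111111111111111"),                      # code required, not exposed
    Record("Dan", "Park", "NJ", ssn="987-65-4321"),                                       # not a PA resident
    Record("Eve", "Chan", "PA", drivers_license="12345678", encrypted_fields=frozenset({"drivers_license"})),
    Record("Frank", "Wu", "PA", account_number="4000123412341234", access_code_required=False),
    Record("Grace", "Kim", "PA", account_number="5100000000000001", access_code="9876"),  # number + code
    Record("H.", "Patel", "PA", ssn="222-33-4444"),                                       # first initial suffices
]

if __name__ == "__main__":
    print(assess_pa_notice(SAMPLE_RECORDS, estimated_notice_cost=12_000))
```

Run against the sample rows, four of the eight count (Alice, Frank, Grace and H. Patel): Bob's SSN is redacted, Carol's card number lacks the required code, Eve's license number was encrypted, and Dan is not a Pennsylvania resident. The NJ Breach Act uses the same name-plus-element structure but different substitute-notice thresholds and an additional rule for "dissociated" data, so the constants and the linking check would need to change for a New Jersey assessment.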

Third-Party Vendor Disclosure Obligations—Vendors that maintain, store or manage computerized data on behalf of other entities are placed in second position by the PA Breach Act. Following discovery of a security breach, a vendor must provide notice to the entity on whose behalf it maintains data, not to the individuals whose personal information is affected. The responsibility for making the determinations and disclosures under the PA Breach Act rests exclusively with the entities having the primary consumer or business relationship.

Complying With Existing Notification Policy; Federal Requirements/Safe Harbor—Any entity that "maintains its own notification procedures as part of an information privacy or security policy for the treatment of personal information" is deemed to be in compliance if those procedures are consistent with the PA Breach Act’s requirements.

For financial institutions, compliance with the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice is deemed to be compliance with the PA Breach Act. A similar safe harbor is created for other entities governed by guidelines established by their "primary or functional federal regulator." Any county or local laws that attempt to regulate security breaches are expressly preempted by the PA Breach Act.

Penalties for Security Breach Disclosure Violation—Any violation of the PA Breach Act’s security breach disclosure provisions is deemed an "unfair or deceptive act or practice" under the Pennsylvania Unfair Trade Practices and Consumer Protection Law (the "UTPCPL"). No private right of action is available for enforcing a violation of the PA Breach Act. The Office of the Pennsylvania Attorney General is given exclusive authority to bring an action under the UTPCPL for such violations.

It may be noteworthy that an early version of the PA Breach Act limited liability to "willful and knowing" violations. That restriction ultimately was removed during the legislative process, so even a negligent violation of the PA Breach Act might prompt an Attorney General request for injunctive relief under the UTPCPL. Nonetheless, under the UTPCPL, the Attorney General can obtain civil penalties only for "willful" violations.

Effective Date—The PA Breach Act takes effect June 20, 2006, and only applies to breaches of security that occur on or after that date. If Congress acts before that date to preempt state and local security breach laws by enacting a comprehensive federal standard, the PA Breach Act will never take effect.

The NJ Breach Act: Special Protective Provisions

The NJ Breach Act contains several important provisions requiring businesses to take specific protective actions and conferring rights on New Jersey residents, all of which are designed to go beyond disclosure requirements in mitigating the risk of identity theft. Comparable provisions are not found in the PA Breach Act.

Destruction of Records—Taking a direct approach to minimize the chances that information will fall into the wrong hands, the NJ Breach Act specifies how businesses and public entities must destroy customer records under their control that they no longer need to retain. The destruction must be accomplished "through generally available means," either directly or by arrangement with another party, "by shredding, erasing, or otherwise modifying" the information in the records to make it "unreadable, undecipherable or nonreconstructable."

Identity Theft Reports to Local Police—The NJ Breach Act requires local law enforcement agencies to take a police report from anyone who suspects that he or she is a victim of identity theft, even if jurisdiction would lie elsewhere for the prosecution and investigation of the crime. If jurisdiction does lie elsewhere, the NJ Breach Act provides that the local law enforcement agency that took the complaint may refer it to the law enforcement entity in the different jurisdiction.

"Security Freeze" of a Consumer Report—The NJ Breach Act amends the existing New Jersey Fair Credit Reporting Act ("NJFCRA") to allow an individual to place a "security freeze" on his or her consumer report. A "security freeze" is defined in part as "a notice placed in a consumer's consumer report that prohibits the consumer reporting agency from releasing the report or any information from it without the express authorization of the consumer."

A consumer reporting agency must place a freeze on a report no later than five business days after receiving a consumer's written request, and must send the consumer written confirmation within five business days of placing the freeze. The confirmation must include a unique personal identification number or password that the consumer can use to authorize a temporary lifting of the freeze, either for a specific party or for a specified period of time, while the freeze otherwise remains in place.

A consumer reporting agency must remove a freeze that it determines was triggered by a material misrepresentation of fact by the consumer. Otherwise, subject to any temporary lifting of the freeze requested by a consumer, a security freeze remains in place until the consumer requests that it be permanently removed.

A security freeze does not apply to the use of a consumer report by a lender, an assignee or a prospective assignee for the purpose of reviewing or collecting an account. Also, use of a consumer report by law enforcement entities, trial courts, tax enforcement entities, and child support enforcement entities is not subject to a security freeze.

The NJ Breach Act contains a form of notice to advise consumers of their right to obtain a security freeze. This new notice must be provided upon any request for information about security freezes, or together with the notice that must be provided under the federal Fair Credit Reporting Act by a creditor that uses a consumer's credit score in connection with an application for a residential mortgage loan. A consumer reporting agency may not charge to place a freeze, but may charge $5.00 to remove or temporarily lift a freeze, and may also charge $5.00 if the consumer fails to retain the original personal identification number or password provided by the consumer reporting agency.

Persons failing to comply with the security freeze provisions may be liable to consumers for damages and attorney’s fees under the NJFCRA.

Social Security Number Controls—The NJ Breach Act also restricts the use and disclosure of Social Security numbers, prohibiting (1) the publication or display of a Social Security number, or of four or more consecutive digits taken from it, (2) the printing of a Social Security number on mailers or access cards, or otherwise publicly disclosing it, under most circumstances, and (3) requiring in any way that an individual transmit his or her Social Security number over the Internet or use it to access a website, unless the connection is secure, the number is encrypted, or authentication is required. Social Security numbers can continue to be used for internal verification and administrative purposes, and may be included in applications and forms sent by mail in a sealed envelope.

The NJ Breach Act: Disclosure of a Security Breach

Scope of the Law—Unlike the PA Breach Act, which covers individuals as well as businesses, the NJ Breach Act's disclosure requirements apply to "any business that conducts business in New Jersey," whether for-profit or not-for-profit, and to any public entity (i.e., a state governmental entity) that compiles or maintains computerized records that include "personal information." Covered financial institutions include not only New Jersey-chartered financial institutions, together with their parents and subsidiaries, but also financial institutions, and their parents and subsidiaries, that are federally chartered or chartered in other states.

What is a Security Breach?—The NJ Breach Act's provisions are triggered by a "breach of security" that involves "personal information." "Personal information" is defined, much like the PA Breach Act, as the individual's first name or first initial and last name linked with one or more of the following: the individual's Social Security number, driver's license number, account number, or credit or debit card account number in combination with any required access code. In a concept not found in the PA Breach Act, data that is "dissociated" (an undefined term that presumably means data not linked together in a single database) will still be considered "personal information" if the means to link the data have also been accessed. Publicly available information is not within the definition of "personal information." A "breach of security" occurs upon "unauthorized access to electronic files, media or data containing personal information that compromises the security, confidentiality or integrity" of personal information that has not been encrypted or made unreadable or unusable by similar technology.

Disclosing the "Security Breach" to Customers—Any business operating in New Jersey or any public entity that compiles or maintains computerized records of personal information must disclose any "breach of security" of such computerized records to any "customer" who is a resident of New Jersey "whose personal information was, or is reasonably believed to have been, accessed by an unauthorized person." The disclosure must be made within the most "expedient time possible and without unreasonable delay." A "customer" is an individual who has provided personal information.

Form of Notice—Security breach notifications must be made by written or electronic notice that is consistent with the federal E-SIGN law. Substitute notice is permitted if a public entity or business demonstrates that the cost of providing the notice would exceed $250,000, or if the class of persons to be notified exceeds 500,000, or if the business entity does not have sufficient contact information. Substitute notice must consist of e-mail notice if the business or public entity has an e-mail address, a conspicuous posting of the notice on the website, if any, of the business or public entity, and notification to state-wide media.

Disclosures to Law Enforcement and Credit Bureaus—The NJ Breach Act permits a delay in providing notice "consistent with the legitimate needs of law enforcement" and as necessary to determine the scope of the breach and restore the integrity of the data system. Before notifying customers, an entity must report a breach to the Division of State Police in the Department of Law and Public Safety. A law enforcement agency may then determine that notification may impede an investigation and request that notification to customers be delayed. If a public entity or business discovers that notice is triggered to more than 1,000 persons at a time, it must also notify "without unreasonable delay" all nationwide consumer reporting agencies of the timing, distribution and content of the notices.

Third-Party Vendor Disclosure Obligations—Any business or public entity that compiles or maintains computerized records that include personal information "on behalf of another business or public entity" must notify that business or public entity of any breach of security. The obligation to notify customers rests exclusively with the business or public entity that has the customer relationships.

Complying With Existing Notification Policy; Federal Requirements/No Safe Harbor—Any business or public entity that "maintains its own notification procedures as part of an information security policy for the treatment of personal information" and notifies customers of a breach according to such procedures will be deemed in compliance with the NJ Breach Act's disclosure requirements, provided such internal procedures are "otherwise consistent" with the requirements of the NJ Breach Act. Nonetheless, in a major difference from the PA Breach Act, it is especially important to recognize that there is no exception for compliance with standards imposed by federal regulators.

Penalties for Security Breach Disclosure Violation—A violation of the NJ Breach Act’s Social Security number or security breach disclosure provisions can trigger a penalty under the New Jersey Consumer Fraud Act ("CFA") for any willful, knowing or reckless violation. The Attorney General may seek injunctive relief and assess fines, and a private litigant may obtain treble damages under the CFA. Also, class actions may be brought under the CFA.

Effective Date—After its enactment in June 2005, the NJ Breach Act took full effect January 1, 2006, and, though not specified explicitly, is expected to apply only to subsequently discovered breaches. If Congress acts to preempt state and local security breach laws by enacting a comprehensive federal standard, the NJ Breach Act will cease to be effective.

Conclusion

To avoid the necessity of jumping through the hoops set up by the Pennsylvania and New Jersey breach laws, entities will need to implement systems carefully designed and tested to safeguard personal information. Nonetheless, even an entity with the most effective information security program at some point will likely experience a data security breach requiring notice to state residents. Therefore, it is important for every entity, guided by the advice of counsel and reputable information security technicians, to install appropriate and responsive compliance procedures and to revisit their information-handling agreements with their third-party vendors.

Footnotes

1 Senate Bill 712, Printers Number 1410; Act Number 2005-94.

2 P.L. 2005, c. 226 

This article is presented for informational purposes only and is not intended to constitute legal advice.