States Expand Laws Regarding Data Breach Notification
Data breaches have set record-breaking numbers for the past few years, and they’ve hit companies of practically every size and industry. Sometimes the stolen information is nothing more than email addresses and passwords, while in other breaches hackers come away with the complete identities of countless people.
While there is still much work to be done in preventing data breaches, some new changes took place in various states across the country that will help consumers minimize the damage. Notification letters have been mandated for quite some time, but the timeline for reporting it to the authorities and to the consumers isn’t the same everywhere. Different states have different requirements for alerting the public depending on the type of information that was compromised, too.
California, the first state to establish a data breach notification law back in 2003, has amended its law several times over the years to keep up with various emerging trends and advancements in technology. In 2008, medical and health insurance information were added to the types of information covered by the law and in 2013 it was again amended to include a username or email address, in combination with a password or security question and answer that permits access to an online account. In 2016, it added a definition for encryption. The most recent amendment, effective January 1, 2017, now requires California residents be notified when encrypted personal information was, or is reasonably believed to have been acquired by an unauthorized person along with (2) the encryption key or security credential which would allow for the encrypted data to be read or used.
Illinois also recently amended its Personal Information Protection Act to expand its definition of personal information to now include medical and healthcare-related information, unique biometric data used for authentication purposes as well as usernames or emails when accompanied with a password or security question and answer that permits access to an online account. In addition, the change to PIPA also requires notice for breaches involving encrypted information if the decryption key was also acquired.
There was another key change in Illinois on how data breaches are announced to the public. Prior to last year’s amendment going into effect, companies had to mail a letter to anyone suspected of being a victim of a breach. In many cases, the costs of mailing such a letter were a burden, especially if the letter was only to inform consumers that a breach had occurred but that their data was never in any danger. Now, depending on the method of the breach and the information that was accessed, businesses in Illinois have the option to email victims whose information has been compromised.
According to the National Conference of State Legislatures (NCSL), at least 26 states introduced or were considering security breach notifications bills or resolutions in 2016. While some measures failed, others were passed or remain pending. These and other changes are major steps forward for consumer protection, but of course, the real work of protecting your information also includes the consumer. Monitoring your accounts for suspicious activity and requesting copies of your credit reports each year will help you spot any problems as soon as they begin. Developing strong, unique passwords can help keep hackers at bay while changing your passwords and security questions regularly can help you stay safe if criminals manage to decrypt old login information.
If you think you may be a victim of identity theft, contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App.
Read next: Spring Cleaning for your Mobile Device