House of Representatives

SB 1338

personal information; security breach; notification

Sponsors: Senator Huppenthal, Senator Gray, Representative Groe et al

X

Committee on Government Reform & Government Finance Accountability

Committee on Commerce

Caucus and COW

As Engrossed and As Passed the House

SB 1338 provides guidelines for business owners, persons conducting business in this state, and persons who maintain personal information, requiring them to disclose a compromise of personal information to the individuals affected by the security breach.

History

Security breaches can take many forms, including lost or misplaced disks or backup tapes, stolen laptops or computers, hacked data or compromised passwords. According to the Federal Trade Commission (FTC), the major metropolitan areas with the highest per capita rates of identity theft in 2005 were: 1) Phoenix/Mesa/Scottsdale, AZ; 2) Las Vegas/Paradise, NV; and 3) Riverside/San Bernardino/Ontario, CA. In 2005, the most common identity theft complaints related to credit card fraud, followed by phone or utility fraud, bank fraud and employment-related fraud. The Identity Theft Data Clearinghouse administered by the FTC and shared through the Consumer Sentinel reports that, in 2005, 9,320 identity theft complaints were filed from Arizona victims.

The two federal acts that have bearing on this section are the Gramm-Leach-Bliley Act (Act) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II). The Act is a federal law enacted to control the ways that financial institutions deal with the private information of individuals. Within the Act, a Safeguards Rule was created that requires all financial institutions to design, implement and maintain safeguards to protect customer information. The rule applies not only to financial institutions that collect information from their own customers, but also to financial institutions, such as credit reporting agencies, that receive customer information from other financial institutions. The provisions of HIPAA require the Department of Health and Human Services (HHS) to establish national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. It also addresses the security and privacy of health data.

Provisions

·          Requires business owners or those conducting business in this state who own or license unencrypted computerized data containing personal information to notify, in the most expedient manner, the individuals affected by a security breach of personal information upon the completion of a reasonable investigation.

·          Stipulates that the notification may be delayed if a law enforcement agency determines that the notification will impede criminal proceedings.  However, the person is required to make the notification after the law enforcement agency determines that it will not compromise the investigation.

·          Requires the notification to also include the nature and scope of the breach upon the individual and/or the steps taken to restore the integrity of the data system.

·          Requires a person who maintains, but does not own, unencrypted computerized data that includes personal information to notify and cooperate with the owner or licensee without unreasonable delay upon determining that a breach of security has occurred.

·          Specifies that the maintainer must share relevant information concerning the security breach with the owner or licensee but is not required to provide notice to the individuals affected unless specified under previous agreements between the owner and the maintainer. 

·          Authorizes the disclosure of a security breach to be provided by one of the following methods:

      ·          Written notice.

      ·          Electronic notice if this is the primary means of contact or if electronic notice is consistent with the provisions set forth in the electronic signatures section of the Global and National Commerce Act.

      ·          Notice by telephone.

      ·          A substitute notice if the person demonstrates that the cost of providing notice would exceed $50,000, that the number of affected persons exceeds 100,000, or that sufficient contact information has not been established.

·          Designates the substitute notice to consist of all of the following:

      ·          Electronic mail notice if such contact information is available.

      ·          Conspicuous posting of notice on the website of the person if such site exists.

      ·          Notification to major statewide media.

·          Establishes that a person who maintains notification procedures as part of a security policy pertaining to personal information, consistent with statutory guidelines, is deemed compliant with the statutory notification requirements if the person notifies the affected individuals according to the person’s own security breach notification procedures.

·          Maintains that a person in compliance with the person’s primary or functional federal regulator’s notification procedures for a security breach is deemed in compliance with this section.

·          Exempts from the notification requirements situations in which, after a reasonable investigation by the person or a law enforcement agency, a security breach is determined not to have occurred or not to be reasonably likely to occur.

·          Mandates that this section may only be enforced by the Attorney General. The Attorney General may litigate for actual damages from willful and knowing violation of the notification requirements and may also seek a civil penalty not to exceed $10,000 per security breach determined in a single investigation.

·          Provides that the state’s power to regulate security system breach notification preempts all municipal and county laws, charters, ordinances and rules relating to this issue.

·          Stipulates that this section applies to neither a person subject to Title V of the Gramm-Leach-Bliley Act of 1999 nor covered entities defined under regulations implementing the Health Insurance Portability and Accountability Act.

·          Defines the terms: breach, encrypted, individual, person, personal information and redact.


Forty-seventh Legislature

Second Regular Session    March 15, 2006
