<?xml version="1.0" encoding="UTF-8"?><!-- generator="wordpress.com" -->
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	>

<channel>
	<title>data-breach-notification-laws &#171; WordPress.com Tag Feed</title>
	<link>http://en.wordpress.com/tag/data-breach-notification-laws/</link>
	<description>Feed of posts on WordPress.com tagged "data-breach-notification-laws"</description>
	<pubDate>Tue, 05 Jan 2010 18:01:03 +0000</pubDate>

	<generator>http://en.wordpress.com/tags/</generator>
	<language>en</language>

<item>
<title><![CDATA[Minnesota's Other Data Breach Notification Statute?]]></title>
<link>http://blog.subjunctive.com/2009/08/25/minnesotas-other-data-breach-notification-statute/</link>
<pubDate>Tue, 25 Aug 2009 16:33:21 +0000</pubDate>
<dc:creator>Jim Graves</dc:creator>
<guid>http://blog.subjunctive.com/2009/08/25/minnesotas-other-data-breach-notification-statute/</guid>
<description><![CDATA[Just about anyone who cares knows by now that most states have data breach notification statutes. Wh]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Just about anyone who cares knows by now that most states have <a href="http://blog.subjunctive.com/2008/07/23/the-six-states-without-data-breach-notification-laws/">data breach notification statutes</a>.  What&#8217;s not as well known, even among security professionals, is that Minnesota has long had another statute that could require reporting of data breaches.  Taken literally, the statute would require reporting even when Minnesota&#8217;s data breach notification law does not.</p>
<p>The law is in Minnesota Statutes section 609.8911, which was added in 1994.  It reads:</p>
<blockquote><p>A person who has reason to believe that any provision of section 609.88, 609.89, or 609.891 is being or has been violated shall report the suspected violation to the prosecuting authority in the county in which all or part of the suspected violation occurred. A person who makes a report under this section is immune from any criminal or civil liability that otherwise might result from the person&#8217;s action, if the person is acting in good faith.</p></blockquote>
<p>Chapter 609 is Minnesota&#8217;s criminal code, and sections <a href="https://www.revisor.leg.state.mn.us/statutes/?id=609.88">609.88</a>, <a href="https://www.revisor.leg.state.mn.us/statutes/?id=609.89">609.89</a>, and <a href="https://www.revisor.leg.state.mn.us/statutes/?id=609.891">609.891</a> are Minnesota&#8217;s computer crime statutes.  Section 609.8911 therefore says that anyone who &#8220;has reason to believe&#8221; that any successful or attempted unauthorized computer access, damage, or theft has taken place must notify the county prosecutor. </p>
<p>Note what the statute does not say:</p>
<ul>
<li>It&#8217;s not limited to data an organization &#8220;owns or licenses,&#8221; as <a href="https://www.revisor.leg.state.mn.us/statutes/?id=325E.61">section 325E.61</a> is for data breach notification.</li>
<li>It does not limit the reporting duty to situations where there&#8217;s a reasonable chance that the data was obtained by a third party.  Because Minnesota&#8217;s computer crime statute outlaws attempted acts of computer crime, it seems to be irrelevant whether the attempted computer theft, damage, or unauthorized access was successful.</li>
<li>It&#8217;s not even limited to data the organization handles&#8212;the language of the statute would seem to require telling the county attorney that someone else was hacked.</li>
</ul>
<p>That&#8217;s broad.  For example, a literal reading of the statute&#8217;s language would require calling the county prosecutor every time a virus scanner finds a virus.  A virus either accesses a computer without authorization or damages it.  As soon as the virus scanner alerts the user to the presence of the virus, that user has reason to know that someone committed a computer crime.  Does it matter that the user doesn&#8217;t know who committed the crime, that the county prosecutor can&#8217;t do anything with the information, or that universal compliance with the letter of the law would flood the prosecutor&#8217;s phone line with nothing but &#8220;I just got a virus&#8221; calls?  Maybe in the real world, but there&#8217;s nothing in the statute to suggest that these concerns relieve anyone of the duty to report. </p>
<p>The statute is missing something else: penalty provisions.  Any self-respecting criminal statute has two parts: (1) a list of things not to do, and (2) the penalties for doing those things.  Criminal penalties can be specific, or they can just categorize the crime (as a felony, misdemeanor, etc.), but to have any force, they have to say what the cost of violating the law would be.  There&#8217;s some question whether this is even a criminal statute&#8212;it&#8217;s in the criminal code, but it states an affirmative duty, not a prohibition, and it has no penalty provision.  If it is a criminal statute, it&#8217;s mostly toothless.   </p>
<p>It also appears that the statute has never been used.  A search of Minnesota cases reveals no instance in which the statute was even cited, much less used to convict someone.  </p>
<p>Because the statute has no penalties and has never been enforced, can you ignore it?  Maybe.  The stakes of doing so certainly seem low.  But just try to find a lawyer who will say it&#8217;s okay to ignore any statute, even a toothless unenforced statute.   </p>
<p>One reason to comply with the statute is that even a statute without penalty provisions can  form the basis of a negligence per se claim.   Negligence per se is a way for a plaintiff to use a statutory requirement to skip the usual inquiry into whether the defendant used reasonable care.  There are technical requirements for negligence per se claims, but if those are met, a plaintiff&#8217;s case is made much easier.  Here&#8217;s how it might work with section 609.8911: </p>
<ol>
<li>A company sees an attempted attack, but doesn&#8217;t reasonably believe the attacker obtained any personal information, so does not report it.</li>
<li>The attacker, who actually did obtain data, misuses it, harming one of the data subjects.</li>
<li>The data subjects file a class-action against the company, claiming that the company was negligent in not telling them about the breach.  To establish negligence, the plaintiffs point to section 609.8911, which says the company should have reported the attempted breach to the county prosecutor.</li>
</ol>
<p>And&#8212;voila&#8212;a statute with no penalty provision has just become a problem for the company.  Admittedly, that&#8217;s a stretch, and there are those &#8220;technical requirements&#8221; referred to earlier, but lawyers have advised their clients to avoid less probable risks.  </p>
<p>The language of the statute, the lack of a penalty, and its immunity provision might make one wonder about the original purpose of the statute.  It turns out that it was actually an early attempt at requiring data breach notification.  In Minnesota House Judiciary Committee hearings held March 18, 1994, Rep. Phyllis Kahn, author of the original Minnesota computer crime law and the duty-to-report provision, said that her bill was an attempt to force banks and financial institutions to report computer crimes they might otherwise prefer to hide.  It was “generally believed,” she said, that computer crimes were under-reported because these institutions preferred maintaining an appearance of security that could be hurt by disclosing a breach.  She acknowledged that the section did not include any penalties for failing to report, but said that her bill would be a “good step forward,” and that she couldn&#8217;t imagine what a good penalty would be.  </p>
<p>A few states have similar duties to report computer crimes, including <a href="http://codes.ohio.gov/orc/2921.22">Ohio</a> and <a href="http://le.utah.gov/~code/TITLE76/htm/76_06_070500.htm">Utah</a>.  Georgia had a similar statute that was repealed in 1991.   A handful of other states have general duties to report any crimes (or sometimes felonies), but in most states, there is no duty to report that one has seen a crime.  The computer duty-to-report statutes appear to be isolated exceptions to this general rule.</p>
<p>Minnesota has had a real data breach notification statute for a few years now.  Perhaps it is time for the legislature to repeal or substantially modify section 609.8911.  But until that happens, the safest course for any organization is to send the county prosecutor notice of any attempted data breach.  It may seem silly (partly because, in many cases, it is), but that&#8217;s the letter of the law.  With any luck, the busy prosecutor will respond with, &#8220;Thanks, but please don&#8217;t bother me again.&#8221;</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[North Carolina Updates its Data Breach Notification Law and Credit Reporting Laws]]></title>
<link>http://blog.subjunctive.com/2009/08/04/north-carolina-updates-its-data-breach-notification-law-and-credit-reporting-laws/</link>
<pubDate>Tue, 04 Aug 2009 14:31:22 +0000</pubDate>
<dc:creator>Jim Graves</dc:creator>
<guid>http://blog.subjunctive.com/2009/08/04/north-carolina-updates-its-data-breach-notification-law-and-credit-reporting-laws/</guid>
<description><![CDATA[On July 17, North Carolina amended its data breach notification law and changed some credit freeze a]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>On July 17, North Carolina amended its data breach notification law and changed some credit freeze and credit monitoring requirements.</p>
<p>The new law, <a href="http://www.ncleg.net/Sessions/2009/Bills/Senate/PDF/S1017v7.pdf">S.B. 1017</a>, makes two small changes to North Carolina’s notification requirements.  First, it requires telling the state Attorney General about breaches of any size, not just those that affect more than one thousand people.  Second, it requires the notifications to include contact information for the consumer reporting agencies (CRAs), the FTC, and the North Carolina Attorney General’s office.  </p>
<p>The statute still has the same notification triggers as before:  it applies to any business that “owns or licenses”  personal information.  The law applies to businesses that own or license data, but the statute’s definition of a “security breach” is not limited to breaches of  information the business owns or licenses.  It may just be a quirk of wording, but it looks like the law requires any business that owns or licenses data to notify people affected by <i>any</i> security breach.  In fact, there’s nothing in the language saying that companies only have to disclose their own breaches:</p>
<blockquote><p>N.C. Gen. Stat. § 75-65(a): Any business that owns or licenses personal information of residents of North Carolina or any business that conducts business in North Carolina that owns or licenses personal information in any form (whether computerized, paper, or otherwise) shall provide notice to the affected person that there has been a security breach following discovery or notification of the breach. . . .</p></blockquote>
<p>I doubt that’s the intention of the law, but there’s the language: companies that own or license data shall notify the affected person that “there has been a security breach.”  So, maybe it’s a business’s duty to inform consumers that a competitor has been breached?</p>
<p>Also note the statute’s broad interstate reach, pulling in “any business that conducts business in North Carolina that owns or licenses personal information in any form.”  It doesn’t even bother to limit the reach of the statute to businesses that own or license personal information about North Carolina residents.  </p>
<p>The law’s big changes are to consumer credit reporting.  It made quite a few changes to the state’s security freeze law.   It reduces the time Consumer Reporting Agencies (CRAs) can take to initiate or remove a freeze from five days to three, gives CRAs fifteen minutes to temporarily lift a freeze once the consumer has requested a temporary lift by phone or e-mail (if the request is by mail, the CRA has three days), prohibits the CRAs from charging for placing, removing, or temporarily lifting a credit freeze unless the request was by mail (the old law allowed charging $10 per request), and requires that credit reports under a freeze say that the freeze does not reflect a negative score, history, report, or rating.  </p>
<p>Finally, the law adds a “Credit Monitoring Services Act,” which might as well be titled the “freecreditreport.com” act.  It requires anyone who provides credit monitoring or obtains a credit report on behalf of a consumer for a fee to give clear and conspicuous notice of the consumer’s right to a free credit report.   </p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Missouri Joins the List of States with Data Breach Notification Laws]]></title>
<link>http://blog.subjunctive.com/2009/07/24/missouri-joins-the-list-of-states-with-data-breach-notification-laws/</link>
<pubDate>Sat, 25 Jul 2009 02:33:21 +0000</pubDate>
<dc:creator>Jim Graves</dc:creator>
<guid>http://blog.subjunctive.com/2009/07/24/missouri-joins-the-list-of-states-with-data-breach-notification-laws/</guid>
<description><![CDATA[Missouri finally passed a data breach notification law this year as part of an omnibus crime bill, H]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Missouri finally passed a data breach notification law this year as part of an omnibus crime bill, <a href="http://www.house.mo.gov/billtracking/bills091/biltxt/truly/HB0062T.HTM">H.B. 62</a>.  That brings the number of <a href="http://blog.subjunctive.com/2008/07/23/the-six-states-without-data-breach-notification-laws/">states without data breach notification laws</a> to five: Alabama, Kentucky, Mississippi, New Mexico, and South Dakota.  </p>
<p>The law itself is pretty standard, at least as much as anything with fifty-five versions can be called &#8220;standard.&#8221;    It requires anyone with personal information about a Missouri resident to notify the resident of a breach of security, defines &#8220;personal data&#8221; as any of the usual suspects plus a name (although, as <a href="http://isc.sans.org/diary.html?storyid=6856&#38;rss">John Bambenek</a> points out, a name isn&#8217;t actually needed to steal money from someone&#8217;s checking account  with ACH), requires the notice to be made &#8220;without unreasonable delay,&#8221; and allows safe harbors for encryption and cases where the data handler determines identity fraud is not likely.  Notification can be written, by phone, or with certain electronic notice.  The law allows substitute notice if personal notice would cost over $100,000, if more than 50,000 people are affected, or if there isn&#8217;t enough contact information to contact people directly.  A data handler who has to notify more than one thousand people also has to alert the media, the attorney general&#8217;s office, and the credit reporting agencies.  Enforcement is by the attorney general, with a civil penalty of $50,000 per breach for willful violations. </p>
<p>Senator Feinstein&#8217;s national data breach notification bill <a href="http://blog.subjunctive.com/2009/01/10/sen-feinstein-reintroduces-federal-data-breach-notification-bill/">hasn&#8217;t emerged from committee</a> since she introduced it in January.  It&#8217;s now a bit of a race to see which happens first: a nationwide breach notification bill, or the remaining states passing their own versions.  </p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Data Breach Notification Laws, State By State]]></title>
<link>http://legalbroker.wordpress.com/2009/03/01/data-breach-notification-laws-state-by-state/</link>
<pubDate>Sun, 01 Mar 2009 16:19:34 +0000</pubDate>
<dc:creator>Rob &amp; Jo-Ann</dc:creator>
<guid>http://legalbroker.wordpress.com/2009/03/01/data-breach-notification-laws-state-by-state/</guid>
<description><![CDATA[Five years after California&#8217;s landmark SB 1386, our interactive map shows you which 38 states ]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p><span lang="EN">Five years after California&#8217;s landmark SB 1386, our interactive map shows you which 38 states have passed laws requiring companies to notify consumers whose personal information has been compromised. [UPDATED 7/28/2008]</span></p>
<p><!--more--></p>
<p><span lang="EN">More than five years after California&#8217;s seminal data breach disclosure law, SB 1386, was enacted, not all states have followed suit. When this map was originally published in February, eleven states still had not passed laws mandating that companies notify consumers when that company has lost the consumer&#8217;s personal data.  <a href="http://www.csoonline.com/article/221322/CSO_Disclosure_Series_Data_Breach_Notification_Laws_State_By_State">Read Here</a></span></p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Sen. Feinstein Reintroduces Federal Data Breach Notification Bill]]></title>
<link>http://blog.subjunctive.com/2009/01/10/sen-feinstein-reintroduces-federal-data-breach-notification-bill/</link>
<pubDate>Sat, 10 Jan 2009 15:34:45 +0000</pubDate>
<dc:creator>Jim Graves</dc:creator>
<guid>http://blog.subjunctive.com/2009/01/10/sen-feinstein-reintroduces-federal-data-breach-notification-bill/</guid>
<description><![CDATA[Senator Dianne Feinstein re-introduced her federal data breach notification bill this week. This is ]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p> Senator Dianne Feinstein <a href="http://www.nextgov.com/nextgov/ng_20090107_1108.php">re-introduced</a> her federal <a href="http://thomas.loc.gov/cgi-bin/bdquery/z?d111:s.00139:">data breach notification bill</a> this week.  This is the Senator&#8217;s <a href="http://www.internetnews.com/security/article.php/3667221">fourth attempt</a> to pass a data breach bill, having introduced similar bills in <a href="http://thomas.loc.gov/cgi-bin/bdquery/z?d108:s.01350:">2003</a>, <a href="http://thomas.loc.gov/cgi-bin/bdquery/z?d109:s.00115:">2005</a>, and <a href="http://thomas.loc.gov/cgi-bin/bdquery/z?d110:s.00239:">2007</a>.  </p>
<p>The bill <a href="http://thomas.loc.gov/cgi-bin/query/z?c111:S.139:">looks a lot like Sen. Feinstein&#8217;s previous bills.</a>  Most importantly, this year&#8217;s bill, like previous bills, would preempt state data breach laws.  That would be good for businesses, who currently have to track <a href="http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm">forty-seven data breach notification laws enacted by states, the District of Columbia, and two territories</a>.   A federal data breach notification law would replace all these different laws with a single standard for notification.  Consumers, however, might be better off without a national breach notification law, because companies usually comply with whichever state law demands the most of them, rather than adjusting their notifications by state.  A federal data breach notification law therefore has to be carefully written so that it doesn&#8217;t end up reducing consumer protection. </p>
<p>Preemption is almost certain to be part of any national data breach notification law.  Only <a href="http://www.census.gov/popest/states/NST-ann-est.html">6.7% of Americans</a> live in <a href="http://blog.subjunctive.com/2008/07/23/the-six-states-without-data-breach-notification-laws/">states without data breach notification laws</a>, and they probably get breach notifications as a side effect of other states&#8217; laws.  So a national law is no longer necessary to ensure notification, but it could still be used to create uniform requirements&#8212;which means preemption.</p>
<p>Sen. Feinstein&#8217;s previous bills didn&#8217;t get far, even when <a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&#38;articleId=9014782">TJX</a> and <a href="http://epic.org/privacy/choicepoint/">Choicepoint</a> were in the news.  This year, we have no data breach poster child, and lots of other priorities.  It&#8217;s a new Congress and a new administration so anything could happen, but unless there&#8217;s another big public breach I&#8217;d be surprised if this bill gets much attention this year.   </p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[California's Second Payment Card Bill Also Vetoed]]></title>
<link>http://blog.subjunctive.com/2008/10/01/californias-second-payment-card-bill-also-vetoed/</link>
<pubDate>Wed, 01 Oct 2008 18:31:36 +0000</pubDate>
<dc:creator>Jim Graves</dc:creator>
<guid>http://blog.subjunctive.com/2008/10/01/californias-second-payment-card-bill-also-vetoed/</guid>
<description><![CDATA[Governor Schwarzenegger vetoed California&#8217;s second attempt at a payment card law yesterday. Ev]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Governor Schwarzenegger <a href="http://www.californiaprogressreport.com/2008/10/some_surprising.html">vetoed California&#8217;s second attempt at a payment card law yesterday</a>.  Even though the bill <a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&#38;articleId=9114062&#38;intsrc=news_ts_head">passed by overwhelming margins</a>, <a href="http://www.leginfo.ca.gov/pub/07-08/bill/asm/ab_1651-1700/ab_1656_bill_20080806_amended_sen_v92.html">AB 1656</a> fell victim to one of Schwarzenegger&#8217;s <a href="http://www.mercurynews.com/ci_10604836?nclick_check=1">record-setting 415 vetoes</a>.</p>
<p>The bill did, however, escape the <a href="http://www.mercurynews.com/opinion/ci_10603506">boilerplate</a> veto message many bills got.  Schwarzenegger again said that the marketplace did enough to protect consumers, and complained that the bill required notification even without evidence that the data has been misused: </p>
<blockquote><p>As I stated in last year&#8217;s veto of a similar bill, this bill attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers.</p>
<p>Clearly, the need to protect personal information is increasingly critical as routine commercial transactions are more and more exclusively accomplished through electronic means.  However, by requiring notification even where no information was obtained improperly, this bill would likely result in significant costs to businesses and to the state.  In addition, by locking in today&#8217;s best practices, AB 1656 would assure that the law remains static in the face of future, unseen concerns.  Moreover, this bill would create a disincentive for businesses to adhere to new, more comprehensive, industry standards.</p>
<p>Existing law already contains a comprehensive penalty scheme for identity theft that details with great particularity the numerous ways in which it can occur, and imposes criminal sanctions.  These provisions cover both identity thieves and retailers who are complicit in their crimes.  If existing penalties are inadequate to properly deter would-be identity thieves, the proper response would be to enhance these penalties.</p></blockquote>
<p>I&#8217;m not sure that the requirement for &#8220;notification even where no information was obtained improperly&#8221; is new in AB 1656.  It adds requirements for what must be reported, but the criteria for notification are set in California Civil Code sections 1798.29(b) and 1798.82(b), which require notification if &#8220;personal information was, or is reasonably believed to have been, acquired by an unauthorized person.&#8221;  AB 1656 did not change this language.   One might wonder what would have happened in 2002 to <a href="http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html">SB 1386</a> had Schwarzenegger, not Gray Davis, been governor.  </p>
<p>It&#8217;s also arguable whether the marketplace alone does enough to dissuade data loss or compensate harms.  One of the financial costs of large-scale credit card thefts is the issuing banks&#8217; expenses in reissuing all those lost credit cards.  Agreements between the issuers and card brands allow the issuers to reallocate losses, but these do not cover all an issuer&#8217;s costs.  Although a recent <a href="http://www.cuna.org/newsnow/08/wash091508-5.html">appellate decision</a> reopened the possibility of recovering under the third-party beneficiary contract theory, efforts of issuers to recoup their expenses have so far failed.   That was part of the motivation for this bill.  </p>
<p>Governor Schwarzenegger is on somewhat firmer ground when he points out the problems in legislating specific technical requirements.  It&#8217;s a challenge the <a href="http://www.wmitchell.edu/lawreview/Volume34/documents/4.Graves.pdf">Minnesota payment card law faced with only partial success</a>.  Still, California&#8217;s bill didn&#8217;t seem to pose too many of the problems listed in the veto statement.  It doesn&#8217;t get tied down to particular physical formats, or too-specifically define a PIN or verification code the way the Minnesota bill does.  It applies to &#8220;payment-related data&#8221; and data from a &#8220;payment card or other payment-related device.&#8221;   This is not the kind of language likely to require a legislative revisit each year.</p>
<p>This bill was a weakened version of a bill sent to Governor Schwarzenegger&#8217;s desk last year.  Will the California legislature try again next year?  The large margins by which AB 1656 passed&#8212;only four people in the California legislature voted against it&#8212;suggest that the legislature is very interested in updating its data breach law.  But this veto raises the question: would Governor Schwarzenegger sign any version of this bill, no matter how weakened?    </p>
<p>Chances of an override look slim&#8212;last year&#8217;s bill also passed by <a href="http://arstechnica.com/news.ars/post/20071016-governator-terminates-california-data-protection-law.html">similarly large margins</a>, well above the two-thirds majority needed to override a veto in California, but no override vote ever happened.   With a record-setting 415 vetoes this year, AB 1656 probably won&#8217;t get enough attention for an override.</p>
<p>Better luck next year.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[The Six States Without Data Breach Notification Laws]]></title>
<link>http://blog.subjunctive.com/2008/07/23/the-six-states-without-data-breach-notification-laws/</link>
<pubDate>Wed, 23 Jul 2008 22:40:35 +0000</pubDate>
<dc:creator>Jim Graves</dc:creator>
<guid>http://blog.subjunctive.com/2008/07/23/the-six-states-without-data-breach-notification-laws/</guid>
<description><![CDATA[Update, 7/23/09: Missouri passed a breach notification law on July 9, 2009. Alaska has enacted a dat]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p><i>Update, 7/23/09: <a href="http://blog.subjunctive.com/2009/07/24/missouri-joins-the-list-of-states-with-data-breach-notification-laws/">Missouri passed a breach notification law on July 9, 2009</a></i>.</p>
<p><a href="http://www.legis.state.ak.us/basis/get_bill.asp?bill=HB%20%2065&#38;session=25">Alaska has enacted a data breach notification law</a>, making it the forty-fourth state (along with D.C. and Puerto Rico) to do so.  Now that only six states remain, maybe instead of <a href="http://privacylaw.proskauer.com/2008/07/articles/security-breach-notification-l/northern-disclosure-alaska-enacts-44th-state-breach-notification-law/">listing all the states with breach notification laws</a>, we should just name the ones who for some reason haven&#8217;t done so:</p>
<ul>
<li>Alabama</li>
<li>Kentucky</li>
<li>Mississippi</li>
<li>Missouri</li>
<li>New Mexico</li>
<li>South Dakota</li>
</ul>
<div id="attachment_32" class="wp-caption alignnone" style="width: 310px"><a href="http://jtgraves.wordpress.com/files/2008/07/nobreachlawsmap.png"><img src="http://jtgraves.wordpress.com/files/2008/07/nobreachlawsmap.png?w=300" alt="States without data breach notification laws" width="300" height="151" class="size-medium wp-image-32" /></a><p class="wp-caption-text">States without data breach notification laws</p></div>
<p>Alabama and <a href="http://www.house.mo.gov/billtracking/bills061/bills/sb680.htm">Missouri</a> have at least considered breach notification bills.  Alabama&#8217;s bill would also have incorporated <a href="http://blog.subjunctive.com/2008/06/08/minn_dss/">PCI DSS requirements</a>.    </p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[CMU Study: Breach Laws Don't Reduce Identity Theft]]></title>
<link>http://blog.subjunctive.com/2008/06/12/cmu-study-breach-laws-dont-reduce-identity-theft/</link>
<pubDate>Thu, 12 Jun 2008 03:46:34 +0000</pubDate>
<dc:creator>Jim Graves</dc:creator>
<guid>http://blog.subjunctive.com/2008/06/12/cmu-study-breach-laws-dont-reduce-identity-theft/</guid>
<description><![CDATA[According to a study out of Carnegie Mellon&#8217;s Heinz School, data breach laws have &#8220;no st]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>According to <a href="http://weis2008.econinfosec.org/papers/Romanosky.pdf">a study out of Carnegie Mellon&#8217;s Heinz School</a>, data breach laws have &#8220;no statistically significant effect&#8221; on reducing identity theft.  The researchers performed a regression analysis using <a href="http://www.ftc.gov/bcp/edu/microsites/idtheft/reference-desk/national-data.html">FTC identity theft data</a>, factoring in income, strictness of the laws, and some interstate effects.</p>
<p>I have a couple of minor quibbles, but otherwise the results aren&#8217;t surprising.</p>
<p>First, the quibbles.  Although the study considers some interstate commerce effects, I don&#8217;t think it accounted for them quite enough.  Interstate commerce effects are those where one state&#8217;s data breach law affects identity theft rates in other states because of corporations with customers in multiple states.  </p>
<p>For each state, the study tried to compensate for interstate effects by including variables for (1) the state&#8217;s level of interstate activity, (2) the number of that state&#8217;s neighbors with data breach notification laws, and (3) the percentage of all U.S. states with identity theft laws.  What I think this still misses is the extent to which one large, populous state can force nationwide compliance.  For example, consider what happened when California was the only state with a breach notification law.  Companies who suffered a breach could choose to notify only their California customers, but if the breach were large, the publicity would still be nationwide—and customers in other states might wonder why the company didn&#8217;t tell them, too.   Preventive measures don&#8217;t split along state lines as neatly.  A company with weak security that wanted to avoid having to tell California customers about a data breach couldn&#8217;t improve only security for its California data; a security change would affect all its customers.</p>
<p>It&#8217;s therefore a matter of diminishing returns as more states pass data breach notification laws: when one large state has a notification law, it has a significant nationwide effect.  Adding ten more states increases that effect, but not tenfold.  By the time thirty-eight states have data breach notification laws (my count as of sometime early this year), one or two more won&#8217;t have that much more impact on nationwide compliance requirements.   Any adjustment for the number of states with data breach laws should take this into account.</p>
<p>Another small criticism I have of the report is that  it expects secondary effects to show up too quickly.  Secondary effects of data breach notification laws are the incentives for companies to improve their data security practices.  These process improvements take time to implement, and it wouldn&#8217;t be surprising to see a two or three year delay between passage of a data breach notification law and any sign of lowered identity theft.</p>
<p>The CMU report found that when (or whether) a state had passed a data breach law made little difference in the rates at which identity theft rates increased or declined.  Overall identity theft rates increased at about the same rate in each category through 2005, and then, interestingly enough, declined at about the same rate in each category from 2005 to 2006:</p>
<p><a href="http://jtgraves.wordpress.com/files/2008/06/id-theft-rates1.png"><img src="http://jtgraves.wordpress.com/files/2008/06/id-theft-rates1.png?w=300" alt="Average ID theft rate, categorized by year of data breach notification law" width="300" height="180" class="alignnone size-medium wp-image-22" /></a></p>
<p>This overall drop could reflect a delayed nationwide impact from California&#8217;s law, to which laws in additional states haven&#8217;t added as much as we might think.</p>
<p>Despite these complaints, I think the report&#8217;s ultimate findings are valid.  Data breach notification laws probably don&#8217;t have a significant effect on identity theft rates, for a number of reasons:</p>
<ul>
<li>Data breach events account for a small portion of identity thefts: 12% to 26%, depending on the study.</li>
<li>People may or may not receive notice of a breach, pay attention to it, or take action to avoid identity theft.  Failure to do any of these reduces data breach laws&#8217; effectiveness on the primary effects of a data breach.</li>
<li>Data handlers want to avoid data breach announcements, but they might think they&#8217;ll never have a breach, or they might accept the risk of a breach, or they might decide that the cost of improving security is higher than the expected cost of a breach.  These reduce a data breach law&#8217;s effectiveness in creating secondary effects.</li>
<li>Consumers don&#8217;t have the ability to control how their data is handled.  In a perfect market, we could choose to do business with companies that carefully handle data.  But it&#8217;s not a perfect market, and a lot of our data is collected without our knowledge or consent, so we only have a limited ability to keep our data out of the hands of people who are sloppy with it, even when we know they&#8217;re sloppy.</li>
</ul>
<p>Data breach laws are useful and necessary.  If someone misplaces my data, they should have to tell me about it.  But these laws alone aren&#8217;t enough to make companies handle data securely.</p>
<p><a href="http://go.techtarget.com/r/3817663/5519184">&#8220;Data breach laws have no effect on prevention, researchers say&#8221;</a> [SearchSecurity.com]</p>
</div>]]></content:encoded>
</item>

</channel>
</rss>
