The following U.S. federal laws and regulations relate to the privacy and security of an individual’s personal information and security breach notification. Please note this list features selected legislation and should not be considered exhaustive.
Identity Theft Legislation
Identity theft is a crime in every state. While the definition of identity theft varies among the states, the crime typically involves the use of the victim’s personal information, such as Social Security number, driver’s license number, or credit/debit card number, to commit fraud or other crimes.
According to a recent survey by the National Conference of State Legislatures (NCSL), 29 states have enacted restitution statutes. These laws generally require that a person convicted of identity fraud reimburse the victims for all losses caused by the crime.
The NCSL survey also reports that 12 states have enacted identity theft passport programs to assist victims of identity theft. Under Ohio’s program, for example, the police officer who completes the police report on the victim’s complaint of identity theft also submits an application on behalf of the victim for an Identity Theft Verification Passport. The identity theft victim can present the passport to (a) law enforcement agencies to help prevent arrest for offenses committed by someone using the victim’s identity, (b) creditors to aid in the investigation of fraudulent charges, and (c) consumer reporting agencies as official notice of disputed charges on credit reports.
Consumer Report Security Freeze Laws
As of October 2010, 47 states (Alabama, Michigan, and Missouri are the exceptions) have enacted laws that require the nationwide consumer reporting agencies (i.e., Equifax, Experian, and TransUnion) to place a security freeze (also known as a credit freeze) on a consumer’s file, upon request from a consumer. A security freeze prohibits the consumer reporting agency, with limited exceptions, from releasing any information in the consumer’s file without the consumer’s authorization. A security freeze is designed to prevent potential credit grantors from accessing a consumer’s file maintained by a nationwide consumer reporting agency without the consumer’s consent.
Consumers who suspect that they may be the victim of identity theft can use a security freeze to prevent an identity thief from using the consumer’s personal information to obtain fraudulent loans or other extensions of credit.
Since November 1, 2007, Equifax, Experian, and TransUnion have allowed all consumers in all states to set a security freeze, regardless of state law. State law may limit the fees that these agencies can charge for establishing, temporarily lifting, and permanently lifting a security freeze.
Security Breach Notification Laws
Currently, a total of 46 states and four territories, including the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands, have breach notification laws in place. These laws generally define “personal information” to include, at a minimum, first name or initial and last name in combination with a Social Security number, driver’s license number, credit or debit card number, or financial account number with any required security code. Some states have added other categories of information to this definition, such as health information, health insurance information, and unique biometric identifiers (e.g., a fingerprint).
The notice laws generally define a security breach to mean the unauthorized acquisition of unencrypted, computerized personal information. Currently, eight states (Arkansas, Hawaii, Indiana, Massachusetts, North Carolina, South Carolina, and Virginia) require notice even when the security breach involves paper records. A majority of states require notification only if the security breach creates a material risk of harm, such as identity fraud, to affected individuals.
On July 1, 2003, California became the first state to enact a security breach notification law. The California law has served as a model for many other states. The California law’s principal provisions are discussed below.
California Civil Code 1798.82 (Senate Bill 1386)
Organizations that do business in California and own or license unencrypted, computerized personal information must notify those California residents whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
Protection of Social Security Numbers
As of October 2010, more than 30 states have enacted legislation restricting certain uses and disclosures of Social Security numbers (SSNs). These laws generally prohibit (a) the public display of SSNs, (b) printing SSNs on any card, such as an insurance ID card, that an individual must show to obtain products or services, (c) requiring an individual to transmit his/her SSN over the internet unless the connection is encrypted, (d) requiring an individual to use his/her SSN to access a website unless a password or other authentication device is also required to access the website, and (e) mailing documents that contain an individual’s SSN to the individual unless the document is required by law to include the SSN, such as a Form W-2.
Proper Disposal of Personal Information
As of October 2010, more than 25 states have enacted laws that require disposal of personal information in a secure manner (for example, by shredding paper documents or “cyberscrubbing” electronic storage media). The definition of “personal information” in these laws varies but generally includes first name or initial and last name in combination with a Social Security number, driver’s license number, credit or debit card number, or financial account number with any required security code. Some states also include health information and other types of sensitive information in the law’s definition of personal information.
Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts (the “Massachusetts Standards”)
Massachusetts’ Department of Consumer Affairs and Business Regulation has issued information security regulations, codified at 201 CMR 17.00, which are currently considered among the most stringent in the United States. These regulations are described below.