Kroll Ontrack

Important Laws and Regulations

Federal Legislation for the Privacy and Protection of Personal Information

The following U.S. federal laws and regulations relate to the privacy and security of an individual’s personal information and security breach notification. Please note this list features selected legislation and should not be considered exhaustive.

State Legislation about Identity Theft and Security Freezes

Identity Theft Legislation

Identity theft is a crime in every state. While the definition of identity theft varies among the states, the crime typically involves the use of the victim’s personal information, such as Social Security number, driver’s license number, or credit/debit card number, to commit fraud or other crimes.

According to a recent survey by the National Conference of State Legislatures (NCSL), 29 states have enacted restitution statutes. These laws generally require that a person convicted of identity fraud reimburse the victims for all losses caused by the crime.

The NCSL survey also reports that 12 states have enacted identity theft passport programs to assist victims of identity theft. Under Ohio’s program, for example, the police officer who completes the police report on the victim’s complaint of identity theft also submits an application on behalf of the victim for an Identity Theft Verification Passport. The identity theft victim can present the passport to (a) law enforcement agencies to help prevent arrest for offenses committed by someone using the victim’s identity, (b) creditors to aid in the investigation of fraudulent charges, and (c) consumer reporting agencies as official notice of disputed charges on credit reports.

Consumer Report Security Freeze Laws

As of October 2010, 47 states (Alabama, Michigan, and Missouri are the exceptions) have enacted laws that require the nationwide consumer reporting agencies (i.e., Equifax, Experian, and TransUnion) to place a security freeze (also known as a credit freeze) on a consumer’s file, upon request from a consumer. A security freeze prohibits the consumer reporting agency, with limited exceptions, from releasing any information in the consumer’s file without the consumer’s authorization. A security freeze is designed to prevent potential credit grantors from accessing a consumer’s file maintained by a nationwide consumer reporting agency without the consumer’s consent.

Consumers who suspect that they may be victims of identity theft can use a security freeze to prevent an identity thief from using their personal information to obtain fraudulent loans or other extensions of credit, because most lenders will not open a new account without first pulling the applicant's credit file.

Since November 1, 2007, Equifax, Experian, and TransUnion have allowed all consumers in all states to set a security freeze, regardless of state law. State law may limit the fees that these agencies can charge for establishing, temporarily lifting, and permanently lifting a security freeze.

State Legislation about Breach Notification, Privacy Protection, and Information Security

Security Breach Notification Laws

Currently, 46 states, the District of Columbia, and three territories (Puerto Rico, Guam, and the U.S. Virgin Islands) have breach notification laws in place. These laws generally define “personal information” to include, at a minimum, first name or initial and last name in combination with a Social Security number, driver’s license number, credit or debit card number, or financial account number with any required security code. Some states have added other categories of information to this definition, such as health information, health insurance information, and unique biometric identifiers (e.g., a fingerprint).

The notice laws generally define a security breach to mean the unauthorized acquisition of unencrypted, computerized personal information. Several states (including Arkansas, Hawaii, Indiana, Massachusetts, North Carolina, South Carolina, and Virginia) also require notice when the security breach involves paper records. A majority of states require notification only if the security breach creates a material risk of harm, such as identity fraud, to affected individuals; the remainder require notice whenever the statutory definition of a breach is met, regardless of the likelihood of harm.

California’s security breach notification law, the first in the nation, took effect on July 1, 2003. The California law has served as a model for many other states. Its principal provisions are discussed below.

California Civil Code Section 1798.82 (Senate Bill 1386)

Organizations that do business in California and own or license unencrypted, computerized personal information must notify those California residents whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

  • California amended its security breach notification law, effective January 1, 2008, to include health information as well as health insurance information, in the law’s definition of “personal information.” Previously, the definition of “personal information” had been limited to first name or initial and last name in combination with a Social Security number, driver’s license number, credit or debit card number, or financial account number with any required security code.
  • Notice must be provided in the most expedient time possible and without unreasonable delay. Notice may be delayed in response to a request from law enforcement authorities.
  • Notice may be provided in writing or by email if certain conditions are met. If the cost of providing notice would exceed $250,000, more than 500,000 individuals need to be notified, or the organization has insufficient contact information for affected individuals, the organization may instead provide substitute notice, which consists of email notice where an address is known, conspicuous posting of the notice on the organization’s website, and notification to major statewide media.
  • A separate law, effective January 1, 2009, requires a licensed healthcare provider (such as a clinic, health facility, home health agency, or hospice) that has experienced a data breach to notify affected individuals and the California Department of Public Health within five (5) business days after detection of the breach.

Protection of Social Security Numbers

As of October 2010, more than 30 states have enacted legislation restricting certain uses and disclosures of Social Security numbers (SSNs). These laws generally prohibit (a) the public display of SSNs, (b) printing SSNs on any card, such as an insurance ID card, that an individual must show to obtain products or services, (c) requiring an individual to transmit his/her SSN over the internet unless the connection is encrypted, (d) requiring an individual to use his/her SSN to access a website unless a password or other authentication device is required to access the website, and (e) mailing documents that contain an individual’s SSN to the individual unless the document by law is required to include the SSN, such as a Form W-2.

Proper Disposal of Personal Information

As of October 2010, more than 25 states have enacted laws that require disposal of personal information in a secure manner (for example, by shredding paper documents or “cyberscrubbing” electronic storage media). The definition of “personal information” in these laws varies but generally includes first name or initial and last name in combination with a Social Security number, driver’s license number, credit or debit card number, or financial account number with any required security code. Some states also include health information and other types of sensitive information in the law’s definition of personal information.

Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts (the “Massachusetts Standards”)

The Massachusetts Office of Consumer Affairs and Business Regulation has issued information security regulations, codified at 201 CMR 17.00, that are currently considered among the most stringent in the United States. These regulations are described below.

  • The Massachusetts Standards require any person or entity, private or public, that owns or licenses the personal information of Massachusetts residents to prepare and implement a comprehensive written information security program aimed at safeguarding that information. The requirement applies regardless of whether the entity is located in Massachusetts. The Massachusetts Standards define “personal information” to mean first name or initial and last name in combination with a Social Security number, driver’s license or state-issued identification card number, or credit or debit card number or financial account number (with or without any required security code) of a Massachusetts resident, whether in paper or electronic form.
  • The information security program must address all of the requirements in the Massachusetts Standards. These requirements include, for example, secure storage of paper documents containing personal information, encryption of personal information when in transmission and when stored on portable electronic devices, access controls to information systems containing personal information, monitoring systems for unauthorized access to personal information, and employee training.
  • These regulations took effect on March 1, 2010.