Over 10 million personal records have been lost or stolen, daily. That’s a lot of information. With numbers this high, there is a change you, or someone you know, has fallen victim to a data breach. Most of the time individuals or businesses are never notified if their information has been compromised. This leads to a false sense of security in thinking your personal information is safe. Don’t be one of the many that make this mistake.
It’s safe to assume that your personal information has been compromised in one of the numerous data breaches over the years. You may not know because the company responsible for losing your information isn’t required to inform you. It’s time to stand up and understand your rights that are outlined in data breach laws.
Legal Definition of Personal Information
Laws that govern how businesses must respond to a data breach vary from state to state. There is a consensus on the basic responsibilities these organizations have once data is accessed without permission, but differentiating opinions on what constitutes personal information. Two qualifications most jurisdictions agree on are:
- First name or first initial and last name
AND - One or more of the following elements: social security number, driver’s license or state ID number, finance account numbers.
Some states choose to go a step further than this by only considering accounts secured with a PIN or password as being worthy of notification. For example, if your debit card number was stolen, the business that let it happen doesn’t need to contact you unless both the number AND the pin were compromised.
In states that have a more advanced view of data security, such as North Carolina and Nebraska, they include biometric information as part of their personal information considerations. Other states, like Missouri, have specific laws on the books that limit the legal portability that is inherent in the overreaching statutes.
Since the majority of health and medical data is protected under the federal Healthcare Insurance Portability and Accountability Act (HIPAA), only a few states include this information in their definition of personal information.
Additionally, some state laws state a limit of personal information a company can have compromised before having to contact their state’s attorney general’s office. This number is variable, but most states agree that anything over 1,000-to-5,000 files lost constitute an offense in which reporting becomes necessary.
Currently, however, the statutes on the books are biased to protect organizations from individual legal reprisals. Qualifications that protect corporate interests include:
- Encryption: Many states have deliberately put in specific language to protect corporations if information was encrypted by an organization, stolen, and decrypted afterwards. This also goes for redacted information. If it was found that a business worked to secure the data, no breach notification would be necessary.
- Questionable non-personal information: In various states, questionable information can be included as non-personal information. One example is the last four digits of a person’s social security number. Since the whole number’s integrity remains intact, the organization would not have to file it as having been compromised with the state’s A.G.
- Good-faith acquisitions: Most states list “good faith acquisitions” as exemptions from standing data breach statutes. A ‘good faith acquisition’ is defined as an event where data is lost or compromised by people employed by the organization where an individual works, or had a working relationship with (like a vendor). Since a co-worker, superior, or vendor is not as likely to misuse or lose personal information, no breach notification is necessary if the event meets this very subjective ‘good faith’ requirement.
- Risk of harm analysis: Around half of U.S. states have laws that allow an information-holding entity to run a ‘Risk of Harm’ analysis to quantify the risk any compromised personal information has in regards to its use by another party, or potential abuse that information could have in unauthorized transactions. If they find that risk from harm is minimal, the organization doesn’t need to notify parties involved.
The fact is that a data breach, regardless of the circumstances surrounding it, can be completely categorized as a negative event. Call the IT professionals at IT Support Guys to find out how we can proactively manage your network to keep threats from affecting your data. Call us today at 855-4IT-GUYS (855-448-4897).
