Data-Specific Security and Privacy Regulations

Many states have created laws to protect the use of certain types of information. Similar to the federal government, they create laws by data type. This section discusses some of the data-specific laws that states have created to protect personal information.

Minnesota and Nevada: Requiring Businesses to Comply With Payment Card Industry Standards

Some states have started to create laws that require entities in the state to comply with industry security standards. For example, Minnesota and Nevada have created laws that require businesses operating in those states to comply with parts of the Payment Card Industry (PCI) Data Security Standard (DSS).

When Is Federal Legislation Appropriate?

The federal government has limited lawmaking power. The U.S. Congress cannot make any laws outside of the scope granted to it in the U.S. Constitution. This means that Congress cannot usually interfere in state matters. It also cannot create a uniform federal law in areas legislated by the states unless there is a compelling reason to do so.

Congress can create laws in areas where the U.S. Constitution allows it. For instance, the Constitution grants the federal government the power to regulate commerce between the states. If an activity has the potential to affect the trade relations between the states, then Congress may address it under its Commerce Clause power.

Sometimes states enact laws that extend beyond their borders. If these laws affect trade between the states, then it is possible that they start to infringe upon an area where the federal government alone has the power to create laws. When this happens, the question arises whether that area has become “ripe” for federal legislation.

When deciding if an area is ripe for federal legislation, Congress looks at whether differing state laws affect activities that it traditionally regulates. It considers how many states have created laws addressing the specific topic and reviews whether there is state confusion or complexity on activities that might affect relationships between the states. Congress also looks at whether the differing state laws create an undue burden or economic cost on businesses operating in several states.

Congress may use its legislative power to enact federal laws if there is confusion among the states. It does this to eliminate confusion for businesses that operate in several states. If it creates a national law in an area where there are many different state laws, the federal law will preempt the state laws. The state laws will no longer be valid.

The Congressional Research Service has compiled reports on various federal laws that may create breach notification requirements. The report notes that breach notification laws are complicated and often confusing. You can read their 2019 report at https://crsreports.congress.gov/product/pdf/R/R45631.

Minnesota’s 2007 Plastic Card Security Act was the first state law that attempted to codify certain parts of the PCI DSS. It forbids businesses from retaining certain cardholder data for more than 48 hours after the credit card transaction is approved.21 The data that may not be retained include:

  • Card verification number
  • PIN
  • Contents of the card magnetic stripe

The PCI DSS also states that businesses may not retain this information. The Minnesota law has turned this part of the PCI DSS industry standard into a law.

The Minnesota law shifts the cost of a breach to a business that violates the law. If a business suffers a breach and is found to have violated the storage requirements, it can be held responsible for costs related to the breach. For instance, a bank or other financial institution can sue the business to recover its costs in responding to the breach. These costs include issuing new cards and refunding unauthorized charges.22
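The retention rule above is the kind of control a security team can actually test for. The script below is an added example, not part of the original text and not the statute’s or PCI’s own tooling: it scans a constructed sample of stored transaction records (the record layout, the field names such as cvv, pin, track1 and track2, and the timestamps are all assumptions for the example) and flags any record that still holds a verification number, a PIN, or magnetic-stripe track data more than 48 hours after approval. It also pattern-matches track 1 and track 2 data inside free-text fields, since stripe contents that leak into a notes column are just as prohibited as a field named track2.

```python
"""Retention audit for cardholder data (added example, assumptions noted).

Minnesota's Plastic Card Security Act forbids keeping the card verification
number, the PIN and the magnetic-stripe contents more than 48 hours after a
transaction is approved. This script scans a constructed sample of stored
transaction records and flags every record that still holds any of those
items past the 48-hour window. Record layout and field names are assumed.
"""
import json
import re
from datetime import datetime, timedelta, timezone

RETENTION_LIMIT = timedelta(hours=48)

# Fields that may not be retained after authorization (names are assumed).
PROHIBITED_FIELDS = ("cvv", "pin", "track1", "track2")

# Track-2 data as it appears on a magnetic stripe: optional start sentinel ';',
# 13-19 digit PAN, '=' separator, YYMM expiry, 3-digit service code,
# discretionary data, optional end sentinel '?'.
TRACK2_RE = re.compile(r";?\d{13,19}=\d{4}\d{3}[^?;]*\??")

# Track-1 data: optional '%' then format code 'B', PAN, '^' name '^', expiry
# and service code.
TRACK1_RE = re.compile(r"%?B\d{13,19}\^[^^]{2,26}\^\d{4}\d{3}")


def stripe_data_in_text(text: str) -> bool:
    """True if the text contains something shaped like track 1 or track 2 data."""
    return bool(TRACK1_RE.search(text) or TRACK2_RE.search(text))


def audit_record(record: dict, now: datetime) -> list[str]:
    """Return the prohibited items found in one record that is past the window."""
    approved = datetime.fromisoformat(record["approved_at"])
    if now - approved <= RETENTION_LIMIT:
        return []  # still inside the 48-hour window: not a violation yet
    findings = [field for field in PROHIBITED_FIELDS if record.get(field)]
    for key, value in record.items():
        # Stripe contents stashed under some other name are still a violation.
        if key not in PROHIBITED_FIELDS and isinstance(value, str) and stripe_data_in_text(value):
            findings.append(f"stripe data in '{key}'")
    return findings


def audit(records_jsonl: str, now: datetime) -> dict[str, list[str]]:
    """Audit newline-delimited JSON records; map transaction id -> findings."""
    violations = {}
    for line in records_jsonl.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        findings = audit_record(record, now)
        if findings:
            violations[record["txn_id"]] = findings
    return violations


# Constructed sample records for the example (not real transactions).
SAMPLE_RECORDS = "\n".join([
    json.dumps({"txn_id": "T1", "approved_at": "2024-03-01T10:00:00+00:00",
                "pan_last4": "1111", "cvv": "123"}),
    json.dumps({"txn_id": "T2", "approved_at": "2024-03-03T09:30:00+00:00",
                "pan_last4": "2222", "cvv": "456"}),
    json.dumps({"txn_id": "T3", "approved_at": "2024-02-28T08:00:00+00:00",
                "pan_last4": "3333", "notes": ";4111111111111111=25121010000000000000?"}),
    json.dumps({"txn_id": "T4", "approved_at": "2024-02-27T08:00:00+00:00",
                "pan_last4": "4444", "auth_code": "A1B2C3"}),
])
NOW = datetime(2024, 3, 3, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for txn, findings in audit(SAMPLE_RECORDS, NOW).items():
        print(f"{txn}: {', '.join(findings)}")
```

Run against the sample, T1 is flagged for a retained cvv (50 hours old), T3 for track-2 data hiding in a notes field, T2 is still inside the 48-hour window, and T4 holds nothing prohibited. In a real audit the same logic would run over a database export or a log archive rather than the embedded sample.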

The Minnesota Plastic Card Security Act Supported by Financial Institutions

One of the reasons the Minnesota Plastic Card Security Act was introduced was the 2007 TJX data breach. Financial institutions often paid the cost for notifying people that their credit and debit card information was disclosed in a breach. There were other costs as well. If another organization suffered a breach that included card data, financial institutions had to reissue the cards to their customers, which costs money. They had to refund unauthorized charges. They also suffered reputation damage when customers asked whether the financial institution was also involved in the breach.

The Minnesota Credit Union Network, an association of more than 160 credit unions in Minnesota, was tired of paying for another organization’s weak security practices. The Network engages in political advocacy, education, and awareness activities. It pushed for the creation of the Plastic Card Security Act to help reduce its costs for another organization’s security breach.

NOTE

Businesses that wish to accept credit cards for payment must follow the PCI DSS. The major credit card companies require it, although it is not a law. Credit card companies such as Visa and MasterCard enforce PCI DSS.

In 2010, Nevada was the first state to make following the entire PCI DSS a state law requirement.23 The Nevada law says that businesses will not be liable for damages for a data breach, such as paying for credit cards to be reissued, if they are following the law and did not engage in other intentional misconduct. Washington state also provided businesses with a safe harbor from data breach liability if the business can certify that it was PCI DSS compliant at the time of the data breach.24 The Washington law, however, does not require businesses to follow PCI DSS.

NOTE

The Nevada law states that “personal information” is a person’s name combined with SSN, financial account number, credit card number, health insurance number, and driver’s license or other identification number.25

The Nevada law is novel because it makes following the entire PCI DSS required by law. Some commentators thought that the Nevada law would encourage other states to adopt similar laws. However, widespread adoption has not really happened. This is because businesses that accept credit cards already have to comply with the PCI DSS under their contracts with credit card companies. If they violate the PCI DSS, they can be subject to large fines from those companies. Laws such as Nevada’s do not protect businesses from fines from the credit card companies.

Indiana: Limiting SSN Use and Disclosure

Some states have created laws protecting SSNs. These laws recognize that SSNs are highly sensitive pieces of information that can be very valuable to an identity thief. Thieves can use the number to easily establish new identities to commit identity theft crimes.

Indiana has laws designed to protect SSNs. For example, its laws forbid SSNs from appearing in public documents. It also has laws that forbid state agencies from disclosing a person’s SSN to any other person or entity.

Since 2006, Indiana law has stated that county recorders’ offices may not accept any document for recording that contains an SSN.26 The only time that they can accept a document containing an SSN is when another law requires that the document contain an SSN. Some types of federal laws, such as releases of federal tax liens, require the use of an SSN.

NOTE

The Social Security Administration created the SSN in 1936 to track worker earnings. This was necessary to administer the Social Security program. The first person to receive Social Security benefits was Ernest Ackerman in January 1937. He received a one-time payout of 17 cents.

The state also was concerned that public records recorded before 2006 could contain SSNs and that identity thieves could use these documents to get SSNs. Since 2008, Indiana law states that county recorders cannot provide a recorded document to a member of the public unless they first search the document for SSNs. If they find a document with an SSN, they must redact it before allowing public inspection. It is a civil violation for a county recorder or any employee to disclose a recorded document containing an SSN without first searching the document for an SSN. The law does not cover disclosure of the last four digits of an SSN.
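The search-and-redact step the Indiana law imposes on county recorders is easy to get wrong in both directions: a naive nine-digit match redacts parcel and loan numbers, while a sloppy one misses an SSN written with spaces. The following is an added example, not code from the original text or from any recorder’s office; the deed text is constructed for the example. It finds candidate SSNs in the common layouts, applies the Social Security Administration’s structural assignment rules (no 000, 666 or 900–999 area number, no 00 group, no 0000 serial) to discard values that cannot be SSNs, and masks everything except the last four digits, which the text says the law does not cover.

```python
"""SSN redaction before public release of a recorded document (added example).

Indiana requires county recorders to search a recorded document for SSNs and
redact them before public inspection, and the rule does not reach the last
four digits. This finder validates candidates against the SSA's assignment
rules so that nine-digit values that cannot be SSNs (parcel or loan numbers)
are left alone, then masks all but the last four digits. The document text
is constructed for the example.
"""
import re

# Nine digits in the common layouts: 123-45-6789, 123 45 6789, 123456789.
# The lookarounds stop a longer digit run (phone number, account number)
# from being sliced into a false match.
SSN_CANDIDATE_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: no 000, 666 or 9xx area; no 00 group; no 0000 serial."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    if group == "00" or serial == "0000":
        return False
    return True


def find_ssns(text: str) -> list[str]:
    """Return every plausible SSN in the text, exactly as it appears."""
    return [m.group(0) for m in SSN_CANDIDATE_RE.finditer(text)
            if is_plausible_ssn(*m.groups())]


def redact_ssns(text: str) -> tuple[str, int]:
    """Mask every plausible SSN to XXX-XX-NNNN; return the text and a count."""
    count = 0

    def mask(m):
        nonlocal count
        area, group, serial = m.groups()
        if not is_plausible_ssn(area, group, serial):
            return m.group(0)  # not an SSN: leave a parcel or loan number intact
        count += 1
        return f"XXX-XX-{serial}"  # last four digits stay visible

    return SSN_CANDIDATE_RE.sub(mask, text), count


# Constructed sample of a recorded document (fictional people and numbers).
SAMPLE_DEED = (
    "WARRANTY DEED, Book 412 Page 77. Grantor JANE DOE, SSN 219-09-9999, "
    "conveys Parcel No. 900-01-1234 to JOHN ROE (SSN 219 09 9998). "
    "Loan No. 000-12-3456. Recorded 2024-03-01; fee $25.00."
)

if __name__ == "__main__":
    redacted, n = redact_ssns(SAMPLE_DEED)
    print(f"{n} SSN(s) redacted")
    print(redacted)
```

On the sample both SSNs are masked while the parcel number (900-prefix) and loan number (000-prefix) pass through untouched. The structural rules only rule out impossible values; a plausible nine-digit number that is not an SSN will still be redacted, which is the safer failure for a document headed to public inspection.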

The Importance of Legislative History

All laws have a legislative history that documents the number of times that a law is modified during the period from introduction to signing. It includes any materials generated in the course of creating legislation, committee reports and hearings, and transcripts of debate and reports issued by legislatures. The legislative history can be reviewed to help determine what a legislature intended when it created a law. The Nevada law requiring data collectors to follow PCI DSS went through many changes. You can read the law’s legislative history at http://www.leg.state.nv.us/Session/75th2009/Reports/history.cfm?DocumentType=2&BillNo=227.

When Senate Bill 227 was first introduced, it contained no language requiring data collectors to follow PCI DSS. Instead, it required data collectors to use certain types of approved encryption technologies. After the bill was introduced, industry groups contacted the bill’s author to express concerns about the bill. They opposed it because it was not technology neutral. You can read the letter submitted by industry groups at http://www.leg.state.nv.us/75th2009/Exhibits/Assembly/CMC/ACMC1140C.pdf.

After negotiation, the bill was amended to include the PCI language. Little information was included in the legislative history to indicate why the PCI language was added. A question that remains is whether the businesses that objected to the bill’s original language are happy with the final law that requires PCI compliance.

FYI

A county recorder’s office keeps public records about certain types of transactions. These offices usually handle legal documents regarding real estate ownership. These documents are filed, or recorded, with a county recorder’s office to give public notice of the transaction. Certain types of records also can be filed with a county recorder for future reference or safekeeping.

Indiana law also provides that a state agency may not disclose a person’s SSN to anyone.27 State agencies include an elected official’s office and state educational institutions. However, there are limited exceptions to this law. A state agency is allowed to disclose an SSN if:

  • A person gives explicit written consent for the disclosure of his or her SSN.
  • The disclosure is required by state or federal law.
  • The disclosure is required by a court order.

The law lists very specific penalties for an inappropriate disclosure of a person’s SSN. The state agency is not responsible for these penalties. Instead, they are directed at the state agency employee who disclosed the SSN. For instance, a state agency employee who “knowingly, intentionally, or recklessly” discloses an SSN in violation of the law commits a Level 6 felony. This is a criminal sanction. In Indiana, a Level 6 felony can result in a prison term between 6 months and 2.5 years. In addition, a person can be fined up to $10,000.28

NOTE

One of the biggest differences between civil law and criminal law is punishment. In civil law, a defendant is not sent to jail as a punishment. Instead, civil law imposes fines. Civil law also requires a defendant to reimburse a plaintiff for damages. In criminal law, punishment usually involves fines or prison sentences, or both.

If a state agency employee negligently discloses an SSN, the person commits a Class A infraction. In Indiana, an infraction is a civil sanction that a person cannot be imprisoned for. However, he or she can receive a fine of up to $10,000.

Under the law, if a state agency impermissibly discloses an SSN, it must notify the affected person. It also must notify the state attorney general’s office. Under the law, the state attorney general has the authority to investigate an improper disclosure of an SSN. The state attorney general also can make additional rules to carry out the nondisclosure law. Individuals do not have a private cause of action under the law. For example, they cannot sue a state agency for wrongfully disclosing an SSN.

Other states have laws designed to protect SSNs. Arizona law, for example, prohibits printing an SSN on government or private identification cards. This law also prohibits the transmission of a person’s SSN over an unsecured internet connection.29 California law forbids companies from requiring people to transmit an SSN over the internet unless the connection is secure or the SSN is encrypted.

California: Protecting Consumer Privacy

California continues to be at the forefront of states that seek to protect the data of their citizens. In 2018, California enacted the California Consumer Privacy Act (CCPA).30 The CCPA governs the protection of personal information that is collected by businesses, which must comply with the CCPA if they meet any of the following:

  • Have gross annual revenues in excess of $25 million
  • Buy, receive, or sell the personal information of 50,000 or more consumers, households, or devices
  • Derive 50 percent or more of their annual revenues from selling consumers’ personal information

If a business is covered by the CCPA, it must provide notice to consumers of their rights and how to exercise those rights before it collects data from the consumer. Consumers have the following rights under the CCPA:

  • The right to know—A consumer has a right to know what personal information is collected, used, shared, and sold by the business.
  • The right to delete—A consumer has the right to demand that a business delete the consumer’s personal information.
  • The right to opt-out—A consumer has the right to opt out of the sale of his or her personal information or to tell the business to stop selling that information.
  • The right to nondiscrimination—A consumer should not be subject to price or service discrimination when a consumer exercises a privacy right under CCPA.

The California attorney general enforces the CCPA. The law allows for civil penalties of $2,500 for each violation or $7,500 for each intentional violation. Penalties can only be imposed after a business receives notice of the violation and has 30 days to correct the violation.

NOTE

The individual rights included in the CCPA are similar to the individual rights guaranteed by the European Union General Data Protection Regulation (GDPR).
