StateStats | March 2015

3/1/2015

STATE LEGISLATURES MAGAZINE

Bar chart graphic

Defending Against Breaches

It’s not if, but when.

With the enormous amount of personal data Americans are sharing online and businesses are amassing, experts agree that it’s just a matter of time before hackers and cyber thieves get their hands on all that treasure.

Legislatures have worked to protect citizens by passing laws that require businesses with computerized personal information to notify customers if that information is leaked or accessed without authorization. The laws also allow consumers to monitor their records or close their credit card accounts to protect themselves against theft and fraud. Many credit these data breach laws with prompting better security practices among businesses—such as encryption, which makes documents unreadable except to the intended recipient.

Still, data intrusions continue. The credit reporting agency Experian predicts thieves will be focusing more on usernames and passwords stored in the cloud this year, as well as patients’ confidential health information.

This increased vulnerability has lawmakers searching for ways to improve upon the laws already on the books to make them more effective. California expanded its law requiring reasonable security practices to include businesses that maintain—not just own or license—personal information. Kansas, Louisiana, West Virginia and Wyoming expanded notification requirements to educational institutions. Florida amended its law to include notification of medical and insurance information breaches and to require businesses to notify consumers within 30 days. (Most states simply require notification in the “most expeditious time possible and without unreasonable delay.”) And South Carolina now requires state agencies to report breaches to the Division of State Technology along with developing security plans.

As awareness and security practices improve, so do the skills of those determined to break into systems and steal confidential data. Businesses and governments will have to run fast to stay ahead of them. 

Pam Greenberg, NCSL

A “Data Security Breach” is the potential or actual unauthorized access to or acquisition of sensitive, protected or confidential personal information, such as names with Social Security or driver’s license numbers, or credit card numbers with access codes.

TOP 10 INFORMATION MOST OFTEN STOLEN

Real Names

Birth Dates

Social Security Numbers

Home Addresses

Medical Records

Phone Numbers

Financial Information

Email Addresses

Usernames and Passwords

Insurance Policy Numbers

Source: Symantec

Additional Resources