Since the beginning of the year, upwards of 10 million personal information records have been lost or stolen each day. With an incident rate that high, individuals and businesses that have never received any kind of breach notification generally consider themselves lucky and assume they are not at risk of identity theft or unauthorized account usage. Unfortunately, that is not always the case.
The fact is that there is a significant chance your personal or non-public business information has been compromised in some way, yet the company that lost it was not always legally obligated to inform you. Understanding your rights under data breach laws is the first step in protecting your data. For instance, do you know what information is legally considered "personal"? Are there ways your data could have been lost or stolen without the offending entity being compelled by law to notify you? The answer is yes.
Legal Definitions Of Personal Information
Even though each state has its own laws and policies regarding data breaches and notification requirements, there is broad consensus on the basic elements, or combinations of elements, that constitute "personal information" in the eyes of the law. At a minimum, personal information includes:
- First name or first initial and last name, AND
- One or more of the following elements:
  - Social Security number
  - driver's license or state ID number
  - financial account numbers (bank, credit or debit card)
As mentioned, this combination forms the foundation of most state breach legislation. Many states narrow it further and treat account information that requires a PIN or password as compromised only if that PIN or password was included with the stolen record. That is, if a debit card requires a PIN for a transaction, you will not be notified of the data loss unless both your debit card number and the PIN were accessed.
A few of the more progressive states, like North Carolina and Nebraska, include biometric and fingerprint data in their definition of personal information. Similarly, some states, like Missouri, have more specific, detailed laws that limit the legal maneuvering room that comes with ambiguous statutes.
Most health and medical information is governed by the federal Health Insurance Portability and Accountability Act (HIPAA) rather than by state breach law, but a few states do include health-related information in their definition of personal information.
Exemptions In State Legislation
When it comes to the exemptions written into state breach statutes, the current laws are, in general, skewed in favor of protecting the corporate information holder rather than the individuals whose information was compromised.
Encryption: In many states, the statute says that if the personal information was redacted or encrypted at the time of the unauthorized access, then no breach has legally occurred and no notice is required. Most of these laws say nothing about what counts as adequate encryption, and nothing about what happens when the encryption is broken after the theft. A practitioner's caveat: some states (California, for example) withdraw this safe harbor when the encryption key or security credential was acquired along with the data, so the protection depends on how the keys were managed, not just on whether the data was encrypted.
Questionable Non-Personal Information: Depending on the state, some information that is clearly sensitive may be classified as non-personal. For example, the last four digits of your Social Security number may not count as personal information, despite the number of accounts that require only those four digits to confirm your identity before making changes to the account.
Good-Faith Acquisitions: Nearly every state lists "good faith acquisitions" as an exemption from its data breach law. A "good faith acquisition" is an acquisition of personal information by an employee or agent of the entity (including a trusted vendor or partner) for the entity's own purposes, on the theory that the data is not likely to be misused or further disclosed. It is important to note that a business is not required to notify anyone when the incident meets the "good faith" requirements, even though the data did leave the hands of the people authorized to hold it.
Risk of Harm Analysis: About half of the states have laws that allow the information-holding entity to run a "risk of harm" analysis to determine how likely it is that the compromised personal information will be abused or used in unauthorized transactions by the parties that have obtained it, or may obtain it in the future. If the risk of harm is found to be minimal, the entity does not have to notify the state attorney general, nor the people whose personal information was lost. In practice the entity that lost the data is the one deciding whether the loss is harmful.
Choose Exact IT As Your Partner in Data Security
For most small and medium-sized businesses, a data breach, whether it means stolen business information or a penetrated network that leaks client records, has the potential to be catastrophic. At Exact IT Consulting, we can help you take proactive data and network security measures that significantly reduce the chance your network will fall victim to cybercriminals. Contact us or request a consultation with a member of our team today!