Breach Notification refers to the notification that businesses, government agencies and other entities are required by law in most states to do when certain personally identifiable information is obtained or believed to have been obtained by an unauthorized party. The breach can occur when a system is hacked or when a device containing sensitive information is lost, stolen or inadvertently sold.
Personally identifiable information, also known as PII, is information that on its own or in conjunction with other information can be used to identify a person—the latter can include, for example, a name combined with a Social Security number, driver’s license number, bank account or credit card number.
The first state breach notification law was passed in California in 2002 and went into effect the following year. Among the first breaches reported under the new law occurred in 2004 when a bank card processing company CardSystems Solutions was hacked. CardSystems Solutions processed purchasing transactions for its retailer customers by sending the card account data to the correct bank or issuer for authorization. Some 263,000 card numbers were verified stolen in the hack, but nearly 40 million card numbers were exposed to the hackers. The data involved card transactions that CardSystems had retained on its system long after the transactions were completed and that had been stored in an unencrypted format. The breach began in September 2004 but wasn’t discovered until May 2005. It was the first major breach disclosed under the new California law.
Also among the first companies disclosing a breach under the new law was Choicepoint. The data broker sent letters to 145,000 people in February 2005 notifying them that it had mistakenly sold personal data about them to identity thieves. ChoicePoint was in the business of collection financial, medical and other information on billions of people in order to sell it to other marketers, other businesses and government agencies. The thieves had posed as legitimate businesses to open customer accounts with the massive data broker, then subsequently succeeded to purchase Social Security numbers, credit histories and other information that ChoicePoint had collected on them.
Since the California law was passed, another forty-six states and the District of Columbia have passed similar legislation. Alabama, New Mexico and South Dakota do not have breach laws.
This patchwork of laws has resulted in uneven and confusing requirements for businesses with customers in multiple states. The laws vary on a number of things, including when notification needs to occur, how notification should occur and exemptions from notification.
Federal lawmakers have been trying for years to remedy this confusing patchwork of laws by passing a federal law that would take precedent over all of them. But the proposed bills have failed to take hold on Capitol Hill.
President Obama and the White House began pushing another bill in January 2015 that would require breached entities to notify affected victims within 30 days of discovering the breach, though critics say this renewed push for a mandatory notification period will likely suffer the same problems previous bills had.