Show-Me State Shows Nation's 45th Data Breach Law

Adding to America's crazy quilt scenario of similar-but-different state laws and regulations facing retailers,a new data breach notification law goes into effect in Missouri Friday (Aug. 28). There are now 45 states with such measures, according to the National Conference of State Legislatures.

The Missouri law is similar to most other state laws dealing with data breach notifications, but it includes medical and health information, data the states usually don't mention because it is protected by the federal Health Insurance Portability and Accountability Act (HIPAA).

With the new Missouri law, those in the state who "own or license personal information" of Missouri residents "or any person that conducts business in Missouri that owns or licenses personal information in any form of a resident of Missouri" will be required to notify affected consumers when security breaches are discovered, according to the law. It defines a breach as "unauthorized access to and unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality or integrity of the personal information."

However, the law stresses that notification is not required if, "after an appropriate investigation" or consultation with the law enforcement agencies, it is determined that a risk of identity theft or other fraud to consumers is unlikely to occur due to the breach. The law gives the state attorney general authority to sue violators of the law and seek fines of up to $150,000 per breach "or series of breaches of a similar nature that are discovered in a single investigation."

Missouri stipulates that personal information includes a person's first name or first initial and last name "in combination with" unprotected (through encryption, redaction or other means) elements such as a Social Security number, a driver's license number or other unique identification number created or collected by a government body; a financial account number, credit card number or debit card number or unique electronic identifier or routing codes (in combination with any required security codes, access codes or passwords). Unlike some other states, Missouri also includes medical or health insurance information in that list.

The law calls for disclosure of data breaches "without unreasonable delay" but, as in the case of a proposed federal security breach law, it doesn't define "unreasonable." The law says consumer notification must be "consistent with the legitimate needs of law enforcement" and with any efforts needed to determine "sufficient contact information," the scope of the breach and to "restore the reasonable integrity, security, and confidentiality of the data system."

So what, exactly, will retailers have to disclose to consumers when a breach is discovered? In addition to a general description of the incident, the merchant will be required to reveal the type of personal information obtained by the culprits, provide a telephone number for consumers seeking more information "if one exists," give out the contact information for consumer reporting agencies and provide the potential victims with "advice that directs the affected consumer to remain vigilant by reviewing account statements and monitoring free credit reports."

Steve DelBianco, executive director of NetChoice, an Internet lobbying group, said that "the industry has worked hard to make these state laws as consistent and similar as it can to avoid a patchwork situation. For the most part, we've been able to do that."

Nevertheless, differences remain. For example, Illinois doesn’t permit companies to delay issuing data breach notices while they work with law enforcement, DelBianco said.

He added that most national and multi-state retailers don't alter their notification plans on a state-by-state basis. "For the most part, a retailer will follow the notice requirements of their home state or the state where they have the most customers," he said.