WASHINGTON (4/18/14)--As the Credit Union National Association continues to work on data security issues at the federal level, states are making progress with laws to protect and inform consumers about data security.
Last week, Kentucky Gov. Steve Beshear signed H.B. 232 into law, making Kentucky the 47th state to enact data breach notification legislation. With Beshear's signature, there are only three states left--Alabama, New Mexico and South Dakota--that do not have laws requiring companies to inform consumers about data breaches.
Under Kentucky's new law, companies that conduct business in the state and maintain consumer data of state residents are required to disclose data breaches involving the unauthorized acquisition of residents' unencrypted computerized data. Companies are required to disclose the breach in the "most expedient time possible" and "without unreasonable delay." Additionally, companies are required to notify consumer reporting agencies and credit bureaus if the breach affects more than 1,000 individuals.
Iowa Gov. Terry Branstad recently signed S.F. 2259 into law, which amended the state's Personal Information Security Breach Protection statute (JD Supra April 17). It requires written notice be provided to the Iowa Attorney General's office regarding a breach of security affecting 500 or more Iowa residents no later than five business days after notice of the breach. It also expands the term "breach of security" to include unauthorized acquisition of personal information "maintained by a person in any medium, including on paper, that was transferred by the person to that medium from computerized form."
A dozen more states have pending legislation that would amend and enhance existing state laws regarding security breaches.
During its recent Government Relations Rally, the California Credit Union League focused on the Consumer Data Breach Protection Act (see Wednesday's News Now: Card, member protection headline Calif. league rally). A.B. 1710 has notification and retailer liability provisions similar to those in Iowa's and Kentucky's newly enacted laws, but it adds mandatory credit monitoring services for those affected and civil penalties of up to $500 per violation or $3,000 for a willful or reckless violation (National Law Review April 17).
The Credit Union National Association found that credit unions incurred $30.6 million in costs directly related to last year's Target data security breach--not including fraud costs--and is pressing federal lawmakers to address data security relative to merchants, who are not held to the same standards of security as credit unions and other financial institutions.
One of the reasons the pre-trial activities for the Target class action lawsuits have been consolidated in Minnesota is state statutes that prohibit merchants or businesses from retaining magnetic-strip information captured during a transaction, require reimbursement to financial institutions for reissuing cards, and require communication "in the most expedient time possible and without unreasonable delay" if a breach occurs.