In 2018, less than 10 percent of data privacy or security incidents were breaches requiring notification. Yet it wouldn’t be surprising if that percentage starts to increase. One of the key factors in breach determination is the nature of the personal information exposed. Last year, we saw a significant expansion in the definition of personal information across multiple laws.
The scope of what qualifies as personal information has continued to expand since the first data breach notification law went into effect in California in 2003. In 2018, eight U.S. states expanded their definition of personal information well beyond the original standard of an individual’s name in combination with:
- Social security number
- Driver’s license number or state identification card number
- Account, credit, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account
For example, Connecticut SB 472 (effective October 01, 2018), added a nuance to their law’s definition of personal information by distinguishing credit or debit card numbers from other financial account numbers. The nuance here is that a credit or debit card number no longer needs to be disclosed in combination with any required security code, access code, or password for it to be considered personal information, only an individual’s name must also be present.
When South Dakota became the 49th state to enact a breach notification law this year, its definition included the standard set of personal information noted above as well as health information and biometric data. It also included online account credentials (meaning a username or email address in combination with a password, security question answer, or other information that permits access to an online account) in its definition of protected information. The nuance here is that the acquisition of online credentials by an unauthorized person, regardless of whether the individual’s name is also present, could trigger breach notification obligations under the law.
In 2018, Alabama became the 50th state to join what has been called the “crazy quilt” of state data breach notification laws. Notably, Alabama’s definition of personal information includes medical information and health insurance identification information.
“Personal information” around the world
While the definition of personal information has been steadily expanding in the U.S., the expansion is typically the addition of specified data elements, either alone or in combination with other data. Internationally, we see quite a different approach. Under the GDPR in the EU and PIPEDA in Canada, personal information is defined as any information in any form relating to an identifiable individual. Under the GDPR, we also see certain kinds of information being identified as particularly sensitive, including:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data
- Health data
- Sex life or sexual orientation
Why the changes?
Technology has forever altered the way information is disseminated, stored, and used. Thus, data is more accessible than ever before. Back in 2016, Edith Ramirez, then-FTC chairwoman, said, “As consumers use more digital devices and the sophistication of big data analytics increases, it has become significantly easier to identify individuals based on information not traditionally categorized as personal information, making it more difficult to protect their privacy.” It’s no surprise that legislators are working to keep pace by redefining what is meant by personal information.
The challenges for privacy and security teams
As the scope of personal information continues to expand, it’s likely that privacy and security teams will face new challenges. Some of these could include:
- An increase in the number of incidents due to the broader scope of personal information, each requiring a multi-factor risk assessment.
- Uncertainty about whether an incident qualifies as a breach, based on a particular state's definition of personal information, and the sensitivity of that information as it relates to the applicable risk of harm standard and the incident's overall risk assessment.
However the definition of personal information may broaden, one thing remains constant: Privacy teams must consistently risk assess each incident to determine potential breach notification obligations. Purpose-built software such as RADAR operationalizes how you manage your incident response, applying automation and best practices so you can ensure regulatory compliance and reduce data breach risks.
Stay tuned for the next post in this series, in which we discuss the second regulatory trend: increasing specificity in notification timelines. In the meantime, you can learn more by downloading the free ebook: Changing Data Breach Notification Laws: Regulatory Trends.