Suggested Citation:"VII. Whether State Data Breach Notification Laws Apply to Transportation Agencies." National Academies of Sciences, Engineering, and Medicine. 2016. Liability of Transportation Entity for the Unintentional Release of Secure Data or the Intentional Release of Monitoring Data on Movements or Activities of the Public. Washington, DC: The National Academies Press. doi: 10.17226/23586.
phone or other electronic device and provides that a violation would be punishable as a Class 1 misdemeanor.502 Bills applicable to ALPRs are pending in both chambers of the North Carolina legislature. Senate Bill 182 simply provides that any law enforcement agency using an ALPR must adopt a written policy governing its use, whereas House Bill 829 restricts the use of ALPRs to four purposes, including for electronic toll collection and specific law enforcement purposes.503 Furthermore, the House version creates a right of civil action against anyone who knowingly violates the law.504

8. Pennsylvania

In Pennsylvania, Senate Bill 854 would make it unlawful “for any person to utilize tracking technology without lawful authority or consent.”505 House Bill 401, entitled “Protecting Pennsylvanians’ Privacy Act,” would require a government entity to obtain a search warrant prior to obtaining locational information on an electronic device and would impose a civil penalty for a violation.506

9. Texas

In Texas, under House Bill 3929, if an ALPR were to be used for anything other than a “valid law enforcement purpose,” it would become a Class A misdemeanor.507 A bill in the Senate, which provides that an ALPR may be used only for investigating a criminal offense or a report of a missing person, mandates that all of the images and data collected from an ALPR are to be destroyed no later than the seventh day after collection.508

VII. WHETHER STATE DATA BREACH NOTIFICATION LAWS APPLY TO TRANSPORTATION AGENCIES

A. Definition of a Data Breach

A data breach may be defined “as a loss or theft of, or other unauthorized access to, data containing sensitive personal information that results in the potential compromise of the confidentiality or integrity of the data.”509 In Ohio, the term “breach of the security of the system” is defined to mean

    an unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information owned or licensed by a state agency or an agency of a political subdivision and that causes, reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to the person or property of a resident of this state.510

B. States Having Data Breach Notification Statutes

As of January 2015, all states except Alabama, New Mexico, and South Dakota have laws requiring that notice be given to the public if there is a security breach involving data having personal information.511 The term “personal information” may be defined to include a person’s name, Social Security number, driver’s license number, credit card numbers, security codes, PINs, or passwords.512 For example, the Ohio statute provides that an agency must disclose a breach of the security of personal information data. Personal information is defined to be

    an individual’s name, consisting of the individual’s first name or first initial and last name, in combination with and linked to any one or more of the following data elements, when the data elements are not encrypted, redacted, or altered by any method or technology in such a manner that the data elements are unreadable:
    (i) Social security number;
    (ii) Driver’s license number or state identification card number;
    (iii) Account number or credit or debit card number, in combination with and linked to any required security code, access code, or password that would permit access to an individual’s financial account.513

Washington State’s breach notification law applies to personal information, a term that

    (5) …means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
    (a) Social security number;
    (b) Driver’s license number or Washington identification card number; or
    (c) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.514
    (6) For purposes of this section, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.515

C. Applicability of the Statutes to Government Agencies

Although the breach notification statutes apply to businesses and commercial entities as defined in each statute, in at least 23 states, the statutes also apply to government agencies.516 The statutes typically provide that encryption is a defense to a claim for a data breach for any missing, lost, or stolen data.517 For example, the California breach notification law requires that

    [a]ny agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.518

In Ohio, the statute defines the term “agency of a political subdivision” to mean “each organized body, office, or agency established by a political subdivision for the exercise of any function of the political subdivision, except that ‘agency of a political subdivision’ does not include an agency that is a covered entity as defined in 45 C.F.R. 160.103, as amended.”519

In some states there is a good faith defense to the disclosure of personal information as long as the personal information was not used for illegitimate purposes and there were no other unauthorized disclosures of the data.520

D. State Breach Notification Laws Authorizing Civil Penalties or Claims for Damages

1. Overview

Although some breach-notification laws provide for enforcement and civil penalties, it appears that only in 13 states and the District of Columbia would a person injured by a data breach have a private right of action,521 and that at least 4 states exempt government agencies from “enforcement proceedings.”522

Of the states in which the breach notification laws apply to government agencies, the states differ in regard to a right of action against government agencies for a violation of the statute. In some states, no action is permitted against government entities or there is no provision for a private right of action. Some state statutes provide for the imposition of a civil penalty for a violation of the breach notification statute, whereas other states authorize a claim for damages. Some breach notification statutes delegate authority to the attorney general to bring an action for a violation. Some of the statutory provisions regarding enforcement, such as for damages or a civil penalty, apply to an agency’s failure to give notice of a security breach, whereas some provisions apply to any violation of the state’s privacy act protecting personal information maintained by an agency.

2. No Action Permitted Against Government Agencies

In some states no action is permitted against government agencies.523

3. No Provision for a Private Right of Action

In some states there appears to be no provision for a private right of action.524

4. Liability for Civil Penalties

Some states’ statutes provide for the imposition of a civil penalty for a violation of a state statute protecting personal information and/or a violation of a requirement that an agency give notice of a breach of the security of personal information.525 In some states, however, a civil penalty will not be assessed unless an agency’s action was willful or intentional. For example, in Idaho, “[a]ny agency, individual or commercial entity that intentionally fails to give notice [of a security breach] in accordance with section 28-51-105, Idaho Code, shall be subject to a fine of not more than twenty-five thousand dollars ($25,000) per breach of the security of the system.”526 Montana Code Section 30-14-142(2) provides that if a court finds that “a person is willfully using or has willfully used” an unlawful method, act, or practice, a civil fine of not more than $10,000 may be imposed for each violation. A willful violation occurs when the party committing the violation knew or should have known that the conduct was a violation of Section 30-14-103.527

5. Liability for Damages

Several states authorize an action for damages for a violation of the state’s statute protecting personal information and/or for failure to give notice of a breach of the security of personal information.528 As stated, California’s IPA provides that an individual may bring a civil action against an agency whenever the agency refuses to comply with an individual’s lawful request to inspect under Section 1798.34(a); fails to maintain accurate and complete records concerning an individual as further provided in the statute; or “[f]ails to comply with any other provision of this chapter, or any rule promulgated thereunder, in such a way as to have an adverse effect on an individual.”529

In Ohio, Section 1347.12(G) authorizes the attorney general to conduct an investigation and bring a civil action for an alleged failure by a state agency or an agency of a political subdivision to comply with Section 1347.12.530

In South Carolina, a resident who is injured by a violation of the state statute that applies to a breach of the security of “business data” may

    (1) institute a civil action to recover damages in case of a wilful [sic] and knowing violation; (2) institute a civil action that must be limited to actual damages resulting from a violation in case of a negligent violation of this section; …and (4) recover attorney’s fees and court costs, if successful.531

Furthermore, under South Carolina law, a person “who knowingly and wilfully [sic] violates this section is subject to an administrative fine in the amount of one thousand dollars for each resident whose information was accessible by reason of the breach, the amount to be decided by the Department of Consumer Affairs.”532

In Virginia, although the attorney general is authorized to impose a civil penalty for a security breach, the statute also provides that an individual is not limited “from recovering direct economic damages from a violation….”533

In Washington, a customer who is injured by a violation of the state’s statutory requirement that a notice be given of a breach in the security of personal information may institute a civil action for damages;534 however, an agency is not required to disclose a technical breach of the security system that does not seem reasonably likely to subject a customer to a risk of criminal activity.535

Finally, it may be noted that a number of class actions have been brought against private companies for damages allegedly caused by a breach of security and a theft of PII. However, some cases have been dismissed for lack of standing on the ground that the risk of future injury caused by a breach, such as a possible identity theft, in and of itself is “too speculative to confer standing,”536 or because the plaintiff was unable to show an actual injury-in-fact.537

6. Power Delegated to the Attorney General

Some of the privacy statutes delegate authority to the attorney general to bring an action for a breach of the statute.538 In Oklahoma, Oklahoma Statute Section 24-165(A) provides for enforcement and a civil penalty for a violation of the Security Breach Notification Act: “A violation of this act that results in injury or loss to residents of this state may be enforced by the Attorney General or a district attorney in the same manner as an unlawful practice under the Oklahoma Consumer Protection Act.” Subsection (B) grants the attorney general or a district attorney exclusive authority to bring an action either for actual damages for a violation of the act or for a civil penalty not to exceed $150,000 “per breach of the security of the system or series of breaches of a similar nature that are discovered in a single investigation.”539

Vermont’s statute on Protection of Personal Information with respect to all data collectors grants the attorney general, with some exceptions, “sole and full authority to investigate potential violations of this subchapter and to enforce, prosecute, obtain, and impose remedies for a violation of this subchapter….”540

In Virginia, the attorney general “may impose a civil penalty not to exceed $150,000 per breach of the security of the system or a series of breaches of a similar nature that are discovered in a single investigation.”541 However, the section does not “limit an individual from recovering direct economic damages from a violation….”542

The West Virginia Breach of Security Information law provides that the attorney general has exclusive authority to bring an action; that no civil penalty may be assessed unless the court finds that the defendant has engaged in a course of repeated and willful violations of article 2A; and that no civil penalty may exceed $150,000 “per breach of security of the system or series of breaches of a similar nature that are discovered in a single investigation.”543

Footnotes

502 House Bill 876 [Edition 1]. Status: April 15, 2015, referred to Committee on Judiciary.

503 Senate Bill 182 [Edition 2]. Status: April 4, 2015, referred to the Committee on Transportation; House Bill 829 [Edition 2]. Status: April 28, 2015, re-referred to the Committee on Rules, Calendar, and Operations of the House.

504 House Bill 829 § 20-183.26(a).

505 Senate Bill 854. Status: May 28, 2015, referred to Judiciary.

506 House Bill 401. Status: February 9, 2015, referred to Judiciary.

507 House Bill 3929. Status: May 14, 2015, placed on General State Calendar.

508 Senate Bill 1286. Status: March 18, 2015, referred to Criminal Justice.

509 Froomkin, supra note 213, at 1025 (footnote omitted) (internal quotation marks omitted). See discussion of state notification laws in Dana Rosenfeld and Donnelly McDowell, Moving Target: Protecting Against Data Breaches Now and Down the Road, 28 Antitrust ABA 90 (2014) [hereinafter Rosenfeld and McDowell]; John A. Fisher, Secure My Data or Pay the Price: Consumer Remedy for the Negligent Enablement of Data Breach, 4 Wm. & Mary Bus. L. Rev. 215 (2013) [hereinafter Fisher]; Jill Joerling, Data Breach Notification Laws: An Argument for a Comprehensive Federal Law to Protect Consumer Data, 32 Wash. U. J.L. & Pol’y 467 (2010) [hereinafter Joerling]; and Robert Sprague and Corey Ciocchetti, Preserving Identities: Protecting Personal Identifying Information through Enhanced Privacy Policies and Laws, 19 Alb. L.J. Sci. & Tech. 91 (2009) [hereinafter Sprague and Ciocchetti].

510 Ohio Rev. Code § 1347.12(B)(1) (2015).

511 See National Conference of State Legislatures, Security Breach Notification Laws (2015) (citing Alaska Stat. § 45.48.010, et seq.; Ariz. Rev. Stat. § 44-7501; Ark. Code § 4-110-101, et seq.; Cal. Civ. Code §§ 1798.29 and 1798.80, et seq.; Colo. Rev. Stat. § 6-1-716; Conn. Gen. Stat. § 36a-701b; Del. Code tit. 6, § 12B-101, et seq.; Fla. Stat. §§ 501.171, 282.0041, and 282.318(2)(i); Ga. Code §§ 10-1-910-912 and § 46-5-214; Haw. Rev. Stat. § 487N-1, et seq.; Idaho Stat. §§ 28-51-104-107; 815 Ill. Comp. Stat. §§ 530/1–530/25; Ind. Code § 4-1-11, et seq. and 24-4.9, et seq.; Iowa Code §§ 715C.1-715C.2; Kan. Stat. § 50-7a01, et seq.; Ky. Rev. Stat. §§ 365.732 and 61.931-61.934; La. Rev. Stat. §§ 51:3071, et seq. and §§ 40:1300.111-1300.116; Me. Rev. Stat. tit. 10, § 1347, et seq.; Md. Code Com. Law § 14-3501, et seq.; Md. State Gov’t Code §§ 10-1301-1308; Mass. Gen. Laws § 93H-1, et seq.; Mich. Comp. Laws §§ 445.63 and 445.72; Minn. Stat. §§ 325E.61 and 325E.64; Miss. Code § 75-24-29; Mo. Rev. Stat. § 407.1500; Mont. Code §§ 2-6-504 and 30-14-1701, et seq.; Neb. Rev. Stat. §§ 87-801-807; Nev. Rev. Stat. §§ 603A.010, et seq. and 242.183; N.H. Rev. Stat. §§ 359-C:19-C:21; N.J. Stat. §§ 56:8-161-163; N.Y. Gen. Bus. Law § 899-aa and N.Y. State Tech. Law § 208; N.C. Gen. Stat. §§ 75-61 and 75-65; N.D. Cent. Code § 51-30-01, et seq.; Ohio Rev. Code §§ 1347.12, 1349.19, and 1349.191-192; Okla. Stat. §§ 74-3113.1 and 24-161-166; Oregon Rev. Stat. §§ 646A.600-646A.628; 73 Pa. Stat. § 2301, et seq.; R.I. Gen. Laws § 11-49.2-1, et seq.; S.C. Code § 39-1-90; Tenn. Code § 47-18-2107; Tex. Bus. & Com. Code §§ 521.002-521.053 and Tex. Ed. Code § 37.007(b)(5); Utah Code § 13-44-101, et seq.; Vt. Stat. tit. 9, §§ 2430 and 2435; Va. Code §§ 18.2-186.6 and 32.1-127.1:05; Wash. Rev. Code §§ 19.255.010 and 42.56.590; W. Va. Code § 46A-2A-101, et seq.; Wis. Stat. § 134.98; Wyo. Stat. § 40-12-501, et seq.; and D.C. Code § 28-3851, et seq.), available at: http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx (last accessed Oct. 12, 2015). See also Mintz Levin, State Data Security Breach Notification Laws (2015) [hereinafter State Breach Notification Laws], available at: http://www.mintz.com/newsletter/2007/PrivSec-DataBreachLaws-02-07/state_data_breach_matrix.pdf (last accessed Oct. 12, 2015) (analyzing state laws by data and consumers protected; the statutes’ definition of a breach; covered entities; notice procedures, timing, and exemptions; whether encryption is a safe harbor; preemption; penalties; and whether the statutes create a private right of action) and Sprague and Ciocchetti, supra note 509, at 104–105 (also including citations to breach notification statutes).

512 See Alaska Stat. § 45.48.090(7)(A) (2015); Cal. Civ. Code § 1798.29(g) (2015); Ga. Code Ann. § 10-1-911(c) (2015); Haw. Rev. Stat. § 487N-1 (2015); Idaho Code § 28-51-104(5) (2015); 815 Ill. Comp. Stat. § 530/5 (2015); Ind. Code § 4-1-11-3 (2015); Kansas Stat. Ann. § 50-7a01(g) (2015); La. Rev. Stat. §§ 3073(4)(a) and (b) (2015); Maine Rev. Stat. tit. 10, § 1347(6) (2015); Mass. Gen. Laws ch. 93H, § 1(a) (2015); Mich. Comp. Laws 445.63 §§ 3(q) and (r) (2015) (defining personally identifying information and personal information, respectively); Montana Code Ann. §§ 2-6-501(4)(a) and (b) (2015); Nev. Rev. Stat. § 603A.040 (2015); New Jersey Stat. Ann. § 56:8-161 (2015); Ohio Rev. Code § 1347.01(E) (2015); Okla. Stat. §§ 24-162(6) and 74-3113.1(D)(2) (2015); 73 Pa. Cons. Stat. § 2302 (2015); R.I. Gen. Laws § 11-49.2-5(c) (2015); S.C. Code § 39-1-90(D)(3) (2015); Vermont Stat. tit. 9, ch. 62, § 2430(5)(A) (2015) (defining the term “personally identifiable information”); Va. Code § 18.2-186.6(A) (2015); Wash. Rev. Code § 19.255.010(5) (2015); W. Va. Code, art. 2A, § 46A-2A-101(6) (2015); Wis. Stat. § 134.98(1)(b) (2015); and 14 V.I. Code § 2208(e) (2015).

513 Ohio Rev. Code § 1347.12(A)(6)(a) (effective Sept. 29, 2015). See also Ohio Rev. Code § 1347.01(E) (2015).

514 Wash. Rev. Code § 19.255.010(5) (2015).

515 Wash. Rev. Code § 19.255.010(6) (2015).

516 Alaska Stat. §§ 45.48.090(2)(B) and (3) (2015) (stating that the term “covered person” includes a government agency, meaning “a state or local governmental agency, except for an agency of the judicial branch”); see also Alaska Stat. § 45.48.090(4) (2015) (defining the term “information collector” to mean a “covered person who owns or licenses personal information in any form” on a state resident); Cal. Civ. Code § 1798.14 (2015) (directing an agency to maintain only relevant and necessary personal information in its records); Ga. Code § 10-1-911(2) (2015) (defining the term “data collector” to include “any state or local agency or subdivision thereof...or other government entity,” but excepting agency records maintained primarily for traffic safety, law enforcement, or licensing purposes); Haw. Rev. Stat. § 487N-1 (2015) (chapter also applying to a government or instrumentality of the state or any county); Idaho Code § 28-51-104(1) (2015) (defining the term “agency” to mean any public agency as defined in Idaho Code § 74-101); 815 Ill. Comp. Stat. § 530/5 (2015) (stating that the term “data collector” includes government agencies); Indiana Code § 4-1-11-4 (2015) (defining the term “state agency” as set forth in Indiana Code § 4-1-10-2); see also Indiana Code § 4-1-11-5(a) (2015) (requiring state agencies to disclose security breaches); Kansas Stat. § 50-7a01(f) (2015) (defining term “person” to include a government or governmental subdivision or agency or other entity) and Kan. Stat. § 3073(1) (2015) (defining the term “agency” to include the state, its political subdivision, agency, or similar body); Maine Rev. Stat. tit. 10, § 1347(5) (2015) (defining the term “person” to include agencies of state government); see also Maine Rev. Stat. § 1347(3) (2015) (defining the term “information broker” as being inapplicable to a governmental agency whose records are maintained primarily for traffic safety, law enforcement, or licensing purposes); Mass. Gen. Laws, ch. 93H, § 1(a) (2015) (defining the term “agency” to include “any agency, …authority of the commonwealth, or any of its branches, or of any political subdivision thereof”); Mich. Comp. Laws 445.63 § 3(a) (2015) (defining the term “agency” to include “a department, board, commission, office, agency, authority, or other unit of state government of this state”); Montana Code § 2-6-501(6)(a) (2015) (defining a state agency to include “an agency, authority, …or other instrumentality of the legislative or executive branch of state government,” as well as “an employee of a state agency acting within the course and scope of employment”); Nev. Rev. Stat. § 603A.030 (2015) (defining the term “data collector” to include “any governmental agency…that…handles, collects, disseminates or otherwise deals with nonpublic personal information”); N.J. Stat. Ann. § 56:8-161 (2015) (defining a public entity to include the state, county, public agency, political subdivision, or other state public body); Ohio Rev. Code §§ 1347.01(A) and (B) (2015) (defining state agency and local agency, respectively); see also Ohio Rev. Code § 1347.01(D) (2015) (defining the term “maintain” to mean state or local ownership of, control over, responsibility for, or accountability for data systems) and §§ 1347.12(A)(1) and (B)(1) (2015) (defining agency of a political subdivision); Okla. Stat. § 24-162(2) (2015) (stating that the term “entity” includes “governments, governmental subdivisions, agencies, or instrumentalities, or any other legal entity….”); 73 Pa. Cons. Stat. § 2302 (2015) (defining the term “entity” to include a state agency or a political subdivision of the Commonwealth); R.I. Gen. Laws § 11-49.2-3(a) (2015) (applying to “[a]ny state agency or person that owns, maintains or licenses computerized data that includes personal information….”); S.C. Code §§ 37-1-301(18) and (20), 39-1-90 (2015) (statute applying also to a “governmental subdivision”); Tenn. Code § 47-18-2102(9) (2015) (defining the term “person” to include a “governmental agency…and any other legal or commercial entity however organized….”); Vermont Stat. tit. 9, ch. 62, § 2430(3) (2015) (defining the term “data collector” to include the state, state agencies, and political subdivisions of the state); Va. Code § 18.2-186.6 (2015) (defining the term “entity” to include governments, governmental subdivisions, agencies, or instrumentalities); see also Va. Code § 42.56.590(b) (2015) (stating that the term “agency” has the same meaning as in § 42.56.010); W. Va. Code § 46A-2A-101 (2015) (defining the term “entity” to include governments, governmental subdivisions, agencies, or instrumentalities); Wis. Stat. § 134.98(1)(a)(2) (2015) (defining the term “entity” to include the state and any office, department, independent agency, or state government body, as well as a city, village, town, or county); 14 V.I. Code § 2208(b) (2015) (applicable to any agency maintaining computerized data with personal information).

517 Joerling, supra note 509, at 471.

518 California Security Breach Information Act § 1798.29(a) (emphasis added).

519 Ohio Rev. Code § 1347.12(A)(1) (2015).

520 Joerling, supra note 509, at 471.

521 Alaska (but not against government agencies), California, Delaware (treble damages and reasonable attorney’s fees), Louisiana (actual damages), Maryland, Massachusetts (in certain situations), Minnesota, New Hampshire, North Carolina, Rhode Island, South Carolina, Virginia, Washington, and the District of Columbia. See State Breach Notification Laws, supra note 511. See Joerling, supra note 509, at 479 n.63 (citing California Security Breach Information Act, Cal. Civ. Code § 1798.84 (2009); D.C. Code Ann. § 28-3853(a) (2009); N.H. Rev. Stat. Ann. § 359-C:21(I) (2009); N.C. Gen. Stat. Ann. § 75-65 (2007); Or. Rev. Stat. Ann. § 646A.624 (2009); S.C. Code Ann. § 37-20-170 (2008); Tenn. Code Ann. § 47-18-2107(h) (2009); and Wash. Rev. Code Ann. § 19.255.010(10)(9) (2007)). See also Sprague and Ciocchetti, supra note 509, at 106 (at that time identifying the District of Columbia and 11 states—California, Delaware, Hawaii, Illinois, Louisiana, Maryland, Nevada, North Carolina, Rhode Island, Tennessee, and Washington).

522 Joerling, supra note 509, at 476 (citing Haw. Rev. Stat. Ann. § 487N-2 (2009); Fla. Stat. Ann. § 817.5681 (2006); Me. Rev. Stat. Ann. tit. 10, § 1349 (2008); and Tenn. Code Ann. § 47-18-2107 (2009)).

523 See Haw. Rev. Stat. § 487N-3(a) (2015); Maine Rev. Stat. § 1349(2)(A) (2015) (provisions on enforcement and for imposition of civil penalties for violations of Maine’s statute on Notice of Risk to Personal Data not applicable to the state).

524 See Ga. Code § 10-1-910, et seq. (2015); 815 Ill. Comp. Stat. § 530/20 (2015) (no specific penalty found that applies to government agencies but a violation constitutes an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act); Ind. Code § 4-1-11-2, et seq. (2015) (no provision located that permitted a civil action or imposed a civil penalty for a violation); N.J. Stat. Ann. § 56:8-166 (2015) (although stating that it is “unlawful…to willfully, knowingly or recklessly violate sections 10 through 13 of this amendatory and supplementary act,” no provision located authorizing a cause of action or imposing a specific civil penalty).

525 Alaska Stat. § 45.48.080(a) (2015) (stating that an information collector that is a governmental agency is liable to the state for a civil penalty of up to $500 for each state resident who was not notified under Alaska Stat. 45.48.010–45.48.090 but total civil penalty may not exceed $50,000); Mich. Comp. Laws § 445.72(14) (2015) (applicable to § 445.72’s security breach requirements and providing that “[t]he aggregate liability of a person for civil fines under subsection (13) for multiple violations of subsection (13) that arise from the same security breach shall not exceed $750,000”). See Mich. Comp. Laws § 445.72(15) (2015) (stating that “[s]ubsections (12) and (13) do not affect the availability of any civil remedy for a violation of state or federal law”); R.I. Gen. Laws § 11-49.2-6(a) (2015) (stating that a breach of the state’s Identity Theft Protection Act “is a civil violation for which a penalty of not more than a hundred dollars ($100) per occurrence and not more than twenty-five thousand dollars ($25,000) may be adjudged against a defendant”).

526 Idaho Code § 28-51-107 (2015) (emphasis added).

527 Mont. Code § 30-14-142(4) (2015). See also Mont. Code § 30-14-1705 (2015) (incorporating Mont. Code § 30-14-142(1)) (authorizing the courts to impose also a civil fine for violating an injunction or temporary restraining order).

528 La. Rev. Stat. § 3075 (2015) (authorizing a civil action “to recover actual damages resulting from the failure to disclose in a timely manner to a person that there has been a breach of the security system resulting in the disclosure of a person’s personal information”); Tenn. Code Ann. §§ 47-18-2104 and 22105 (2015) (providing, respectively, for a private right of action and for civil penalties for a violation of the Tennessee Identity Theft Deterrence Act of 1999).

529 Cal. Civ. Code § 1798.45(a)–(c) (2015). See also Cal. Civ. Code § 1798.46(b) (2015) (allowing for attorney’s fees and other litigation costs for violations of §§ 1798.45(b) or (c)) and § 1798.53 (2015) (allowing actions for invasion of privacy except against state or local government agency employees).

530 Ohio Rev. Code § 1347.12(G) (effective Sept. 29, 2015).

531 S.C. Code § 31-1-90(G) (2015).

532 S.C. Code § 31-1-90(H) (2015) (emphasis added).

533 Va. Code § 18.2-186.6(I) (2015).

534 Wash. Rev. Code § 42.56.59(10)(a) (2015).

535 Wash. Rev. Code § 42.56.59(10)(d) (2015).

536 Rosenfeld and McDowell, supra note 509, at 93 (citing In re TJX Cos. Retail Sec. Breach Litig., 527 F. Supp. 2d 209 (D. Mass. 2007) (affirmed by, in part, vacated by, in part, remanded, Amerifirst Bank v. TJX Cos. (In re TJX Cos. Retail Sec. Brach Litig.), 2009 U.S. App. LEXIS 6636 (1st Cir. Mass., Mar. 30, 2009))).

537 Id.; Sprague and Ciocchetti, supra note 509, at 101 (citing Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629, 631 (7th Cir. 2007) (applying Indiana law)).

538 Kan. Stat. § 50-7a02(g) (2015) (empowering the attorney general “to bring an action in law or equity to address violations of this section and for other relief that may be appropriate”); Mass. Gen. Laws ch. 93H, § 3 (2015) (stating that the “attorney general may bring an action pursuant to section 4 of chapter 93A against a person or otherwise to remedy violations of this chapter and for other relief that may be appropriate”); Ohio Rev. Code § 1347.12(G) (2015) (stating that the attorney general may conduct an investigation and bring a civil action for an alleged failure by a state agency or agency of a political subdivision to comply with § 1347.12); 73 Pa. Cons. Stat. § 2308 (2015) (providing that the attorney general has exclusive authority to bring an action for a violation of the state’s Breach of Personal Notification Act).

539 Okla. Stat. § 24-165(B) (2015).

540 Vt. Stat. tit. 9, § 2435(g)(1) (2015).

541 Va. Code § 18.2-186.6(I) (2015).

542 Id.

543 W. Va. Code § 46A-2A-104(b) (2015) (emphasis added).

TRB's National Cooperative Highway Research Program (NCHRP) Legal Research Digest 71: Liability of Transportation Entity for the Unintentional Release of Secure Data or the Intentional Release of Monitoring Data on Movements or Activities of the Public reviews the statutes, regulations, and common law regarding the release of data collected for transportation purposes. Included in this research are questions concerning the application of public records laws and the application of any constitutional, statutory, or common law privacy rights. The digest also researches and identifies statutes and common law dealing with the collection of data on the activities of the public, includes a literature search of topics addressing these issues, and also includes a search of state and federal laws focusing on this and similar topics.

Appendixes A through D provide background on the research effort.