sensitive personal information that results in the potential compromise of the confidentiality or integrity of the data.”509 In Ohio, the term “breach of the security of the system” is defined to mean

an unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information owned or licensed by a state agency or an agency of a political subdivision and that causes, reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to the person or property of a resident of this state.510

B. States Having Data Breach Notification Statutes

As of January 2015, all states except Alabama, New Mexico, and South Dakota have laws requiring that notice be given to the public if there is a security breach involving data having personal information.511 The term “personal information” may be

phone or other electronic device and provides that a violation would be punishable as a Class 1 misdemeanor.502 Bills applicable to ALPRs are pending in both chambers of the North Carolina legislature. Senate Bill 182 simply provides that any law enforcement agency using an ALPR must adopt a written policy governing its use, whereas House Bill 829 restricts the use of ALPRs to four purposes, including for electronic toll collection and specific law enforcement purposes.503 Furthermore, the House version creates a right of civil action against anyone who knowingly violates the law.504

8. Pennsylvania

In Pennsylvania, Senate Bill 854 would make it unlawful “for any person to utilize tracking technology without lawful authority or consent.”505 House Bill 401 entitled “Protecting Pennsylvanians’ Privacy Act” would require a government entity to obtain a search warrant prior to obtaining locational information on an electronic device and would impose a civil penalty for a violation.506

9.
Texas

In Texas, under House Bill 3929, if an ALPR were to be used for anything other than a “valid law enforcement purpose,” it would become a Class A misdemeanor.507 A bill in the Senate, which provides that an ALPR may be used only for investigating a criminal offense or a report of a missing person, mandates that all of the images and data collected from an ALPR are to be destroyed no later than the seventh day after collection.508

VII. WHETHER STATE DATA BREACH NOTIFICATION LAWS APPLY TO TRANSPORTATION AGENCIES

A. Definition of a Data Breach

A data breach may be defined “as a loss or theft of, or other unauthorized access to, data containing

502 House Bill 876 [Edition 1]. Status: April 15, 2015, referred to Committee on Judiciary.

503 Senate Bill 182 [Edition 2]. Status: April 4, 2015, referred to the Committee on Transportation; House Bill 829 [Edition 2], Status: April 28, 2015, re-referred to the Committee on Rules, Calendar, and Operations of the House.

504 House Bill 829 § 20-183.26(a).

505 Senate Bill 854. Status: May 28, 2015, referred to Judiciary.

506 House Bill 401. Status: February 9, 2015, referred to Judiciary.

507 House Bill 3929. Status: May 14, 2015, placed on General State Calendar.

508 Senate Bill 1286. Status: March 18, 2015, referred to Criminal Justice.

509 Froomkin, supra note 213, at 1025 (footnote omitted) (internal quotation marks omitted). See discussion of state notification laws in Dana Rosenfeld and Donnelly McDowell, Moving Target: Protecting Against Data Breaches Now and Down the Road, 28 Antitrust ABA 90 (2014) [hereinafter Rosenfeld and McDowell]; John A. Fisher, Secure My Data or Pay the Price: Consumer Remedy for the Negligent Enablement of Data Breach, 4 Wm. & Mary Bus. L. Rev. 215 (2013) [hereinafter Fisher]; Jill Joerling, Data Breach Notification Laws: An Argument for a Comprehensive Federal Law to Protect Consumer Data, 32 Wash. U. J.L.
& Pol’y 467 (2010) [hereinafter Joerling]; and Robert Sprague and Corey Ciocchetti, Preserving Identities: Protecting Personal Identifying Information through Enhanced Privacy Policies and Laws, 19 Alb. L.J. Sci. & Tech. 91 (2009) [hereinafter Sprague and Ciocchetti].

510 Ohio Rev. Code § 1347.12(B)(1) (2015).

511 See National Conference of State Legislatures, Security Breach Notification Laws (2015) (citing Alaska Stat. § 45.48.010, et seq.; Ariz. Rev. Stat. § 44-7501; Ark. Code § 4-110-101, et seq.; Cal. Civ. Code §§ 1798.29 and 1798.80, et seq.; Colo. Rev. Stat. § 6-1-716; Conn. Gen. Stat. § 36a-701b; Del. Code tit. 6, § 12B-101, et seq.; Fla. Stat. §§ 501.171, 282.0041, and 282.318(2)(i); Ga. Code §§ 10-1-910-912 and § 46-5-214; Haw. Rev. Stat. § 487N-1, et seq.; Idaho Stat. §§ 28-51-104-107; 815 Ill. Comp. Stat. §§ 530/1–530/25; Ind. Code § 4-1-11, et seq. and 24-4.9, et seq.; Iowa Code §§ 715C.1-715C.2; Kan. Stat. § 50-7a01, et seq., Ky. Rev. Stat. §§ 365.732 and 61.931-61.934; La. Rev. Stat. §§ 51:3071, et seq. and §§ 40:1300.111-1300.116; Me. Rev. Stat. tit. 10 § 1347; et seq.; Md. Code Com. Law § 14-3501, et seq., Md. State Gov’t Code §§ 10-1301-1308; Mass. Gen. Laws § 93H-1, et seq.; Mich. Comp. Laws §§ 445.63 and 445.72; Minn. Stat. §§ 325E.61 and 325E.64; Miss. Code § 75-24-29; Mo. Rev. Stat. § 407.1500; Mont. Code §§ 2-6-504 and 30-14-1701, et seq.; Neb. Rev. Stat. §§ 87-801-807; Nev. Rev. Stat. §§ 603A.010, et seq. and 242.183; N.H. Rev. Stat. §§ 359-C:19-C:21; N.J. Stat. §§ 56:8-161-163; N.Y. Gen. Bus. Law § 899-aa and N.Y. State Tech. Law § 208; N.C. Gen. Stat. §§ 75-61 and 75-65; N.D. Cent. Code § 51-30-01, et seq., Ohio Rev. Code §§ 1347.12, 1349.19, and 1349.191-192; Okla. Stat. §§ 74-3113.1 and 24-161-166; Oregon Rev. Stat. §§ 646A.600-646A.628; 73 Pa. Stat. § 2301, et seq.; R.I. Gen.
Washington State’s breach notification law applies to personal information, a term that

(5) …means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (a) Social security number; (b) Driver’s license number or Washington identification card number; or (c) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.514

(6) For purposes of this section, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.515

C. Applicability of the Statutes to Government Agencies

Although the breach notification statutes apply to businesses and commercial entities as defined in each statute, in at least 23 states, the statutes also apply to government agencies.516

defined to include a person’s name, Social Security number, driver’s license number, credit card numbers, security codes, PINs, or passwords.512 For example, the Ohio statute provides that an agency must disclose a breach of the security of personal information data.
Personal information is defined to be

an individual’s name, consisting of the individual’s first name or first initial and last name, in combination with and linked to any one or more of the following data elements, when the data elements are not encrypted, redacted, or altered by any method or technology in such a manner that the data elements are unreadable: (i) Social security number; (ii) Driver’s license number or state identification card number; (iii) Account number or credit or debit card number, in combination with and linked to any required security code, access code, or password that would permit access to an individual’s financial account.513

Laws § 11-49.2-1, et seq.; S.C. Code § 39-1-90; Tenn. Code § 47-18-2107; Tex. Bus. & Com. Code §§ 521.002-521.053 and Tex. Ed. Code § 37.007(b)(5); Utah Code § 13-44-101, et seq.; Vt. Stat. tit. 9, §§ 2430 and 2435; Va. Code §§ 18.2-186.6 and 32.1-127.1:05; Wash. Rev. Code §§ 19.255.010 and 42.56.590; W. Va. Code § 46A-2A-101, et seq.; Wis. Stat. § 134.98; Wyo. Stat. § 40-12-501, et seq.; and D.C. Code § 28-3851, et seq.), available at: http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx (last accessed Oct. 12, 2015). See also Mintz Levin, State Data Security Breach Notification Laws (2015) [hereinafter State Breach Notification Laws], available at: http://www.mintz.com/newsletter/2007/PrivSec-DataBreachLaws-02-07/state_data_breach_matrix.pdf (last accessed Oct. 12, 2015) (analyzing state laws by data and consumers protected; the statutes’ definition of a breach; covered entities; notice procedures, timing, and exemptions; whether encryption is a safe harbor; preemption; penalties; and whether the statutes create a private right of action) and Sprague and Ciocchetti, supra note 509, at 104–105 (also including citations to breach notification statutes).

512 See Alaska Stat. § 45.48.090(7)(A) (2015); Cal. Civ. Code § 1798.29(g) (2015); Ga.
Code Ann. § 10-1-911(c) (2015); Haw. Rev. Stat. § 487N-1 (2015); Idaho Code § 28-51-104(5) (2015); 815 Ill. Comp. Stat. § 530/5 (2015); Ind. Code § 4-1-11-3 (2015); Kansas Stat. Ann. § 50-7a01(g) (2015); La. Rev. Stat. §§ 3073(4)(a) and (b) (2015); Maine Rev. Stat. tit 10, § 1347(6) (2015); Mass. Gen. Laws ch. 93H, § 1(a) (2015); Mich. Comp. Laws 445.63 §§ 3(q) and (r) (2015) (defining personally identifying information and personal information, respectively); Montana Code Ann. §§ 2-6-501(4)(a) and (b) (2015); Nev. Rev. Stat. § 603A.040 (2015); New Jersey Stat. Ann. § 56:8-161 (2015); Ohio Rev. Code § 1347.01(E) (2015); Okla. Stat. §§ 24-162(6) and 74-3113.1(D)(2) (2015); 73 Pa. Cons. Stat. § 2302 (2015); R.I. Gen. Laws § 11-49.2-5(c) (2015); S.C. Code § 39-1-90(D)(3) (2015); Vermont Stat. tit. 9, ch. 62 § 2430(5)(A) (2015) (defining the term “personally identifiable information”); Va. Code § 18.2-186.6(A) (2015); Wash. Rev. Code § 19.255.010(5) (2015); W. Va. Code, art. 2A, § 46A-2A-101(6) (2015), Wis. Stat. § 134.98(1)(b) (2015); and 14 V.I. Code § 2208(e) (2015).

513 Ohio Rev. Code § 1347.12(A)(6)(a) (effective Sept. 29, 2015). See also Ohio Rev. Code § 1347.01(E) (2015).

514 Wash. Rev. Code § 19.255.010(5) (2015).

515 Wash. Rev. Code § 19.255.010(6) (2015).

516 Alaska Stat. §§ 45.48.090(2)(B) and (3) (2015) (stating that the term “covered person” includes a government agency, meaning “a state or local governmental agency, except for an agency of the judicial branch”); see also Alaska Stat. § 45.48.090(4) (2015) (defining the term “information collector” to mean a “covered person who owns or licenses personal information in any form” on a state resident); Cal. Civ. Code § 1798.14 (2015) (directing an agency to maintain only relevant and necessary personal information in its records); Ga.
Code § 10-1-911(2) (2015) (defining the term “data collector” to include “any state or local agency or subdivision thereof...or other government entity,” but excepting agency records maintained primarily for traffic safety, law enforcement, or licensing purposes); Haw. Rev. Stat. § 487N-1 (2015) (chapter also applying to a government or instrumentality of the state or any county); Idaho Code § 28-51-104(1) (2015) (defining the term “agency” to mean any public agency as defined in Idaho Code § 74-101); 815 Ill. Comp. Stat. § 530/5 (2015) (stating that the term “data collector” includes government agencies); Indiana Code § 4-1-11-4 (2015) (defining the term “state agency” as set forth in Indiana Code § 4-1-10-2); see also Indiana Code § 4-1-11-5(a) (2015) (requiring state agencies to disclose security breaches); Kansas Stat. § 50-7a01(f) (2015) (defining term “person” to include a government or governmental subdivision or agency or other entity) and Kan. Stat. § 3073(1) (2015) (defining the term “agency” to include the state, its political subdivision, agency, or similar body); Maine Rev. Stat. tit. 10, § 1347(5) (2015) (defining the term “person” to include agencies of state government); see also Maine Rev. Stat. § 1347(3) (2015) (defining the term “information broker” as being inapplicable to a governmental agency whose records are maintained primarily for traffic safety, law enforcement, or licensing purposes); Mass. Gen. Laws, ch. 93H, § 1(a) (2015) (defining the term “agency” to include
In Ohio, the statute defines the term “agency of a political subdivision” to mean “each organized body, office, or agency established by a political subdivision for the exercise of any function of the political subdivision, except that ‘agency of a political subdivision’ does not include an agency that is a covered entity as defined in 45 C.F.R. 160.103, as amended.”519

In some states there is a good faith defense to the disclosure of personal information as long as the personal information was not used for illegitimate purposes and there were no other unauthorized disclosures of the data.520

D. State Breach Notification Laws Authorizing Civil Penalties or Claims for Damages

1. Overview

Although some breach-notification laws provide for enforcement and civil penalties, it appears that only in 13 states and the District of Columbia would a person injured by a data breach have a private right of action,521 and that at least 4 states exempt government agencies from “enforcement proceedings.”522 Of the states in which the breach notification laws apply to government agencies, the states differ in regard to a right of action against government agencies for a violation of the statute. In some states, no action is permitted against government entities or there is no provision for a private right of action. Some state statutes provide for the imposition of a civil penalty for a violation of the breach notification statute, whereas other states authorize a claim for damages. Some breach notification statutes delegate authority to the attorney general to bring an action for a violation.
The statutes typically provide that encryption is a defense to a claim for a data breach for any missing, lost, or stolen data.517 For example, the California breach notification law requires that

[a]ny agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.518

“any agency, …authority of the commonwealth, or any of its branches, or of any political subdivision thereof”); Mich. Comp. Laws 445.63 § 3(a) (2015) (defining the term “agency” to include “a department, board, commission, office, agency, authority, or other unit of state government of this state”); Montana Code § 2-6-501(6(a) (2015) (defining a state agency to include “an agency, authority, …or other instrumentality of the legislative or executive branch of state government,” as well as “an employee of a state agency acting within the course and scope of employment”); Nev. Rev. Stat. § 603A.030 (2015) (defining the term “data collector” to include “any governmental agency…that…handles, collects, disseminates or otherwise deals with nonpublic personal information”); N.J. Stat. Ann. § 56:8-161 (2015) (defining a public entity to include the state, county, public agency, political subdivision, or other state public body); Ohio Rev. Code §§ 1347.01(A) and (b) (2015) (defining state agency and local agency, respectively); see also Ohio Rev. Code § 1347.01(D) (2015) (defining the term “maintain” to mean state or local ownership of, control over, responsibility for, or accountability for data systems and §§ 1347.12(A)(1) and (B)(1) (2015) (defining agency of a political subdivision); Okla. Stat.
§ 24-162(2) (2015) (stating that the term “entity” includes “governments, governmental subdivisions, agencies, or instrumentalities, or any other legal entity….”); 73 Pa. Cons. Stat. § 2302 (2015) (defining the term “entity” to include a state agency or a political subdivision of the Commonwealth); R.I. Gen. Laws § 11-49.2-3(a) (2015) (applying to “[a]ny state agency or person that owns, maintains or licenses computerized data that includes personal information….”); S.C. Code §§ 37-1-301(18) and (20) 39-1-90 (2015) (statute applying also to a “governmental subdivision”); Tenn. Code § 47-18-2102(9) (2015) (defining the term “person” to include a “governmental agency…and any other legal or commercial entity however organized….”); Vermont Stat. tit. 9, ch. 62, § 2430(3) (2015) (defining the term “data collector” to include the state, state agencies, and political subdivisions of the state); Va. Code § 18.2-186.6 (2015) (defining the term “entity” to include governments, governmental subdivisions, agencies, or instrumentalities; see also Va. Code § 42.56.590(b) (2015) (stating that the term “agency” has the same meaning as in § 42.56.010); W. Va. Code § 46A-2A-101 (2015) (defining the term “entity” to include governments, governmental subdivisions, agencies, or instrumentalities); Wis. Stat. § 134.98(1)(a)(2) (2015) (defining the term “entity” to include the state and any office, department, independent agency, or state government body, as well as a city, village, town, or county); 14 V.I. Code § 2208(b) (2015) (applicable to any agency maintaining computerized data with personal information).

517 Joerling, supra note 509, at 471.

518 California Security Breach Information Act § 1798.29(a) (emphasis added).

519 Ohio Rev. Code § 1347.12(A)(1) (2015).

520 Joerling, supra note 509, at 471.
521 Alaska (but not against government agencies), California, Delaware (treble damages and reasonable attorney’s fees), Louisiana (actual damages), Maryland, Massachusetts (in certain situations), Minnesota, New Hampshire, North Carolina, Rhode Island, South Carolina, Virginia, Washington, and the District of Columbia. See State Breach Notification Laws, supra note 511. See Joerling, supra note 509, at 479 n.63 (citing California Security Breach Information Act, Cal. Civ. Code § 1798.84 (2009); D.C. Code Ann. § 28-3853(a) (2009); N.H. Rev. Stat. Ann. § 359-C:21(I) (2009); N.C. Gen. Stat. Ann. § 75-65 (2007); Or. Rev. Stat. Ann. § 646A.624 (2009); S.C. Code Ann. § 37-20-170 (2008); Tenn. Code Ann. § 47-18-2107(h) (2009); and Wash. Rev. Code Ann. § 19.255.010(10)(9) (2007)). See also Sprague and Ciocchetti, supra note 509, at 106 (at that time identifying the District of Columbia and 11 states: California, Delaware, Hawaii, Illinois, Louisiana, Maryland, Nevada, North Carolina, Rhode Island, Tennessee, and Washington).

522 Joerling, supra note 509, at 476 (citing Haw. Rev. Stat. Ann. § 487N-2 (2009); Fla. Stat. Ann. § 817.5681 (2006); Me. Rev. Stat. Ann. tit. 10, § 1349 (2008); and Tenn. Code Ann. § 47-18-2107 (2009)).
fails to give notice [of a security breach] in accordance with section 28-51-105, Idaho Code, shall be subject to a fine of not more than twenty-five thousand dollars ($25,000) per breach of the security of the system.”526

Montana Code Section 30-14-142(2) provides that if a court finds that “a person is willfully using or has willfully used” an unlawful method, act, or practice, a civil fine of not more than $10,000 may be imposed for each violation. A willful violation occurs when the party committing the violation knew or should have known that the conduct was a violation of Section 30-14-103.527

5. Liability for Damages

Several states authorize an action for damages for a violation of the state’s statute protecting personal information and/or for failure to give notice of a breach of the security of personal information.528

As stated, California’s IPA provides that an individual may bring a civil action against an agency whenever the agency refuses to comply with an individual’s lawful request to inspect under Section 1798.34(a); fails to maintain accurate and complete records concerning an individual as further provided in the statute; or “[f]ails to comply with any other provision of this chapter, or any rule promulgated thereunder, in such a way as to have an adverse effect on an individual.”529

In Ohio, Section 1347.12(G) authorizes the attorney general to conduct an investigation and bring a civil action for an alleged failure by a state agency or an agency of a political subdivision to comply with Section 1347.12.530

In South Carolina, a resident who is injured by a violation of the state statute that applies to a breach of the security of “business data” may

Some of the statutory provisions regarding enforcement, such as for damages or a civil penalty, apply to an agency’s failure to give notice of a security breach, whereas some provisions apply to any violation of the state’s privacy act protecting personal information
maintained by an agency.

2. No Action Permitted Against Government Agencies

In some states no action is permitted against government agencies.523

3. No Provision for a Private Right of Action

In some states there appears to be no provision for a private right of action.524

4. Liability for Civil Penalties

Some states’ statutes provide for the imposition of a civil penalty for a violation of a state statute protecting personal information and/or a violation of a requirement that an agency give notice of a breach of the security of personal information.525 In some states, however, a civil penalty will not be assessed unless an agency’s action was willful or intentional. For example, in Idaho, “[a]ny agency, individual or commercial entity that intentionally

523 See Haw. Rev. Stat. § 487N-3(a) (2015); Maine Rev. Stat. § 1349(2)(A) (2015) (provisions on enforcement and for imposition of civil penalties for violations of Maine’s statute on Notice of Risk to Personal Data not applicable to the state).

524 See Ga. Code § 10-1-910, et seq. (2015); 815 Ill. Comp. Stat. § 530/20 (2015) (no specific penalty found that applies to government agencies but a violation constitutes an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act); Ind. Code § 4-1-11-2, et seq. (2015) (no provision located that permitted a civil action or imposed a civil penalty for a violation); N.J. Stat. Ann. § 56:8-166 (2015) (although stating that it is “unlawful…to willfully, knowingly or recklessly violate sections 10 through 13 of this amendatory and supplementary act,” no provision located authorizing a cause of action or imposing a specific civil penalty).

525 Alaska Stat. § 45.48.080(a) (2015) (stating that an information collector that is a governmental agency is liable to the state for a civil penalty of up to $500 for each state resident who was not notified under Alaska Stat. 45.48.010–45.48.090 but total civil penalty may not exceed $50,000); Mich. Comp.
Laws § 445.72(14) (2015) (applicable to § 445.72’s security breach requirements and providing that “[t]he aggregate liability of a person for civil fines under subsection (13) for multiple violations of subsection (13) that arise from the same security breach shall not exceed $750,000”). See Mich. Comp. Laws § 445.72(15) (2015) (stating that “[s]ubsections (12) and (13) do not affect the availability of any civil remedy for a violation of state or federal law”); R.I. Gen. Laws § 11-49.2-6(a) (2015) (stating that a breach of the state’s Identity Theft Protection Act “is a civil violation for which a penalty of not more than a hundred dollars ($100) per occurrence and not more than twenty-five thousand dollars ($25,000) may be adjudged against a defendant”).

526 Idaho Code § 28-51-107 (2015) (emphasis added).

527 Mont. Code § 30-14-142(4) (2015). See also Mont. Code § 30-14-1705 (2015) (incorporating Mont. Code § 30-14-142(1)) (authorizing the courts to impose also a civil fine for violating an injunction or temporary restraining order).

528 La. Rev. Stat. § 3075 (2015) (authorizing a civil action “to recover actual damages resulting from the failure to disclose in a timely manner to a person that there has been a breach of the security system resulting in the disclosure of a person’s personal information”); Tenn. Code Ann. §§ 47-18-2104 and 22105 (2015) (providing, respectively, for a private right of action and for civil penalties for a violation of the Tennessee Identity Theft Deterrence Act of 1999).

529 Cal. Civ. Code § 1798.45(a)–(c) (2015). See also Cal. Civ. Code § 1798.46(b) (2015) (allowing for attorney’s fees and other litigation costs for violations of §§ 1798.45(b) or (c)) and § 1798.53 (2015) (allowing actions for invasion of privacy except against state or local government agency employees).

530 Ohio Rev. Code § 1347.12(G) (effective Sept. 29, 2015).
breach of the statute.538 In Oklahoma, Oklahoma Statute Section 24-165(A) provides for enforcement and a civil penalty for a violation of the Security Breach Notification Act: “A violation of this act that results in injury or loss to residents of this state may be enforced by the Attorney General or a district attorney in the same manner as an unlawful practice under the Oklahoma Consumer Protection Act.” Subsection (B) grants the attorney general or a district attorney exclusive authority to bring an action either for actual damages for a violation of the act or for a civil penalty not to exceed $150,000 “per breach of the security of the system or series of breaches of a similar nature that are discovered in a single investigation.”539

Vermont’s statute on Protection of Personal Information with respect to all data collectors grants the attorney general with some exceptions “sole and full authority to investigate potential violations of this subchapter and to enforce, prosecute, obtain, and impose remedies for a violation of this subchapter….”540

In Virginia, the attorney general “may impose a civil penalty not to exceed $150,000 per breach of the security of the system or a series of breaches of a similar nature that are discovered in a single investigation.”541 However, the section does not “limit an individual from recovering direct economic damages from a violation….”542

The West Virginia Breach of Security Information law provides that the attorney general has exclusive authority to bring an action; that no civil penalty may be assessed unless the court finds that the defendant has engaged in a course of repeated and willful violations of article 2A; and that no civil penalty may exceed $150,000 “per breach of security of the system or series of breaches of a similar nature that are discovered in a single investigation.”543

(1) institute a civil action to recover damages in case of a wilful [sic] and knowing violation; (2) institute a civil
action that must be limited to actual damages resulting from a violation in case of a negligent violation of this section; …and (4) recover attorney’s fees and court costs, if successful.531

Furthermore, under South Carolina law, a person “who knowingly and wilfully [sic] violates this section is subject to an administrative fine in the amount of one thousand dollars for each resident whose information was accessible by reason of the breach, the amount to be decided by the Department of Consumer Affairs.”532

In Virginia, although the attorney general is authorized to impose a civil penalty for a security breach, the statute also provides that an individual is not limited “from recovering direct economic damages from a violation….”533

In Washington, a customer who is injured by a violation of the state’s statutory requirement that a notice be given of a breach in the security of personal information may institute a civil action for damages;534 however, an agency is not required to disclose a technical breach of the security system that does not seem reasonably likely to subject a customer to a risk of criminal activity.535

Finally, it may be noted that a number of class actions have been brought against private companies for damages allegedly caused by a breach of security and a theft of PII. However, some cases have been dismissed for lack of standing on the ground that the risk of future injury caused by a breach, such as a possible identity theft, in and of itself is “too speculative to confer standing,”536 or because the plaintiff was unable to show an actual injury-in-fact.537

6. Power Delegated to the Attorney General

Some of the privacy statutes delegate authority to the attorney general to bring an action for a

531 S.C. Code §§ 31-1-90(G) (2015).

532 S.C. Code § 31-1-90(H) (2015) (emphasis added).

533 Va. Code § 18.2-186.6(I) (2015).

534 Wash. Rev. Code § 42.56.59(10)(a) (2015).

535 Wash. Rev. Code § 42.56.59(10)(d) (2015).
536 Rosenfeld and McDowell, supra note 509, at 93 (citing In re TJX Cos. Retail Sec. Breach Litig., 527 F. Supp. 2d 209 (D. Mass. 2007) (affirmed by, in part, vacated by, in part, remanded, Amerifirst Bank v. TJX Cos. (In re TJX Cos. Retail Sec. Breach Litig.), 2009 U.S. App. LEXIS 6636 (1st Cir. Mass., Mar. 30, 2009)).

537 Id.; Sprague and Ciocchetti, supra note 509, at 101 (citing Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629, 631 (7th Cir. 2007) (applying Indiana law)).

538 Kan. Stat. § 50-7a02(g) (2015) (empowering the attorney general “to bring an action in law or equity to address violations of this section and for other relief that may be appropriate”); Mass. Gen. Laws ch. 93H, § 3 (2015) (stating that the “attorney general may bring an action pursuant to section 4 of chapter 93A against a person or otherwise to remedy violations of this chapter and for other relief that may be appropriate”); Ohio Rev. Code § 1347.12(G) (2015) (stating that the attorney general may conduct an investigation and bring a civil action for an alleged failure by a state agency or agency of a political subdivision to comply with § 1347.12); 73 Pa. Cons. Stat. § 2308 (2015) (providing that the attorney general has exclusive authority to bring an action for a violation of the state’s Breach of Personal Notification Act).

539 Okla. Stat. § 24-165(B) (2015).

540 Vt. Stat. tit. 9, § 2435(g)(1) (2015).

541 Va. Code § 18.2-186.6(I) (2015).

542 Id.

543 W. Va. Code § 46A-2A-104(b) (2015) (emphasis added).