National Academies Press: OpenBook

Legal Issues Concerning Transit Agency Use of Electronic Customer Data (2017)

Chapter: XI. APPLICATION OF STATE DATA-BREACH NOTIFICATION LAWS TO TRANSIT AGENCIES

Suggested Citation: "XI. APPLICATION OF STATE DATA-BREACH NOTIFICATION LAWS TO TRANSIT AGENCIES." National Academies of Sciences, Engineering, and Medicine. 2017. Legal Issues Concerning Transit Agency Use of Electronic Customer Data. Washington, DC: The National Academies Press. doi: 10.17226/24730.


For example, a California statute authorizes a plaintiff to sue for damages[599] when someone

(2) Knowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network.

(3) Knowingly and without permission uses or causes to be used computer services.…

(6) Knowingly and without permission provides or assists in providing a means of accessing a computer, computer system, or computer network in violation of this section.

(7) Knowingly and without permission accesses or causes to be accessed any computer, computer system, or computer network.[600]

There are other state statutes that apply to state and local government agencies and to the confidentiality, privacy, and/or security of “electronic communications” and “stored data.”[601]

An issue that may arise with state legislation is whether federal legislation preempts state law. In Bansal v. Russ,[602] however, a federal court in Pennsylvania held that the Federal SCA does not preempt Pennsylvania’s Wiretapping and Electronic Surveillance Control Act that prohibits unlawful access to stored communications.[603]

Claims under state law may also be challenged on the basis of the “dormant commerce clause” doctrine. As explained in one article, “[t]he dormant Commerce Clause is preoccupied with state economic protectionism. …[T]he Supreme Court has applied a virtually fatal form of strict scrutiny to state laws that discriminate against interstate commerce and a more forgiving balancing test that practically rubber-stamps other laws that only incidentally affect interstate commerce.”[604] Usually dormant commerce clause challenges are made to state legislation rather than to state common law claims.[605] In Crowley v. Cybersource Corporation,[606] in which the plaintiff brought a class action pursuant to the Federal Wiretap Act and the ECPA, the court held that state law claims for unjust enrichment, invasion of privacy, fraud by concealment, and breach of contract were not in violation of the Constitution on the theory “that only Congress may enact legislation regarding the Internet. …Amazon cites no cases removing commercial activity from the reach of state tort law on dormant commerce clause grounds…. Indeed, the Third Circuit has expressed doubt as to whether state common law claims could violate the dormant commerce clause.”[607]

XI. APPLICATION OF STATE DATA-BREACH NOTIFICATION LAWS TO TRANSIT AGENCIES

A. State Data-Breach Notification Statutes

Transit agencies that use electronic payment systems may be required to comply with state law on the giving of notice when there is a breach of data security. Although “[s]tate data breach notification laws vary in their details,” they typically include “standards for notification, the types of personal data that trigger the laws, and the causes of action they allow.”[608] For example, the California Security Breach Information Act “requires companies that electronically store unencrypted personal information on a California resident to notify the resident in the event of any unauthorized access to this information,” regardless of whether “a security breach occurs within the state or out of state, and whether the business is located in California or not.”[609]

As of July 2016, all states except for Alabama, New Mexico, and South Dakota have laws requiring that notice be given to the public if there is a security breach that involves data containing personal information.[610] In some states, the laws apply to local governments and agencies.

A data breach may be defined “as a loss or theft of, or other unauthorized access to, data containing sensitive personal information that results in the potential compromise of the confidentiality or integrity of the data.”[611] In Ohio, the term “breach of the security of the system” is defined to mean

unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information owned or licensed by a state agency or an agency of a political subdivision and that causes, reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to the person or property of a resident of this state.[612]

The term “personal information” includes a person’s name, SSN, driver’s license number, credit card numbers, security codes, PINs, or passwords.[613] For example, the Ohio statute provides that an agency must disclose a breach of the security of personal information data. Personal information is defined to be

an individual’s name, consisting of the individual’s first name or first initial and last name, in combination with and linked to any one or more of the following data elements, when the data elements are not encrypted, redacted, or altered by any method or technology in such a manner that the data elements are unreadable:

(i) Social security number;

(ii) Driver’s license number or state identification card number;

(iii) Account number or credit or debit card number, in combination with and linked to any required security code, access code, or password that would permit access to an individual’s financial account.[614]

The State of Washington’s breach notification law applies to personal information, a term that

(5) …means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

(a) Social security number;

(b) Driver’s license number or Washington identification card number; or

(c) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.[615]

(6) For purposes of this section, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.[616]

B. Data-Breach Notification Laws Applicable to Transit Agencies

Although the breach-notification statutes apply to businesses and commercial entities as defined in each statute, in at least 23 states the statutes also apply to government agencies.[617] Although some breach-notification laws provide for enforcement and civil penalties, it appears that in only 13 states and the District of Columbia would a person injured by a data breach have a private right of action,[618] and that at least 4 states exempt government agencies from “enforcement proceedings.”[619]

In some states, no action is permitted against government entities,[620] or there is no provision for a private right of action.[621]

The statutes typically provide that encryption is a defense to a claim for a data breach for any missing, lost, or stolen data.[622] For example, the California breach-notification law requires that

[a]ny agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.[623]

In some states, there is a good faith defense to the disclosure of personal information, as long as the personal information was not used for illegitimate purposes and there were no other unauthorized disclosures of the data.[624] Moreover, in the event of an unintentional release of data, there may be a good faith defense that has also been codified in some state statutes.[625]

C. Liability for Civil Penalties

Some states’ statutes provide for the imposition of a civil penalty for a violation of a state statute protecting personal information and/or a violation of a requirement that an agency give notice of a breach of the security of personal information.[626] Some state privacy statutes allow a plaintiff to recover actual damages for a privacy violation, whereas other state statutes specify criminal liability for a violation. In some states, however, a civil penalty will not be assessed unless an agency’s action was willful or intentional. For example, in Idaho, “[a]ny agency, individual or commercial entity that intentionally fails to give notice [of a security breach] in accordance with section 28-51-105, Idaho Code, shall be subject to a fine of not more than twenty-five thousand dollars ($25,000) per breach of the security of the system.”[627] Montana Code Section 30-14-142(2) provides that if a court finds that “a person is willfully using or has willfully used” an unlawful method, act, or practice, a civil fine of not more than $10,000 may be imposed for each violation. A willful violation occurs when the party committing the violation knew or should have known that the conduct was a violation of Section 30-14-103.[628]

D. Liability for Damages

Some states authorize an action for damages for a violation of the state’s statute protecting personal information and/or for failure to give notice of a breach of the security of personal information.[629] Some of the statutory provisions regarding enforcement, such as for damages or a civil penalty, apply to an agency’s failure to give notice of a security breach, whereas some provisions apply to any violation of the state’s privacy act protecting personal information maintained by an agency. Of the states in which the breach-notification laws apply to government agencies, the states differ in regard to a right of action against government agencies for a violation of the statute.

As stated, California’s IPA provides that an individual may bring a civil action for damages and costs against an agency whenever the agency fails to maintain accurate and complete records concerning an individual as further provided in the statute, or “to comply with any other provision of this chapter, or any rule promulgated thereunder, in such a way as to have an adverse effect on an individual.”[630] In Ohio, Ohio Revised Code Section 1347.12(G) authorizes the attorney general to conduct an investigation and to bring a civil action for an alleged failure by a state agency or an agency of a political subdivision to comply with Section 1347.12.[631] An Oregon statute states that “[a] person aggrieved by an intentional violation of ORS 802.175 to 802.187 may bring an action at law against a person who has knowingly obtained or used personal information about the aggrieved person…for actual damages or $2,500, whichever is greater, plus attorney fees and court costs reasonably incurred in the action.”[632] Under Minnesota’s MGDPA, supra, actual damages are recoverable for a disclosure of private or confidential data, as well as exemplary damages of not less than $1,000 or more than $15,000 for each willful violation of the MGDPA.[633]

In South Carolina, a resident who is injured by a violation of the state statute that applies to a breach of security of “business data” may

(1) institute a civil action to recover damages in case of a wilful [sic] and knowing violation;

(2) institute a civil action that must be limited to actual damages resulting from a violation in case of a negligent violation of this section; …and

(4) recover attorney’s fees and court costs, if successful.[634]

Furthermore, under South Carolina law, a person “who knowingly and wilfully [sic] violates this section is subject to an administrative fine in the amount of one thousand dollars for each resident whose information was accessible by reason of the breach, the amount to be decided by the Department of Consumer Affairs.”[635] In Virginia, although the attorney general is authorized to impose a civil penalty for a security breach, the statute also provides that an individual is not prohibited “from recovering direct economic damages from a violation….”[636] In Washington, a customer who is injured by a violation of the state’s statutory requirement that a notice be given of a breach of security of personal information may institute a civil action for damages;[637] however, an agency is not required to disclose a technical breach of a security system that does not seem reasonably likely to subject a customer to a risk of criminal activity.[638]

Finally, it may be noted that a number of class actions have been brought against private companies for damages allegedly caused by a breach of security and a theft of PII. Some cases have been dismissed, however, for lack of standing because a risk of future injury caused by a breach, such as a possible identity theft, in and of itself is “too speculative to confer standing”[639] or because a plaintiff was unable to show an actual injury-in-fact.[640]

E. Enforcement Power Delegated to the Attorney General

Some of the privacy statutes delegate authority to the attorney general to bring an action for a breach of the statute.[641] Oklahoma Statute Section 24-165(A) provides for enforcement and a civil penalty for a violation of the Security Breach Notification Act:

A violation of this act that results in injury or loss to residents of this state may be enforced by the Attorney General or a district attorney in the same manner as an unlawful practice under the Oklahoma Consumer Protection Act.

Notes

[599] Cal. Penal Code § 502(e) (2016).

[600] Cal. Penal Code §§ 502(c)(2), (3), (6), and (7) (2016).

[601] See Ala. Code § 41-10-399 (2016); Ariz. Stat. Ann. § 13-3016 (2016); Fla. Stat. § 501.171(2) (2016); and Minn. Stat. § 13.15 (2016).

[602] 513 F. Supp. 2d 264 (E.D. Pa. 2007), cert. denied, Bansal v. Microsoft Hotmail, 129 S. Ct. 2395, 173 L. Ed. 2d 1326 (2009).

[603] Bansal, 513 F. Supp. 2d at 282–283. See also In re National Security Agency Telecommunications Records Litigation, 483 F. Supp. 2d 934, 939 (N.D. Cal. 2007) (holding that the SCA did not completely preempt state law privacy claims against telephone companies for alleged disclosure of subscriber calling records to the government).

[604] Norman R. Williams, The Dormant Commerce Clause: Why Gibbons v. Ogden Should be Restored to the Canon, 49 St. Louis L.J. 817 (2005).

[605] Crowley, 166 F. Supp. 2d 1263, 1272 (N.D. Cal. 2001) (citing Camden County Bd. of Chosen Freeholders v. Beretta U.S.A. Corp., 123 F. Supp. 2d 245, 254 (D. N.J. 2000)).

[606] 166 F. Supp. 2d 1263 (N.D. Cal. 2001).

[607] Id. at 1272 (citations omitted).

[608] Graves, supra note 122, at 119–20 (footnotes omitted).

[609] Mark MacCarthy, Information Security Policy in the U.S. Retail Payments Industry, Stan. Tech. L. Rev. 3, at P17 (2011) (citing Cal. Civ. Code § 1798.92).

[610] See National Conference of State Legislatures, Security Breach Notification Laws (2016) (citing Alaska Stat. § 45.48.010, et seq.; Ariz. Rev. Stat. § 44-7501; Ark. Code § 4-110-101, et seq.; Cal. Civ. Code §§ 1798.29 and 1798.80, et seq.; Colo. Rev. Stat. § 6-1-716; Conn. Gen. Stat. § 36a-701b; Del. Code tit. 6, § 12B-101, et seq.; Fla. Stat. §§ 501.171, 282.0041, and 282.318(2)(i); Ga. Code §§ 10-1-910 to 912 and § 46-5-214; Haw. Rev. Stat. § 487N-1, et seq.; Idaho Stat. §§ 28-51-104 to 107; 815 Ill. Comp. Stat. §§ 530/1–530/25; Ind. Code § 4-1-11, et seq. and 24-4.9, et seq.; Iowa Code §§ 715C.1-715C.2; Kan. Stat. § 50-7a01, et seq., Ky. Rev. Stat. §§ 365.732 and 61.931-61.934; La. Rev. Stat. §§ 51:3071, et seq. and 40:1300.111 to 1300.116; Me. Rev. Stat. tit. 10, § 1347, et seq.; Md. Code Com. Law § 14-3501, et seq., Md. State Gov’t Code §§ 10-1301-1308; Mass. Gen. Laws § 93H-1, et seq.; Mich. Comp. Laws §§ 445.63 and 445.72; Minn. Stat. §§ 325E.61 and 325E.64; Miss. Code § 75-24-29; Mo. Rev. Stat. § 407.1500; Mont. Code §§ 2-6-504 and 30-14-1701, et seq.; Neb. Rev. Stat. §§ 87-801 to 807; Nev. Rev. Stat. §§ 603A.010, et seq. and 242.183; N.H. Rev. Stat. §§ 359-C:19 to C:21; N.J. Stat. §§ 56:8-161 to 163; N.Y. Gen. Bus. Law § 899-aa and N.Y. State Tech. Law § 208; N.C. Gen. Stat. §§ 75-61 and 75-65; N.D. Cent. Code § 51-30-01, et seq., Ohio Rev. Code §§ 1347.12, 1349.19, and 1349.191-192; Okla. Stat. §§ 74-3113.1 and 24-161-166; Or. Rev. Stat. §§ 646A.600 to 646A.628; 73 Pa. Stat. § 2301, et seq.; R.I. Gen. Laws § 11-49.2-1, et seq.; S.C. Code § 39-1-90; Tenn. Code § 47-18-2107; Tex. Bus. & Com. Code §§ 521.002 to 521.053 and Tex. Ed. Code § 37.007(b)(5); Utah Code § 13-44-101, et seq.; Vt. Stat. tit. 9, §§ 2430 and 2435; Va. Code §§ 18.2-186.6 and 32.1-127.1:05; Wash. Rev. Code §§ 19.255.010 and 42.56.590; W. Va. Code § 46A-2A-101, et seq.; Wis. Stat. § 134.98; Wyo. Stat. § 40-12-501, et seq.; and D.C. Code § 28-3851, et seq.), http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx (last accessed Sept. 24, 2016). See also Mintz Levin, State Data Security Breach Notification Laws (2016), hereinafter referred to as “State Breach Notification Laws,” https://www.mintz.com/newsletter/2007/PrivSec-DataBreachLaws-02-07/state_data_breach_matrix.pdf (last accessed Sept. 24, 2016) (analyzing state laws by data and consumers protected; the statutes’ definition of a breach; covered entities; notice procedures, timing, and exemptions; whether encryption is a safe harbor; preemption; penalties; and whether the statutes create a private right of action) and Robert Sprague & Corey Ciocchetti, Preserving Identities: Protecting Personal Identifying Information through Enhanced Privacy Policies and Laws, 19 Alb. L.J. Sci. & Tech. 91, 104–05 (2009), hereinafter referred to as “Sprague & Ciocchetti.”

[611] Froomkin, supra note 196, at 1025 (footnote omitted) (internal quotation marks omitted). See discussion of state notification laws in Dana Rosenfeld & Donnelly McDowell, Moving Target: Protecting Against Data Breaches Now and Down the Road, 28 Antitrust ABA 90 (2014), hereinafter referred to as “Rosenfeld & McDowell”; John A. Fisher, Note: Secure My Data or Pay the Price: Consumer Remedy for the Negligent Enablement of Data Breach, 4 Wm. & Mary Bus. L. Rev. 215 (2013), hereinafter referred to as “Fisher”; Jill Joerling, Note: Data Breach Notification Laws: An Argument for a Comprehensive Federal Law to Protect Consumer Data, 32 Wash. U. J.L. & Pol’y 467 (2010), hereinafter referred to as “Joerling”; and Robert Sprague & Corey Ciocchetti, supra note 610.

[612] Ohio Rev. Code § 1347.12(B)(1) (2016).

[613] See Alaska Stat. § 45.48.090(7)(A) (2016); Cal. Civ. Code § 1798.29(g) (2016); Ga. Code Ann. § 10-1-911(c) (2016); Haw. Rev. Stat. § 487N-1 (2016); Idaho Code § 28-51-104(5) (2016); 815 Ill. Comp. Stat. § 530/5 (2016); Ind. Code § 4-1-11-3 (2016); Kansas Stat. Ann. § 50-7a01(g) (2016); La. Rev. Stat. §§ 3073(4)(a) and (b) (2016); Maine Rev. Stat. tit. 10, § 1347(6) (2016); Mass. Gen. Laws ch. 93H, § 1(a) (2016); Mich. Comp. Laws 445.63 §§ 3(q) and (r) (2016) (defining personally identifying information and personal information, respectively); Montana Code Ann. §§ 2-6-501(4)(a) and (b) (2016); Nev. Rev. Stat. § 603A.040 (2016); N.J. Stat. Ann. § 56:8-161 (2016); Ohio Rev. Code § 1347.01(E) (2016); Okla. Stat. §§ 24-162(6) and 74-3113.1(D)(2) (2016); 73 Pa. Cons. Stat. § 2302 (2016); R.I. Gen. Laws § 11-49.2-5(c) (2016); S.C. Code § 39-1-90(D)(3) (2016); Vt. Stat. tit. 9, ch. 62, § 2430(5)(A) (2016) (defining the term “personally identifiable information”); Va. Code § 18.2-186.6(A) (2016); Wash. Rev. Code § 19.255.010(5) (2016); W. Va. Code, art. 2A, § 46A-2A-101(6) (2016), Wis. Stat. § 134.98(1)(b) (2016); and 14 V.I. Code § 2208(e) (2016).

[614] Ohio Rev. Code § 1347.12(A)(6)(a) (2016) (emphasis supplied). See also Ohio Rev. Code § 1347.01(E) (2016).

[615] Wash. Rev. Code § 19.255.010(5) (2016).

[616] Wash. Rev. Code § 19.255.010(6) (2016).

[617] Alaska Stat. §§ 45.48.090(2)(B) and (3) (2016) (stating that the term “covered person” includes a government agency, meaning “a state or local governmental agency, except for an agency of the judicial branch”). See also Alaska Stat. § 45.48.090(4) (2016) (defining the term “information collector” to mean a “covered person who owns or licenses personal information in any form” on a state resident); Cal. Civ. Code § 1798.14 (2016) (directing an agency to maintain only relevant and necessary personal information in its records); Ga. Code § 10-1-911(2) (2016) (defining the term “data collector” to include “any state or local agency or subdivision thereof...or other government entity” but excepting agency records maintained primarily for traffic safety, law enforcement, or licensing purposes); Haw. Rev. Stat. § 487N-1 (2016) (chapter also applying to a government or instrumentality of the state or any county); Idaho Code § 28-51-104(1) (2016) (defining the term “agency” to mean any public agency as defined in Idaho Code § 74-101); 815 Ill. Comp. Stat. § 530/5 (2016) (stating that the term “data collector” includes government agencies); Indiana Code § 4-1-11-4 (2016) (defining the term “state agency” as set forth in Indiana Code § 4-1-10-2); see also Indiana Code § 4-1-11-5(a) (2016) (requiring state agencies to disclose security breaches); Kan. Stat. § 50-7a01(f) (2016) (defining term “person” to include a government or governmental subdivision or agency or other entity) and Kan. Stat. § 3073(1) (2016) (defining the term “agency” to include the state, its political subdivision, agency, or similar body); Me. Rev. Stat. tit. 10, § 1347(5) (2016) (defining the term “person” to include agencies of state government); see also Me. Rev. Stat. § 1347(3) (2016) (defining the term “information broker” as being inapplicable to a governmental agency whose records are maintained primarily for traffic safety, law enforcement, or licensing purposes); Mass. Gen. Laws, ch. 93H, § 1(a) (2016) (defining the term “agency” to include “any agency… authority of the commonwealth, or any of its branches, or of any political subdivision thereof”); Mich. Comp. Laws 445.63 § 3(a) (2016) (defining the term “agency” to include “a department, board, commission, office, agency, authority, or other unit of state government of this state”); Montana Code § 2-6-501(6)(a) (2016) (defining a “state agency” to include “an agency, authority, …or other instrumentality of the legislative or executive branch of state government,” as well as “an employee of a state agency acting within the course and scope of employment”); Nev. Rev. Stat. § 603A.030 (2016) (defining the term “data collector” to include “any governmental agency…that…handles, collects, disseminates or otherwise deals with nonpublic personal information”); N.J. Stat. Ann. § 56:8-161 (2016) (defining a “public entity” to include the state, county, public agency, political subdivision, or other state public body); Ohio Rev. Code §§ 1347.01(A) and (B) (2016) (defining “state agency” and “local agency,” respectively); see also Ohio Rev. Code § 1347.01(D) (2016) (defining the term “maintain” to mean state or local ownership of, control over, responsibility for, or accountability for data systems) and §§ 1347.12(A)(1) and (B)(1) (2016) (defining agency of a political subdivision); Okla. Stat. § 24-162(2) (2016) (stating that the term “entity” includes “governments, governmental subdivisions, agencies, or instrumentalities, or any other legal entity….”); 73 Pa. Cons. Stat. § 2302 (2016) (defining the term “entity” to include a state agency or a political subdivision of the Commonwealth); R.I. Gen. Laws § 11-49.2-3(a) (2016) (applicable to “[a]ny state agency or person that owns, maintains or licenses computerized data that includes personal information….”); S.C. Code §§ 37-1-301(18) and (20) and 39-1-90 (2016) (statute applying also to a “governmental subdivision”); Tenn. Code § 47-18-2102(9) (2016) (defining the term “person” to include a “governmental agency…and any other legal or commercial entity however organized….”); Vt. Stat. tit. 9, ch. 62, § 2430(3) (2016) (defining the term “data collector” to include the state, state agencies, and political subdivisions of the state); Va. Code § 18.2-186.6 (2016) (defining the term “entity” to include governments, governmental subdivisions, agencies, or instrumentalities); see also Va. Code § 42.56.590(b) (2016) (stating that the term “agency” has the same meaning as in § 42.56.010); W. Va. Code § 46A-2A-101 (2016) (defining the term “entity” to include governments, governmental subdivisions, agencies, or instrumentalities); Wis. Stat. § 134.98(1)(a)(2) (2016) (defining the term “entity” to include the state and any office, department, independent agency, or state government body, as well as a city, village, town, or county); and 14 V.I. Code § 2208(b) (2016) (applicable to any agency maintaining computerized data with personal information).

[618] Alaska (but not against government agencies), California, Delaware (treble damages and reasonable attorney’s fees), Louisiana (actual damages), Maryland, Massachusetts (in certain situations), Minnesota, New Hampshire, North Carolina, Rhode Island, South Carolina, Virginia, Washington, and the District of Columbia. See State Breach Notification Laws, supra note 610. See Joerling, supra note 611, at 479 n.63 (citing California Security Breach Information Act, Cal. Civ. Code § 1798.84; D.C. Code Ann. § 28-3853(a); N.H. Rev. Stat. Ann. § 359-C:21(I); N.C. Gen. Stat. Ann. § 75-65; Or. Rev. Stat. Ann. § 646A.624; S.C. Code Ann. § 37-20-170; Tenn. Code Ann. § 47-18-2107(h); and Wash. Rev. Code Ann. § 19.255.010(10)). See also Sprague & Ciocchetti, supra note 615, at 106 (at that time identifying the District of Columbia and 11 states—California, Delaware, Hawaii, Illinois, Louisiana, Maryland, Nevada, North Carolina, Rhode Island, Tennessee, and Washington).

[619] Joerling, supra note 611, at 476 (citing Haw. Rev. Stat. Ann. § 487N-2; Fla. Stat. Ann. § 817.5681; Me. Rev. Stat. Ann. tit. 10, § 1349; and Tenn. Code Ann. § 47-18-2107).

[620] See Haw. Rev. Stat. § 487N-3(a) (2016) and Me. Rev. Stat. § 1349(2)(A) (2016) (stating that provisions on enforcement and for imposition of civil penalties for violations of Maine’s statute on Notice of Risk to Personal Data are not applicable to the state).

[621] See Ga. Code § 10-1-910, et seq. (2016); 815 Ill. Comp. Stat. § 530/20 (2016) (no specific penalty found that applies to government agencies but a violation constitutes an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act); Ind. Code § 4-1-11-2, et seq. (2016) (no provision located that permitted a civil action or imposed a civil penalty for a violation); and N.J. Stat. Ann. § 56:8-166 (2016) (although stating that it is “unlawful…to willfully, knowingly or recklessly violate sections 10 through 13 of this amendatory and supplementary act,” no provision located authorizing a cause of action or imposing a specific civil penalty).

[622] Joerling, supra note 611, at 471.

[623] California Security Breach Information Act, Cal. Civ. Code § 1798.29(a) (emphasis supplied).

[624] Joerling, supra note 611, at 471.

[625] Iowa Code § 22.10(3)(b)(2) (2016).

[626] Alaska Stat. § 45.48.080(a) (2016) (stating that an information collector that is a governmental agency is liable to the state for a civil penalty of up to $500 for each state resident who was not notified under Alaska Stat. §§ 45.48.010 to 45.48.090, but total civil penalty may not exceed $50,000); Mich. Comp. Laws § 445.72(14) (2016) (applicable to § 445.72’s security breach requirements and providing that “[t]he aggregate liability of a person for civil fines under subsection (13) for multiple violations of subsection (13) that arise from the same security breach shall not exceed $750,000.00”). See also Mich. Comp. Laws § 445.72(15) (2016) (stating that “[s]ubsections (12) and (13) do not affect the availability of any civil remedy for a violation of state or federal law”); R.I. Gen. Laws § 11-49.2-6(a) (2016) (stating that a breach of the state’s Identity Theft Protection Act “is a civil violation for which a penalty of not more than a hundred dollars ($100) per occurrence and not more than twenty-five thousand dollars ($25,000) may be adjudged against a defendant”).

[627] Idaho Code § 28-51-107 (2016) (emphasis supplied).

[628] Mont. Code § 30-14-142(4) (2016). See also Mont. Code § 30-14-1705 (2016) (incorporating Mont. Code § 30-14-142(1)) (authorizing the courts to also impose a civil fine for violating an injunction or a temporary restraining order).

[629] La. Rev. Stat. § 51:3075 (2016) (authorizing a civil action “to recover actual damages resulting from the failure to disclose in a timely manner to a person that there has been a breach of the security system resulting in the disclosure of a person’s personal information”); and Tenn. Code Ann. §§ 47-18-2104 and 22105 (2016) (providing, respectively, for a private right of action and for civil penalties for a violation of the Tennessee Identity Theft Deterrence Act of 1999).

[630] Cal. Civ. Code §§ 1798.45(a)–(c) (2016). See also Cal. Civ. Code § 1798.46(b) (2016) (allowing for attorney’s fees and other litigation costs for violations of §§ 1798.45(b) or (c)) and § 1798.53 (2016) (allowing actions for invasion of privacy except against state or local government agency employees).

[631] Ohio Rev. Code § 1347.12(G) (2016).

[632] Or. Rev. Stat. § 802.191(1) (2016).

[633] Minn. Stat. § 13.08, subdiv. 1 (2016).

[634] S.C. Code § 39-1-90(G) (2016).

[635] S.C. Code § 39-1-90(H) (2016) (emphasis supplied).

[636] Va. Code § 18.2-186.6(I) (2016).

[637] Wash. Rev. Code § 42.56.59(10)(a) (2016).

[638] Wash. Rev. Code § 42.56.59(10)(d) (2016).

[639] Rosenfeld & McDowell, supra note 611, at 93 (citing In re TJX Cos. Retail Sec. Breach Litig., 527 F. Supp. 2d 209 (D. Mass. 2007), affirmed by, in part, vacated by, in part, remanded by, Amerifirst Bank v. TJX Cos. (In re TJX Cos. Retail Sec. Breach Litig.), 2009 U.S. App. LEXIS 6636, at *1 (1st Cir. Mass., Mar. 30, 2009)).

[640] See Rosenfeld & McDowell, supra note 611, at 93 and Sprague & Ciocchetti, supra note 615, at 101 (citing Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629, 631 (7th Cir. 2007) (applying Indiana law)).

[641] Kan. Stat. § 50-7a02(g) (2016) (empowering the attorney general “to bring an action in law or equity to address violations of this section and for other relief that may be appropriate”); Mass. Gen. Laws ch. 93H, § 3 (2016) (stating that the “attorney general may bring an action pursuant to section 4 of chapter 93A against a person or otherwise to remedy violations of this chapter and for other relief that may be appropriate”); Ohio Rev. Code § 1347.12(G) (2016) (stating that the attorney general may conduct an investigation and bring a civil action for an alleged failure by a state agency or agency of a political subdivision to comply with § 1347.12); and 73 Pa. Cons. Stat. § 2308 (2016) (providing that the attorney general has exclusive authority to bring an action for a violation of the state’s Breach of Personal Notification Act).


TRB's Transit Cooperative Research Program (TCRP) Legal Research Digest (LRD) 48: Legal Issues Concerning Transit Agency Use of Electronic Customer Data explores the advantages, disadvantages, risks, and benefits for transit agencies moving to electronic, cloud-based, and other computerized systems for fare purchases and for communicating with customers. “Smart” fare cards are now commonplace, and private businesses and transit agencies are using or planning to use smartphones, smart cards and credit cards, and other systems to obtain payment, location, and other personal data from customers.

This digest updates TCRP LRD 14: Privacy Issues in Public Transportation (2000) and TCRP LRD 25: Privacy Issues with the Use of Smart Cards (2008) and covers additional dimensions of collection and use of personal information using new technologies developed since those studies. Appendices A–D are available online only.
