For example, a California statute authorizes a plaintiff to sue for damages599 when someone

(2) Knowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network.
(3) Knowingly and without permission uses or causes to be used computer services.…
(6) Knowingly and without permission provides or assists in providing a means of accessing a computer, computer system, or computer network in violation of this section.
(7) Knowingly and without permission accesses or causes to be accessed any computer, computer system, or computer network.600

There are other state statutes that apply to state and local government agencies and to the confidentiality, privacy, and/or security of "electronic communications" and "stored data."601

An issue that may arise with state legislation is whether federal legislation preempts state law. In Bansal v. Russ,602 however, a federal court in Pennsylvania held that the Federal SCA does not preempt Pennsylvania's Wiretapping and Electronic Surveillance Control Act that prohibits unlawful access to stored communications.603

Claims under state law may also be challenged on the basis of the "dormant commerce clause" doctrine. As explained in one article, "[t]he dormant Commerce Clause is preoccupied with state economic protectionism. …[T]he Supreme Court has applied a virtually fatal form of strict scrutiny to state laws that discriminate against interstate commerce and a more forgiving balancing test that practically rubber-stamps other laws that only incidentally affect interstate commerce."604 Usually dormant commerce clause challenges are made to state legislation rather than to state common law claims.605 In Crowley v. Cybersource Corporation,606 in which the plaintiff brought a class action pursuant to the Federal Wiretap Act and the ECPA, the court held that state law claims for unjust enrichment, invasion of privacy, fraud by concealment, and breach of contract were not in violation of the Constitution on the theory "that only Congress may enact legislation regarding the Internet. …Amazon cites no cases removing commercial activity from the reach of state tort law on dormant commerce clause grounds…. Indeed, the Third Circuit has expressed doubt as to whether state common law claims could violate the dormant commerce clause."607

XI. APPLICATION OF STATE DATA-BREACH NOTIFICATION LAWS TO TRANSIT AGENCIES

A. State Data-Breach Notification Statutes

Transit agencies that use electronic payment systems may be required to comply with state law on the giving of notice when there is a breach of data security. Although "[s]tate data breach notification laws vary in their details," they typically include "standards for notification, the types of personal data that trigger the laws, and the causes of action they allow."608 For example, the California Security Breach Information Act "requires companies that electronically store unencrypted personal information on a California resident to notify the resident in the event of any unauthorized access to this information," regardless of whether "a security breach occurs within the state or out of state, and whether the business is located in California or not."609

As of July 2016, all states except for Alabama, New Mexico, and South Dakota have laws requiring that notice be given to the public if there is a security breach that involves data containing personal information.610 In some states, the laws apply to local governments and agencies.

599 Cal. Penal Code § 502(e) (2016).
600 Cal. Penal Code §§ 502(c)(2), (3), (6), and (7) (2016).
601 See Ala. Code § 41-10-399 (2016); Ariz. Stat. Ann. § 13-3016 (2016); Fla. Stat. § 501.171(2) (2016); and Minn. Stat. § 13.15 (2016).
602 513 F. Supp. 2d 264 (E.D. Pa. 2007), cert. denied, Bansal v. Microsoft Hotmail, 129 S. Ct. 2395, 173 L. Ed. 2d 1326 (2009).
603 Bansal, 513 F. Supp. 2d at 282–283. See also In re National Security Agency Telecommunications Records Litigation, 483 F. Supp. 2d 934, 939 (N.D. Cal. 2007) (holding that the SCA did not completely preempt state law privacy claims against telephone companies for alleged disclosure of subscriber calling records to the government).
604 Norman R. Williams, The Dormant Commerce Clause: Why Gibbons v. Ogden Should be Restored to the Canon, 49 St. Louis L.J. 817 (2005).
605 Crowley, 166 F. Supp. 2d 1263, 1272 (N.D. Cal. 2001) (citing Camden County Bd. of Chosen Freeholders v. Beretta U.S.A. Corp., 123 F. Supp. 2d 245, 254 (D. N.J. 2000)).
606 166 F. Supp. 2d 1263 (N.D. Cal. 2001).
607 Id. at 1272 (citations omitted).
608 Graves, supra note 122, at 119–20 (footnotes omitted).
609 Mark MacCarthy, Information Security Policy in the U.S. Retail Payments Industry, Stan. Tech. L. Rev. 3, at P17 (2011) (citing Cal. Civ. Code § 1798.92).
610 See National Conference of State Legislatures, Security Breach Notification Laws (2016) (citing Alaska Stat. § 45.48.010, et seq.; Ariz. Rev. Stat. § 44-7501; Ark. Code § 4-110-101, et seq.; Cal. Civ. Code §§ 1798.29 and 1798.80, et seq.; Colo. Rev. Stat. § 6-1-716; Conn. Gen. Stat. § 36a-701b; Del. Code tit. 6, § 12B-101, et seq.; Fla.
A data breach may be defined "as a loss or theft of, or other unauthorized access to, data containing sensitive personal information that results in the potential compromise of the confidentiality or integrity of the data."611 In Ohio, the term "breach of the security of the system" is defined to mean

unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information owned or licensed by a state agency or an agency of a political subdivision and that causes, reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to the person or property of a resident of this state.612

The term "personal information" includes a person's name, SSN, driver's license number, credit card numbers, security codes, PINs, or passwords.613 For example, the Ohio statute provides that an agency must disclose a breach of the security of personal information data. Personal information is defined to be

an individual's name, consisting of the individual's first name or first initial and last name, in combination with and linked to any one or more of the following data elements, when the data elements are not encrypted, redacted, or altered by any method or technology in such a manner that the data elements are unreadable:
(i) Social security number;
(ii) Driver's license number or state identification card number;
(iii) Account number or credit or debit card number, in combination with and linked to any required security code, access code, or password that would permit access to an individual's financial account.614

The State of Washington's breach notification law applies to personal information, a term that

(5) …means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(a) Social security number;
(b) Driver's license number or Washington identification card number; or

Stat. §§ 501.171, 282.0041, and 282.318(2)(i); Ga. Code §§ 10-1-910 to 912 and § 46-5-214; Haw. Rev. Stat. § 487N-1, et seq.; Idaho Stat. §§ 28-51-104 to 107; 815 Ill. Comp. Stat. §§ 530/1–530/25; Ind. Code § 4-1-11, et seq. and 24-4.9, et seq.; Iowa Code §§ 715C.1-715C.2; Kan. Stat. § 50-7a01, et seq., Ky. Rev. Stat. §§ 365.732 and 61.931-61.934; La. Rev. Stat. §§ 51:3071, et seq. and 40:1300.111 to 1300.116; Me. Rev. Stat. tit. 10, § 1347, et seq.; Md. Code Com. Law § 14-3501, et seq., Md. State Gov't Code §§ 10-1301-1308; Mass. Gen. Laws § 93H-1, et seq.; Mich. Comp. Laws §§ 445.63 and 445.72; Minn. Stat. §§ 325E.61 and 325E.64; Miss. Code § 75-24-29; Mo. Rev. Stat. § 407.1500; Mont. Code §§ 2-6-504 and 30-14-1701, et seq.; Neb. Rev. Stat. §§ 87-801 to 807; Nev. Rev. Stat. §§ 603A.010, et seq. and 242.183; N.H. Rev. Stat. §§ 359-C:19 to C:21; N.J. Stat. §§ 56:8-161 to 163; N.Y. Gen. Bus. Law § 899-aa and N.Y. State Tech. Law § 208; N.C. Gen. Stat. §§ 75-61 and 75-65; N.D. Cent. Code § 51-30-01, et seq., Ohio Rev. Code §§ 1347.12, 1349.19, and 1349.191-192; Okla. Stat. §§ 74-3113.1 and 24-161-166; Or. Rev. Stat. §§ 646A.600 to 646A.628; 73 Pa. Stat. § 2301, et seq.; R.I. Gen. Laws § 11-49.2-1, et seq.; S.C. Code § 39-1-90; Tenn. Code § 47-18-2107; Tex. Bus. & Com. Code §§ 521.002 to 521.053 and Tex. Ed. Code § 37.007(b)(5); Utah Code § 13-44-101, et seq.; Vt. Stat. tit. 9, §§ 2430 and 2435; Va. Code §§ 18.2-186.6 and 32.1-127.1:05; Wash. Rev. Code §§ 19.255.010 and 42.56.590; W.Va. Code § 46A-2A-101, et seq.; Wis. Stat. § 134.98; Wyo. Stat. § 40-12-501, et seq.; and D.C. Code § 28-3851, et seq.), http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx (last accessed Sept. 24, 2016). See also Mintz Levin, State Data Security Breach Notification Laws (2016), hereinafter referred to as "State Breach Notification Laws," https://www.mintz.com/newsletter/2007/PrivSec-DataBreachLaws-02-07/state_data_breach_matrix.pdf (last accessed Sept. 24, 2016) (analyzing state laws by data and consumers protected; the statutes' definition of a breach; covered entities; notice procedures, timing, and exemptions; whether encryption is a safe harbor; preemption; penalties; and whether the statutes create a private right of action) and Robert Sprague & Corey Ciocchetti, Preserving Identities: Protecting Personal Identifying Information through Enhanced Privacy Policies and Laws, 19 Al. L. J. Sci. & Tech. 91, 104–05 (2009), hereinafter referred to as "Sprague & Ciocchetti."
611 Froomkin, supra note 196, at 1025 (footnote omitted) (internal quotation marks omitted). See discussion of state notification laws in Dana Rosenfeld & Donnelly McDowell, Moving Target: Protecting Against Data Breaches Now and Down the Road, 28 Antitrust ABA 90 (2014), hereinafter referred to as "Rosenfeld & McDowell"; John A. Fisher, Note: Secure My Data or Pay the Price: Consumer Remedy for the Negligent Enablement of Data Breach, 4 Wm. & Mary Bus. L. Rev. 215 (2013), hereinafter referred to as "Fisher"; Jill Joerling, Note: Data Breach Notification Laws: An Argument for a Comprehensive Federal Law to Protect Consumer Data, 32 Wash. U. J.L. & Pol'y 467 (2010), hereinafter referred to as "Joerling"; and Robert Sprague & Corey Ciocchetti, supra note 610.
612 Ohio Rev. Code § 1347.12(B)(1) (2016).
613 See Alaska Stat. § 45.48.090(7)(A) (2016); Cal. Civ. Code § 1798.29(g) (2016); Ga. Code Ann. § 10-1-911(c) (2016); Haw. Rev. Stat. § 487 N-1 (2016); Idaho Code § 28-51-104(5) (2016); 815 Ill. Comp. Stat. § 530/5 (2016); Ind. Code § 4-1-11-3 (2016); Kansas Stat. Ann. § 50-7a01(g) (2016); La. Rev. Stat. §§ 3073(4)(a) and (b) (2016); Maine Rev. Stat. tit. 10, § 1347(6) (2016); Mass. Gen. Laws ch. 93H, § 1(a) (2016); Mich. Comp. Laws 445.63 §§ 3(q) and (r) (2016) (defining personally identifying information and personal information, respectively); Montana Code Ann. §§ 2-6-501(4)(a) and (b) (2016); Nev. Rev. Stat. § 603A.040 (2016); N.J. Stat. Ann. § 56:8-161 (2016); Ohio Rev. Code § 1347.01(E) (2016); Okla. Stat. §§ 24-162(6) and 74-3113.1(D)(2) (2016); 73 Pa. Cons. Stat. § 2302 (2016); R.I. Gen. Laws § 11-49.2-5(c) (2016); S.C. Code § 39-1-90(D)(3) (2016); Vt. Stat. tit. 9, ch. 62, § 2430(5)(A) (2016) (defining the term "personally identifiable information"); Va. Code § 18.2-186.6(A) (2016); Wash. Rev. Code § 19.255.010(5) (2016); W. Va. Code, art. 2A, § 46A-2A-101(6) (2016), Wis. Stat. § 134.98(1)(b) (2016); and 14 V.I. Code § 2208(e) (2016).
614 Ohio Rev. Code § 1347.12(A)(6)(a) (2016) (emphasis supplied). See also Ohio Rev. Code § 1347.01(E) (2016).
(c) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.615
(6) For purposes of this section, "personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.616

B. Data-Breach Notification Laws Applicable to Transit Agencies

Although the breach-notification statutes apply to businesses and commercial entities as defined in each statute, in at least 23 states the statutes also apply to government agencies.617 Although some breach-notification laws provide for enforcement and civil penalties, it appears that in only 13 states and the District of Columbia would a person injured by a data breach have a private right of action,618 and that at least 4 states exempt government agencies from "enforcement proceedings."619

615 Wash. Rev. Code § 19.255.010(5) (2016).
616 Wash. Rev. Code § 19.255.010(6) (2016).
617 Alaska Stat. §§ 45.48.090(2)(B) and (3) (2016) (stating that the term "covered person" includes a government agency, meaning "a state or local governmental agency, except for an agency of the judicial branch"). See also Alaska Stat. § 45.48.090(4) (2016) (defining the term "information collector" to mean a "covered person who owns or licenses personal information in any form" on a state resident); Cal. Civ. Code § 1798.14 (2016) (directing an agency to maintain only relevant and necessary personal information in its records); Ga. Code § 10-1-911(2) (2016) (defining the term "data collector" to include "any state or local agency or subdivision thereof...or other government entity" but excepting agency records maintained primarily for traffic safety, law enforcement, or licensing purposes); Haw. Rev. Stat. § 487 N-1 (2016) (chapter also applying to a government or instrumentality of the state or any county); Idaho Code § 28-51-104(1) (2016) (defining the term "agency" to mean any public agency as defined in Idaho Code § 74-101); 815 Ill. Comp. Stat. § 530/5 (2016) (stating that the term "data collector" includes government agencies); Indiana Code § 4-1-11-4 (2016) (defining the term "state agency" as set forth in Indiana Code § 4-1-10-2); see also Indiana Code § 4-1-11-5(a) (2016) (requiring state agencies to disclose security breaches); Kan. Stat. § 50-7a01(f) (2016) (defining term "person" to include a government or governmental subdivision or agency or other entity) and Kan. Stat. § 3073(1) (2016) (defining the term "agency" to include the state, its political subdivision, agency, or similar body); Me. Rev. Stat. tit. 10, § 1347(5) (2016) (defining the term "person" to include agencies of state government); see also Me. Rev. Stat. § 1347(3) (2016) (defining the term "information broker" as being inapplicable to a governmental agency whose records are maintained primarily for traffic safety, law enforcement, or licensing purposes); Mass. Gen. Laws, ch. 93H, § 1(a) (2016) (defining the term "agency" to include "any agency… authority of the commonwealth, or any of its branches, or of any political subdivision thereof"); Mich. Comp. Laws 445.63 § 3(a) (2016) (defining the term "agency" to include "a department, board, commission, office, agency, authority, or other unit of state government of this state"); Montana Code § 2-6-501(6)(a) (2016) (defining a "state agency" to include "an agency, authority, …or other instrumentality of the legislative or executive branch of state government," as well as "an employee of a state agency acting within the course and scope of employment"); Nev. Rev. Stat. § 603A.030 (2016) (defining the term "data collector" to include "any governmental agency…that…handles, collects, disseminates or otherwise deals with nonpublic personal information"); N.J. Stat. Ann. § 56:8-161 (2016) (defining a "public entity" to include the state, county, public agency, political subdivision, or other state public body); Ohio Rev. Code §§ 1347.01(A) and (b) (2016) (defining "state agency" and "local agency," respectively); see also Ohio Rev. Code § 1347.01(D) (2016) (defining the term "maintain" to mean state or local ownership of, control over, responsibility for, or accountability for data systems and §§ 1347.12(A)(1) and (B)(1) (2016) (defining agency of a political subdivision); Okla. Stat. § 24-162(2) (2016) (stating that the term "entity" includes "governments, governmental subdivisions, agencies, or instrumentalities, or any other legal entity…."); 73 Pa. Cons. Stat. § 2302 (2016) (defining the term "entity" to include a state agency or a political subdivision of the Commonwealth); R.I. Gen. Laws § 11-49.2-3(a) (2016) (applicable to "[a]ny state agency or person that owns, maintains or licenses computerized data that includes personal information…."); S.C. Code §§ 37-1-301(18) and (20) and 39-1-90 (2016) (statute applying also to a "governmental subdivision"); Tenn. Code § 47-18-2102(9) (2016) (defining the term "person" to include a "governmental agency…and any other legal or commercial entity however organized…."); Vt. Stat. tit. 9, ch. 62, § 2430(3) (2016) (defining the term "data collector" to include the state, state agencies, and political subdivisions of the state); Va. Code § 18.2-186.6 (2016) (defining the term "entity" to include governments, governmental subdivisions, agencies, or instrumentalities; see also Va. Code § 42.56.590(b) (2016) (stating that the term "agency" has the same meaning as in § 42.56.010); W. Va. Code § 46A-2A-101 (2016) (defining the term "entity" to include governments, governmental subdivisions, agencies, or instrumentalities); Wis. Stat. § 134.98(1)(a)(2) (2016) (defining the term "entity" to include the state and any office, department, independent agency, or state government body, as well as a city, village, town, or county); and 14 V.I. Code § 2208(b) (2016) (applicable to any agency maintaining computerized data with personal information).
618 Alaska (but not against government agencies), California, Delaware (treble damages and reasonable attorney's fees), Louisiana (actual damages), Maryland, Massachusetts (in certain situations), Minnesota, New Hampshire, North Carolina, Rhode Island, South Carolina, Virginia, Washington, and the District of Columbia. See State Breach Notification Laws, supra note 610. See Joerling, supra note 611, at 479 n.63 (citing California Security Breach Information Act, Cal. Civ. Code § 1798.84; D.C. Code Ann. § 28-3853(a); N.H. Rev. Stat. Ann. § 359-C:21(I); N.C. Gen. Stat. Ann. § 75-65; Or. Rev. Stat. Ann. § 646A.624; S.C. Code Ann. § 37-20-170; Tenn. Code Ann. § 47-18-2107(h); and Wash. Rev. Code Ann. § 19.255.010(10). See also Sprague & Ciocchetti, supra note 615, at 106 (at that time identifying the District of Columbia and 11 states—California, Delaware, Hawaii, Illinois, Louisiana, Maryland, Nevada, North Carolina, Rhode Island, Tennessee, and Washington).
619 Joerling, supra note 611, at 476 (citing Haw. Rev. Stat. Ann. § 487N-2; Fla. Stat. Ann. § 817.5681; Me. Rev. Stat. Ann. tit. 10, § 1349; and Tenn. Code Ann. § 47-18-2107).
Some of the statutory provisions regarding enforcement, such as for damages or a civil penalty, apply to an agency's failure to give notice of a security breach, whereas some provisions apply to any violation of the state's privacy act protecting personal information maintained by an agency. Of the states in which the breach-notification laws apply to government agencies, the states differ in regard to a right of action against government agencies for a violation of the statute. In some states, no action is permitted against government entities,620 or there is no provision for a private right of action.621

The statutes typically provide that encryption is a defense to a claim for a data breach for any missing, lost, or stolen data.622 For example, the California breach-notification law requires that

[a]ny agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.623

In some states, there is a good faith defense to the disclosure of personal information, as long as the personal information was not used for illegitimate purposes and there were no other unauthorized disclosures of the data.624 Moreover, in the event of an unintentional release of data, there may be a good faith defense that has also been codified in some state statutes.625

C. Liability for Civil Penalties

Some states' statutes provide for the imposition of a civil penalty for a violation of a state statute protecting personal information and/or a violation of a requirement that an agency give notice of a breach of the security of personal information.626 Some state privacy statutes allow a plaintiff to recover actual damages for a privacy violation, whereas other state statutes specify criminal liability for a violation. In some states, however, a civil penalty will not be assessed unless an agency's action was willful or intentional. For example, in Idaho, "[a]ny agency, individual or commercial entity that intentionally fails to give notice [of a security breach] in accordance with section 28-51-105, Idaho Code, shall be subject to a fine of not more than twenty-five thousand dollars ($25,000) per breach of the security of the system."627 Montana Code Section 30-14-142(2) provides that if a court finds that "a person is willfully using or has willfully used" an unlawful method, act, or practice, a civil fine of not more than $10,000 may be imposed for each violation. A willful violation occurs when the party committing the violation knew or should have known that the conduct was a violation of Section 30-14-103.628

D. Liability for Damages

Some states authorize an action for damages for a violation of the state's statute protecting personal information and/or for failure to give notice of a breach of the security of personal information.629

620 See Haw. Rev. Stat. § 487N-3(a) (2016) and Me. Rev. Stat. § 1349(2)(A) (2016) (stating that provisions on enforcement and for imposition of civil penalties for violations of Maine's statute on Notice of Risk to Personal Data are not applicable to the state).
621 See Ga. Code § 10-1-910, et seq. (2016); 815 Ill. Comp. Stat. § 530/20 (2016) (no specific penalty found that applies to government agencies but a violation constitutes an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act); Ind. Code § 4-1-11-2, et seq. (2016) (no provision located that permitted a civil action or imposed a civil penalty for a violation); and N.J. Stat. Ann. § 56:8-166 (2016) (although stating that it is "unlawful…to willfully, knowingly or recklessly violate sections 10 through 13 of this amendatory and supplementary act," no provision located authorizing a cause of action or imposing a specific civil penalty).
622 Joerling, supra note 611, at 471.
623 California Security Breach Information Act, Cal. Civ. Code § 1798.29(a) (emphasis supplied).
624 Joerling, supra note 611, at 471.
625 Iowa Code § 22.10(3)(b)(2) (2016).
626 Alaska Stat. § 45.48.080(a) (2016) (stating that an information collector that is a governmental agency is liable to the state for a civil penalty of up to $500 for each state resident who was not notified under Alaska Stat. §§ 45.48.010 to 45.48.090, but total civil penalty may not exceed $50,000); Mich. Comp. Laws § 445.72(14) (2016) (applicable to § 445.72's security breach requirements and providing that "[t]he aggregate liability of a person for civil fines under subsection (13) for multiple violations of subsection (13) that arise from the same security breach shall not exceed $750,000.00"). See also Mich. Comp. Laws § 445.72(15) (2016) (stating that "[s]ubsections (12) and (13) do not affect the availability of any civil remedy for a violation of state or federal law"); R.I. Gen. Laws § 11-49.2-6(a) (2016) (stating that a breach of the state's Identity Theft Protection Act "is a civil violation for which a penalty of not more than a hundred dollars ($100) per occurrence and not more than twenty-five thousand dollars ($25,000) may be adjudged against a defendant").
627 Idaho Code § 28-51-107 (2016) (emphasis supplied).
628 Mont. Code § 30-14-142(4) (2016). See also Mont. Code § 30-14-1705 (2016) (incorporating Mont. Code § 30-14-142(1) (authorizing the courts to also impose a civil fine for violating an injunction or a temporary restraining order).
629 La. Rev. Stat. § 51:3075 (2016) (authorizing a civil action "to recover actual damages resulting from the failure to disclose in a timely manner to a person that there has been a breach of the security system resulting in the disclosure of a person's personal information"); and Tenn. Code Ann. §§ 47-18-2104 and 22105 (2016) (providing, respectively, for a private right of action and for civil penalties for a violation of the Tennessee Identity Theft Deterrence Act of 1999).
As stated, California's IPA provides that an individual may bring a civil action for damages and costs against an agency whenever the agency fails to maintain accurate and complete records concerning an individual as further provided in the statute, or "to comply with any other provision of this chapter, or any rule promulgated thereunder, in such a way as to have an adverse effect on an individual."630 In Ohio, Ohio Revised Code Section 1347.12(G) authorizes the attorney general to conduct an investigation and to bring a civil action for an alleged failure by a state agency or an agency of a political subdivision to comply with Section 1347.12.631

An Oregon statute states that "[a] person aggrieved by an intentional violation of ORS 802.175 to 802.187 may bring an action at law against a person who has knowingly obtained or used personal information about the aggrieved person…for actual damages or $2,500, whichever is greater, plus attorney fees and court costs reasonably incurred in the action."632 Under Minnesota's MGDPA, supra, actual damages are recoverable for a disclosure of private or confidential data, as well as exemplary damages of not less than $1,000 or more than $15,000 for each willful violation of the MGDPA.633

In South Carolina, a resident who is injured by a violation of the state statute that applies to a breach of security of "business data" may

(1) institute a civil action to recover damages in case of a wilful [sic] and knowing violation;
(2) institute a civil action that must be limited to actual damages resulting from a violation in case of a negligent violation of this section; …and
(4) recover attorney's fees and court costs, if successful.634

Furthermore, under South Carolina law, a person "who knowingly and wilfully [sic] violates this section is subject to an administrative fine in the amount of one thousand dollars for each resident whose information was accessible by reason of the breach, the amount to be decided by the Department of Consumer Affairs."635

In Virginia, although the attorney general is authorized to impose a civil penalty for a security breach, the statute also provides that an individual is not prohibited "from recovering direct economic damages from a violation…."636 In Washington, a customer who is injured by a violation of the state's statutory requirement that a notice be given of a breach of security of personal information may institute a civil action for damages;637 however, an agency is not required to disclose a technical breach of a security system that does not seem reasonably likely to subject a customer to a risk of criminal activity.638

Finally, it may be noted that a number of class actions have been brought against private companies for damages allegedly caused by a breach of security and a theft of PII. Some cases have been dismissed, however, for lack of standing because a risk of future injury caused by a breach, such as a possible identity theft, in and of itself is "too speculative to confer standing"639 or because a plaintiff was unable to show an actual injury-in-fact.640

E. Enforcement Power Delegated to the Attorney General

Some of the privacy statutes delegate authority to the attorney general to bring an action for a breach of the statute.641 Oklahoma Statute Section 24-165(A) provides for enforcement and a civil penalty for a violation of the Security Breach Notification Act:

A violation of this act that results in injury or loss to residents of this state may be enforced by the Attorney General or a district attorney in the same manner as an unlawful practice under the Oklahoma Consumer Protection Act.

630 Cal. Civ. Code §§ 1798.45(a)–(c) (2016). See also Cal. Civ. Code § 1798.46(b) (2016) (allowing for attorney's fees and other litigation costs for violations of §§ 1798.45(b) or (c)) and § 1798.53 (2016) (allowing actions for invasion of privacy except against state or local government agency employees).
631 Ohio Rev. Code § 1347.12(G) (2016).
632 Or. Rev. Stat. § 802.191(1) (2016).
633 Minn. Stat. § 13.08, subdiv. 1 (2016).
634 S.C. Code § 39-1-90(G) (2016).
635 S.C. Code § 39-1-90(H) (2016) (emphasis supplied).
636 Va. Code § 18.2-186.6(I) (2016).
637 Wash. Rev. Code § 42.56.59(10)(a) (2016).
638 Wash. Rev. Code § 42.56.59(10)(d) (2016).
639 Rosenfeld & McDowell, supra note 611, at 93 (citing In re TJX Cos. Retail Sec. Breach Litig., 527 F. Supp. 2d 209 (D. Mass. 2007), affirmed by, in part, vacated by, in part, remanded by, Amerifirst Bank v. TJX Cos. (In re TJX Cos. Retail Sec. Breach Litig.), 2009 U.S. App. LEXIS 6636, at *1 (1st Cir. Mass., Mar. 30, 2009)).
640 See Rosenfeld & McDowell, supra note 611, at 93 and Sprague & Ciocchetti, supra note 615, at 101 (citing Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629, 631 (7th Cir. 2007) (applying Indiana law)).
641 Kan. Stat. § 50-7a02(g) (2016) (empowering the attorney general "to bring an action in law or equity to address violations of this section and for other relief that may be appropriate"); Mass. Gen. Laws ch. 93H, § 3 (2016) (stating that the "attorney general may bring an action pursuant to section 4 of chapter 93A against a person or otherwise to remedy violations of this chapter and for other relief that may be appropriate"); Ohio Rev. Code § 1347.12(G) (2016) (stating that the attorney general may conduct an investigation and bring a civil action for an alleged failure by a state agency or agency of a political subdivision to comply with § 1347.12); and 73 Pa. Cons. Stat. § 2308 (2016) (providing that the attorney general has exclusive authority to bring an action for a violation of the state's Breach of Personal Notification Act).