March 14 — Rhode Island, Minnesota and California are considering legislation to amend their breach notification laws in response to data breaches involving debit and credit cards used at retailers.
The Minnesota and California bills may move, but the Rhode Island measure is stalled.
Meanwhile, a bill prompted by the retailer security incidents to add data breach notice obligations for the first time in New Mexico has died.
A Rhode Island House bill (H. 7519) was introduced Feb. 13 at the request of state Attorney General Peter Kilmartin (D).
“As we have seen recently in the data breaches of Target and Neiman Marcus, data breaches are occurring more frequently, are more sophisticated and are affecting hundreds of millions of consumers,” Kilmartin said in a March 4 statement.
“It is imperative that our data breach laws provide better protection for consumers and provide the necessary tools to prosecute those who take advantage of stolen consumer information,” Kilmartin said he told the House Judiciary Committee that was considering the measure.
The committee, however, March 4 recommended that the measure be held for further study.
The bill seeks to amend the state's underlying data breach notice statute, which was enacted in July 2005 and took effect March 1, 2006.
H. 7519 would require the addition of a statement in breach notifications to individuals to warn them of the threat of imposters offering to provide help in the wake of a data breach incident. “Unfortunately fraudulent notification of security breaches is increasing with concerning frequency. These imposters use the vulnerability of an individual harmed by a security breach to further victimize them by obtaining their personal information under the guise of trying to assist them,” Kilmartin said.
The bill would remove the requirement that a security access code or password be breached along with a payment card number in order for covered entities to be required to provide notification of a breach. The measure would add personal identification numbers to the list of protected “personal information.”
“The ability for a bad actor to find a consumer's PIN number to a debit card or access personal information through a customer loyalty account is becoming effortless. Therefore, it is necessary that our laws are equipped to handle new trends of data breach practice,” Kilmartin said.
In Minnesota, retail payment card breaches prompted the introduction of a bill (H.F. 2253) that would amend the state's breach notification statute to require all covered entities that face a breach to notify affected individuals within 48 hours of discovering the breach.
The bill's sponsor said it was a direct response to the breach affecting some 40 million credit cards revealed by Minneapolis-based retailer Target Corp.
Under the proposed law, individuals whose personal information was breached by retailers would be entitled to a $100 gift card valid for one year from the retailer and would require covered entities facing a breach to reimburse affected individuals for any fees charged in relation to the breach.
H.F. 2253 would amend the state's 2005 data breach notice law.
The bill is before the House Commerce and Consumer Protection Finance and Policy Committee.
In California, a bill (S.B. 1351) introduced Feb. 21 would require banks, credit unions and other financial institutions to issue only payment cards that include an embedded microchip containing personal data and that require customers to input a PIN at the point of sale to complete a transaction.
Under S.B. 1351, covered entities would have to begin using the chip and PIN technology by Oct. 1, 2015. MasterCard Inc., Visa Inc. and American Express Co. have already set that same date as a deadline for adoption of the chip and PIN technology.
Another bill (A.B. 1710) introduced by Assemblymen Roger Dickinson(D) and Bob Wieckowski(D) seeks to make changes to the data breach notification law.
So far the bill would make only minor nonsubstantive technical changes, but the sponsors—who are respectively the chairmen of the Banking & Finance and Judiciary committees—said they are considering amendments.
Their committees held a joint hearing Feb. 18 at which witnesses called for strengthening state enforcement tools and penalties for consumer data breaches.
Another bill (S.B. 383), which was carried over from the first year of the biennial 2013-2014 legislative session, would tighten consumer privacy in credit card transactions.
The bill, which would amend the Song-Beverly Credit Card Act, passed the Senate Jan. 30 and is pending in the House.
New Mexico's House passed a bill (H.B. 224) that contained a retail payment card breach provision and that would have made New Mexico the 47th state with a data breach law.
But the measure died when lawmakers adjourned for the year.
Rhode Island: H. 7519, as introduced, is available at http://webserver.rilin.state.ri.us/BillText/BillText14/HouseText14/H7519.pdf.
Minnesota: Full text of H.F. 2253, as introduced, is available at http://op.bna.com/pl.nsf/r?Open=dapn-9gps5h.
California: S.B. 1351, as introduced, is available at http://www.leginfo.ca.gov/pub/13-14/bill/sen/sb_1351-1400/sb_1351_bill_20140221_introduced.pdf.
A.B. 1710, as introduced, is available at http://www.leginfo.ca.gov/pub/13-14/bill/asm/ab_1701-1750/ab_1710_bill_20140213_introduced.pdf.
S.B. 383, as amended and passed by the Senate, is available at http://www.leginfo.ca.gov/pub/13-14/bill/sen/sb_0351-0400/sb_383_bill_20140128_amended_sen_v96.pdf.
New Mexico: H.B. 224, as amended on the floor and passed by the House, is available at http://www.nmlegis.gov/Sessions/14%20regular/bills/house/HB0224FHS.pdf.
To view additional stories from Privacy & Security Law Report® register for a free trial now