Many State Data Breach Laws Don't Protect Paper Records

This is likely more in the nature of "news to me" than "news." I learned, or at least I think I learned, that most of the many state data breach notification laws don't reach a common source of privacy violations: personal information snatched by dumpster divers. In Pinero v. Jackson Hewitt Tax Service Inc., decided last week, the court turned back a claim under Louisiana's data security breach notification law, because the mishandled personal information was recorded on paper -- not in electronic form. The records at issue were the plaintiff's tax returns which, along with those belonging to 100 other Jackson Hewitt customers, were found unshredded in a public dumpster.

The Louisiana Database Security Breach Notification Law, La. Rev. Stat. Section 51:3071, authorizes a civil action to recover actual damages resulting from the failure to make a timely notification of a breach that results in the disclosure of personal information.

The statute, at Section 51:3073(2), defines a data breach as "the compromise of the security, confidentiality, or integrity of computerized data." The court said that no breach had occurred here because the plaintiff's personal information was not in computerized form. Paper documents are not protected by the law, it said.

I did a little investigation and, as it turns out, a lot of state laws are written in the same fashion as Louisiana's data breach statute. If other courts interpret "computerized data" the same way as the Louisiana court, then carelessness with paper records containing personal information is not going to get a business in hot water in very many states.

True, some states, such as California and Alaska, protect all records containing personal information regardless of physical form. But most states do not. I learned, before I got weary of clicking and looking, that Arizona, Colorado, Connecticut, Delaware, Florida, Idaho, Illinois, Indiana, Iowa, Maryland, and Minnesota all have data breach notification laws that protect either "computerized data" or "unencrypted computerized data." Florida's statute, Fla. Stats. Section 817.5681(1)(a), is typical:

Any person who conducts business in this state and maintains computerized data in a system that includes personal information shall provide notice of any breach of the security of the system, following a determination of the breach, to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

The National Conference of State Legislatures maintains a list of all enacted data breach laws, so jump in if I haven't mentioned your state.

For what it's worth, the first data breach notification law of the 111th Congress, Sen. Dianne Feinstein's S. 136, likewise protects only computerized information (Section 13(5) defines personally identifiable information as "any information, or compilation of information, in electronic or digital form serving as a means of identification ...."). And of course S. 136 preempts state laws. So if S. 136 were to be enacted, would the few state laws that impose security breach notification requirements for mislaid paper records be preempted?

The case is Pinero v. Jackson Hewitt Tax Service Inc., No. 08-3535 (E.D. La., Jan. 7, 2009).