State Comparison of Computer Security Breach Laws

In 2003, the California Database Security Breach Act was passed. California was the first state to protect any state agency, person, or company that does business in its state regardless of where it resides. The act requires a business to inform its customers who reside in California within 48 hours if a breach of personal information has occurred. Since 2003, many states have passed laws to protect their citizens. In 2006, New Jersey passed a similar law and in comparison is very much like the California Database Security Breach Act. Currently, Alabama, Kentucky, New Mexico, and South Dakota have no laws regarding electronic data breaches.

Security Breach Notification Laws

“In 2008, California extended its data breach notification law to encompass incidents including electronic medical and health insurance information” (Ciampa, 2009, p. 14). With this addition, California attempted to protect its citizens from all types of security breaches.

New Jersey’s Law

In January 2006, the New Jersey “Disclosure of breach of security to customers” statute (N.J.S.A 56:8-163) was enacted. This statute dictates that any organization that “conducts business in New Jersey, or any public entity that compiles or maintains computerized records that include personal information, shall disclose any breach of security of those computerized records following discovery or notification of the breach to any customer who is a resident of New Jersey whose personal information was, or is reasonably believed to have been, accessed by an unauthorized person” (American Institute of CPAs [AICPA], 2011). The discovery of a breach of a customer’s personal information will be reported in the fastest time possible and without delay. Any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system must be consistent with the requirements of law enforcement. This breach of security must be documented in writing and retained for five years. The New Jersey statute is limited to the security breach of an individual’s first name or first initial and last name linked with a social security number, a driver’s license number, state identification card number, bank account number, credit/debit card number, security code, access code, or password that permits access to an individual’s financial account.

California’s Law

The California Security Breach Information Act (SB 1386) is a law which requires that an organization that conducts business in the state and collects personal information is to notify each person in its database should there be a security breach involving such information including a social security number, driver’s license number, bank account number, credit/debit card number, or security code or password for accessing an individuals financial account.
California citizens must be notified when their information is illicitly obtained from a server or database with other personal information (Data Governance Institute, 2008).

Security Discloser Law Comparison: New Jersey versus California

California and New Jersey are very similar in their protection of their citizens. California added protection for medical and health insurance information. New Jersey does not have medical and health insurance information protection, but the federal Health Insurance Portability and Accountability Act of 1996 (HIPPA) protects US citizens. Unfortunately, HIPPA does not require organizations to disclose any security breaches. I would recommend that New Jersey update its statute to include notification of security breaches of all forms of information infringements including medical and health insurance related security violations to its citizens.

There have been copious security breaches in 2012, too numerous to list, both on a nationwide level as well as a state-by-state level. As recently as November 2012, a security breach was reported at South Jersey Healthcare (SJH), a regional medical center in Vineland. Omnicell, provider of automated medication dispensing services for SJH, announced that one of its devices with personal information was stolen and not encrypted. However, the device was password protected. Omnicell mailed notification letters and established a dedicated call center to assist the affected patients (NJ.com, 3012).

Conclusion
On a daily basis, people are faced with attacks such as fake emails, website messages, telephone calls, or texts, appearing to be from legitimate businesses avoiding anti-spam software and Internet security filters. Criminals use sophisticated attacks to steal data from organizations’ databases for financial gain. Most American states have created laws to protect their citizens’ personal and financial data.

California paved the way for security breach protection and notification for its citizens in 2003, and fortunately, most states have followed suit.