In the first nine months of 2019, an average of 7.1% of data privacy or security incidents were breaches that required notification. Each of these incidents had first passed through a compliant, multi-factor risk assessment to determine the potential harm to affected individuals. Without such an assessment, many companies would notify on a far greater share of incidents than the law actually requires.
How a regulation defines personal information significantly impacts what could trigger a breach notification obligation. And in the U.S., 2019 saw an expansion in the definition of personal information across multiple laws.
The scope of what qualifies as personal information has continued to broaden since the first data breach notification law took effect in California in 2003. In 2019, several states added online credentials and/or biometric data to their law’s definition of personal information: Arkansas, Delaware, Ohio, South Carolina, New Jersey, and New York (the SHIELD Act). Virginia played regulatory catch-up with other states by adding passport numbers and military ID numbers.
An interesting nuance in the New York SHIELD Act is that “unauthorized access” to personal information now counts as a data breach, not just acquisition. This includes “viewing, but not obtaining copies of,” personal information. And in New Jersey, if a resident’s email account credentials are exposed in a breach, the notification cannot be sent to that same email account.
The addition of biometric data and online credentials builds on the 2018 round of amendments, which expanded the definition of personal information to include a personal account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
Forecast for 2020—More of the Same
In 2020, additional states will continue to add biometric data—which includes fingerprints, facial recognition, and retina scans. The use of this highly sensitive data for identity authentication will only increase over time.
With the emphasis on electronic incidents—including newer categories such as biometric data—regulators tend to overlook paper incidents. While these incidents are explicitly regulated under HIPAA for healthcare entities and the GLBA for the financial industry, only 10 U.S. states currently regulate both unauthorized paper and electronic disclosures.
However, RadarFirst metadata shows, by industry, a significant percentage of notifiable incidents involved paper:
- Healthcare: 28%
- Insurance: 15%
- Financial services: 5%
“Personal Information” Around The World
The expanding definition of personal information in the United States reflects definitions that are already in place globally. For example, biometric data is treated as protected information under both the EU’s GDPR (where the operative term is “personal data”) and Australia’s Notifiable Data Breaches scheme. Canada’s PIPEDA also defines personal information broadly, as information about an identifiable individual, in any form. And the GDPR (Article 9) designates certain kinds of information as special categories requiring heightened protection, including:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Biometric data
- Genetic data
- Health data
- Sex life or sexual orientation
Why the Changes?
Technology has forever altered the way information is disseminated, stored, and used. Thus, data is more accessible than ever before. Back in 2016, Edith Ramirez, then-FTC chairwoman, said, “As consumers use more digital devices and the sophistication of big data analytics increases, it has become significantly easier to identify individuals based on information not traditionally categorized as personal information, making it more difficult to protect their privacy.”
It’s no surprise that legislators are working to keep pace by redefining what is meant by personal information. Experts noted in The National Law Review, “The passage of the SHIELD Act continues the trend, in New York and other states, to enact state-level data privacy and security laws…. As part of compliance efforts, companies should address the identification of the information subject to the SHIELD Act, and update written data security and breach notification policies and related practices, to incorporate new requirements.”
The Challenges for Privacy and Security Teams
As the meaning of personal information continues to expand, it’s likely that your privacy and security teams will face new challenges. Some of these challenges could include:
- An increase in the number of incidents due to the broader scope of personal information, each requiring a multi-factor risk assessment.
- Uncertainty about whether an incident qualifies as a breach, based on a particular jurisdiction’s definition of personal information—and those definitions may vary from state to state and country to country.
It’s critical for your organization’s privacy and security teams to know specifically what data is being collected and why, and then to assign a sensitivity score to that data. (The sensitivity of the data is one of the inputs used to measure the risk of harm during a multi-factor incident risk assessment; the same incident can score differently depending on which jurisdiction’s definition of personal information applies.)
Automation is the most practical way to address these incident response management challenges quickly, consistently, and defensibly. Radar provides automated risk scoring and breach notification decision-support that helps you avoid the pitfalls of both over- and under-notifying.
As we move into a new decade and new technologies create new privacy risks, the legal definition of personal information will only continue to expand. We must be ready to respond.
Stay tuned for the next post in this series, in which we discuss the second regulatory trend: increasing specificity in notification timelines. In the meantime, you can learn more by downloading the free ebook: Trends in Changing Data Breach Notification Laws.