These days, you cannot watch the news without hearing about a security breach where personal information is stolen and private data has been exposed. We put all of our important information into the public domain and rely on businesses and other entities to protect it for us. It is highly likely that you or someone you know has had their personal information compromised, whether from the large-scale breaches at Target, Home Depot, Sally Beauty Supply, Trump Hotels, Ashley Madison, Blue Cross Blue Shield, and CVS, or on a smaller scale at a local business. Anyone who uses a credit card or shops online is at risk. If personal information is stolen, bank accounts can be hacked, credit cards charged, home addresses revealed, social security numbers stolen, and so on. People may not even know that the information has been stolen until years later when they try to get a loan or a new credit card and realize their credit is destroyed.
Keeping all these breaches in mind, it is nearly impossible to get by these days without using a credit card or shopping online, so we must all put our faith in the hands of the businesses we patronize to provide enough security to protect our personal information. But what happens when companies fail to protect our information? Are there any consequences? What if the businesses do not provide sufficient security? Or what if they do the best they can but the security is still breached?
Nevada continues to pass laws to protect personal information
Nevada Revised Statute 603A governs proper data protection for any “data collectors” who deal with nonpublic personal information whether it be driver’s licenses, social security numbers, credit cards or user names and passwords. Such data collectors are required to take “reasonable security measures” to protect records from unauthorized access, use, modification, or disclosure. Data collectors are required to maintain certain security standards, sometimes by using encryption, to protect personal data. If companies take credit cards they must comply with “Payment Card Industry Data Security Standards” which require encryption for information transferred electronically. For companies that do not accept credit cards, Nevada law still requires them to encrypt data transferred electronically.
In an effort to keep up with the ever-increasing amount of personal information being transferred electronically, Nevada recently updated its statute to expand the definition of “personal information.” Prior to July 1, 2015, personal information required to be protected included social security numbers, driver’s license or identification numbers, and any account numbers in combination with passwords that permit access to a financial account. After July 1, 2015, personal information now includes medical information numbers, health insurance information numbers, driver authorization numbers, or user names/login information that in combination with a password or security question would permit access to an online account. This expansion of the meaning of personal information now seems to cover just about anything a consumer would be uniquely identified by at a business or on the internet, whether it be shopping with an online account, requesting a referral for a doctor visit, or subscribing to an online service.
Data collectors are not responsible for damages caused by a security breach as long as they are complying with the reasonable security standards outlined in the statute. If a business reasonably believes personal information has been stolen, they must provide the potential victims with notice right away.
Nevada considers itself to be the “gold standard” in consumer breach and notification laws (see Senate Committee on Commerce, Labor and Energy, April 24, 2015, at page 4). Nevada also prides itself on being “business-friendly” by having uncomplicated, clear and reasonable guidelines for what businesses need to do to comply with protection of consumer data (id.). The new guidelines expanding the definition of personal information were thought to incentivize businesses to protect the data or force them to go public with their breach by providing notice to the public.
Any press is good press? Or is it?
But are there any remedies to really protect a harmed consumer? It does not really appear so at this time in Nevada. Although businesses do have to notify individuals when the personal information is compromised, I am not convinced this is all that much of an incentive to use all possible efforts to protect information. For example, Target was brought to the forefront of the news recently for its large-scale data breach, but I do not know anyone who loves to shop there any less. I would make an educated guess that any number of my soccer mom friends are enjoying a stroll through Target as I write this. Not only that, but my home-improvement-enthusiast husband still goes to Home Depot at least once a week despite having to get an entirely new debit card when his information was breached a few months back. Point being that I just do not think it is a sufficient disincentive for companies to have to “out” themselves after a breach. Studies are showing that consumers are used to breaches and do not seem overly concerned about it. Typically consumers are not held responsible for unauthorized credit card charges and likely are not inconvenienced by more than a phone call to the bank.
Many companies that have suffered from security breaches have provided identity protection services at no charge for a certain amount of time. That is certainly helpful and likely comes at a substantial cost for the business, but it is not required. Connecticut recently passed legislation that will require identity theft protection to be provided in the event of a breach. California also requires these services.
What else can Nevada do to protect the personal information of her citizens?
In the future, Nevada may implement a law to require companies to provide these identity protection services. But it appears that most do anyway in an effort to show their customers that they care and that they will work hard to protect their data in the future. But is this enough? It is hard to say.
It is my perception that many of these computer hackers live abroad. Additionally, I believe that where there’s a will there’s a way, and if criminals are looking to find a way to steal personal information, they will always be one step ahead of the security game. So can we really fault a store for falling victim to an extremely sophisticated hacker when they took “reasonable measures” to protect my identity as required by law? Maybe. Say, for example, if someone does not receive notice of a breach because they changed their address since shopping at a certain store and they do not opt in to identity protection. Maybe a few years go by and this person is denied for a car loan because someone else has been taking out loans in his or her name and ruined the credit score of the victim. The consumer is innocent, so who should s/he blame? The store that permitted the data breach? Maybe.
Perhaps in the future, legislators would consider a private cause of action by a wronged consumer against a business that suffered a breach. Even if the business took reasonable protection measures, should an innocent consumer really be left holding the proverbial bag of harm when s/he now cannot buy a car? If this happens to a large number of people, maybe a class action suit would be a way to address wronged consumers. In that scenario, the benefits of a class action lawsuit come to fruition, as a consumer who suffered only a small amount could seek redress without incurring substantial attorney’s fees. But, on the other hand, I can understand how a store that took all best efforts to stay up to date on the cutting edge of security protection should not be held liable for falling victim to a sophisticated scammer. If a business follows all laws and procedures, maybe it is unfair to require the entity to pay damages for a breach they could not have anticipated.
Since Nevada likes to stay on the forefront of consumer data protection, we will have to wait and see how these issues play out in the future. But for now, keep checking those credit reports and be on the lookout for any strange activity.