When governing information, it works well to identify and bundle rules (for legal compliance, risk, and value), identify and bundle information (by content and context), and then attach the rule bundles to the information bundles. Classification is a great means to that end, by both framing the questions and supplying the answers. With a classification scheme, we have an upstream “if-then” (if it’s this kind of information, then it has this classification), followed by a downstream “if-then” (if it’s information with this classification, then we treat it this way). A classification scheme is simply a logical paradigm, and frankly, the simpler, the better. For day-to-day efficiency, once the rules and classifications are set, we automate as much and as broadly as possible, thereby avoiding laborious individual decisions that reinvent the wheel.
Easy so far, right? One of the early challenges is to identify and bundle the rules, which can be complicated. For example, take security rules. Defining what information fits in a protected classification for security controls can be daunting, given the various overlapping legal regimes in the United States for PII, PHI, financial institution customer information, and the like. So, let’s take a look, over several posts, at legal definitions for protected information, starting with PII under state statutes.
Although a few states have affirmative security program requirements for PII, most notably Massachusetts, the primary source of state PII law is found in breach notification statutes. State breach notification statutes truly are a crazy quilt, with several states amending their statutes in just the last six months, since our last post on the topic. Forty-seven states, the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands have statutes mandating notification of individuals whose personally identifiable information, as defined by statute, is breached, leaving only Alabama, New Mexico, and South Dakota without. And, under the Texas statute, companies doing business in Texas that have a PII breach must follow the Texas notification requirements for affected residents of these three outlier states.
These laws are triggered by the affected individual’s residency, not where the breach occurred. So, when a company with customers or employees in many different states seeks to clarify what information it will protect as PII, it must reconcile a wide range of state breach notification laws, with conflicting definitions.
Scope of PII
State breach notification laws define what is Protected Information within their purview – generally, a state resident’s name combined with another identifier useful for identity theft, such as the individual’s Social Security number, driver’s license or other governmental identification number, or financial account number with access information. But many states include other combination elements in their PII definition:
- Medical information (Arkansas, California, Florida, Missouri, Montana, North Dakota, Nevada, Oregon as of 1/1/16, Puerto Rico, Rhode Island as of 7/2/16, Texas & Wyoming)
- Health insurance information (California, Florida, Missouri, North Dakota, Oregon as of 1/1/16, Rhode Island as of 7/2/16, Texas & Wyoming)
- Unique biometric data or DNA profile (Iowa, Nebraska, North Carolina, Oregon as of 1/1/16, Wisconsin & Wyoming)
- Shared secrets or security token for authentication (Wyoming)
- Taxpayer ID or other taxpayer information (Maryland, Montana, Puerto Rico & Wyoming)
- IRS identity protection PIN (Montana)
- Email address or Internet account number, with security access information (Florida & North Carolina, Rhode Island as of 7/2/16)
- Digital or electronic signature (North Dakota)
- Employment ID number if combined with security access information (North Dakota)
- Birthdate (North Dakota)
- Birth or marriage certificate (Wyoming)
- Maiden name of individual’s mother (North Dakota)
- Work-related evaluations (Puerto Rico)
- Information collected through an automated license plate recognition system (California as of 1/1/2016)
In Florida, Georgia, and Maine, and also Oregon as of Jan. 1, 2016, notification requirements can attach to specified identification data even without the individual’s name, if such information would sufficiently enable identity theft.
All state breach notification laws apply to PII in electronic or computerized form. But in Alaska, Hawaii, Massachusetts, North Carolina, Washington, and Wisconsin, a breach of PII in any medium, including paper records, can result in notification obligations. Indiana and Iowa reach a similar result by applying notification requirements to breaches of computerized data that has been transferred to any other medium, including paper.
These state-level PII definitions help organizations craft their security classification categories for protected information. But many organizations will have additional regulatory frameworks for data security, which must also be considered.