The world of data privacy often focuses on how companies use consumers’ information and what measures those companies take to protect it.  Each of the fifty states has enacted a law requiring entities to notify individuals of security breaches involving personally identifiable information (although those laws vary greatly).  Additionally, twenty-five states have laws that address the data security practices of private sector entities.  But what happens when a privacy breach originates not from a company, but from a government agency?  

Government agencies necessarily hold reams of personal information on individuals, including Social Security numbers, taxpayer information, financial information, and more. Unfortunately, data breaches originating from government agencies are far from unheard of.  In 2015, in what the media dubbed the #PeachBreach, the Georgia Secretary of State accidentally shared the Social Security numbers, birthdates, driver’s license numbers, and other pertinent information of 6.1 million Georgia voters with twelve organizations, including newspapers and political parties.  In 2011, the Texas Comptroller’s Office revealed that the personal information, including Social Security numbers, of 3.5 million Texans had been unintentionally exposed on a publicly accessible server for at least a year.  And in 2012, 3.6 million Social Security numbers and 387,000 taxpayers’ debit and credit card numbers were exposed when a database server at the South Carolina Department of Revenue was hacked (although most of the credit and debit card numbers were encrypted, 16,000 were not).

Many state governments have enacted legislation addressing the security of data held by government agencies.  Twenty-eight states require that state government agencies put reasonable security measures in place to protect data.[1]  These laws generally require that the state’s technology office or agency implement security plans and audit state agencies for compliance with such plans.  Fifteen states require that agencies destroy or dispose of personal information in a manner that renders it unreadable or indecipherable.[2]  In addition, various state and federal laws specifically address health care data, financial or credit information, and other specific types of information.

Although many states have enacted laws addressing data security, states should continue to examine how their own agencies handle and protect personal information.  For example, despite the wealth of personal information in the possession of state governments, many states have enacted data disposal laws that apply solely to the private sector and not to government agencies.[3]  Laws correcting these discrepancies and further addressing the protection of personal information held by the government could help prevent future privacy breaches.


[1] Those states are: Alabama, Arizona, California, Colorado, Connecticut, Florida, Georgia, Idaho, Illinois, Indiana, Kansas, Kentucky, Maryland, Massachusetts, Minnesota, Montana, New York, North Carolina, Ohio, Oklahoma, Oregon, South Carolina, Texas, Utah, Virginia, Washington, West Virginia, and Wyoming.  Id.

[2] Those states include Alabama, Alaska, Arizona (applies only to paper records), Arkansas, Hawaii, Illinois, Kansas, Massachusetts, Maryland, Michigan, New Jersey, Oregon, South Carolina, Virginia, and Washington.

[3] Those states are: California, Colorado, Connecticut, Florida, Georgia, Indiana, Kentucky, Louisiana, Montana, Nevada, New Mexico, New York, North Carolina, Rhode Island, Tennessee, Texas, Utah, Vermont, and Wisconsin.