I think Adam is too kind to Arizona’s new breach law.
My issues have to do with how various elements of the law might be interpreted:
“materially compromises”: Maybe I am reading too much Sarbanes-Oxley stuff and my sense of what constitutes materiality has been warped, but I would need to be reassured that this term means something “smaller” than it does in the SOX context. I realize this language is present in practically all breach laws, as well as HIPAA, etc.
“acquisition and access” — so if I simply hack in (gain “access”), but the audit trail doesn’t show that I did “acquire” PII, you get to keep quiet? How would acquisition be established?
“substantial economic loss” — So credit card numbers are no biggie, since liability is limited to an insubstantial amount?
“reasonably likely” — So, losing the PII of a bunch of people with no credit history, or those who have been demonstrated (by ID Analytics, or even the FTC) to be unlikely victims (like children on public assistance, say) gets you out of notifying?
I am leery of all these weasel words, and can envision a situation in which it would be in a firm’s interest to figure out just how big a truck could be driven through any of these possible loopholes.
Also, based solely on Adam’s excerpt, I do not see much difference between the CO and the AZ laws. Each has a ‘reasonably likely’ standard. In fact, I think AZ may have a higher notification threshold overall — reasonable likelihood of substantial economic loss. CO requires reasonable likelihood of misuse. Not all misuses cause substantial economic loss. I would like to know more about case law on these matters. Is there a lawyer in the house?
Ultimately, I guess I am not sure that these so-called new norms are actually norms. The fact that proposed national legislation is weaker than the best from the states shows me that the pendulum is swinging back, or is at least being nudged that way by folks who believe they have a lot riding on this.