Last year, companies like LinkedIn and Yahoo had their fair share of data breaches. In May 2016 it came to light that LinkedIn's 2012 breach, which had already put 6.5 million unsalted SHA-1 password hashes on a Russian crime forum, was far larger than reported: the attacker was selling a further 117 million email and password combinations on a dark-web marketplace. Unsalted hashes are not "encrypted" passwords; the majority were cracked within days, so the combinations were usable in the clear. And, just last month, Yahoo announced that its data theft was much worse than it originally let on, with more than one billion accounts affected. Keep in mind that the breach itself dates back to 2013.
Let's not forget about the data breaches at Ashley Madison, eBay, and JPMorgan Chase. I could list a handful of additional data breaches, but the problem is clear: over the past few years, businesses have struggled to keep users' private information (PI) private.
This is why businesses need to take serious steps to protect the usernames, email addresses, passwords, and security questions and answers their customers use. However, the definition of what information qualifies as PI varies from state to state. Take a look:
- User Data: Nevada and Rhode Island's definitions of PI are broad in what constitutes user data. They consider a username, email address, or "unique identifier" to be PI when combined with a password, security question and answer, or an "access code" that would permit access to an online account.
- Private Information (PI): The definitions of a data breach in Nevada, Rhode Island, and Wyoming are narrow in that they require at least a last name and first initial to be disclosed alongside the user data before it qualifies as PI. This mirrors how those states treat Social Security numbers and driver's license numbers, which likewise count as PI only when paired with a name.
- Expanding the Definition: California, Florida, and Wyoming have laws mandating that either a username or email address constitutes PI when combined with a password or security question and answer that would permit access to an online account — even if no first or last name or other personally identifiable information is disclosed. California first expanded the definition of PI to include usernames and email addresses in January 2014. Florida was next to enact this law in July 2014, and Wyoming followed in July 2015. Illinois, Nebraska, and Nevada are the latest to add usernames or email addresses to the definition of PI when they are combined with information that would permit access to an online account.
Some websites never ask users for a first or last name, an access code, or a "unique identifier," so a breach there would fall outside the narrower definitions. If those accounts are compromised, it is still far too easy for attackers to piece together the exposed email address and password and, because people reuse passwords across sites, use them to log in to another website belonging to the same user, one that holds more sensitive information, such as a Social Security number.
Hopefully, Congress can catch up with the times and mandate a national law similar to the one California enacted in 2014. In the meantime, all states should consider following in California's footsteps by expanding the definition of PI to include usernames and email addresses, even if no first or last name or other personally identifiable information is disclosed.