Expanding PII Laws and Redacting for Privacy

In 2015, more than half of US State Legislatures introduced bills relating to data breaches. Fourteen states passed some or all of their bill’s  provisions, and an additional five states are in pending status. Rising concern for personal identification information, or PII, has taken to state senate floors in efforts to curb identity theft, maintain privacy, and promptly notify individuals of a breach. Wyoming perhaps expanded PII laws more than any other state, and Montana added certain types of identification, but only when attributed to a first and last name. At the same time, a recent court rulingdemonstrates that information which does not in and of itself identify an individual may legally be sold to a third party.

In February, New York state enacted a requirement to redact PII from court papers. Though New York has always required that Social Security numbers be redacted from court documents, this law stipulates that taxpayer identification numbers, birth dates, full names of minors, and financial account numbers are also PII and must be redacted in both paper and e-file cases. Responsibility for redaction falls on those submitting the documents, so law firms must take on the procedure of redacting themselves. Documents are submitted in good faith, but failure to redact all necessary PII can result in heavy fines, requiring firms to search each document with a fine-toothed comb.

California recently passed a law adapting requirements for data breach notification following the surge in massive data breaches in 2014. The new law, effective January 1, 2016, holds companies liable for compromised encrypted data, whereas the current law only accounts for unencrypted personal information. With that, the state expanded PII to include information collected through automated license plate recognition systems, like those used on interstate highways. As lawmakers crackdown on data breaches, the amount of information deemed sensitive increases at each step, and law firms find themselves under more work as PII definitions expand. Every PII addition means finding and implementing all instances where redaction is necessary in a case load.

PII laws are rapidly expanding nationwide, and lawmakers are making privacy a priority. The uptick in data breaches has state governments pushing to bridge the gap between effective business transactions and consumer protection. As that gap narrows, however, we will see an increased need for redacting private information, and at greater volumes, which is where automated redaction tools come in to help pick up the slack.