Well, this might be the Fed statute that was broken; in addition, the individual states have stricter laws regarding companies' requirements to keep PII intact and not floating around. Think CA and NY are the two with decent laws in that regard. Anyway, the excerpts from the Fed
More info is needed, but they are on the line as to possibly having a little trouble following them.
C knowingly transfers or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law or that constitutes a felony under any applicable State or local law;
# except as provided in paragraphs (3) and (4), a fine under this title or imprisonment for not more than three years, or both, if the offense is --
1. any other production, transfer, or use of means of identification, an identification document, or a false identification document; or
2. an offense under paragraph (3) or (7) of such subsection;
# the offense is an offense under subsection (a)(4) of this section; or
# either --
1. the production, transfer, possession, or use prohibited by this section is in or affects interstate or foreign commerce; or
2. the means of identification, identification documents, false identification document, or document-making implement is transported in the mail in the course of the production, transfer, possession, or use prohibited by this section.
# the term "means of identification" means any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual, including any --
1. name, social security number, date of birth, official State or government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number;
2. unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation;
3. unique electronic identification number, address, or routing code; or
4. telecommunications identifying information or access device as defined in section 1029(e);
Oh, and just for giggles, here's the AZ statute that covers ID theft. Seems that the individual DOES NOT HAVE TO SUFFER HARM to be considered as having their ID stolen.
13-2008. Taking identity of another person or entity; knowingly accepting identity of another person; classification
A. A person commits taking the identity of another person or entity if the person knowingly takes, purchases, manufactures, records, possesses or uses any personal identifying information or entity identifying information of another person or entity, including a real or fictitious person or entity, without the consent of that other person or entity, with the intent to obtain or use the other person's or entity's identity for any unlawful purpose or to cause loss to a person or entity whether or not the person or entity actually suffers any economic loss as a result of the offense, or with the intent to obtain or continue employment.
B. A person commits knowingly accepting the identity of another person if the person, in hiring an employee, knowingly does both of the following:
1. Accepts any personal identifying information of another person from an individual and knows that the individual is not the actual person identified by that information.
2. Uses that identity information for the purpose of determining whether the individual who presented that identity information has the legal right or authorization under federal law to work in the United States as described and determined under the processes and procedures under 8 United States Code section 1324a.
C. On the request of a person or entity, a peace officer in any jurisdiction in which an element of an offense under this section is committed, a result of an offense under this section occurs or the person or entity whose identity is taken or accepted resides or is located shall take a report. The peace officer may provide a copy of the report to any other law enforcement agency that is located in a jurisdiction in which a violation of this section occurred.
D. If a defendant is alleged to have committed multiple violations of this section within the same county, the prosecutor may file a complaint charging all of the violations and any related charges under other sections that have not been previously filed in any precinct in which a violation is alleged to have occurred. If a defendant is alleged to have committed multiple violations of this section within the state, the prosecutor may file a complaint charging all of the violations and any related charges under other sections that have not been previously filed in any county in which a violation is alleged to have occurred.
E. This section does not apply to a violation of section 4-241 by a person who is under twenty-one years of age.
F. Taking the identity of another person or entity or knowingly accepting the identity of another person is a class 4 felony.
NC law has some interesting reading too... Looks like the company needs to work on their Notice of Security Breach, just a little. Wonder if they have notified the Consumer Protection Division too?!
§ 75-62. Social security number protection.
(a) Except as provided in subsection (b) of this section, a business may not do any of the following:
(1) Intentionally communicate or otherwise make available to the general public an individual's social security number.
(6) Sell, lease, loan, trade, rent, or otherwise intentionally disclose an individual's social security number to a third party without written consent to the disclosure from the individual, when the party making the disclosure knows or in the exercise of reasonable diligence would have reason to believe that the third party lacks a legitimate purpose for obtaining the individual's social security number.
75-65. Protection from security breaches.
(a) Any business that owns or licenses personal information of residents of North Carolina or any business that conducts business in North Carolina that owns or licenses personal information in any form (whether computerized, paper, or otherwise) shall provide notice to the affected person that there has been a security breach following discovery or notification of the breach. The disclosure notification shall be made without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (c) of this section, and consistent with any measures necessary to determine sufficient contact information, determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system. For the purposes of this section, personal information shall not include electronic identification numbers, electronic mail names or addresses, Internet account numbers, Internet identification names, parent's legal surname prior to marriage, or a password unless this information would permit access to a person's financial account or resources.
(b) Any business that maintains or possesses records or data containing personal information of residents of North Carolina that the business does not own or license, or any business that conducts business in North Carolina that maintains or possesses records or data containing personal information that the business does not own or license shall notify the owner or licensee of the information of any security breach immediately following discovery of the breach, consistent with the legitimate needs of law enforcement as provided in subsection (c) of this section.
(c) The notice required by this section shall be delayed if a law enforcement agency informs the business that notification may impede a criminal investigation or jeopardize national or homeland security, provided that such request is made in writing or the business documents such request contemporaneously in writing, including the name of the law enforcement officer making the request and the officer's law enforcement agency engaged in the investigation. The notice required by this section shall be provided without unreasonable delay after the law enforcement agency communicates to the business its determination that notice will no longer impede the investigation or jeopardize national or homeland security.
(d) The notice shall be clear and conspicuous. The notice shall include all of the following:
(1) A description of the incident in general terms.
(2) A description of the type of personal information that was subject to the unauthorized access and acquisition.
(3) A description of the general acts of the business to protect the personal information from further unauthorized access.
(4) A telephone number for the business that the person may call for further information and assistance, if one exists.
(5) Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.
(6) The toll-free numbers and addresses for the major consumer reporting agencies.
(7) The toll-free numbers, addresses, and Web site addresses for the Federal Trade Commission and the North Carolina Attorney General's Office, along with a statement that the individual can obtain information from these sources about preventing identity theft.
(e) For purposes of this section, notice to affected persons may be provided by one of the following methods:
(1) Written notice.
(2) Electronic notice, for those persons for whom it has a valid e-mail address and who have agreed to receive communications electronically if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing set forth in 15 U.S.C. § 7001.
(3) Telephonic notice provided that contact is made directly with the affected persons.
(4) Substitute notice, if the business demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000) or that the affected class of subject persons to be notified exceeds 500,000, or if the business does not have sufficient contact information or consent to satisfy subdivisions (1), (2), or (3) of this subsection, for only those affected persons without sufficient contact information or consent, or if the business is unable to identify particular affected persons, for only those unidentifiable affected persons. Substitute notice shall consist of all the following:
a. E-mail notice when the business has an electronic mail address for the subject persons.
b. Conspicuous posting of the notice on the Web site page of the business, if one is maintained.
c. Notification to major statewide media.
(e1) In the event a business provides notice to an affected person pursuant to this section, the business shall notify without unreasonable delay the Consumer Protection Division of the Attorney General's Office of the nature of the breach, the number of consumers affected by the breach, steps taken to investigate the breach, steps taken to prevent a similar breach in the future, and information regarding the timing, distribution, and content of the notice.
(f) In the event a business provides notice to more than 1,000 persons at one time pursuant to this section, the business shall notify, without unreasonable delay, the Consumer Protection Division of the Attorney General's Office and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. § 1681a(p), of the timing, distribution, and content of the notice.
(g) Any waiver of the provisions of this Article is contrary to public policy and is void and unenforceable.
(i) A violation of this section is a violation of G.S. 75-1.1. No private right of action may be brought by an individual for a violation of this section unless such individual is injured as a result of the violation.