Published by Al Saikali

May 2012

Maybe it’s because I’m in New York City for a few days this week, but this article in the Wall Street Journal and this one in the New York Times caught my eye.  New York City has surpassed Boston as the #1 tech sector for Internet and mobile technologies on the east coast.  The story was based on a report released by the Center for an Urban Future.  Here are some of the key findings from the report:

  • “[T]here has been an explosion of tech start-ups in New York City, most of which are companies that leverage the Internet and mobile technologies.”  Specifically, the Center for an Urban Future identified 486 digital start-ups formed in NYC since 2007 that received angel, seed, or VC funding, and there are over 1,000 web-based technology start-ups in the city.
  • NYC was the only technology region in the country to see an increase in the number of venture capital deals between 2007 and 2011.
  • The start-ups located in NYC are growing significantly.  Fifteen have raised more than $50 million in investments, 27 have raised at least $25 million in investments, and 81 have raised at least $10 million.
  • The NYC technology sector has created 52,900 jobs in the past few years, a 28.7% increase for that sector (compared with 3.6% growth in NYC private-sector jobs generally).
  • This explosion in growth appears to be sustainable.  The start-ups are less focused on building new technology and more focused on applying existing technology to traditional industries like advertising, media, fashion, finance, and health care.

This last finding is perhaps the most significant because the application of existing technology to industries in which New York City already excels appears to be the lynchpin of the city’s strong tech growth and a distinguishing factor from the “dot com” bubble of the late ’90s.  The report is well worth reading as a case study of how and why a city develops a strong technology sector.  This is great news for my favorite city in the world!

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

The title of this blog entry is somewhat of a misnomer because there is no single national data breach notification law that governs all information the same way as the state data breach notification laws do.  So, for the time being, companies and consumers are forced to determine which state data breach notification laws apply to them and what the differences are between them.  Nevertheless, there are federal laws that require disclosure of data breaches in certain instances, and usually these laws are “industry specific.”

Examples of federal laws that require data breach notification are two laws governing the health care industry – the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).  Together, these laws require “covered entities” and many of their service providers to maintain administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of “protected health information” (commonly referred to as “PHI”).  A covered entity is a health plan, a health clearinghouse, or a health care provider who transmits health information.

If there is a breach, the covered entity must notify the individuals whose information has been accessed (and law enforcement) without unreasonable delay and no later than 60 days after the breach was discovered.  (The law also requires notification to the media in cases where the breach affects more than 500 individuals.)  Whether there is a breach that triggers the duty to notify depends on whether, with some exceptions, there was an impermissible use or disclosure that compromises the security or privacy of the PHI such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.  The notice must state what occurred, what type of information was accessed in the breach, what steps individuals should take in response, and what is being done to investigate, mitigate, and protect against further harm, and it must provide contact information.  HITECH imposes these same notification requirements on the covered entity’s vendors and service providers.

Another example of a federal data breach notification requirement is found within the Gramm-Leach-Bliley Act (GLB), which governs companies engaged in financial services.  Under GLB, when a financial institution becomes aware of an incident of unauthorized access to sensitive customer information, the institution should conduct an investigation to determine the likelihood that the information has been or will be misused.  If there is a determination that the misuse has occurred or is reasonably possible, the institution must notify the affected customer as soon as possible, save a law enforcement determination that notification will interfere with a criminal investigation.

Sometimes a company’s duty to disclose is imposed by a government agency.  For example, publicly traded companies need to be aware of the October 13, 2011, SEC Disclosure Guidance:  Topic No. 2.  Although the guidance is not the law but rather an agency’s interpretation of the law, it clearly states that publicly traded companies should report significant cyber incidents to the SEC.  The company must determine whether a reasonable investor would consider information about the incident important to an investment decision.  In making this determination, a company should consider the several factors set forth in the guidance.  The guidance also states what information should be in the disclosure.

These examples and the descriptions of them are admittedly very superficial and are not meant to capture the entire universe of federal laws requiring data breach notification.  The point of this post is that there is no uniform federal data breach notification law.  Data breach notification requirements at the federal level arise from a variety of laws and other legal authority.  As a result, a company that believes it may have suffered a data breach must consult the laws of any state where any of its customers reside, a variety of federal legal sources that regulate the company’s industry, and—as will be explained in an upcoming post—international law.  If your company has customers overseas, it will need to be aware of data breach notification requirements abroad.  The next part of this series on data breach notification laws will focus on Europe as a case study of how data breach notifications are addressed in other countries.


In 2005, a company called ChoicePoint, which collected personal and financial information for millions of consumers, was the victim of a security breach.  Criminals stole from ChoicePoint personal information for more than 145,000 individuals.  The floodgates opened and a variety of other corporations and organizations revealed similar data breaches that had resulted in unauthorized access to the personal information of 52 million individuals.

As a result of the ChoicePoint breach, states began enacting data breach notification laws that required companies and organizations to disclose major data breaches.  California was the first such state, and its law has been the model for data breach notification laws all over the country.  See Cal. Civ. Code §§ 56.06, 1785.11.2, 1798.29, 1798.82.  In fact, the only states that do not currently have data breach notification laws are Alabama, Kentucky, New Mexico, and South Dakota.

This blog post discusses how these data breach notification laws operate generally, keeping in mind that there are some differences from state to state.  The most important issues are who and what the laws protect, when a data breach is considered to have occurred so that the law is triggered, when notification must take place and what the notice must contain, and what the penalties are for failure to comply with the laws.

What/who is protected by data breach notification laws?  The laws protect the “personal information” of a state’s residents.  Personal information is usually defined as a person’s name in combination with some other private information such as a social security number, driver’s license number, account/credit card number, medical information, or health insurance information.  Some states have expanded the definition to include biometric data, fingerprints, retina images, and DNA profiles.  Personal information does not include publicly available information such as publicly available property information or criminal records.  The laws apply to any person or business that conducts business in the state where the law exists, including businesses not located in the state that are collecting information about the state’s residents, and any state agency that owns or licenses personal information.

When are the data breach notification laws triggered?  Data breach laws typically apply when there is an unauthorized acquisition of computerized data.  This includes a wide range of activity, from the intentional (hacking, theft, and corporate espionage, for example) to the negligent (losing a hard drive containing private customer information, or misdirecting electronic information).  Most data breach notification laws, however, do not apply to data that is encrypted (though the required level of encryption, and whether encryption is required at rest and/or in motion, is not clear), and sometimes the laws do not apply if the information is redacted.

When should notification of the data breach take place?  Once a company has determined that it was a victim of a data breach, it must usually provide notice of the breach to those individuals whose data has been accessed in an unauthorized manner.  Some states provide a specific deadline for when notice must take place, but many states simply require that disclosure take place within “the most expedient time possible and without unreasonable delay.”  An organization’s disclosure can usually be delayed if it would impede an ongoing criminal investigation.  In some states, notice is not required if, after an independent investigation or consultation with law enforcement, there is a determination that the breach did not result in harm to consumers.  In certain states there is a requirement for service providers who suffer data breaches to notify the companies that hired them of the breach.

What must be in the notice?  If a determination is made that notice must be provided, then the data breach notification laws usually prescribe how that notice must be given (i.e., what information should be in the notice).  The notice should be clear and as easy to understand as possible.  The notice should explain what information was accessed, and it may need to include a credit reporting agency’s telephone number.  Many states require that notice of the breach also be provided to the state Attorney(s) General.

What are the penalties for failure to comply?  If an organization does not comply with the requirements of a data breach notification statute it can be subject to significant administrative penalties of thousands of dollars per day after the disclosure deadline.  Additionally, many states have created a private cause of action (i.e., you can be sued) for not following the data breach notification requirements.

In short, it is important, once an organization suspects that it might be the victim of a data breach, to immediately engage legal counsel to assist in determining whether the breach requires disclosure and, if so, how and when the disclosure should take place.  It should be evident from the above information that the data breach notification laws vary from state to state, so any disclosure notice should be tailored with all relevant state and federal data breach notification laws in mind.  The fact that there are so many different data breach notification statutes is a compelling reason why Congress should step in and pass legislation that makes the data breach notification requirements more uniform.  Congress previously considered such legislation, but it did not become law.

Speaking of federal data breach notification laws, in addition to the state laws governing data breach notifications, there are also federal and international laws that govern data breaches.  Those laws impose even more notification requirements.  They will be discussed in the next post.  Stay tuned.
