In 2005, a company called ChoicePoint, which collected personal and financial information for millions of consumers, was the victim of a security breach. Criminals stole personal information on more than 145,000 individuals from ChoicePoint. The floodgates opened and a variety of other corporations and organizations revealed similar data breaches that had resulted in unauthorized access to the personal information of 52 million individuals.
As a result of the ChoicePoint breach, states began enacting data breach notification laws that required companies and organizations to disclose major data breaches. California was the first such state, and its law has been the model for data breach notification laws all over the country. See Cal. Civ. Code §§ 56.06, 1785.11.2, 1798.29, 1798.82. In fact, the only states that do not currently have data breach notification laws are Alabama, Kentucky, New Mexico, and South Dakota.
This blog post discusses how these data breach notification laws operate generally, keeping in mind that there are some differences from state to state. The most important issues are who/what is protected by the laws, when is a data breach considered to have occurred so that the law is triggered, when should notification take place and what must the notice contain, and what are the penalties for failure to comply with the laws.
What/who is protected by data breach notification laws? The laws protect the “personal information” of a state’s residents. Personal information is usually defined as a person’s name in combination with some other private information such as a social security number, driver’s license number, account/credit card number, medical information, or health insurance information. Some states have expanded the definition to include biometric data, fingerprints, retina images, and DNA profiles. Personal information does not include publicly available information such as publicly available property information or criminal records. The laws apply to any person or business that conducts business in the state where the law exists, including businesses not located in the state that are collecting information about the state’s residents, and any state agency that owns or licenses personal information.
When are the data breach notification laws triggered? Data breach laws typically apply when there is an unauthorized acquisition of computerized data. This includes a wide range of activity, from the intentional (hacking, theft, and corporate espionage, for example) to the negligent (losing a hard drive containing private customer information, or misdirecting electronic information). Most data breach notification laws, however, do not apply to data that is encrypted (though the level of encryption, and whether encryption is required at rest and/or in motion, is not clear) and sometimes the laws do not apply if the information is redacted.
When should notification of the data breach take place? Once a company has determined that it was a victim of a data breach, it must usually provide notice of the breach to those individuals whose data has been accessed in an unauthorized manner. Some states provide a specific deadline for when notice must take place, but many states simply require that disclosure take place within “the most expedient time possible and without unreasonable delay.” An organization’s disclosure can usually be delayed if it would impede an ongoing criminal investigation. In some states, notice is not required if, after an independent investigation or consultation with law enforcement, there is a determination that the breach did not result in harm to consumers. In certain states there is a requirement for service providers who suffer data breaches to notify the companies that hired them of the breach.
What must be in the notice? If a determination is made that notice must be provided, then the data breach notification laws usually specify how that notice must be provided (i.e., what information should be in the notice). The notice should be clear and as easy to understand as possible. The notice should explain what information was accessed and it may need to include a credit reporting agency’s telephone number. Many states require that notice of the breach also be provided to the state Attorney(s) General.
What are the penalties for failure to comply? If an organization does not comply with the requirements of a data breach notification statute, it can be subject to significant administrative penalties of thousands of dollars per day after the disclosure deadline. Additionally, many states have created a private cause of action (i.e., you can be sued) for not following the data breach notification requirements.
In short, it is important, once an organization suspects that it might be the victim of a data breach, to immediately engage legal counsel to assist in determining whether the breach requires disclosure and, if so, how and when the disclosure should take place. It should be evident from the above information that the data breach notification laws vary from state to state, so any disclosure notice should be tailored with all relevant state and federal data breach notification laws in mind. The fact that there are so many different data breach notification statutes is a compelling reason why Congress should step in and pass legislation that makes the data breach notification requirements more uniform. Congress previously considered such legislation, but it did not become law.
Speaking of federal data breach notification laws, in addition to the state laws governing data breach notifications, there are also federal and international laws that govern data breaches. Those laws impose even more notification requirements. They will be discussed in the next post. Stay tuned.
DISCLAIMER: The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients. Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients. All of the data and information provided on this site is for informational purposes only. It is not legal advice nor should it be relied on as legal advice.