
Data Security Breaches: The Obstacles to a "One Size Fits All" Response Plan
October 6, 2008

Guest Commentaries
By James E. Kurack Jr.

The following article was carried on the "Chain Store Age" website October 6, 2008 and is reprinted with permission from them.

Given the recent frequency of reported data security breaches across the country, almost every state has implemented stringent data security breach laws that require companies to notify their customers of a potential data security breach. The laws of other states may apply to your business (whether you know it or not!) if you sell products or services to customers over the Internet. In the unfortunate event your business suffers a data breach, you must be immediately prepared to address the following issues: (1) when you must notify others of a data security breach, (2) who you must notify of a data security breach, (3) the contents of the notification and (4) the timing of such notification. A quick review of the data security breach laws of other states reveals that your business cannot have a "one size fits all" approach to these four issues.

Notification Triggers

The first issue confronted by a business suffering a data breach is whether it must notify third parties of the data breach. It is imperative that a business be certain whether it must notify residents of a particular state of a data security breach, as failing to notify those residents could subject your business to a lawsuit, investigation or fine.

While many states require notification when "personal information" is compromised, state statutes define the term "personal information" differently. For instance, Pennsylvania defines "personal information" to include an individual’s first name, or first initial and last name, in combination with and linked with any of the following data elements, when the data elements are not encrypted or redacted:

  • Social Security number;
  • driver’s license number or a state identification card;
  • financial account number, credit or debit card number, in combination with any required security code, access code or password.

Some states, however, expand the definition of "personal information." For example, Maine does not require an individual’s first or last name to be included if that individual’s Social Security number, driver’s license number or financial account number gives sufficient information for an unauthorized person to fraudulently assume the identity of an individual.

Furthermore, states take different views over what qualifies as a data breach. Most states define a data breach as some form of unauthorized access to personal information. States such as Florida, Montana and Tennessee, however, narrowly define a data breach as the unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information. Significantly, the Florida statute does not require notification if, after an appropriate investigation, it is determined that the breach has not and will not likely result in harm.

Who Must Be Notified of a Data Security Breach Under The Act

The second issue businesses confront is who must be notified of a data security breach. Many states obviously require disclosure to the individual whose information has been compromised. Some states, however, require third-party notification. For instance, Massachusetts requires businesses that suffer a data security breach to notify the State Attorney General and Massachusetts Office of Consumer Affairs. New York requires businesses to notify the New York Attorney General, New York State Consumer Protection Board, New York State Office of Cyber Security & Critical Infrastructure Coordination and the New York Department of Consumer Affairs (provided a resident of New York City was affected by the breach).

Some states only require third-party notification in the event the data breach affects a certain number of that state’s residents. For instance, South Carolina and Virginia require businesses to provide notification to their respective state’s Consumer Protection Divisions only if the data breach affects more than 1,000 residents at one time.

Finally, many states require that in the event the data breach affects more than 1,000 individuals, businesses must "notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in Section 603 of the Fair Credit Reporting Act." These include the major credit reporting agencies: Experian, Equifax and TransUnion.

The Content of Notice

The third issue is the form and content of notices. While many states agree on certain basic information that must be included in a data breach notice, some states have unique requirements. For example, New Hampshire's data breach statute includes a provision requiring that the content of the notice to New Hampshire residents include the actual date of the alleged security breach. Massachusetts’ data breach statute also has a unique notice provision. The statute specifically states: "[t]he notice to be provided to the resident shall include, but not be limited to, the consumer’s right to obtain a police report, how a consumer requests a security freeze and the necessary information to be provided when requesting the security freeze, and any fees required to be paid to any of the consumer reporting agencies, provided however, that said notification shall not include the nature of the breach or unauthorized acquisition or use or the number of residents of the commonwealth affected by said breach or unauthorized access or use."

The Timing of Notice

The fourth issue confronted by businesses is the timing of notice. Many states do not set forth a specific deadline for notification. Other states have specific timelines for notification. New York requires businesses to notify residents of a data security breach within 120 days. Florida and Ohio require businesses to notify individuals within forty-five (45) days following discovery of the breach. Given these specific deadlines, any company or agency that collects and stores private information must be familiar with the data breach notification requirements of other states.

How to Avoid the Penalties of Non-Compliance

To avoid the consequences of non-compliance, businesses cannot take a "one size fits all" approach to data breach notification. Businesses entrusted with the obligation of storing private information must have a data security breach policy in place that allows them to effectively respond to a data breach incident. Such a policy should allow them to quickly identify the name and address of the individuals whose information was compromised. Once companies know the states in which customer information has been compromised, they can best develop a plan to notify affected individuals and ensure compliance with the data breach notification laws of the states in which their customers reside.

_______________________________________________________________

James E. Kurack, Jr., is a senior associate with the law firm of Obermayer Rebmann, Maxwell & Hippel LLP. He focuses his practice on representing businesses and individuals with respect to data security breach issues.

He can be reached at 215-665-3169 or james.kurack@obermayer.com.

The information contained in this publication should not be construed as legal advice, is not a substitute for legal counsel, and should not be relied on as such. For legal advice or answers to specific questions, please contact one of our attorneys.
