Data Breach Notification Laws

Question 1

How many states have data breach notification laws?

Answer 1

all 50

Question 2

preemption of state data breach notification laws

Answer 2

Fair and Accurate Credit Transactions Act (FACTA) preempted many state laws related to consumer credit reports, but states retained power to enact laws addressing identity theft

Question 3

What are the key components of state data breach notification laws?

Answer 3

• key terms such as definition of personal information, covered entities and security breach
• notification requirements
• enforcement

Question 4

What does “personal information” cover under state data breach notification laws?

Answer 4

in majority of laws, includes individual’s first name or first initial and last name in combination with any one, or more, the following data:
1. SS #
2. driver’s license # or state ID card #
3. financial account # or credit/debit card #, often in combination with any required security code, access code, or passwords that would permit access to an individual’s financial account

Question 5

What does “covered entities” include under state data breach notification laws?

Answer 5

in most states, “covered entities” include those:
1. that conduct business in the state; and
2. that, in the ordinary course of such person’s business, maintain computerized data that includes PI

Question 6

What is defined as a “security breach” under state data breach notification laws?

Answer 6

often includes following elements:

• unauthorized access to or acquisition of electronic files or computerized data containing personal information, which compromises confidentiality, security or integrity of information
• when access to the PI has not been secured by encryption or any other method; or
• technology that renders the PI unreadable or unusable

nearly all states apply a risk-of-harm analysis in determining whether an incident involving personal data constitutes a regulated breach

Question 7

Who do you typically notify under state data breach notification laws?

Answer 7

typically affected parties, state AG or other state agencies and nationwide CRAs

• primary recipients are those state residents who are at risk because their PI has (potentially) been exposed based on the level of unauthorized access or harm
• ⅔ of states require covered entities that have detected a data breach to notify state AG and/or other state agencies
• ⅔ of states require notify CRAs of a data breach

Question 8

When do you notify of a breach under state data breach notification laws?

Answer 8

common phrase is “as expeditiously as possible and without unreasonable delay” which allows affected entity to conduct a reasonable investigation to determine scope of breach and restore reasonable integrity of data system

• numerous states specify limit with 45 days after discovery of breach being most common
• industry best practice is to report within 30 days after discovery

Question 9

What do you include in a notification letter under state data breach notification laws?

Answer 9

almost ½ of states mandate specific content be included in the notification such as:

• description of incident in general terms
• approximate date of incident
• description of type of PI that was subject to unauthorized access and acquisition
• description of general acts of business to protect PI from further unauthorized access
• telephone # for business that person may call for further information and assistance
• conspicuous notice on company’s website indicating how person may contact company for further info
• list of steps person may take to protect against identity theft
• toll-free numbers and addresses for major consumer reporting agencies
• toll-free numbers, addresses and websites for FTC and relevant offices of AG, along with statement that the individual can obtain info from these sources about preventing identity theft

Question 10

How should you notify under state data breach notification laws?

Answer 10

generally focus on providing written notification to affected parties using postal mail (email or telephone usually OK if affected party has opted into that mode of communication)

Question 11

What are the notice requirements for state AGs under state data breach notification laws?

Answer 11

• approximately ⅔ of states require entities who detected a data breach to notify state AG and/or other state agencies
• ½ of states have threshold for # of people affected (either state residents or total # of individuals)
• most commonly focuses on notice being made as soon as possible, and often mirrors req for notice to affected individuals

Question 12

What are the notice requirements for CRAs under state data breach notification laws?

Answer 12

• ⅔ of states require entities notify nationwide CRAs of a data breach
• most common approach is without unreasonable delay

Question 13

What are four exceptions to providing data breach notification under state data breach notification laws?

Answer 13

• entities subject to another more stringent data breach notification law (e.g., HIPAA and GLBA)
• entities subject to own notification policy
• data subject to safe harbor provision within state data breach notification law (all laws include safe harbor for data that was encrypted, redacted, unreadable or unusable and encryption exception typically applies only when key remains secure)
• can delay when data breach is suspected to be result of criminal activity for a reasonable period of time if law enforcement determines the notification will impede a criminal investigation

Question 14

What does enforcement look like under state data breach notification laws?

Answer 14

in each of 50 states, covered entities subject to civil penalties if they violate state data breach notification law

• in ⅓ of states, state AG can impose fines
• in nearly 15 states, affected parties can file lawsuit pursuant to state law’s private right of action to recover for damages due to breach
• CA has statutory damages of $100-$750 per incident