Today, unfortunately, it seems that data breaches are more of a “when it happens to your company,” and not a question of “if it happens to your company.” And it’s a virtual certainty that your business possesses personally-identifiable information of individual residents of different states – whether customers, employees, or third parties – that could be compromised if your business suffers a data breach. Consequently, if your company finds itself as the victim of a data breach, a swift response will likely be required – including a quick assessment of your obligations under the data breach laws of various jurisdictions.
For the first time since states began enacting their own data breach notification laws, all 50 states have now enacted some form of legislation requiring private or governmental entities to notify individuals in such states of security breaches involving their personally identifiable information. Alabama and South Dakota, the last holdouts, enacted their own data breach notification laws to go into effect June 2018 and July 2018, respectively.
In light of this milestone, we thought it would be helpful to re-familiarize our clients and friends with a few of the common elements of state data breach notification statutes, their differences, and why companies should constantly remain vigilant as states consider measures that would amend their existing data breach laws. Here is what you need to be aware of if you collect, process, or store personally-identifiable information about residents of various states.
State data breach laws generally affect businesses that collect personal information from consumers in a particular state; however, each state may have a slightly (or substantially) different definition of what “personal information” or “personally identifiable information” is covered by that state’s data breach laws. (Since the various state statutes employ differing terminology to describe this personal information, this article will use the term “PII” as shorthand for protected personal information that is covered by a given state’s data breach laws.)
The variations in the state data breach statutes extend not only to the definition of what constitutes PII, but can also vary in: (1) what circumstances trigger obligations to notify that a data breach has occurred; (2) parties to whom notification is required; (3) what information should be included in the notification; and (4) enforcement rights afforded to the state and to individuals affected by the data breach. These distinctions can make multi-state notifications of a data breach difficult, especially since no “generally-applicable” data breach notification law has been enacted at the federal level.
Also, be aware that, depending on the industry in which you operate, and also the types, sources, and location of the data involved in a breach, a data breach may also trigger specific obligations under U.S. federal law and perhaps even under the laws of other countries. A discussion of these federal and international data breach obligations is outside the scope of this article – but you should nonetheless keep them in mind and consult with your attorneys to determine whether they are applicable to your business.
State Data Breach Notification Statutes – What To Look Out For
1. Notification Trigger: Determining whether you are obligated by a given state’s law to give notification of a data breach – whether to the affected individuals, to governmental authorities, or perhaps even to other third parties – depends on a careful comparison of the facts of the breach to the precise wording of the applicable statute. In short, you will need to ascertain – likely, very quickly – first, whether the breach is covered by the laws of the given state and, if so, whether the breach itself rises to the level that triggers notification obligations under the applicable statute.
a. Is the information that was breached covered by the laws of a given state? Coverage of such state laws usually applies to the PII of a resident of the subject state. Thus, if you have a data breach, one of the first steps you must take to understand your possible obligations under state data breach laws is to inventory the data to determine (1) to whom the data relates (i.e., which state’s laws may apply to a given individual whose data was breached), and (2) the types of data affected. These are generally the two critical components in determining whether a given state’s data breach laws are implicated in a breach incident.
Once you have identified that a breach affects an individual resident of a given state, you must then assess whether the data that was breached is “PII” within the meaning of the relevant state statute. This second step can be tricky due to the statutes’ varying – and often broad – definitions for what constitutes PII. All of the states, for example, define PII to include the combination of an individual’s name with some type of financial account information such as credit and debit card numbers. However, some states – including Georgia – go farther, extending the scope of their data breach laws to include information that could be used to perform identity theft, even if the individual’s name was not part of the information that was breached. Colorado, for example, recently enacted legislation that expands the current statute’s definition of PII to include: (1) usernames or email addresses, in combination with a password or security questions that would grant access to an online account; and (2) account numbers, or credit or debit card numbers, in combination with any required security code, access code, or password that would permit access to the associated account.
b. Does the breach trigger notification obligations under the applicable statute? State statutes differ as to the criteria for determining whether a company must notify an individual of a data breach. Some states’ laws apply to all businesses equally, while others only apply to certain specified industries. Furthermore, a given statute may specify that the breach must rise to a certain level of severity – based on, for example, number of individuals affected, or likelihood of harm to affected individuals – before there is an obligation to notify others of the breach. Some laws, such as South Dakota’s data breach statute, require reasonable belief that an individual’s PII has been actually acquired in order to trigger the statutory disclosure requirements, while other states, like Connecticut, require notification if there is reasonable belief of unauthorized access to an individual’s PII, even if it is not yet known whether a third party actually acquired the information or gained control of it. In still other states, notification of a breach may not be required unless there is a finding that the breach creates a risk of misuse or harm to the individual.
2. Parties to Whom Notification is Required: If the facts of the data breach trigger notification obligations under a given state’s data breach laws, then you must pay close attention to the statute’s specific requirements regarding to whom notification must be given under the circumstances. In addition to notifying affected individuals, some states require disclosure to the state attorney general and/or to the credit reporting agencies. For example, Alabama’s statute requires providing written notice of the breach to the state Attorney General if the number of Alabama individuals affected by the breach exceeds 1,000. Arizona recently amended its data breach statute to also require notification in writing to the “three largest nationwide consumer reporting agencies” and the attorney general if the breach requires notification to more than 1,000 individuals. South Dakota, however, does not set a threshold for notification and requires that all national credit reporting agencies be notified “without unreasonable delay” if a company is obligated to notify any individuals (even just one) of a data breach.
3. Notification Requirements – Content and Timing: Some states require that certain specific information be provided to the affected individual. Alabama, for example, requires that each notice include, at a minimum: (a) the date, estimated date, or estimated date range of the breach; (b) a description of the PII that was acquired by an unauthorized person as part of the breach; (c) a general description of the actions taken by the company to restore the security and confidentiality of the PII involved in the breach; (d) information as to how a consumer can protect herself from identity theft; and (e) the company’s contact information so that an individual may contact the company to inquire about the breach.
State laws also vary in the timing required for disclosing the breach to affected individuals. Arizona recently amended its data breach statute to require disclosure to affected individuals within 45 days after determination that there was a security system breach, while Colorado recently amended its statute to require notice within 30 days. However, many states do not provide a specific timeframe for notification, which means that determining whether your notification of a breach is “prompt enough” may be at your own peril. Texas, for example, requires disclosure to be made “as quickly as possible” after discovery, while numerous other states impose a uniform – but vague – requirement that notification be given “in the most expedient time possible and without unreasonable delay.”
4. Parties’ Enforcement Rights: In the majority of states, only a state official can enforce the data breach notification laws. However, a small number of states provide affected individuals with a private right of action. In such states, private parties can sue for violations of the state data breach notification laws. California, for example, allows any person injured due to a violation of its data breach notification law to institute a civil action to recover damages, and allows affected individuals to recover a civil penalty of up to $3,000 per violation for any willful, intentional, or reckless violation of the statute.
Despite the fact that only a minority of states currently provide affected individuals with a private right of action, companies should nonetheless work to comply with such state statutes in a timely manner to avoid the risk of an enforcement action by not only the state attorney general, but also by the Federal Trade Commission (“FTC”). Failure to comply with applicable state law – and the publicity associated with an enforcement action by the state – increases the likelihood that the FTC will take notice of the data breach. The FTC has brought numerous enforcement actions against companies concerning poor security practices, alleging that such companies failed to adequately protect the security of individuals’ PII. Such enforcement actions can result in civil penalties and onerous reporting requirements.
In summary: if your company finds that it has suffered a data breach, you will need to move quickly to determine the scope of your legal obligations under various state data breach laws. The first line of attack to determine which states’ breach notification laws apply should be to analyze to whom the affected data relates and what type(s) of data was involved – and then work with your attorneys to ascertain whether a given state’s data breach laws apply and, if so, what your company will need to do to comply with them. The facts and circumstances of every data breach are different, and not every breach will necessitate a multi-state response, however, we hope this article heightens your awareness of the issues you will need to consider, and the inquiries you will need to quickly undertake, in the unfortunate event that your company experiences a data breach.
If you have questions regarding state breach notification laws that may apply to your company, please contact Laura Arredondo-Santisteban at LArredondo@fh2.com.
