Given the unrelenting onslaught of cyber attacks peppering the news, it is a good time for inside counsel to brush up on the laws designed to address data breaches. In a prior column, I discussed potential theories of civil liability for data breaches. Here, we take a bird’s eye view of state laws mandating notification in the event of unauthorized access to personal information.
Almost every state has such laws. While they vary in their specifics, the basic elements of these statutes are the same. Since we don’t have enough space to do a detailed analysis of each and every one of these statutes, we will instead review the common elements and illustrative examples. For those interested in a deeper dive, an excellent resource can be found online.
The foundation of data breach notification laws is the definition of personal information, the unauthorized acquisition of which may trigger the notification provisions. A primary focus of these laws is to protect people against various forms of identity theft. Accordingly, the statutory definitions of personal information cover data that is not normally publicly available and that is associated with a person’s name. This kind of data can be used to provide false authentication or unauthorized access to accounts or other potentially valuable assets. While there are some differences in the laws of various states, personal information typically includes a combination of a person’s name, address or phone number linked with: a) a social security number, b) a driver’s license or other state identification number, or c) account numbers along with any security code or password required to access the account. Some states also include medical or health insurance information.
Another key factor is the definition of what constitutes a security breach. Unauthorized acquisition of personal information almost certainly qualifies. In some states, a reasonable belief of unauthorized access also qualifies. The latter can arise under circumstances where it has been determined that a security breach permitting access has occurred, but the available facts are not sufficient to show that personal information was actually accessed, even though such access was available.
When personal information has been breached under the definitions set forth in the statute, the provisions governing whether notice is required are triggered. Notice to state residents whose information was breached is required under most statutes. However, state laws vary on this point. For example, the law may not require notification to the individual if the entity maintaining the personal information conducts an appropriate investigation, provides written notification to the attorney general and determines that there is no reasonable likelihood of harm to the individual.
Notification to consumer reporting agencies is also commonly required under certain circumstances. Typically, such notification is triggered based on the number of individuals who had to be notified under the statute. The threshold generally falls in the range of 500 to 1,000 individuals.
Data breach laws also address the timing of notification. When notification is required, it must be given as soon as possible. Reasonable delay is permitted insofar as necessary to investigate and restore the integrity of the system that was breached.
Various modes of notification are available to affected entities. For example, good old-fashioned written or telephonic notice may be sufficient. Under certain situations electronic notice may also be an option. Where statutory conditions for allowing electronic notice are not present, a substitute may be available if certain thresholds are met. For example, under Alaska’s statute, if the cost of providing notice exceeds $150,000 or more than 300,000 individuals must be notified, substitute notice including a combination of email notice, conspicuous posting on the entity’s Web site and notification to major statewide media may be utilized.
However, some of the laws recognize that law enforcement investigations of cybercrime may warrant suspending notice requirements. It is harder to catch the perpetrator if it knows it has been discovered. Accordingly, notice may be delayed temporarily until the law enforcement agency conducting the investigation determines that such notice will no longer impede the investigation.
Violations of breach notification laws carry financial penalties. Civil penalties in the range of several hundred dollars for each state resident notified, with a cap of about ten times that amount, are normal. There are other kinds of provisions in various state laws that are not covered here. For example, there may be special provisions for third parties who operate systems that maintain personal information, but do not own or have the right to license that data. There are also provisions dictating whether a private right of action exists under the statute, and different treatment in various respects if the entity that was breached is a governmental agency.
It is hardly controversial to observe that it is becoming increasingly likely that personal information has been or will be the target of unauthorized access. Such unauthorized access may be at the hands of organized crime syndicates operating in jurisdictions outside the reach of U.S. law enforcement, or simply the result of lax security practices. Regardless of the cause of unauthorized access to personal information, business enterprises and others entrusted with such data need to be cognizant of breach notification laws and the nuances in the statutes enacted by different states.
The views expressed are those of the author and do not necessarily represent the views of Ernst & Young LLP.