Detangling the Web of State Data Breach Notification Laws
Although most state statutes share key elements, there are major differences governing each. There is no one-size-fits-all approach that can answer the statute needs of every state.
Security breaches resulting in information leaks have become a major problem for victim companies in the United States. Since 2005, 608,278,176 records have been reported breached in 3,818 separate incidents. In the unfortunate event of a data breach, a company faces legal accountability to its consumers and to the state, often in the form of sizeable penalties or lawsuits from consumers whose privacy has been compromised. Companies are also subject to the meticulous, sometimes contradictory requirements of state data breach notification statutes. Today almost every state has its own breach notification statute, as do the District of Columbia, Guam, Puerto Rico, and the Virgin Islands. Only Alabama, Kentucky, New Mexico, and South Dakota are without data breach notification laws.
State notification laws are designed to be comprehensive, covering not only the companies that own or license the consumer’s sensitive personal information but also the third-party vendors involved in data management and control. Even when the breach occurs at the third party that manages the data, the company that owns the consumer’s information remains responsible for notifying the consumer.
Although most state statutes share key elements, there are major differences governing each. There is no one-size-fits-all approach that satisfies every state, since each state’s statute is amended independently over time. This article focuses on the variations in data breach notification laws across the country and examines the problems they pose for companies with consumers in multiple states.
The first step a company must take is to determine whether the breach involves a leak of ‘personal information’ as defined by the state’s breach notification law, since only such a leak triggers the statute. ‘Personal information’ can be defined in many different ways, but many state statutes adopt the same definition. Usually it is information that contains a user’s name together with at least one of the following: Social Security number, driver’s license number or state identification card number, or financial information (typically a credit card number, debit card number, or account number together with any codes or passwords needed to access the account).
The definition is continually revisited and amended in many other states, including Arkansas, California, and Missouri, which have added medical and health insurance information. Iowa extends the definition to include “unique biometric data, such as fingerprint, retina, or iris image, or another unique physical representation or digital representation of biometric data.”
In the Nebraska and Wisconsin statutes, ‘personal information’ covers the same biometric data as the Iowa statute, with the addition of voiceprints. Iowa’s statute also covers an individual’s DNA fingerprint, given the existence of a gene profile bank.
Other states add further elements, such as “An Individual Taxpayer Identification Number” in Maryland. Wyoming’s statute includes a tribal identification card and Oregon’s includes a passport number. In addition to the basic information common to most states, the North Dakota statute includes a person’s date of birth, mother’s maiden name, employer-provided identification number, and digitized or other electronic signature, and it was recently amended to include medical and health insurance information as well. As law and crime evolve, amendments to most state statutes are always possible.
Most states use an approach similar to strict liability, requiring notification if personal information “was or is reasonably believed to have been” obtained by an unauthorized person, regardless of the likelihood that the consumer will become the victim of identity theft, fraud, or other harm. How an incident is identified as a notifiable breach therefore varies from state to state according to its statute.
Other states take a different approach and permit companies to evaluate the risk of harm to consumers in determining whether to provide notification. In these states, notification is mandatory when the improperly obtained information might be misused, for example for identity theft. The factors a company may consider before sending notification vary widely, and some states require “in good faith, a reasonable and prompt investigation.”
Some states prescribe no particular method for determining whether the information might be misused, but the typical post-incident investigation process applies all the same.
Method of Notification
Another hoop companies must jump through is the set of notification methods each state prescribes. Almost every state notification statute explicitly allows companies to send written and email notification of the breach to possibly affected consumers. Many require that the email notification follow the “provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code.” This means that if a company decides to send email notification, it must have the consumer’s consent. Section 7001 states that the necessary consent may only be obtained after, among other requirements, the consumer has received specified information related to the consumer’s rights, the nature of the consent, the means by which the consumer can withdraw consent, and the hardware and software requirements for the email notice.
Wisconsin is the only state that does not allow electronic notification. The state requires that notice be given only by mail or by a method previously used to communicate with the consumer whose personal information has been compromised.
Notice by telephone is also acceptable, with restrictions in some states. There are 26 states that authorize telephonic notice. Michigan allows companies to notify consumers by phone, but prohibits the use of prerecorded messages and, unless the consumer has given express consent to telephonic notice, requires that a written notice or email be sent to the consumer within 3 business days after the initial attempt if the company is unable to reach the consumer by telephone.
Statutes also provide for substitute notice, which consists of a combination of email notification, a post on the company’s website, and publication in media circulating around the state. Substitute notice is permitted only if the company can show that direct notice would cost more than a specified threshold amount, or that the number of people who must be notified exceeds a threshold. It may also be used when the company does not have adequate contact information for the consumer to send notice by the usually accepted methods. Thresholds vary by state, with the low end at $5,000 or 1,000 individuals in Maine and New Hampshire. At the other end, 20 states permit substitute notice if the affected company can show that the cost will exceed $250,000 or that it must notify at least 500,000 individuals.
Content of Notification
The content of the notifications is also governed by state statutes. There are 16 states that prescribe particular content for the notifications. In California, for example, the extensive content requirements include (a) the name and contact information of the company; (b) the types of personal information subject to the breach; (c) the date of the breach (actual, estimated, or a range); (d) whether notice was delayed for a law enforcement investigation; (e) a general description of the incident; and, under certain circumstances, (f) contact information for the major credit reporting agencies.
Time Limit and Acceptable Delays
Most state statutes do not specify a set delay period. A delay may be necessary to allow the company to accommodate a law enforcement investigation before notifying consumers of the breach. Because no single delay period is appropriate for every case, these statutes set no exact time limit for breach notification, requiring only that companies provide notice “in the most expedient time” and/or “without unreasonable delay.”
Other states, however, have strict time limits, most requiring notice within 45 days of the breach. Under the Maine statute, if a company delays notification for law enforcement purposes, it must provide the consumer notice no more than seven days after being informed that such notice will no longer interfere with the investigation.
In the case of third-party vendors, some states require that consumers be notified immediately once a breach is discovered. Other states are more relaxed and allow notification “as soon as practicable.” The Florida statute requires a non-owner to notify the company that owns the personal information within 10 days of discovering the breach, while Georgia requires that the notification take place within 24 hours of breach discovery.
Whom to Notify
Breach notification statutes also vary from state to state in who must be notified. Twelve states require companies to notify the state attorney general, depending on the requirements of the state and the number of affected consumers. Many states also require that the major national credit reporting agencies be notified of a breach. In Massachusetts, a company that will be notifying any Massachusetts residents must notify the attorney general, the director of consumer affairs and business regulation, and, in due course, the credit reporting agencies. Georgia requires notification to credit agencies if the data breach requires the company to provide notice to more than 10,000 residents.
The Hawaii statute requires companies notifying more than 1,000 Hawaii residents to also notify the state’s Office of Consumer Protection in addition to the credit reporting agencies. The New Jersey statute requires that the state police be notified, while South Carolina requires notification to the state consumer protection division if more than 1,000 South Carolina residents are affected. In addition to the state attorney general, the New York statute requires that companies notify “the department of state and the state office of cyber security and critical infrastructure coordination.”
In some states, companies cannot sidestep their notification obligations by requiring consumers to contractually waive their notification rights. At least 16 states, including California and Illinois, hold that a consumer’s waiver of statutory notification rights is against public policy and therefore “void and unenforceable.”
Damages and Penalties
At the moment, not all states have penalty provisions for failure to comply with breach notification laws. Some states simply set a maximum civil penalty per breach, while others have a more complicated procedure that calculates the penalty based on the number of consumers affected. In Michigan, a company that deliberately fails to provide the mandatory notice to a consumer may face a civil fine of not more than $250 per failure, with a maximum fine of $750,000 for notification failures arising from the same security breach. Florida and Ohio both calculate penalties based on the length of the notification delay. The fine is $1,000 per day that the breach goes undisclosed for the first 30 days, and $50,000 for each day of delay after that, up to 180 days. If notification is not completed within 180 days, the company is subject to a fine of up to $500,000.
Some states impose penalties based on a combination of these approaches.
Private Rights of Action
A private right of action is explicitly provided for in some states so that consumers can take legal action against companies that compromised the privacy and security of their personal information. Companies that do not comply could face a great number of lawsuits in such states, including California and Virginia. As breaches occur more frequently nowadays, consumer-initiated litigation becomes a greater woe for victim companies.
For instance, in early 2013, plaintiffs in California filed a class action lawsuit against a wholesale food service company alleging a number of violations, one of them a violation of California’s data breach notification statute. The plaintiffs alleged that the food service company violated the notification statute “by failing to disclose [the data breaches] in the most expedient time possible and without unreasonable delay.” The claims arise from two separate data breaches: the plaintiffs were notified approximately 18 days after the company learned of the first breach and approximately 15 days after it learned of the second. The plaintiffs claim that the defendants ‘waited too long’ in both instances, and they seek statutory damages, actual damages, and punitive damages.
Without a universal approach to addressing network breaches, the process of consumer notification becomes a tangled web of meticulous and confusing requirements. As each state updates its laws, companies with multi-state operations are likely to fall foul of at least one notification statute whenever a breach occurs. Breach notifications are meant to alleviate damages, but without a uniform procedure, consumers are left waiting for notice that sometimes comes a little too late.
It is critical that companies maintain a comprehensive and regularly updated data breach response plan. Companies should also ensure that they have at their disposal trusted and experienced legal counsel to help identify the relevant laws and prepare compliant notifications. As the number of data breaches only increases over time, companies must know the state statutes that apply to them and keep their response plans current.