As a result, many people have had the unfortunate task of rebuilding their
credit rating while their financial life is put on hold. While state laws have
been enacted to address this growing problem, these statutes create new compliance
burdens for companies of all sizes with regard to both their business and employment
records.
As bills circulate in Congress, nearly all states have enacted legislation
of one form or another to help individuals protect their personal information
and avoid falling victim to identity theft. These measures range from codifying
the crime of identity theft and increasing civil and criminal penalties to requiring
specific protections for certain types of information, such as Social Security
numbers.
One such measure generally requires entities doing business in the particular
state to provide a notice when there has been an unauthorized breach of personal
information maintained by the entity. Variations of this measure are now on
the books in more than 30 states. While these "security breach notification
laws" may be good news for individuals, the enforcement provisions of these
laws significantly increase the exposure of many businesses to civil actions
by individuals and/or the state attorneys general with regard to the security
of the entity's business and employment records. Exposure to litigation and/or
penalties is enhanced for those businesses with large numbers of employees and
operations in more than one state. This article provides a general discussion
of the common provisions of these laws, as well as some areas where they differ.
The article also offers some preventive strategies.
Who Is Covered?
Most state security breach notification laws apply to any company doing business
in the state that owns or licenses information protected by the applicable state
law. However, in some states, entities required to notify individuals need not
own or license the information, but need only maintain it. While there generally
are no exceptions for small employers, Oklahoma (and until recently Indiana)
limits the application of the law to state agencies. In Georgia and Maine, the
laws apply only to those entities that are in the
business of collecting, maintaining, transferring, and evaluating personal
information for monetary fees or dues. In
these states, therefore, it is unlikely that private companies in their capacity
as employers would be affected.
Many of these laws also apply to entities that maintain such information,
but do not own or license it. For example, a company that provides data storage
services for other companies likely would fall into this category with regard
to the information it maintains for others. In most cases, these companies generally
are required to notify only the company that owns or licenses the information,
but not the individuals who are the subject of the information which has been
breached. In some states, such as Arizona and Florida, the owners and non-owners
of the information may enter into an agreement with regard to who will provide
the notice to individuals.
Some of the states have expressly excluded or deemed to be in compliance
certain entities that have similar obligations under other statutes, regulations,
or programs such as:
- The Gramm-Leach-Bliley Act of 1999 (15 USC § 6801 et seq.)
- The Federal Interagency Guidance Response Programs for Unauthorized
Access to Consumer Information and Consumer Notice
- The privacy and security regulations issued under the Health Insurance
Portability and Accountability Act of 1996 (HIPAA) (45 CFR Parts 160 and
164). Employers, however, generally are not subject to the privacy and security
regulations issued under HIPAA. Instead, it is, for example, the health
plan that the employer sponsors that is subject to those requirements under
HIPAA. Accordingly, it follows that the exemption under these state laws
would apply to covered entities under HIPAA, not companies in their capacity
as employers.
- Rules, regulations, procedures, or other guidance established by the
entity's primary or functional federal regulator.
Who Is Protected?
Because these statutes are primarily aimed at preventing identity theft,
they generally protect the personal information of all individuals residing
in the state.
What Information Is Protected?
Most state breach notification laws protect "personal information," which
typically is defined as the first name or first initial and last name of an
individual in combination with the individual's (1) Social Security number,
(2) driver's license number, (3) state identification number, or (4) financial
account, debit, or credit card number in combination with any required security
code, access code, or password that would permit access to an individual's account.
Virtually all state breach notification laws exclude public information from
the definition of personal information. In most states with this kind of legislation,
a company that is not otherwise exempt will have to comply with respect to the
personal information it collects, handles, and maintains in the course of its
business, as well as the personal information it collects, handles, and maintains
as an employer.
A handful of states cast a wider net on the types of information that are
protected. In North Dakota, for example, "personal identifying information"
also includes information such as the identification number assigned to an individual
by his or her employer, the maiden name of the individual's mother, and the
individual's digital signature. Similarly, in Georgia, if any of the items described
in (1) through (4) above are breached, and that information is sufficient to
perform or attempt to perform identity theft, even if the person's first or
last name has not been breached, notification likely would be required. In Arkansas,
notification is required if medical information is breached.
Note, however, that almost all states provide what is, in effect, a safe
harbor for encrypted information. That is, if otherwise protected personal information
is subjected to an unauthorized breach, but the information is encrypted, notification
is not required. However, where the breach also gives access to the keys for
decrypting the encrypted information, the information will be treated as if
it were not encrypted, and notification will be required. Thus, one way to limit
exposure under these statutes is to encrypt all of the information that is subject
to these laws; provided, however, that the encryption key is not also
accessed.
When Is a Notification Triggered?
Notification is not automatically triggered in all states where there has
been an unauthorized breach of systems containing electronic personal information.
For example, in some states a notice is not required if, after an investigation,
the company determines that the breach likely will not result in harm or the
misuse of the information. In Connecticut, a company may make this determination
after consultation with law enforcement. In Florida and New Jersey, if a company
determines notice is not required because it finds misuse of the information
is not reasonably possible, that determination must be documented and retained
for 5 years. Of course, other states require a notice regardless of whether
there is a likelihood that harm will result.
Most state laws provide that a breach generally is not considered to have
occurred, and, therefore, no notice is required where the personal information
was acquired in good faith by an employee or agent of the business for legitimate
business reasons, provided the information is not used for a purpose unrelated
to the business or subject to further unauthorized disclosures.
Who Must Be Notified?
Where a notification requirement has been triggered, all states require that
notice be provided to the affected residents of the state. Notice to residents
is all that is required in California. In New Jersey, however, the state police
must be notified before affected residents. In Delaware, notice must also be
provided to the state's Department of Justice. Many states' breach-notification
laws also provide that in the case of a single breach, where the number of affected
residents exceeds a certain amount (often 1,000), the covered businesses must
notify consumer reporting agencies, and in some cases certain state agencies.
What Are the Form/Content/Timing Requirements for the Notice?
Form. In general, state breach notification
laws permit the notifications to be provided by either regular or electronic
mail. Notice via telephone also is permitted in states such as Arizona, Colorado,
Connecticut, Hawaii, Montana, and New York. However, under circumstances where
providing notice is a significant burden, virtually all states permit a substitute
notice to be used in place of notifying each affected person individually. For
example, a substitute notice is permitted in California if: (1) the cost to
provide the notice exceeds $250,000, (2) more than 500,000 individuals are affected,
or (3) the company does not have up-to-date contact information.
The substitute notice option generally is fulfilled where the business:
- E-mails the notice to those individuals for whom it has an address;
- Posts the notice in a conspicuous spot on the company's website, and
- Publishes a notice in statewide media.
Content. Most states do not require that any
specific content be included in a notice to an individual that their personal
information has been breached. Some states, however, have provided more specific
requirements for the notice. For example, Hawaii requires that the notice be
"clear and conspicuous" and include the following information:
- A description of the incident;
- The types of personal information subject to the breach;
- The actions taken by the company to protect the information;
- A telephone number the individual can call for additional information,
if one exists; and
- Advice directing the person to remain vigilant by reviewing account
statements and monitoring free credit reports.
New Hampshire, New York, and North Carolina have similar content requirements
for the notice. In Wisconsin, the company must indicate that it knows of the
unauthorized use of personal information pertaining to the individual.
Timing. All states generally require that
the notice must be provided as soon as possible and without unreasonable delay,
usually taking into account any measures necessary to determine the scope of
the breach and to restore protections to the system breached. In addition, all
states other than Illinois permit a delay where the notification would hinder
a criminal investigation. Florida, Ohio, and Wisconsin, however, state that
while the notice must be provided as soon as possible, it must not be provided
later than a specific number of days—Florida and Ohio 45 days and Wisconsin
15 days.
Enforcement/Penalties
There generally are two avenues by which these breach notification statutes
are enforced: private rights of action by individuals and actions by the state
Attorney General for civil penalties, damages, and/or injunctive relief. Examples
include:
- In Arizona: enforcement only by the Attorney General, who may bring an action
to obtain actual damages for a willful and knowing violation and civil penalties
not to exceed $10,000.
- In California, Utah, and Washington: individuals have a private right
of action against violators.
- In Delaware and New Hampshire: residents of the state who are damaged
by a violation of the statute have a private right of action and may obtain triple the amount of actual damages, plus
reasonable attorney fees.
- In Florida: businesses that fail to timely provide notice are subject
to significant administrative penalties based on the time notice is provided;
penalties can be up to $500,000.
- In Louisiana: a private right of action is permitted for actual damages.
- In Nevada: the entity maintaining the personal information that provides
notice pursuant to the state's statute—the "data collector"—may sue the
person that unlawfully obtained or benefited from personal information obtained
from records maintained by the data collector and, if successful, may recover
damages including the reasonable costs of notification, reasonable attorney
fees, and punitive damages.
- In New York: while the statute does not provide for a private right
of action, the Attorney General may recover actual and consequential damages
for residents affected by the failure to notify.
- In Texas: the Attorney General can recover civil penalties of at least
$2,000 but not more than $50,000.
- In Wisconsin: compliance with the statute is not a defense to civil
claims. However, a failure to comply with the statute does not in and of
itself constitute negligence or a breach of a legal duty, although it may
be evidence of such.
Preventive Strategies
Below are some preventive strategies companies can use to address and comply
with these state breach notification requirements.
- Perform an internal audit designed to (a) identify information maintained
in the organization that is subject to breach notification laws; (b) map
the flow of that information throughout the organization; and (c) assess
the risks of unauthorized access and disclosure. This internal audit should
include locating information that is maintained by third parties on behalf
of the organization.
- Determine whether it is possible to collect, reformat, and/or maintain
the information in a way that would cause it not to be "personal information"
as defined in the applicable breach notification statute(s). For example,
some insurance companies have become more willing to use an internally generated
identification number in lieu of an insured's Social Security number.
- Because many of the breach notification statutes do not require notification
for breaches of encrypted information where the key to the encryption has
not also been breached, consider encrypting the personal information maintained
by the company.
- If personal information must be maintained and encryption is not possible
in all cases, adopt policies and procedures to strengthen the privacy and
security of that information. Take measures analogous to those required
under the HIPAA privacy and security regulations, which are a good model
for this purpose.
- Develop protocols to be followed when the organization learns of a breach
of personal information—identify who is in charge of determining whether
there has been a breach, whether notification is required, how notice will
be provided, what the content of the notice will be, communicating with
law enforcement if applicable, etc.
- For companies in multiple jurisdictions, instead of trying to deal with
each state's requirements individually, consider formulating one common
policy based on all of the applicable states that will satisfy all of the
requirements in the respective states.
- Train employees accordingly.
- Develop a record retention policy so that records are maintained no
longer than is necessary; destroy information no longer needed.
- Obtain written assurances from third parties that receive or maintain
personal information on your behalf that they are aware of and prepared
to comply with these and similar laws.
- Monitor legal developments, including pending federal legislation which
may affect the state laws discussed in this article.
Conclusion
Breach notification laws are just one measure states are taking to protect
the personal information of residents in their state. Many measures are already
on the books, with more likely on the way. Companies, therefore, should develop
an overall strategy for protecting information from unauthorized access and
for effectively responding when a breach occurs.