Expert Commentary

Responding to an Unauthorized Breach of Electronic Personal Information

Employment Practices
November 2006

Instances of identity theft, stolen laptops, unauthorized entries into electronic databases, and similar attacks on personal data have risen significantly both with regard to their frequency and the number of persons affected. As a result, many people have had the unfortunate task of rebuilding their credit rating while their financial life is put on hold. While state laws have been enacted to address this growing problem, these statutes create new compliance burdens for companies of all sizes with regard to both their business and employment records.

As bills circulate in Congress, nearly all states have enacted legislation of one form or another to help individuals protect their personal information and avoid falling victim to identity theft. These measures range from codifying the crime of identity theft and increasing civil and criminal penalties to requiring specific protections for certain types of information, such as Social Security numbers.

One such measure generally requires entities doing business in the particular state to provide a notice when there has been an unauthorized breach of personal information maintained by the entity. Variations of this measure are now on the books in more than 30 states. While these "security breach notification laws" may be good news for individuals, the enforcement provisions of these laws significantly increase the exposure of many businesses to civil actions by individuals and/or the state attorneys general with regard to the security of the entity's business and employment records. Exposure to litigation and/or penalties is enhanced for those businesses with large numbers of employees and operations in more than one state. This article provides a general discussion of the common provisions of these laws, as well as some areas where they differ. The article also offers some preventive strategies.

Who Is Covered?

Most state security breach notification laws apply to any company doing business in the state that owns or licenses information protected by the applicable state law. However, in some states, entities required to notify individuals need not own or license the information; they need only maintain it. While there generally are no exceptions for small employers, Oklahoma (and until recently Indiana) limits the application of the law to state agencies. In Georgia and Maine, the laws apply only to entities that are in the business of collecting, maintaining, transferring, and evaluating personal information for monetary fees or dues. In these states, therefore, it is unlikely that private companies in their capacity as employers would be affected.

Many of these laws also apply to entities that maintain such information, but do not own or license it. For example, a company that provides data storage services for other companies likely would fall into this category with regard to the information it maintains for others. In most cases, these companies generally are required to notify only the company that owns or licenses the information, but not the individuals who are the subject of the information which has been breached. In some states, such as Arizona and Florida, the owners and non-owners of the information may enter into an agreement with regard to who will provide the notice to individuals.

Some of the states have expressly excluded, or deemed to be in compliance, entities that already have similar obligations under other statutes, regulations, or programs, such as:

  • The Gramm-Leach-Bliley Act of 1999 (15 USC § 6801 et seq.)
  • The Federal Interagency Guidance on Response Programs for Unauthorized Access to Consumer Information and Consumer Notice
  • The privacy and security regulations issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (45 CFR Parts 160 and 164). Employers, however, generally are not subject to the privacy and security regulations issued under HIPAA. Instead, it is, for example, the health plan that the employer sponsors that is subject to those requirements under HIPAA. Accordingly, the exemption under these state laws would apply to covered entities under HIPAA, not to companies in their capacity as employers.
  • Rules, regulations, procedures, or other guidance established by the entity's primary or functional federal regulator.

Who Is Protected?

Because these statutes are primarily aimed at preventing identity theft, they generally protect the personal information of all individuals residing in the state.

What Information Is Protected?

Most state breach notification laws protect "personal information," which typically is defined as the first name or first initial and last name of an individual in combination with the individual's (1) Social Security number, (2) driver's license number, (3) state identification number, or (4) financial account, debit, or credit card number in combination with any required security code, access code, or password that would permit access to an individual's account. Virtually all state breach notification laws exclude public information from the definition of personal information. In most states with this kind of legislation, a company that is not otherwise exempt will have to comply with respect to the personal information it collects, handles, and maintains in the course of its business, as well as the personal information it collects, handles, and maintains as an employer.

A handful of states cast a wider net over the types of information that are protected. In North Dakota, for example, "personal identifying information" also includes information such as the identification number assigned to an individual by his or her employer, the maiden name of the individual's mother, and the individual's digital signature. Similarly, in Georgia, if any of the items described in (1) through (4) above is breached, and that information is sufficient to perform or attempt to perform identity theft, notification likely would be required even if the person's first or last name has not been breached. In Arkansas, notification is required if medical information is breached.

Note, however, that almost all states provide what is, in effect, a safe harbor for encrypted information. That is, if otherwise protected personal information is subjected to an unauthorized breach, but the information is encrypted, notification is not required. However, where the breach also gives access to the keys needed to decrypt the information, the information will be treated as if it were not encrypted and notification will be required. Thus, one way to limit exposure under these statutes is to encrypt all of the information that is subject to these laws, provided that the encryption key is kept where it cannot be accessed in the same breach.

When Is a Notification Triggered?

Notification is not automatically triggered in all states when there has been an unauthorized breach of systems containing electronic personal information. For example, in some states a notice is not required if, after an investigation, the company determines that the breach likely will not result in harm or the misuse of the information. In Connecticut, a company may make this determination after consultation with law enforcement. In Florida and New Jersey, if a company determines notice is not required because it finds misuse of the information is not reasonably possible, that determination must be documented and retained for 5 years. Other states, of course, require a notice regardless of whether there is a likelihood that harm will result.

Most state laws provide that a breach generally is not considered to have occurred, and therefore no notice is required, where the personal information was acquired in good faith by an employee or agent of the business for legitimate business reasons, provided the information is not used for a purpose unrelated to the business and is not subject to further unauthorized disclosure.

Who Must Be Notified?

Where a notification requirement has been triggered, all states require that notice be provided to the affected residents of the state. Notice to residents is all that is required in California. In New Jersey, however, the state police must be notified before affected residents. In Delaware, notice must also be provided to the state's Department of Justice. Many states' breach-notification laws also provide that in the case of a single breach, where the number of affected residents exceeds a certain amount (often 1,000), the covered businesses must notify consumer reporting agencies, and in some cases certain state agencies.

What Are the Form/Content/Timing Requirements for the Notice?

Form. In general, state breach notification laws permit the notifications to be provided by either regular or electronic mail. Notice via telephone also is permitted in states such as Arizona, Colorado, Connecticut, Hawaii, Montana, and New York. However, under circumstances where providing notice is a significant burden, virtually all states permit a substitute notice to be used in place of notifying each affected person individually. For example, a substitute notice is permitted in California if: (1) the cost to provide the notice exceeds $250,000, (2) more than 500,000 individuals are affected, or (3) the company does not have up-to-date contact information.

The substitute notice option generally is fulfilled where the business:

  • E-mails the notice to those individuals for whom it has an address;
  • Posts the notice in a conspicuous spot on the company's website; and
  • Publishes a notice in statewide media.

Content. Most states do not require any specific content to be included in a notice to an individual that his or her personal information has been breached. Some states, however, have provided more specific requirements for the notice. For example, Hawaii requires that the notice be "clear and conspicuous" and include the following information:

  • A description of the incident;
  • The types of personal information subject to the breach;
  • The actions taken by the company to protect the information;
  • A telephone number the individual can call for additional information, if one exists; and
  • Advice directing the person to remain vigilant by reviewing account statements and monitoring free credit reports.

New Hampshire, New York, and North Carolina have similar content requirements for the notice. In Wisconsin, the company must indicate that it knows of the unauthorized use of personal information pertaining to the individual.

Timing. All states generally require that the notice must be provided as soon as possible and without unreasonable delay, usually taking into account any measures necessary to determine the scope of the breach and to restore protections to the system breached. In addition, all states other than Illinois permit a delay where the notification would hinder a criminal investigation. Florida, Ohio, and Wisconsin, however, state that while the notice must be provided as soon as possible, it must not be provided later than a specific number of days—Florida and Ohio 45 days and Wisconsin 15 days.

Enforcement/Penalties

There generally are two avenues by which these breach notification statutes are enforced: private rights of action by individuals and actions by the state Attorney General for civil penalties, damages, and/or injunctive relief. Examples include:

  • In Arizona: enforcement only by the Attorney General, who may bring an action to obtain actual damages for a willful and knowing violation and civil penalties not to exceed $10,000.
  • In California, Utah, and Washington: individuals have a private right of action against violators.
  • In Delaware and New Hampshire: residents of the state who are damaged by a violation of the statute have a private right of action and may obtain triple the amount of actual damages, plus reasonable attorney fees.
  • In Florida: businesses that fail to provide timely notice are subject to significant administrative penalties that scale with how late the notice is provided; penalties can be up to $500,000.
  • In Louisiana: a private right of action is permitted for actual damages.
  • In Nevada: the entity maintaining the personal information that provides notice pursuant to the state's statute—the "data collector"—may sue the person that unlawfully obtained or benefited from personal information obtained from records maintained by the data collector and, if successful, may recover damages including the reasonable costs of notification, reasonable attorney fees, and punitive damages.
  • In New York: while the statute does not provide for a private right of action, the Attorney General may recover actual and consequential damages for residents affected by the failure to notify.
  • In Texas: the Attorney General can recover civil penalties of at least $2,000 but not more than $50,000.
  • In Wisconsin: compliance with the statute is not a defense to civil claims. However, a failure to comply with the statute does not in and of itself constitute negligence or a breach of a legal duty, although it may be evidence of such.

Preventive Strategies

Below are some preventive strategies companies can use to address and comply with these state breach notification requirements.

  1. Perform an internal audit designed to (a) identify information maintained in the organization that is subject to breach notification laws; (b) map the flow of that information throughout the organization; and (c) assess the risks of unauthorized access and disclosure. This internal audit should include locating information that is maintained by third parties on behalf of the organization.
  2. Determine whether it is possible to collect, reformat, and/or maintain the information in a way that would cause it not to be "personal information" as defined in the applicable breach notification statute(s). For example, some insurance companies have become more willing to use an internally generated identification number in lieu of an insured's Social Security number.
  3. Because many of the breach notification statutes do not require notification for breaches of encrypted information where the encryption key has not also been breached, consider encrypting the personal information maintained by the company and storing the key separately from the data.
  4. If personal information must be maintained and encryption is not possible in all cases, adopt policies and procedures to strengthen the privacy and security of that information. Take measures analogous to those required under the HIPAA privacy and security regulations, which are a good model for this purpose.
  5. Develop protocols to be followed when the organization learns of a breach of personal information—identify who is in charge of determining whether there has been a breach, whether notification is required, how notice will be provided, what the content of the notice will be, communicating with law enforcement if applicable, etc.
  6. For companies in multiple jurisdictions, instead of trying to deal with each state's requirements individually, consider formulating one common policy based on all of the applicable states that will satisfy all of the requirements in the respective states.
  7. Train employees accordingly.
  8. Develop a record retention policy so that records are maintained no longer than is necessary; destroy information no longer needed.
  9. Obtain written assurances from third parties that receive or maintain personal information on your behalf that they are aware of and prepared to comply with these and similar laws.
  10. Monitor legal developments, including pending federal legislation which may affect the state laws discussed in this article.
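The encryption safe harbor described earlier, and strategies 2 through 4 above, turn on one practical detail: the identifiers are stored only as ciphertext, and the key lives somewhere a breach of the data store does not reach. The following Go program is an added illustration of that pattern and is not code from the article or from IRMI. It builds a small constructed data store (the names and SSN-style values are made up), seals each identifier with AES-GCM, and then asks the question a breach response team would ask under the rule the article states: with only the dump in hand, can anyone read an identifier, and does the answer change if the key was also accessed? The Record type, the helper names, and the two-field layout are assumptions for the example; a real deployment would keep the key in a key-management service rather than generating it in `main`.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is one row as it sits in the data store. The name stays in clear
// (alone it is not "personal information" under the statutes discussed);
// the paired identifier (SSN, driver's licence number, account number plus
// access code) is held only as AES-GCM ciphertext laid out as nonce || sealed.
type Record struct {
	Name       string
	Identifier []byte
}

// sealField encrypts one identifier under key with a fresh random nonce.
func sealField(key []byte, plaintext string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and authentication tag after the nonce.
	return gcm.Seal(nonce, nonce, []byte(plaintext), nil), nil
}

// openField reverses sealField. It fails closed: a wrong key or a modified
// blob returns an error, never a plausible-looking plaintext.
func openField(key []byte, blob []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize() {
		return "", errors.New("ciphertext blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// NewStore builds a constructed sample store (fictitious values, not real
// people) with every identifier sealed under key.
func NewStore(key []byte) ([]Record, error) {
	samples := []struct{ name, id string }{
		{"Example Employee A", "000-00-0001"}, // constructed SSN-style value
		{"Example Employee B", "000-00-0002"}, // constructed SSN-style value
	}
	store := make([]Record, 0, len(samples))
	for _, s := range samples {
		blob, err := sealField(key, s.id)
		if err != nil {
			return nil, err
		}
		store = append(store, Record{Name: s.name, Identifier: blob})
	}
	return store, nil
}

// Readable counts the identifiers someone holding a copy of the store could
// actually read with candidateKey (nil meaning they hold no key at all).
func Readable(store []Record, candidateKey []byte) int {
	if candidateKey == nil {
		return 0
	}
	n := 0
	for _, r := range store {
		if _, err := openField(candidateKey, r.Identifier); err == nil {
			n++
		}
	}
	return n
}

// NotificationRequired applies the article's general rule: a breach of the
// store alone exposes no usable identifier, so the safe harbor applies; if
// the key was also accessed, the data is treated as if it were unencrypted.
func NotificationRequired(store []Record, key []byte, keyAlsoAccessed bool) bool {
	if !keyAlsoAccessed {
		return Readable(store, nil) > 0
	}
	return Readable(store, key) > 0
}

func main() {
	key := make([]byte, 32) // AES-256 key; generated here only for the demo
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	store, err := NewStore(key)
	if err != nil {
		panic(err)
	}
	fmt.Println("store only breached, notice required:", NotificationRequired(store, key, false))
	fmt.Println("store and key breached, notice required:", NotificationRequired(store, key, true))
}
```

The design point is that the safe harbor is only as good as the key separation: if the key is checked into the same repository, stored in the same database, or embedded in the application that was compromised, the triage answer flips to "notify", which is exactly the caveat the statutes attach.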

Conclusion

Breach notification laws are just one measure states are taking to protect the personal information of residents in their state. Many measures are already on the books, with more likely on the way. Companies, therefore, should develop an overall strategy for protecting information from unauthorized access and for effectively responding when a breach occurs.


Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.
