In 1748, in response to the request of a friend, Benjamin Franklin offered the following hints in his pamphlet, Advice to a Young Tradesman, Written by an Old One: “Remember that time is money. Remember that credit is money.” In a patchwork landscape of data breach notification laws, these words have never been so true for American companies preparing for and responding to data breaches.
According to the Identity Theft Resource Center, 92 million records were exposed in 619 data breaches in 2013, 84 percent of which emanated from the business sector. It is no surprise, then, that the United States spent more than any other country on notification costs following a breach of identity-type data: $565,020 per incident. The threat is real and may be lying dormant: 66 percent of all data breaches took months or even years to discover, according to the 2013 Verizon Data Breach Investigation Report.
State laws regarding data breach notifications answer the “W’s and H” of journalism — the who, what, when and how — but answer them in dizzyingly different ways. I’ll take up each question in turn, cutting straight through the amorphousness of these laws to arrive at what you need to know to protect your company’s assets today.
What Is “Personal Information”?
Data breach notification laws are triggered when there has been a breach of “personal information.” One of the matters complicating compliance is that there is no uniform definition of personal information. Some states use a baseline definition consisting of the consumer’s name paired with at least one of the following identifiers: Social Security number, driver’s license number, state identification card number, or financial information (often a bank account number, or a debit or credit card number and security code). Many states, however, have expanded the term beyond the common statutory definition, including Alaska, Arkansas, California, the District of Columbia, Georgia, Iowa, Kansas, Maine, Maryland, Massachusetts, Missouri, New Jersey, New York, North Carolina, North Dakota, Ohio, Oregon, Puerto Rico, South Carolina, Texas, Vermont, Virginia, Wisconsin, and Wyoming.
For example, California and Missouri have added medical and health insurance information in their definition of personal information. Iowa has stretched the term a bit further by including “unique biometric data, such as fingerprint, retina, or iris image, or another unique physical representation or digital representation of biometric data” in its definition. Wisconsin has added an individual’s DNA profile to what it considers sensitive personal information for which a company could be held liable in the event of a breach. Finally, my favorite addition comes from Nebraska, which has added voiceprints to their statutory definition.
There is a growing trend to expand, rather than narrow, the identifiers that constitute personal information. This means that companies need to err on the side of caution with all data that could be considered, now or in the future, sensitive consumer information.
Can the Notification Obligation Be Waived?
I hate to use a lawyer’s favorite answer, but “it depends.” Alaska, California, the District of Columbia, Hawaii, Illinois, Maryland, Minnesota, Nebraska, Nevada, New Hampshire, North Carolina, Rhode Island, Utah, Vermont, and Washington have all held that a consumer’s contractual waiver of the right to be notified when a breach has occurred is against public policy and thus unenforceable. If your state’s data breach notification statute permits waivers or is silent on the matter, your company should still proceed with caution. Just because a statute doesn’t say something is not permitted doesn’t mean that a court will rule that it is permitted. These provisions are increasingly losing favor with the courts and should not be relied upon.
Who Must Be Notified?
The majority of states require only that the affected customers be notified. However, a number of states require that the Attorney General also be notified, usually depending upon the number of customers affected. Those states include California, Hawaii, Indiana, Louisiana, Maine, Maryland, Massachusetts, Missouri, New Hampshire, New Jersey, New York, North Carolina, South Carolina, and Virginia. Some states, like New Jersey, even require that disclosure of the breach and any information pertaining thereto be made to the Attorney General and State Police prior to notifying the affected customer. A growing number of states, including Georgia and Hawaii, also require companies to notify the major national credit unions.
When Must Notification Be Given?
The majority of states use a “reasonableness” standard for the timing of notification, and most read like this provision from Colorado: “Notice shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.” However, a handful of states require that notification be made within a specific timeframe. If your company is a clinic, health facility, home health agency or hospice licensed in California, hurry: you have five days. If you are a licensee or registrant of the Connecticut Insurance Department, you also have five days from the time the incident is first identified to issue notice to the appropriate persons and agencies. Entities within Florida, Ohio, Vermont, and Wisconsin must provide notice within 45 days. And, finally, in Maine, notification must be given within 7 days following an investigation determining that notification is required.
Remember, time is money. If your company does business in, or owns or licenses personal information from, a number of states, it is critical to maintain a comprehensive data breach response plan that includes the notification time frames for each of those states. Update it regularly. It is time-consuming, but in the event of a breach, your company will have more time to focus on mitigating damages.
How Must Notification Be Given?
The majority of states hold that notice may be provided by one of the following methods: written notice; telephonic notice; or electronic notice, if the company’s primary means of communication with the consumer is by electronic means.
Ergo, don’t give your email address to the cashier at _________ if you prefer to find out your identity has been stolen from somewhere other than your spam folder. And remember, credit is money. How your company responds to a data breach crisis has direct implications on your brand and reputation.
Are Alternative Methods of Notification Available?
Yes, in virtually all states, save Utah, substitute notification is available under certain express circumstances. However, the prerequisites for issuing alternative notice differ among the states. For example, in Arizona, if a company can demonstrate that the cost of providing notification will exceed $50,000, or that the number of affected persons to be notified exceeds 100,000, then substitute notice is available. On the other hand, in Arkansas and California, alternative notification methods are available only if the company can show that the cost of providing notice will exceed $250,000 or that the affected class is greater than 500,000 people.
Is There A Private Cause of Action?
No, the majority of data breach statutes do not explicitly provide a private right of action, which would allow a consumer to file suit against a company that violated a notification statute. However, ten states do allow for a private right of action. Companies that own or license private information, or do business, in Alaska, California, the District of Columbia, Louisiana, Maryland, Minnesota, New Hampshire, North Carolina, South Carolina, and Washington need to be particularly aware of these provisions. A violation of a notification law could mean facing numerous lawsuits for a single act of noncompliance, not to mention consumer-initiated class action suits.
“In today’s environment, it’s not a matter of if a data breach will occur, but when it will occur, and how well you respond. Do everything you can to prevent data breaches, but also fully plan out how you will respond if you are breached. Today’s media and business environment demands that two-pronged approach,” advises Brian Lapidus, Chief Operating Officer of Kroll Fraud Solutions. The warning is clear: companies wanting to protect their money and their credit need to have a data breach response plan in place before it becomes necessary. As they say, “a good offense is a good defense.”