In 1748, in response to the request of a friend, Benjamin Franklin offered the following hints in his pamphlet, Advice to a Young Tradesman, Written by an Old One: “Remember that time is money. Remember that credit is money.”
In a patchwork landscape of data breach notification laws, these words have never been so true for American companies preparing for and responding to data breaches.
According to the Identity Theft Resource Center, 92 million records were exposed from 619 data breaches in 2013, 84% of which emanated from the business sector. It is no surprise then that the United States spent more than any other country on notification costs following a breach of identity-type data. That’s $565,020 per incident.
The threat is real and may be lying dormant: 66% of all data breaches took months or even years to discover, according to the 2013 Verizon Data Breach Investigation Report. This figure is underscored by the recent discovery of the “Heartbleed” flaw affecting 429 million websites running OpenSSL, a widely used software library implementing the SSL/TLS protocols that are supposed to ensure the privacy of online transactions (you’ve seen it, it looks like this: https). The flaw went unnoticed for two years and left personal information, such as first and last names, dates of birth, social security numbers, driver’s license numbers, credit card information, and bank account information up for grabs.
State laws regarding data breach notifications answer the “W’s and H” of journalism—the who, what, when and how—but answer them in dizzyingly different ways. Each question will be addressed, in turn, cutting straight through the opacity of these laws to arrive at what you need to know to protect your company’s assets today.
Who must comply?
Data breach notification laws apply to nearly any person or entity; however, the statutory language describing each law’s application varies from wide-open to narrowly tailored. For example, in Alaska, “any person, state, or local government agency (collectively, Entity) that owns or licenses Personal Information in any form in AK that includes the Personal Information of an AK resident” is subject to its data breach notification laws.
Nebraska, on the other hand, states that “an individual, government agency, corporation, business trust, estate, trust, partnership, limited partnership, limited liability partnership, limited liability company, association, organization, joint venture, government, governmental subdivision, agency, or instrumentality, or any other legal entity, whether for profit or not for profit (collectively, Entity), that conducts business in NE and that owns or licenses computerized data that includes Personal Information about a resident of NE” must comply with its data breach notification law.
Oklahoma adds that any entity, whether for-profit or not-for-profit, that owns or licenses computerized data that includes the personal information of OK residents is subject to its data breach statute. South Carolina’s statute makes clear that it is applicable to “natural persons” as well as to an individual or corporation, a distinction which becomes important in light of the Supreme Court’s decision in Citizens United v. Federal Election Commission, 558 U.S. 310 (2010), upholding corporate personhood.
What is “personal information?”
Data breach notification laws are triggered when there has been a breach of “personal information.” One of the matters complicating compliance is that there is no uniform definition of personal information. Some states use a baseline definition consisting of the consumer’s name paired with at least one of the following identifiers: Social Security Number, driver’s license number, state identification card number, or financial information (often a bank account number, or debit or credit card number and security code).
Many states, however, have expanded the term beyond the common statutory definition, including Alaska, Arkansas, California, the District of Columbia, Georgia, Iowa, Kansas, Maine, Maryland, Massachusetts, Missouri, New Jersey, New York, North Carolina, North Dakota, Ohio, Oregon, Puerto Rico, South Carolina, Texas, Vermont, Virginia, Wisconsin, and Wyoming.
For example, California and Missouri have added medical and health-insurance information to their definitions of personal information. Iowa has stretched the term a bit further by including “unique biometric data, such as fingerprint, retina, or iris image, or another unique physical representation or digital representation of biometric data” in its definition. Wisconsin has added an individual’s DNA profile to what it considers sensitive personal information for which a company could be held liable in the event of a breach. Finally, Nebraska has added voiceprints to its statutory definition.
There is a growing trend to expand, rather than narrow, those identifiers that constitute personal information. This means that companies need to err on the side of caution with all data that could be considered, now or in the future, sensitive consumer information.
Can the notification obligation be waived?
Whether the notification obligation can be waived hinges on what lawyers commonly say: “It depends.” Alaska, California, the District of Columbia, Hawaii, Illinois, Maryland, Minnesota, Nebraska, Nevada, New Hampshire, North Carolina, Rhode Island, Utah, Vermont, and Washington have all held that a consumer’s contractual waiver of their right to be notified when a breach has occurred is against public policy and thus unenforceable.
If your state’s data breach notification statute permits waivers or is silent on the matter, your company should still proceed with caution. Just because a statute doesn’t say a waiver is not permitted doesn’t mean that a court will rule that it is permitted. These provisions are increasingly losing favor with the courts and should not be relied upon.
Who must be notified?
The majority of states require only that the affected customers be notified. However, a number of states require that the attorney general also be notified, usually depending upon the number of customers affected. Those states include California, Hawaii, Indiana, Louisiana, Maine, Maryland, Massachusetts, Missouri, New Hampshire, New Jersey, New York, North Carolina, South Carolina, and Virginia.
Some states, like New Jersey, even require that disclosure of the breach and any information pertaining thereto be made to the attorney general and state police prior to notifying the affected customer. A growing number of states, including Georgia and Hawaii, also require companies to notify the major national credit unions.
When must notification be given?
The majority of states use a “reasonable standard” for timing notification and most read like this provision from Colorado: “Notice shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.”
However, a handful of states require that notification be made within a specific timeframe. If your company is a clinic, health facility, home-health agency or hospice licensed in California, hurry: you have five days.
If you are a licensee or registrant of the Connecticut Insurance Department, you also have five days from the time the incident is first identified to issue notice to the appropriate persons and agencies. Entities within Florida, Ohio, Vermont, and Wisconsin shall provide notice within 45 days. And, finally, in Maine, notification must be given within seven days following an investigation determining that notification is required.
Remember, time is money. If your company does business or owns or licenses personal information in a number of states, it is critical to maintain a comprehensive data breach response plan which includes notification time frames for each of those states. Update it regularly. It is time-consuming, but in the event of a breach, your company will have more time to focus on mitigating damages.
How must notification be given?
The majority of states hold that notice may be provided by one of the following methods: written notice, telephonic notice, or electronic notice if the company’s primary means of communication with the consumer is by electronic means.
In other words, don’t give your email address to the cashier at _________ if you prefer to find out your identity has been stolen from somewhere other than your spam folder. And remember, credit is money. How your company responds to a data-breach crisis has direct implications on your brand and reputation.
Are alternative methods of notification available?
Yes, in virtually all states, save Utah, substitute notification is available under certain expressly stated circumstances. However, the prerequisites to issuing alternative notice differ among the states.
For example, in Arizona, if a company can demonstrate that the cost of providing notification will exceed $50,000 or demonstrate that the affected number of persons to be notified exceeds 100,000, then substitute notice is available. On the other hand, in Arkansas and California, alternative notification methods are available only if the company can show that the cost of providing notice will exceed $250,000 or that the affected class is greater than 500,000 people.
Is there a private cause of action?
No, the majority of data-breach statutes do not explicitly provide a private right of action, which would allow a consumer to file suit against a company that violated a notification statute. However, 10 states do allow for a private right of action.
Companies that own or license private information or do business in Alaska, California, the District of Columbia, Louisiana, Maryland, Minnesota, New Hampshire, North Carolina, South Carolina, and Washington need to be particularly aware of these provisions. A violation of a notification law could mean facing numerous lawsuits for a single act of noncompliance, not to mention consumer-initiated class action suits.
Traditional commercial general liability (CGL) policies will provide little, if any, coverage for losses stemming from cyber-related risks, as standard CGLs cover only damage to tangible property. Limited coverage may exist under the CGL for personal injury or advertising injury; however, as reflected in the newest standard ISO general liability policy form CG 00 01 04 13, the trend is to specifically exclude various types of cyber risk.
ISO has recently developed an e-commerce program, which includes the Financial Institutions Information Security Policy and the Media and Information Security Policy, EC 00 10 01 14. The coverages available through EC 00 10 were specifically developed to protect against the loss of electronic data, including personal information.
In addition to an appropriately outfitted directors & officers liability policy, a modern company should also obtain coverage for cyber-related exposures. Cyber policies come in many shapes and sizes, but generally fall into two camps: first-party coverages and third-party coverages.
First party forms include security liability coverage (protecting against the unauthorized access to or use of insured’s computer network, either internally or externally), privacy liability coverage (protecting insured when privacy laws are violated), and business interruption loss.
Among third-party coverages are information security and privacy coverage (protecting against loss or compromise of sensitive third-party data, like patient medical records or customer finance records), network security coverage (protecting against damage to a third party’s network because the insured’s network caused a breach in data), and media liability/website media content coverage (protecting against defamation, libel, slander, and misuse of trademark).
These policies generally cover expenses related to notification, remediation services (such as providing victims with credit monitoring, identity theft monitoring, restoration of stolen identity, and repair of damaged credit), regulatory breach expenses, and industry fines.
Data-breach notification statutes by state
“In today’s environment, it’s not a matter of if a data breach will occur, but when it will occur, and how well you respond. Do everything you can to prevent data breaches, but also fully plan out how you will respond if you are breached. Today’s media and business environment demands that two-pronged approach,” advises Brian Lapidus, chief operating officer of Kroll Fraud Solutions.
The warning is clear: companies wanting to protect their money and their credit need to have a data breach response plan in place before it becomes necessary. As they say, “a good offense is a good defense.”
There is no one-size-fits-all approach to prepare your business for this eventuality, as evidenced by the disarray of state notification laws. Therefore, you should tailor your response plan to the unique laws of your state and the unique assets of your business.
To find your state’s data breach notification law, as well as its most recent amendment and effective date, consult the following chart: