Summary:  In 1748, in response to the request of a friend, Benjamin Franklin offered the following hints in his pamphlet, Advice to a Young Tradesman, Written by an Old One: "Remember that time is money. Remember that credit is money." In a patchwork landscape of data breach notification laws, these words have never been so true for American companies preparing for and responding to data breaches.

The Identity Theft Resource Center® (ITRC) is a nationally recognized nonprofit organization established to support victims of identity crime. According to the ITRC, 92 million records were exposed in 619 data breaches in 2013, when we first addressed this issue. By 2017 that number had increased to 197 million records exposed from 1,579 data breaches. In 2018, the ITRC tracked an extreme jump of 126 percent in the number of consumer records exposed by data breaches (446.5 million). The most recent ITRC update, covering the third quarter of 2020, revealed a 30 percent drop in the number of breaches (846) year over year compared to 2019 (1,190 breaches).

In 2018, the majority of exposed records came from the business sector, but with the lowest rate of exposure per breach, while the healthcare field had the second largest number of breaches and the highest rate of exposure per breach. While the business sector remained in the lead position in number of breaches (644) and exposed records in 2019, the financial sector far surpassed both the business sector and the medical/healthcare field in the number of sensitive records exposed, at 100.6 million from just 108 breaches, compared to 644 breaches in the business sector and 525 in the medical/healthcare field. Although the business sector had a record number of exposed records, 99.99 percent of those records were of a non-sensitive nature. In fact, the reduction in the number of exposed sensitive and nonsensitive records from 2018 to 2019 is staggering, dropping from 438.9 million sensitive and 1,570.6 million nonsensitive records in 2018 to 18.8 million sensitive and 705.1 million nonsensitive records in 2019.

The breaches in 2019 were due primarily to:

  • Data exposure from unsecured databases – a number of large organizations failed to password-protect their cloud-based data. There is no way of knowing whether the data was downloaded by criminals, and it may take months or even years before the data surfaces in criminal data marketplaces and the exposure can be confirmed.
  • Growth of stolen email addresses and logins giving access to accounts.
  • Third-party vendor cyber attacks or accidental release of sensitive information.
  • Convenience – consumers and businesses wanting ease of data access and frictionless transactions, taking shortcuts around strong security tools and using easy-to-guess or reused usernames and passwords.

Data breach costs are long term, and being slow to detect and contain a breach can have huge financial consequences. According to the 2019 Cost of a Data Breach Study by IBM Security/Ponemon Institute, the average total cost of a data breach increased by 1.6 percent from the previous year and 12 percent over the past five years. A data breach now costs businesses an average of $3.92 million. The study looked at the long-term effects of data breaches, highlighting the fact that organizations continue to pay the price of a data breach for years after the initial incident.

Breaches are so expensive because they affect many aspects of a company's operations, with lost or stolen information creating limitations and liabilities that can take years to move past. About 67 percent of the breach costs come in the first year, about 22 percent in the next twenty-four months and 11 percent three years after the incident. If a company has a large number of client records breached, it is held liable, and that liability becomes an ongoing cost.

State laws regarding data breach notifications answer the "W's and H" of journalism—the who, what, when and how—but answer them in dizzyingly different ways. Each question will be addressed in turn, cutting straight through the obscurity of these laws to arrive at what you need to know to protect your company's assets today.

Topics Covered:

Data breach notification statutes by state

Who Must Comply?

Data breach notification laws apply to nearly any person or entity; however, the statutory language describing each law's application varies from wide open to narrowly tailored. For example, in Alaska, "any person, state, or local government agency (collectively, Entity) that owns or licenses Personal Information in any form in AK that includes the Personal Information of an AK resident" is subject to its data breach notification laws. Nebraska, on the other hand, states that "an individual, government agency, corporation, business trust, estate, trust, partnership, limited partnership, limited liability partnership, limited liability company, association, organization, joint venture, government, governmental subdivision, agency, or instrumentality, or any other legal entity, whether for profit or not for profit (collectively, Entity), that conducts business in NE and that owns or licenses computerized data that includes Personal Information about a resident of NE" must comply with its data breach notification law. Both Oklahoma and Vermont add that any data collector or entity, whether for-profit or not-for-profit, that owns or licenses computerized data that includes personally identifiable information or login credentials of state residents is subject to their data breach statute. South Carolina's statute makes clear that it applies to "natural persons" as well as to an individual or corporation, a distinction which becomes important in light of the Supreme Court's decision in Citizens United v. Federal Election Commission, 558 U.S. 310 (2010), upholding corporate personhood.

What Is "Personal Information"?

Data breach notification laws are triggered when there has been a breach of "personal information." One of the matters complicating compliance is that there is no uniform definition of personal information. Some states use a baseline definition consisting of the consumer's name paired with at least one of the following identifiers: Social Security number, driver's license number, state identification card number, or financial information (often a bank account number, or a debit or credit card number and security code). Many states, however, have expanded the term beyond the common statutory definition, including Alaska, Arkansas, California, the District of Columbia, Florida, Georgia, Iowa, Kansas, Maine, Maryland, Massachusetts, Missouri, New Jersey, New York, North Carolina, North Dakota, Ohio, Oregon, Puerto Rico, Rhode Island, South Carolina, Texas, Vermont, Virginia, Wisconsin, and Wyoming.

For example, California, Florida, Missouri, Oregon, and Rhode Island have added medical and health insurance information to their definitions of personal information. Some states, including Florida and Rhode Island, expand the definition to include an email address when used in combination with any security code, access code, password, or personal identification number that would permit access to an individual's personal, medical, insurance, or financial account. Iowa has stretched the term a bit further by including "unique biometric data, such as fingerprint, retina, or iris image, or another unique physical representation or digital representation of biometric data" in its definition. Arkansas and Oregon also include biometric data in the definition. Wisconsin has added an individual's DNA profile to what it considers sensitive personal information for which a company could be held liable in the event of a breach. Finally, Nebraska has added voiceprints to its statutory definition.

Over the past several years, many states have taken steps to expand, rather than narrow, those identifiers that constitute personal information. This means that companies need to err on the side of caution with all data that could be considered, now or in the future, sensitive consumer information.

Can the Notification Obligation Be Waived?

Whether the notification obligation can be waived hinges on what lawyers commonly say: "It depends." Alaska, California, the District of Columbia, Hawaii, Illinois, Maryland, Minnesota, Nebraska, Nevada, New Hampshire, North Carolina, Rhode Island, Utah, Vermont, and Washington have all held that a consumer's contractual waiver of the right to be notified when a breach has occurred is against public policy and thus unenforceable. If your state's data breach notification statute permits waivers or is silent on the matter, your company should still proceed with caution. Just because a statute doesn't say a waiver is not permitted doesn't mean that a court will rule that it is permitted. These provisions are increasingly losing favor with the courts and should not be relied upon.

Who Must Be Notified?

The majority of states require only that the affected customers be notified. However, a number of states require that the Attorney General also be notified, usually depending upon the number of customers affected. Those states include Arkansas, California, Hawaii, Indiana, Louisiana, Maine, Maryland, Massachusetts, Missouri, New Hampshire, New Jersey, New York, North Carolina, South Carolina, Oregon, Vermont, and Virginia. Some states, like New Jersey, even require that the breach and any information pertaining to it be disclosed to the Attorney General and State Police before the affected customers are notified. A growing number of states, including Georgia, Hawaii, and Oregon, also require companies to notify the major national credit unions. Florida requires notification to the Department of Legal Affairs within thirty days of any breach affecting 500 or more individuals.

When Must Notification Be Given?

The majority of states use a "reasonable standard" for the timing of notification, and most read like this provision from Colorado: "Notice shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system." However, a handful of states require that notification be made within a specific time frame. If your company is a clinic, health facility, home health agency, or hospice licensed in California, hurry: you have five days. If you are a licensee or registrant of the Connecticut Insurance Department, you also have five days from the time the incident is first identified to issue notice to the appropriate persons and agencies. Entities within Florida, Ohio, Vermont, and Wisconsin must provide notice within forty-five days. And, finally, in Maine, notification must be given within seven days following an investigation determining that notification is required.

Remember, time is money. If your company does business in, or owns or licenses personal information from, a number of states, it is critical to maintain a comprehensive data breach response plan that includes the notification time frames for each of those states. Update it regularly. It is time-consuming, but in the event of a breach, your company will have more time to focus on mitigating damages.

How Must Notification Be Given?

The majority of states hold that notice may be provided by one of the following methods: written notice; telephonic notice; or electronic notice, if the company's primary means of communication with the consumer is by electronic means.

California has specific and detailed notification requirements: the notice must contain specified information or use a prescribed form, and the text of a written notification must be no smaller than ten-point font.

In other words, don't give your email address to the cashier at _________ if you prefer to find out that your identity has been stolen from somewhere other than your spam folder. And remember, credit is money. How your company responds to a data breach crisis has direct implications for your brand and reputation.

Are Alternative Methods of Notification Available?

Yes, in virtually all states, save Utah, substitute notification is available under certain express circumstances. However, the prerequisites for issuing alternative notice differ among the states. For example, in Arizona, if a company can demonstrate that the cost of providing notification will exceed $50,000, or that the number of affected persons to be notified exceeds 100,000, then substitute notice is available. On the other hand, in several states, including Arkansas, California, Montana, and Oregon, alternative notification methods are available only if the company can show that the cost of providing notice will exceed $250,000 or that the affected class is greater than 350,000 people in Oregon or 500,000 people in Arkansas, California, or Montana.

Is There a Private Cause of Action?

No, the majority of data breach statutes do not explicitly provide a private right of action, which would allow a consumer to file suit against a company that violated a notification statute. However, ten states do allow for a private right of action. Companies that own or license private information or do business in Alaska, California, the District of Columbia, Louisiana, Maryland, Minnesota, New Hampshire, North Carolina, South Carolina, and Washington need to be particularly aware of these provisions. A violation of a notification law could mean facing numerous lawsuits for a single act of noncompliance, not to mention consumer-initiated class action suits.

Coverage Options

Traditional commercial general liability (CGL) policies will provide little, if any, coverage for losses stemming from cyber-related risks, as the standard CGL policy covers only damage to tangible property. Limited coverage may exist under the CGL for personal injury or advertising injury; however, as reflected in the newest standard ISO general liability policy form CG 00 01 04 13, the trend is to specifically exclude various types of cyber risk.

It is becoming increasingly important that companies obtain coverage for cyber-related exposures, and small businesses are especially vulnerable. Based on information from the U.S. Small Business Administration (SBA), a recent survey revealed that 88 percent of small business owners felt their business was vulnerable to a cyber attack. However, many businesses can't afford professional IT solutions, have limited time to devote to cybersecurity, or don't know where to begin.

Cyber policies come in many shapes and sizes, but generally fall into two camps: first-party coverages and third-party coverages. First-party forms include security liability coverage (protecting against unauthorized access to or use of the insured's computer network, either internally or externally), privacy liability coverage (protecting the insured when privacy laws are violated), and business interruption loss. Among third-party coverages are information security and privacy coverage (protecting against loss or compromise of sensitive third-party data, such as patient medical records or customer financial records), network security coverage (protecting against damage to a third party's network because the insured's network caused a breach of data), and media liability/website media content coverage (protecting against defamation, libel, slander, and misuse of trademark). These policies generally cover expenses related to notification, remediation services (such as providing victims with credit monitoring, identity theft monitoring, restoration of stolen identity, and repair of damaged credit), regulatory breach expenses, and industry fines.

In July 2017, ISO introduced a filing for a new cyber coverage form for small- to mid-sized commercial risks under coverage form CY 00 01 01 18, accompanied by several new endorsements. With this filing, the ISO E-Commerce Program was renamed the ISO Cyber Program to reflect the expanded types of coverage addressed in the program. The filing also included enhancements to the ISO Information Security Protection (ISP) Cyber coverage forms and optional multi-state endorsements. See the FC&S Contract Analysis of the ISO Commercial Cyber Insurance Policy.

Looking forward, ISO will be replacing the current cyber form, with a proposed effective date of November 11, 2021. The new Commercial Cyber Insurance Policy form (CCI) CY 00 02 and a new Information Security Protection Cyber Policy form (ISP) CY 00 03 will provide significant enhancements over the current CY 00 01 and ISP CY 00 10 policy forms. The Financial Institutions Information Security Protection Cyber Policy CY 00 11 and the Media And Information Security Protection Cyber Policies CY 00 12 and CY 00 13 are also being withdrawn to streamline the cyber product, with the coverages from these policies included in the new ISP coverage form. As with any new ISO product, we will be providing a contract analysis of each of these new replacement forms in the near future.

In addition to the ISO products, there are a number of proprietary cyber products available in the marketplace.

Includes copyrighted material of Insurance Services Office Inc., with its permission.

Data Breach Notification Statutes by State

As once advised by Brian Lapidus, Managing Director and Global Breach Notification Leader, Cyber Risk, of Kroll, a Division of Duff & Phelps: "In today's environment, it's not a matter of if a data breach will occur, but when it will occur, and how well you respond. Do everything you can to prevent data breaches, but also fully plan out how you will respond if you are breached. Today's media and business environment demands that two-pronged approach." The warning is clear: companies wanting to protect their money and their credit need to have a data breach response plan in place before it becomes necessary. As they say, "a good offense is a good defense."

There is no one-size-fits-all approach to prepare your business for this eventuality, as evidenced by the disarray of state notification laws. Therefore, you should tailor your response plan to the unique laws of your state and the unique assets of your business.

To find your state's data breach notification law, as well as its most recent amendment and effective date, consult the following chart (as of 1/26/2021):

| State | Statute | Amended or Effective Date |
|---|---|---|
| Alabama | Code of Ala. § 8-38-2 | June 1, 2018 |
| Alaska | Alaska Stat. § 45.48.010 et seq. | July 1, 2009, updated April 15, 2019 and July 23, 2019 |
| Arizona | Ariz. Rev. Stat. § 18-545 | August 6, 2016 |
| Arkansas | Ark. Code § 4-110-101 et seq. | August 12, 2005 |
| California | Cal. Civ. Code §§ 1798.29, 1798.80, et seq. | January 1, 2020 |
| Colorado | Colo. Rev. Stat. § 6-1-716 | September 1, 2006 |
| Connecticut | Conn. Gen. Stat. § 36a-701b | October 1, 2020, update October 2021 |
| Delaware | Del. Code tit. 6, § 12B-101 et seq. | September 4, 2018 |
| District of Columbia | D.C. Code § 28-3851 et seq. | June 17, 2020 |
| Florida | Fla. Stat. § 501.171 (2014) | July 1, 2014 |
| Georgia | Ga. Code §§ 10-1-910, -911, -912; § 46-5-214 | May 5, 2005 |
| Guam | 9 GCA § 48-10 et seq. | March 13, 2009 |
| Hawaii | Haw. Rev. Stat. § 487N-1 et seq. | July 1, 2008 |
| Idaho | Idaho Stat. § 28-51-104 to -107 | July 1, 2015 |
| Illinois | 815 ILCS §§ 530/1 to 530/25 | January 1, 2012 |
| Indiana | Ind. Code §§ 4-1-11-1 et seq., 24-4.9 et seq. | June 30, 2006 |
| Iowa | Iowa Code §§ 715C.1, 715C.2 | July 1, 2018 |
| Kansas | Kan. Stat. § 50-7a01 et seq. | January 1, 2007 |
| Kentucky | KRS § 365.732 et seq. | July 15, 2014 |
| Louisiana | La. Rev. Stat. § 51:3071 et seq. | January 1, 2006 |
| Maine | Me. Rev. Stat. tit. 10 § 1347 et seq. | September 19, 2019 |
| Maryland | Md. Code Com. Law §§ 14-3501 et seq. | January 1, 2018 |
| Massachusetts | ALM GL ch. 93H, § 1 et seq. | October 31, 2007 |
| Michigan | Mich. Comp. Laws §§ 445.63, 445.72 | April 1, 2011 |
| Minnesota | Minn. Stat. §§ 325E.61, 325E.64 | January 1, 2006 |
| Mississippi | Miss. Code § 75-24-29 | July 1, 2011 |
| Missouri | Mo. Rev. Stat. § 407.1500 | August 28, 2009 |
| Montana | Mont. Code Ann. § 30-14-1704 | October 1, 2015 |
| Nebraska | Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006, 2005 Bill Text NE L.B. 876 | April 11, 2006 |
| Nevada | Nev. Rev. Stat. §§ 603A.010 et seq., 242.183 | October 1, 2017 |
| New Hampshire | N.H. Rev. Stat. §§ 359-C:19, et seq. | January 1, 2007 |
| New Jersey | N.J. Stat. § 56:8-163 | May 10, 2019 |
| New Mexico | N.M. Stat. Ann. § 57-12C-1 | June 16, 2017 |
| New York | N.Y. Gen. Bus. Law § 899-aa | May 10, 2019 |
| North Carolina | N.C. Gen. Stat. §§ 75-61, 75-65 | October 1, 2009 |
| North Dakota | N.D. Cent. Code § 51-30-01 et seq. | August 1, 2015 |
| Ohio | Ohio Rev. Code §§ 1347.12, et seq. | September 29, 2015 |
| Oklahoma | 24 Okl. St. § 161 to -166 | November 1, 2008 |
| Oregon | Or. Rev. Stat. § 646A.600 et seq. | January 1, 2020 |
| Pennsylvania | 73 Pa. Stat. § 2301 et seq. | June 20, 2006 |
| Puerto Rico | Puerto Rico § 4051 et seq. | June 19, 2008 |
| Rhode Island | General Assembly § 11-49.3-2 | July 2, 2015 |
| South Carolina | S.C. Code § 39-1-90, 2013 H.B. 3248 | April 23, 2013 |
| South Dakota | SDCL 22-40-19 to 22-40-26 | July 1, 2018 |
| Tennessee | Tenn. Code § 47-18-2107 | July 1, 2016 |
| Texas | Tex. Bus. & Com. Code § 521.002, et seq. | September 1, 2009 |
| Utah | Utah Code § 13-44-101 et seq. | May 12, 2009 |
| Vermont | Vt. Stat. tit. 9 §§ 2430, 2435 | January 1, 2019 |
| Virgin Islands | V.I. Code tit. 14, § 2209 | October 17, 2005 |
| Virginia | Va. Code §§ 18.2-186.6, 32.1-127.1:05 | March 10, 2020 |
| Washington | Wash. Rev. Code §§ 19.255.010, 42.56.590 | March 1, 2020 |
| West Virginia | W. Va. Code §§ 46A-2A-101 et seq. | June 7, 2008 |
| Wisconsin | Wis. Stat. § 134.98 | March 28, 2008 |
| Wyoming | Wyo. Stat. § 40-12-501 et seq. | July 1, 2015 |