Summary: In 1748, in response to the request of a friend, Benjamin Franklin offered the following hints in his pamphlet, Advice to a Young Tradesman, Written by an Old One: "Remember that time is money. Remember that credit is money." In a patchwork landscape of data breach notification laws, these words have never been so true for American companies preparing for and responding to data breaches. Over the past several years the incidence of data breaches and identity theft has continually increased.
The Identity Theft Resource Center® (ITRC) is a nationally recognized nonprofit organization established to support victims of identity crime. According to the ITRC, the first law requiring notice to be sent to individuals after a data breach was enacted in 2003, at a time when the Internet was still in its infancy. Now, the last children born before the Internet became a mainstay are in college, if they haven't already graduated. Online retail sales and restaurant ordering have hit the roof and blown through it, particularly in light of the Covid-19 pandemic. However, this explosive growth comes with a price: the increasing scope and sophistication of data breaches and other privacy compromises.
The first quarter of 2022 marks the third consecutive year that the number of data compromises in the first quarter of the year has exceeded the number of compromises from the same period in the previous year. January 2022 alone saw a 145% increase in breaches from January 2021.
There are many ways to define data compromise. The ITRC defines a data breach as an incident where unauthorized individuals have actually accessed personal information, whether or not the data is removed. A data exposure, by contrast, means that personal information is available for access and potential removal, but there is no evidence of unauthorized individuals accessing the information. States may define these terms differently, use different policy language, or both.
In terms of the information subject to exposure, social security numbers took the top spot in 2021: 1,136 data compromises exposed social security numbers, an alarming 202% increase from the number of SSNs compromised in 2020 and 204% higher than the second-most common type of compromised data for 2021, personal health information (558 compromises). Driver's license and bank account numbers both topped 400 (447 and 409 compromises, respectively) with other types (251 compromises) and email/password (246 compromises) bringing up the rear. And, just as the trend has been since 2017, the total number of compromises (1,862) was greater than the number of sensitive records exposed (1,543).
According to the ITRC report, which only includes data from publicly-reported companies in the United States, cyberattacks accounted for 87% (1,613) of the 1,862 total compromises in 2021, with human and system errors at 10% (179) and physical attacks at 3% (51). While cyberattacks and human and system errors both increased in 2021 after a decrease in 2020, physical attacks decreased in both 2020 and 2021. Why? Data compromises occur where the data is; as the world has moved online, so has cybercrime. For example, there were 321 ransomware attacks in 2021, more than double the number from 2020 and nearly quadruple the total from 2019. The ITRC estimates that, at this rate, ransomware will overtake phishing as the most common root cause of data compromises in 2022.
The ITRC has also identified a handful of disturbing trends where individuals may inadvertently be making it easier for cybercriminals to access their data. In the release of their 2021 report on data breaches, the ITRC revealed that though the total number of victims decreased in 2021, the number of people subject to multiple data breaches in one calendar year "remains excessively high." The organization also pointed out that less than 5% of individuals who are victims of a data compromise take the most effective protective action after receiving notice of a data breach. For 2021, that trend would mean fewer than 14.6 million people of the nearly 294 million victims implemented the most effective protections.
State laws regarding data breach notification tell companies whom to notify, how that notice must be sent or published, what the notice must include, and when the notice must be made. The answers to these questions can and often do vary from state to state. Each question will be addressed in turn, untangling the legal jargon and explaining what you need to know if your company's records are ever subject to a breach.
Who Must Comply?
Data breach notification laws apply to nearly every person or entity who conducts business in a state. However, the statutory language defining "person" and "entity" is not uniform. For example, in Alaska, the data breach notification laws apply to any governmental agency and anyone doing business in Alaska who has more than 10 employees. Nebraska, on the other hand, states that the rules apply to any individual, government agency, corporation, business trust, estate, trust, partnership, limited partnership, limited liability partnership, limited liability company, association, organization, joint venture, government, governmental subdivision, agency, or instrumentality, or any other legal entity, whether for profit or not for profit conducting business in Nebraska who owns or licenses computerized data that includes Personal Information about a Nebraska resident.
What Is "Personal Information"?
Data breach notification laws are triggered when there has been a breach of "personal information." One of the matters complicating compliance is that there is no uniform definition of personal information. Some states use a baseline definition consisting of the consumer's first name or initial and last name paired with at least one of the following identifiers: social security number, driver's license number, state identification card number, or financial information (which often means a bank account number or a debit or credit card number together with its security code). Over the past several years, however, many states have taken steps to expand, rather than narrow, the identifiers that constitute personal information. Modern technological advances and the mass migration to digitized records have made certain types of personal information either available or more readily available than ten or twenty years ago. Companies should err on the side of caution with all data that could be considered, now or in the future, sensitive consumer information.
For example, California, Florida, Missouri, Oregon, and Rhode Island have added medical and health insurance information to their definitions of personal information. Florida and Rhode Island expanded the definition to include email addresses or usernames when used in combination with any security code, access code, password, or personal identification number that would permit access to an individual's personal, medical, insurance, or financial account; several states also count the security questions and answers often used in account recovery as personal information. Arkansas, Iowa, Oregon, and several other states have decided that "personal information" also includes biometric data, such as fingerprints, retinal scans, DNA profiles, and similar measurements. The definition for Nebraska even includes an individual's voice print.
Can the Notification Obligation Be Waived?
Whether the notification obligation can be waived often hinges on a phrase much beloved by legal professionals: It depends. While a majority of states are silent on the matter of waiver, thirteen states–Arkansas, Alaska, Colorado, Hawaii, Illinois, Maryland, Minnesota, Nebraska, Nevada, North Carolina, Utah, Vermont, and Washington–and the District of Columbia all have provisions expressly stating that a consumer's waiver of the right to be notified of a data breach goes against public policy and is therefore void and unenforceable. However, the lack of an express provision concerning waiver does not mean that a waiver is enforceable.
Who Must Be Notified?
Every state requires affected customers to be notified of a data breach; twelve states–Connecticut, Idaho, Maine, Maryland, Massachusetts, Montana, Nebraska, New Hampshire, New York, North Carolina, Vermont, and Virginia–also require the entity reporting the breach to send notice to the state Attorney General any time a breach is reported. A large number of states require entities to inform the state Attorney General of a breach only if a certain number of state residents must be notified, with the threshold ranging from 50 (District of Columbia) to 1,000 (Alabama, Alaska, Arizona, Arkansas, Colorado, Hawaii, Missouri, New Mexico); the information required for the report to the state Attorney General varies by state. Some states, like New York and New Jersey, even require that disclosure of the breach and any information pertaining to it be made to the State Police prior to notifying affected customers. A growing number of states also require companies to notify the major national credit reporting agencies if a company has to notify more than a certain number of consumers; for a majority of the states requiring such notice, the threshold is 1,000 people. However, two states (Minnesota, Rhode Island) have a 500-person threshold; New York sets the bar at 5,000 people; and two states (Georgia, Texas) established a whopping 10,000-person threshold before companies must notify consumer reporting agencies. Only South Dakota requires that notification of a breach be sent to the major credit reporting agencies any time a data breach is reported.
When Must Notification Be Given?
The majority of states adhere to the "within a reasonable time" standard for timing notification; most read like the provision from Colorado: "Notice must be made in the most expedient time possible and without unreasonable delay, but not later than [thirty] days after the date of determination that a security breach occurred, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system" (C.R.S. 6-1-716, brackets added). The exact number of days a company has to notify consumers may vary. On the other hand, if the company is a clinic, health facility, home health agency, or hospice licensed in California: hurry! These entities have only five days after discovering the breach to provide the required notice. Licensees and registrants of the Connecticut Insurance Department also have just five days from the time the incident is first identified to notify the appropriate people and agencies.
Remember: time is money. If your company does business or owns or licenses personal information in multiple states, it is critical to maintain a comprehensive data breach response plan that includes notification time frames for each state in which you do business or hold personal information. Update the procedures regularly. It is time-consuming, but in the event of a breach, your company will have more time to focus on mitigating damages. Even with updated procedures, check the data breach statutes of affected states before sending any notifications, as requirements can change overnight.
California has specific and detailed notification requirements: the notice must contain specified information or use a prescribed form, and the text of a written notification must be no smaller than ten-point font.
In other words, don't give your email address to the cashier at the supermarket if you prefer to find out your identity has been stolen from somewhere other than your spam folder. And remember that credit is money. How your company responds to a data breach crisis has direct implications on your brand and reputation.
Are Alternative Methods of Notification Available?
Yes. Every state has a baseline for when substitute notification is permitted, though the exact prerequisites will differ. For example, in Arizona, if a company can demonstrate that the cost of providing notification will exceed $50,000 or demonstrate that more than 100,000 people must be notified, then substitute notice is available. In Iowa, the costs of notice must exceed $250,000 or more than 350,000 people have to be notified before substitute notice is allowed. Most, if not all, states also permit substitute notice if the notifying entity does not have enough contact information to contact every person who needs to be contacted. The most common methods of substitute notice include a post on the entity's website, if there is one, email notice, if email addresses are available, and notice to major local and/or statewide media; a majority of states require a company using substitute notice to implement all three methods of substitute notice.
Is There a Private Cause of Action?
In general, no. The majority of data breach statutes either expressly state or imply that an individual consumer does not have a private right of action against a company for any misconduct related to a data breach. However, eleven states allow consumers affected by a data breach to file suit against the company: Alaska, California, Delaware, the District of Columbia, Louisiana, Maryland, Minnesota, New Hampshire, North Carolina, South Carolina, and Washington. The Delaware statute merely says "Nothing in this chapter [Delaware Code Title 6, Chapter 12B] may be construed to modify any right which a person may have at common law, by statute, or otherwise." The remaining states have statutes explicitly stating, whether read alone or in conjunction with related statutes, that consumers whose information was compromised have the right to sue the company subject to the breach. Each state has guidelines for what companies can do to avoid being sued as well as standards for what consumers must do in order to file a suit after a data breach.
Coverage Options
Traditional commercial general liability (CGL) policies will provide little coverage, if any, for losses stemming from cyber-related risks, as the standard CGL policy covers only damage to tangible property. Limited coverage may exist under the CGL for personal injury or advertising injury; however, as reflected in the newest standard ISO general liability policy form, CG 00 01 04 13, the trend is to specifically exclude various types of cyber risk.
It is becoming increasingly important that companies today obtain coverage for cyber-related exposures; small businesses are especially vulnerable. Larger corporations have more financial resources and manpower that aren't necessarily available to smaller businesses.
A good cyber policy should be the first point of contact; it can help ensure proper compliance with notification laws and tell the insured whom to contact and when to do so. For example, if an IT department initially reports that social security numbers have been compromised, but the investigation later reveals that only email addresses were compromised, acting on the initial report could lead to unnecessary consumer panic, additional threats by bad actors, and even legal liability for the entity.
Even before an attack, an insurer can assist the insured in establishing an incident response plan, evaluating backup options, and training employees on how to spot phishing and spoofing emails, among other services. Some insurers will have a team ready to begin working through the process as soon as a breach is discovered. Though some states require companies to notify police of a data breach, law enforcement may not have the resources to handle such attacks, nor is it necessarily their job to do so. A handful of states have proposed legislation that would prohibit some businesses from paying a ransom for breached data, though no such legislation has yet become law. Sometimes, a business can be added onto a vendor's or provider's policy as an additional insured if there is a written contract in place. Some companies find the cyber insurance application process daunting; if so, an insurance broker can provide assistance. If the business has privacy concerns over some of the questions asked or is concerned with revealing privileged information, a broker may be able to find out if such questions may legally be asked.
Cyber policies come in many shapes and sizes, but they generally fall into two camps: first-party coverages and third-party liability coverages. First-party coverage is for costs incurred by the insured resulting from a breach and offers the broadest coverage for stolen, published, or disseminated data. Coverage examples include security liability (protecting against the unauthorized access to or use of the insured's computer network, internally or externally), privacy liability (protecting the insured when privacy laws are violated), and business interruption loss. The value of the insurance policy is often in the first-party costs, where the insurer can have investigators and teams available to devote themselves to the breach, so the insured can begin restoring backups and continuing business as usual while this is taking place.
Third-party liability insurance covers claims made against the insured by others and may include defense costs and settlements or judgments. Included in third-party coverage are information, security, and privacy coverage (protecting against loss or compromise of sensitive third-party data, like patient medical records or customer finance records), network security coverage (protecting against damage to a third party's network because the insured's network caused a breach in data), and media liability or website media content coverage (protecting against defamation, libel, slander, and misuse of trademark). These policies generally cover expenses related to notification, remediation services (such as providing victims with credit monitoring, identity theft monitoring, restoration of stolen identity, and reporting of damaged credit), regulatory breach expenses, and industry fines.
In November 2021, ISO updated its cyber products and replaced the 2018 forms, providing better coverage and a more streamlined product for small to mid-sized commercial and financial businesses. The newest cyber policy forms from ISO, the Commercial Cyber Insurance Policy (CCI) CY 00 02 and the Information Security Protection Cyber Policy (ISP) CY 00 03, provide significant enhancements over the original cyber forms. Detailed contract analyses of these forms are available here: Cyber Contract Analyses
In addition to the ISO products, there are a number of proprietary cyber products available in the marketplace. These non-standard forms all differ and must be read with a keen eye on coverages, definitions, and notification requirements. Every proposal must be independently evaluated; companies can't assume that all or most cyber policies provide the same coverages or define terms in the same way. It may be best to involve both the broker and legal counsel when seeking to understand policy language and terms. At FC&S, we also analyze proprietary coverage forms for subscribers in the same manner we analyze ISO forms.
Data Breach Notification Statutes by State
With today's technology and the skill of hackers, it is almost inevitable that any business that maintains a database containing individual customer information will be hacked. Ransomware is often used by hackers to gain significant sums of money as many companies will pay the ransom to regain control of data or prevent data from being released on the black market. There is no one-size-fits-all approach to prepare your business to handle a data breach, as evidenced by the disarray of state notification laws. Therefore, you should tailor your response plan to the unique laws of your state and the unique assets of your business.
To find your state's most recent data breach notification laws, see this chart.