Loyola University Chicago School of Law, JD 2017
When a data breach occurs in an organization, determining whether there is a duty to notify can get complicated quickly. In investigating a breach, the specific facts of the incident become extremely important, as not every breach will require notification. The residency of the individuals impacted determines which state laws apply and, inconveniently, each state has its own definition of a legal breach and of when a duty to notify arises. Other factors may further dictate your notification obligations, such as guidelines issued by your industry's regulator and any contracts between your organization and its vendors.
Why are data breach notification laws important?
As technology continues to develop and society becomes more dependent than ever on its luxuries and conveniences, the risk of data and privacy breaches becomes an even greater concern. The pace at which technology has been developing raises the question of whether security practitioners can keep up with protecting the data and private information of individuals and businesses alike. Taken together, WikiLeaks, the breach of the Democratic National Committee, and the most recent Yahoo.com data breach, which compromised over 500 million user accounts and is one of the largest in history, make it clear that attackers are getting smarter about how to gain unauthorized access to data and retrieve it. This is where data breach notification laws become important. But as breaches grow bigger, crossing what seems like an endless number of jurisdictions, it quickly becomes difficult and complex to determine which laws apply and what process one must go through to fulfill legal obligations.
So you had a data breach – now what?
After catching wind of a potential data breach, two questions are important to address:
- What laws apply?
- Do the facts give rise to a legal breach that requires notice?
To answer these questions, the first thing one must do is investigate. It may seem like an obvious first step, but gathering as much information as possible is imperative to determining next steps. Even if you or your organization feels there may not be a breach or a legal obligation, doing nothing is never a good idea. The last thing you want is to find out later that you should have acted, but did not because you assumed you had no obligation. Operating under such assumptions will cause headaches and a lot of extra work after the fact. Keep a written record of what was found and when, including the date the incident was first discovered, because many notification deadlines run from the date of discovery.
Once you have gathered the necessary facts, you can begin answering the first question: what laws apply? To determine this, you must find out where the impacted individuals reside. Who was affected and where they live is not always obvious and can require a lot of digging. Now, say you are involved in a breach affecting a large number of people and crossing many state lines. This is where it gets tricky, and here’s why: as of this writing, all but three states have their own data breach notification laws, and while they share some commonalities, each varies in some way or another. The applicable state law may also have its own definition of what a “legal breach” is and of when you must provide notification.
Nor does it look like the different state laws are going to become any easier to navigate over time. Tennessee recently amended its data breach notification law to require notification of affected individuals regardless of whether the personal information involved in the breach was encrypted. It is the first state to remove the encryption safe harbor from its breach notification law. Usually, if the information accessed was encrypted there is no legal obligation to notify affected individuals, although most statutes condition that safe harbor on the encryption key not also having been compromised, so the investigation should establish whether the keys were exposed.
If you cannot easily determine where each affected individual resides, then it is best simply to assume that all state laws apply. Another word of advice: if an affected individual lives in one of the states without a data breach notification law, treat them the same way as those in states that do have one. As a matter of good principles and public relations, it is never wise for a company or organization to treat some affected individuals differently from others. Weeding your way through the different state laws can get complicated, and fast. And this does not even get into what happens if you have individuals based internationally!
What about federal laws?
Unfortunately, a uniform federal data breach notification law does not exist. Depending on what kind of company you are and what type of information was accessed, different federal laws could apply. The main question to ask in determining which federal requirements you must follow is: “Who is my primary regulator, and what do they say the requirements are?”
HIPAA has a very specific breach notification requirement for covered entities and business associates that applies to breaches compromising protected health information. If a financial institution's customer information is involved, you must look to the Gramm-Leach-Bliley Act, which imposes its own security obligations. If the information involved network devices, such as cell phones, you will also have to look to the FTC for guidance. Fannie Mae has also issued its own guidelines for breaches involving its information.
Other miscellaneous factors to consider:
- Contracts may also contain legal obligations of their own. Vendor contracts will often require you to notify the vendor in the event of a breach, frequently within a set number of hours or days, so check the notice clauses early.
- Insurance policies may have provisions relating to investigations and notice requirements. Insurers generally want to be notified and involved as early as possible, and late notice can put coverage at risk.
- Credit card breach? Each card brand has its own standards relating to data breach notification. Be careful here. If you do not meet those standards and that failure caused the incident, the card brand, typically acting through your acquiring bank, may pursue you for fraud losses as well as fines and penalties.
Will navigating the laws ever get any easier?
A uniform federal data breach notification law would be a welcome addition and might quell the storm of complexity and variation among the different state and federal laws. There have been several attempts at this in recent years. The Personal Data Protection and Breach Accountability Act of 2011, introduced in the Senate in late 2011, aimed to hold companies that store personal data and information accountable in order to deter data breaches. More recently, the Senate introduced the Data Security and Breach Notification Act of 2015, which would preempt state laws and require businesses to implement “reasonable security measures” to protect personal information and to notify consumers when their information may be in the hands of hackers, but only where the breach involves a risk of “identity theft, economic loss or economic harm.” So far, neither bill has passed either chamber of Congress.
As a compliance or security officer, it is imperative to stay abreast of the different laws and guidelines, state and federal (and potentially international), that may apply to a particular incident. Until the U.S. establishes a uniform federal law covering data breach notification, the process will continue to be a tedious one. Given the potential penalties and fines under the different laws, the role of a compliance or privacy officer remains highly important to the health and financial stability of an organization. As always, prevention is key, so proper policies and procedures, including an incident response plan that maps out the applicable notification obligations in advance, should be in place and continually updated to prevent and mitigate the risks that come with privacy and data security.