Has your business considered what obligations you would have to notify people in the event of a cyber-attack that compromises some or all of your IT systems? Have you cataloged all the data you collect and where it is stored so that you can determine whose information is impacted by a breach? If not, you are certainly not alone. With the continuing increase in cyber-attacks and particularly ransomware, combined with laws that are imposing shorter and shorter notice deadlines, it is important for all businesses to understand the scope of their potential notification obligations in the event they fall victim to an attack.
Breach notification requirements obligate organizations that are collecting, storing, processing, or otherwise in possession of personally identifiable information to notify the individuals if the information is compromised in a security breach. In addition to notifying the identified individuals, many states require that the Attorneys General offices and the Credit Reporting Agencies be notified, depending on how many identified individuals in the state received notices. If you are missing contact information for some of the identifiable individuals, if the number of identified individuals is particularly high, or if the cost of the required notifications is excessive, you may have the option to, or be required to, provide substitute notice in lieu of or in addition to individual notices. In most cases, substitute notice requires notification to be placed prominently on your website as well as distributed through the media, in print, on television, and/or by radio.
In the United States, certain Federal Laws govern obligations to report data breaches in particular industries, including:
Beyond the federal laws, all 50 states have data breach reporting laws, and they all have different requirements for determining whether a breach has occurred and for the notices that are required. For data breach reporting statutes, most businesses have to comply with the law of a given state if they have a breach that compromises the personal information of a resident of that state. This means that businesses must consider the scope of the data they collect and store in order to determine whether they are likely to have obligations to report under the laws of a given state.
If your business has information on an individual residing in a given state, two key questions in assessing reporting requirements are the nature of the data involved and whether or not the incident meets the definition of a reportable breach.
Even though the definition of personally identifiable information differs from state to state, and the states use different terminology to define the data that triggers reporting obligations, personally identifiable information in general is information that does, or can be used to, identify, locate or contact an individual, alone or when combined with other personal or identifying information and is usually information known to create a significant risk of identity theft, fraud or other harm if compromised. When considering the differing definitions in the U.S. you can usually expect personally identifiable information that triggers a breach reporting requirement to include a person's first name or first initial and last name, together with one or more of the following:
Identification Numbers such as a –
Account Numbers such as a –
Personal Characteristics / Biometrics, including
Medical information or medical history
In many states, even if the data constitutes personal information triggering reporting requirements, there are exceptions to the reporting requirements if the data is already publicly available or when it is encrypted or de-identified, but not all states address those exclusions so clearly.
When determining your obligations to comply with a particular data breach notification law, a key requirement is to determine whether the information involved qualifies as personal information, personal data, or other protected form of data or information under the relevant state's data breach reporting law.
When assessing breach reporting obligations, you also must determine if the incident qualifies as a "security breach" or "data breach" under the relevant statute. In some states, a breach occurs when the personally identifiable information has been accessed and acquired by an unauthorized person, but in other states, it is enough if the personally identifiable information is accessed by an unauthorized person. Some states allow exceptions to the notification requirements if you can document that there is low risk of harm to the identified individuals based on the circumstances of the breach. To rely on this type of exception to the notice requirement, the decision should be well documented, and the documentation must be maintained as specified in the statute. In addition, some states require that the Office of the Attorney General be notified of your determination to rely on this exception.
When considering breach notification obligations, organizations should consider not only the individuals who are their customers or patients but also the individuals who work for them. In addition, if the nature of your business includes collecting information about individuals other than your customers, vendors, or employees, you may have reporting obligations to those other individuals as well. Knowing and documenting what information the organization holds about which individuals, why you hold that information, and where that information is stored, can go a long way toward facilitating breach notification obligations should the situation arise.
A complete discussion of the notification requirements is beyond the scope of this article, but there are some key points to remember. The content requirements for the notices also vary by state, as do the requirements for how notices must be delivered. Do not just assume you can send the same notice to all individuals. Also be aware of the timing requirements for each state, which are usually measured from the time you had knowledge of the breach. While many of the states identify their timing requirements to be "without undue delay" be aware that many Attorneys General still evaluate the process undertaken by the organization to determine if notice was provided promptly. In some states that are penalties for providing late notice.
Some states exempt certain businesses from compliance with the state's privacy law. Again these exemptions vary by state, but some of the typical categories are:
Despite these exemptions, it is important to carefully consider the terms of the exemption. For example, if state law requires more protection for Protected Health Information than HIPAA does, HIPAA requires compliance with the state requirement. In that case, complying with HIPAA might exempt you from complying with the state statute, but then HIPAA on its terms would require you to comply with certain portions of the state statute. Consistent with the theme of privacy laws in the United States, sorting through the conflicting obligations requires careful analysis of the requirements.
Just as the requirements of the various state statutes differ, the methods of enforcing these statutes and the penalties that can be assessed differ by state as well. Most states authorize their Attorney General to enforce the statutes, but some states also have options for private causes of action seeking damages for failure to properly protect information or failure to properly notify individuals under the breach notification requirements.
The remedies available for failure to comply with data breach notification laws include injunctions to prevent further violations, monetary penalties, and reasonable costs. The range of the monetary penalties varies significantly, and while some states include caps for the total penalties that can be assessed either per consumer or per incident, other penalties can reach well into six figures particularly when the violations impact 10,000 or more residents.
Beyond the injunctive or monetary penalties, organizations should also consider the negative publicity that accompanies failure to protect the personally identifiable information of its employees, customers, or other parties. Such a determination can cause consumers to lose confidence in the organization and cause other organizations or individuals to seek greater contractual assurances that the organization will comply with the privacy laws. In addition, if you are seeking insurance coverage for future incidents, you may find that it is harder or at least more expensive to obtain such coverage. Litigation risks in states with a private cause of action also open the door for class action lawsuits or other claims for damages arising as a result of the breach.
While data breach reporting requirements vary by state, knowing which state laws apply to your business and identifying common requirements and standards across those states can help streamline your breach reporting requirements in the event of a breach. Maintaining a solid understanding of the data you collect, store, process, and ultimately dispose of makes it easier to assess reporting requirements resulting from any particular breach and can go a long way to reducing the costs associated with a data security incident.