By Nick Akerman and Melissa Krasnow.
Melissa Krasnow is a corporate partner in the Minneapolis office of Dorsey & Whitney LLP who also is a Certified Information Privacy Professional and a member of the International Association of Privacy Professionals Publication Advisory Board.
What does a company do if it is faced with a possible or actual breach of customer, employee or shareholder personal data? California enacted the first state data breach notification law in 2003, obligating companies to notify individuals whose personal data had been compromised in a data breach. Since then, 45 more states have followed California’s lead in responding to the national epidemic of identity theft. This article provides an overview of these laws, describes some best practices that have developed in response to them and addresses the calls for a federal data-breach law.
The 46 state laws generally require companies to notify individuals if there is a reasonable basis to believe that there has been a compromise of their personal data. See, e.g., Calif. Civ. Code §1798.82. Some states also necessitate determining whether there is a “risk of harm” from the breach to such individuals. See, e.g., Conn. Gen. Stat. §36a-701b(b). These state laws typically cover such nonpublic personal information as name, together with a social security number, driver’s license number or account, credit or debit card number information that would permit access to an individual’s financial account. A handful of states also cover name plus medical information. See, e.g., Calif. Civ. Code §1798.82(e)-(f). When medical information is involved, companies should also review the federal Health Information Technology for Economic and Clinical Health (HITECH) Act data breach rule, which covers protected health information. 45 CFR Parts 160 and 164, Subpart D. The state laws require that affected individuals be provided with adequate timely notice so they can take steps to protect their personal information and prevent identity theft.
Enforcement of these state laws varies. The California law provides for lawsuits by private individuals who have been injured by virtue of not being notified. Calif. Civ. Code §1798.84(b). A number of states like New York and Minnesota charge the State Attorney General with enforcement. N.Y. Gen. Bus. Law §899-aa6(a); M.S.A. §325E.61. Finally, some state laws provide for fines of varying amounts. N.Y. Gen. Bus. Law §899-aa6(a); Fla. Stat. Ann §817.5681(1)(b).
There is no foolproof way to guard against computer hackers or the theft of an employee laptop. One preventative measure to minimize the risk of a data breach is to establish a data compliance program, which a recent Massachusetts privacy regulation requires. 201 CMR 17.00 et seq. Such a program mandates appointing a security coordinator, establishing security policies, minimizing risks to employees and third parties that have contact with the company’s personal data, training the workforce, regularly auditing the program and enforcing the policies and protocols to data incidents and breaches.
A key component of this proactive approach is encrypting personal data so if it is compromised, it is not automatically exposed and cannot be easily deciphered. The state laws generally do not apply when the personal data involved in a breach are encrypted. Also, the Massachusetts privacy regulation requires all personal data to be encrypted if transmitted via the Internet or wirelessly or stored on laptops or portable devices. 201 CMR 17.04.
A company must stand ready to respond once aware or informed of a possible or actual data incident or breach. There should be a mechanism for reporting a possible or actual data incident or breach, and employees should be sensitized to its importance. Time is of the essence in determining whether a data breach has occurred or is likely to occur, whether notification is required or advisable. If notification is required or advisable, then providing it must also be done quickly. Although a number of states, such as California, provide leeway by requiring that notice be provided in the “most expedient time possible and without unreasonable delay,” other states such as Wisconsin, define a more precise time period. Calif. Civ. Code §1789.82(a); Wis. Stat. §134.98.
Suspicion that a data breach may have occurred and having a “reasonable basis” to believe a data breach actually occurred requiring notification is a distinction with practical consequences. For example, that two Web site customers complain within 24 hours that someone used their credit card information to buy merchandise on other Web sites does not mean that your company’s Web site was necessarily breached. It is suspicious and should cause your company to investigate whether the site was breached or whether it was simply a coincidence having nothing to do with the integrity of the company’s Web site.
For that reason, it is critical your company be investigative-ready before the issue arises. Investigative-ready means selecting in advance a person or firm who will conduct the investigation of a company’s computer network and equipment. That computer investigator should be forensically trained and experienced in testifying in court and have credibility with the government agencies the company may ultimately have to convince that it acted properly and reasonably, particularly if it is determined that there is no factual basis to conclude that a data breach occurred.
State laws generally permit notification to “be delayed if a law enforcement agency determines that the notification will impede a criminal investigation.” See, e.g., Calif. Civ. Code §1798.82(c). Notifying law enforcement of a data breach has three practical effects: It may delay when notification must be made; it is a common element of notifications to state attorney generals, regulators and affected individuals; it sends a message to affected individuals that your company is taking an important step to protect them.
If a data breach is determined to have occurred and it is determined that notification of affected individuals is required or advisable, the different state law requirements for notification must be considered. One notable example is that the Massachusetts law does not permit notification of affected individuals of “the nature of the breach.” Instead, the notification must advise about “the consumer’s right to obtain a police report, how a consumer requests a security freeze and the necessary information to be provided when requesting the security freeze, and any fees required to be paid to any of the consumer reporting agencies.” Mass. Gen. Laws, Ch. 93H, §3(a). For a breach involving medical information that also is determined to be a breach of protected heath information under the HITECH Act, those requirements also must be addressed.
In addition to notifying affected individuals, a company must also notify state attorney generals, state regulators or consumer reporting agencies under some state laws. New York and North Carolina each requires a particular notification to the State AG, and New York also requires a particular notification to the New York Consumer Protection Board and Office of Cyber Security. N.C. Gen. Stat. § 75-65(f); N.Y. Gen. Bus. Law §899-aa8(a). New Jersey requires notification to the state police. N.J. Stat. §56:8-163(12.c.).
Because these notifications are likely to be publicized in the press and via the Internet, they should be drafted accordingly. For example, notifications sent to the New Hampshire Attorney General are automatically posted on the state attorney general’s Web site (http://doj.nh.gov/consumer/breaches.html). Although not required by law, it is common to include an offer in the notifications for free identity-theft services. Public companies should also consider whether disclosure should be made in their filings with the U.S. Securities and Exchange Commission.
Finally, a company’s responsive actions to the data incident or breach should be carefully documented. If asked by any regulator or sued, a company must be able to credibly explain the cause of the incident or breach and the basis for determining whether notification be made. The Massachusetts regulation and best practices also dictate that a company conduct a post-incident review to analyze lessons learned to prevent future incidents and breaches and to make any changes to the company’s practices for protecting personal data, including becoming aware of and responding to a data incident or breach.
There have been calls for data-breach notification to be more uniform and the subject of a federal law. Recently, the U.S. Department of Commerce issued a green paper on privacy recommending consideration of a comprehensive commercial data-breach framework for electronic records that includes notification provisions; encourages companies to implement strict data-security protocols; and allows states to build upon the existing framework in limited ways, tracking the effective protections from state laws. Department of Commerce Internet Policy Task Force, Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework (Dec. 16, 2010). But until a federal data-breach law that pre-empts the state laws is enacted, the state laws must continue to be followed.