Data breaches are a source of major concern for companies across all industries, and for good reason: a data breach can have crippling effects on an organization. Companies that find themselves in the unfortunate position of being the subject of a data breach must have a plan to quickly and efficiently respond to the breach in order to comply with their legal obligations and minimize financial and reputational harm.
Containing the data breach
Most data breaches are caused by cyberattacks involving malware or ransomware, but they can also occur through less sophisticated means such as theft of a physical hard drive, insider leaks, or a simple accident. The first step of an effective data breach response is to engage a digital forensic investigator to contain the attack immediately and to identify the scope and type of information that the threat actor may have accessed. Once the universe of compromised or potentially compromised information is known, the company must determine which state or states’ data breach notification laws apply and review the requirements of each applicable jurisdiction to determine its obligations.
State data breach notification laws
Currently, there is no general federal data breach notification statute,[1] but all fifty states have data breach notification laws that require companies to notify individuals when specific types of information have been compromised in a data breach. Generally, these laws require companies to provide notice of a breach to residents whose unencrypted and unredacted “personal information” was or is reasonably believed to have been accessed and acquired by an unauthorized person.
In Pennsylvania, “personal information” is defined to include the first name or first initial and last name in combination with one of the following data elements: social security number, driver’s license/state ID number, or credit card/debit card/financial account number.[2] In other states, personal information may also include unique biometric data, medical information, tax ID numbers, digital signatures, or a username or email address in combination with a password or security question and answer that would permit access to an individual’s financial account.[3] All states agree that personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
In addition to requiring notice to affected residents, state data breach notification laws may impose obligations to provide notice to consumer reporting agencies and state regulators, often depending on the number of residents affected by the breach in a given state.
State data breach notification laws also dictate when notification must occur. Some states require notification “without unreasonable delay” after the scope of the breach has been determined.[4] Other states, however, require notification within a definite period of time, usually 30 to 90 days after the discovery of the breach.[5] Regardless of the time required for notification, a company that learns it has suffered a data breach must work quickly to identify the universe of individuals whose personal information has been compromised so that notices can be prepared and distributed without delay. Failure to timely report a data breach could expose the company to enforcement actions or penalties by government regulators.
Providing notice
State data breach notification laws typically place the onus on the owner of the data to notify affected persons when personal information has been compromised. For situations in which a vendor stores a database of personal information for a client, under most states’ laws, the vendor’s only obligation is to notify its client about the breach. The burden then falls on the client to notify the affected individuals.
Notice is typically provided via written correspondence, although many states also permit telephonic notice or electronic notice in certain circumstances. While some states provide little to no guidance on what the notice should include, other states set forth a list of items that the notice should address, such as a description of the breach incident, the date or estimated date(s) during which the breach occurred, the type of information subject to unauthorized access, contact information for the major credit reporting agencies, and information for registering for credit monitoring or identity theft prevention services, if offered.[6]
A company that has been the target of a cyberattack is not obligated under state data notification laws to provide notice when no personal information has been compromised. Nevertheless, it is imperative that companies are aware of other legal obligations that may require notification of a breach. For example, if a cybercriminal accesses or attempts to access a company’s confidential business information, the company may have contractual obligations to notify business partners about the scope and extent of the data breach. Oftentimes, contractual data notification provisions are more stringent than state law requirements and include very short timeframes for providing notice of a breach. Additionally, a company’s cybersecurity insurer may have strict reporting obligations with which the company will need to comply to ensure coverage.
Best practices and limiting liability
While it is impossible to guarantee that a data breach will not occur, companies can take steps to improve their data security and make themselves less desirable targets for cybercriminals. Best practices include: mapping the storage of sensitive data, limiting access to sensitive data, purging personal information when it is no longer needed, requiring complex passwords and multi-factor authentication to access networks, using industry-tested security methods such as encryption, regularly monitoring networks for suspicious activity, and verifying that third-party service providers have implemented reasonable security measures. Maintaining strong data security practices and developing a data breach response plan that recognizes the company’s data breach notification requirements will reduce the risk of a cyberattack and help minimize liability in a potential regulatory action or lawsuit.
[1] There are industry-specific federal privacy laws that contain their own notification provisions. For example, the HIPAA Breach Notification Rule requires HIPAA-covered entities to alert patients in the event of a breach of certain protected health information. See HIPAA Breach Notification Rule, 45 C.F.R. §§ 164.400-414. Additionally, financial institutions must comply with the notification requirements prescribed by the Federal Interagency Guidance interpreting Section 501(b) of the Gramm-Leach-Bliley Act.
[2] See 73 Pa. Stat. § 2302.
[3] See, e.g., N.Y. Gen. Bus. Law § 899-aa; N.J. Stat. § 56:8-161; Cal. Civ. Code § 1798.29; N.C. Gen. Stat. § 75-61.
[4] See, e.g., 73 Pa. Stat. § 2303; Mass. Gen. Laws ch. 93H, § 3; Idaho Code § 28-51-105.
[5] See, e.g., Fla. Stat. § 501.171; Ohio Rev. Code § 1349.19; Del. Code Ann. tit. 6, § 12B-102; Conn. Gen. Stat. § 36a-701b.
[6] See, e.g., Cal. Civ. Code § 1798.29; N.Y. Gen. Bus. Law § 899-aa; 815 Ill. Comp. Stat. 530/10.