Data security and breach notification

Security obligations
Are there specific security obligations that must be complied with?

Several sector-specific privacy and data protection laws provide for information security obligations. Almost all US states enforce broad data security and data breach notification laws that apply to sensitive personal data. About two-thirds of the states have legislation that requires companies to implement reasonable information security measures, at least in the context of data disposal. Data security laws also generally require companies holding certain personal information about state residents to:

  • implement and maintain reasonable security procedures and practices in order to protect information from unauthorised access, destruction, use, modification or disclosure;
  • take reasonable steps to destroy personal information that is no longer to be retained or to make it otherwise unreadable or undecipherable; and
  • contractually require third parties to which the company discloses personal information to maintain reasonable security procedures (see, for example, Cal Civ Code § 1798.81.5 (2007); Md Code Ann, Com Law § 14-3503).

Some states impose more rigorous information security requirements. For instance, Massachusetts requires entities to develop and implement a written comprehensive information security programme (see 201 Mass Code Regs § 17.02). The regulation requires employee training, adoption of encryption standards and regular monitoring and establishes requirements for securing computer systems (id §§ 17.03–17.04). These requirements are passed through to third-party vendors engaging in business with entities subject to the regulation (id § 17.03(2)(f)). These requirements include:

  • taking reasonable steps to select and retain third-party service providers capable of maintaining appropriate security measures; and
  • requiring, by contract, that the third-party service providers implement and maintain appropriate security measures for any personal information or data.

Breach notification
Are data owners/processors required to notify individuals in the event of a breach?

Data breach notification laws in 47 states require corporate and government entities to take particular actions in the event of a data security breach or suspected breach (see, for example, 815 Ill Comp Stat 530/5, 530/10; NY Gen Bus Law § 899-AA; Tenn Code Ann § 47-18-2107; Tex Bus and Com Code § 521.053). Once the notification threshold has been met, which varies by state, entities must notify state residents whose personal information has been affected by the breach. Some states require notification of any unauthorised access to or acquisition of covered personal data, although most require such notification only when there is a risk of harm, such as identity theft. As a rule, notification must be provided by the entity that owns the data, which is generally the entity that collected the data from the data subject. The breach laws generally require service providers (or data processors) that merely process data on another entity's behalf to provide notice to the data owner, and the data owner then fulfils the notification obligations under state law. As state data breach notification laws apply based on the state of residence of the affected data subject, it is not unusual for a single data breach to implicate multiple, and varying, state data breach notification standards and requirements.

Are data owners/processors required to notify the regulator in the event of a breach?

Notice to law enforcement, consumer reporting agencies, and the state attorney general or other regulators may also be required where the state data breach notification law has been triggered. A small minority of states, including Florida, also require notification to a regulator even where the entity has determined, following a risk-of-harm analysis, that the incident did not exceed the threshold requiring notification to the data subjects.