Click here to see video

Jennings, Strouss & Salmon attorney, Andy J. Chambers responds to the question, “What are a company’s obligations in the event of a data breach?”

It has become common practice for companies to electronically compile and store information regarding its customers. As a result, it have become a daily phenomenon of news headlines involving major data breaches. One of the most notable data breaches involved Target, where over 40 million customers had their credit and debt card information exposed or accessed by hackers. The question is, “what are a company’s obligations in the event of a data breach?”

In Arizona, these obligations are set forth by statute. A company first needs to understand what is considered covered personal information? There are two elements defined in the Arizona statute. The first is a customer’s name. The second element is when a customer’s name is combined with either the customer’s social security number, driver’s license number, or critical financial account information. The next issue to consider is, what constitutes a breach? For purposes of the statute, a breach is any unauthorized acquisition or access of the covered personal information that causes or is likely to cause substantial financial harm to the affected individuals. A company then needs to consider what its obligations are in the event of a breach. There are essentially three requirements. First, the company must have some method in place to detect a data breach. Second, when a company has notice of or reason to believe there may have been a potential data breach, it must conduct a prompt and reasonable investigation to confirm the breach and determine the scope of effected individuals. Last, the statute requires prompt notice to all affected individuals, defining prompt as being in the most expedient manner possible without unreasonable delay.

Here are additional points to consider:

  • The Arizona data breach statute does not apply to personal information that’s stored in an encrypted or sufficiently redacted format. So, if the company is encrypting its data or redacting it in an appropriate manner, it is not going to be subject to the notification requirements
  • If a company conducts business in a specialized industry, such as financial services, education, or healthcare, undoubtedly it is going to be subject to additional federal requirements in the event of a data breach
  • A company can mitigate the risks of a data breach in advance by purchasing specialized cyber insurance, which will respond to and cover costs associated with breach response
  • Failure to comply with breach response requirements can result in substantial civil liability. A notable case involved a series of related class actions against a significant educational institution here in Arizona based on failure to comply with the statutory breach response requirements
  • In the event of a data breach, it is critical that a company consult with both experienced cybersecurity legal counsel and vendors to assist in the breach response, as well as legal compliance