Your organization maintains certain information about its own and other organizations’ personnel, such as names, addresses and employment histories. If that data were breached by an unauthorized entity, the individuals whose information was compromised could be vulnerable to identity theft, and the organization’s reputation for reliability could be damaged.
State data breach notification statutes specify when and how breaches must be disclosed. They are written to protect against identity theft but without exposing organizations to excessive reputational risk. For example, some states permit organizations to forgo disclosure of a leak if the personal information was in an encrypted form when breached.
State laws vary, and, because of their extraterritorial application, many different statutes can apply to a single breach, no matter where the organization is located. To determine whether and what disclosure will be required, an organization must examine the laws of every state where individuals reside whose information is included in a breached database. If any individual has to be notified under the law of his or her home state, the organization may consider notifying all affected individuals regardless of the state requirements applicable to them.
Background and Reach of Notification Laws
Most organizations, including nonprofit corporations, are governed by state laws dealing with data security breaches. Financial institutions, insurers and health care providers are also subject to federal privacy and data security laws. Over the last decade, nearly every state has enacted a breach notification law to help protect its residents’ sensitive personal information, without regard to the organization’s location or the state of its creation, or where such information is maintained.
Although there are many variations among states’ notification requirements, most statutes share some general features. For instance:
• The laws generally provide that a security breach occurs when there is unauthorized access to, or receipt of, certain identifying information maintained by an organization.
• The information that is compromised must be sensitive enough to be protected by the notification laws. For example, under most statutes, a simple list of names, addresses and phone numbers would not trigger a notification requirement.
• An organization’s relationship to the breached data (owner or licensee versus custodian) typically determines whom it must notify and how quickly. If the organization owns or licenses the data, it is generally required to notify the individuals whose information was compromised “as quickly as possible” or “without unreasonable delay.” If the organization merely maintains data owned or licensed by another party, the laws generally provide that it must notify the owner (but not the individuals whose information was included), and must do so “immediately.”
• The statutes commonly increase notice requirements (e.g., alerting the media and posting on the organization’s website) if the breach involves more than a predetermined number of individuals.
• The penalties for violating a notification requirement usually include (a) civil fines imposed per resident whom the organization fails to notify, and (b) private actions for damages by individuals injured by the organization’s failure to give a required notice.
• The laws generally apply extraterritorially, so an organization may be subject to proceedings and fines by states with which its only connection is that one of its databases includes information about residents.
Must the Organization Notify Anyone?
Disclosure of a breach in data security poses a risk to the reputation of an organization, so it may prefer to disclose the breach only if and to the extent such notification is required. An organization should be attentive to the following areas in which variations among statutes commonly appear.
Personal Information. Notification is not required unless the information included in the breached database is protected under applicable state law. Protected information is typically referred to as “personal information” and generally defined as including an individual’s name linked to an identifying number, such as (a) Social Security number, (b) driver’s license or state personal identification number, or (c) a financial account or credit or debit card number combined with its access code or password. Other states may protect certain sensitive identifying information, such as Social Security number, whether or not it is linked to a name.
Electronic Data. Some notification laws apply only to computerized data, while others also require notification if paper records are breached.
Encryption. Some states, such as California and Texas, require notification only when the protected personal information is in an unencrypted form when breached. Others, including Michigan and Illinois, mandate disclosure even if the data was encrypted. An organization that intends to rely on an encryption exception should be prepared to show that the affected records were in fact encrypted at the time of the breach, and that the data would not be readable by the party that obtained it; the burden of making that showing falls on the organization.
Risk-Based Disclosure. A few states, including Michigan, do not require disclosure if the organization determines that the breach has not resulted or is not likely to result in identity theft or other substantial loss or injury to individuals whose information has been compromised. In practice, an organization should think twice before exercising such discretion, because the reasonableness of a decision not to notify individuals may be difficult to prove in hindsight, particularly if any individuals are actually injured by the breach.
To Disclose or Not to Disclose
Although an organization may want to minimize reputational risk by limiting notification to no more than what is required by law, notifying some affected individuals and not others could damage the organization’s image more than would widespread disclosure. Disclosure to only those individuals whose states of residence require disclosure could appear dishonest and unsympathetic; by contrast, disclosure to those who are not technically entitled to notification would reflect the organization’s general concern for the safety of sensitive personal information.
On Track Toward Preemption
The good news is that the tangle of multiple and varying notification requirements might be cleaned up soon. H.R. 2221, the proposed Data Accountability and Trust Act that would federalize notification requirements, is currently under consideration before the House Energy and Commerce Committee. Similar bills have been considered before and died, and disagreements over which variations to enact (as to encryption, timing, etc.) could doom H.R. 2221. Dykema’s government relations professionals in Washington, D.C., are monitoring the course of this legislation, and you can contact the authors below or any Dykema attorney for current information.
To preserve an organization’s relationships with its personnel and contacts, management should work to maximize the protection of sensitive information. However, if despite such protection a data breach occurs, the organization should immediately identify the states where affected individuals reside and conduct a review of each state’s notification law to determine for whom, when and in what form disclosure is required. The organization must then consider the policy question of whether to make minimal required disclosure or to disclose the breach to all individuals whose information was included in the compromised database.