The current draft of the proposed revisions to the EU Data Protection Directive would import into the law of EU member states an obligation to notify data subjects in the event of a security breach in which personally identifiable information is compromised. Based on current estimates of the timeline for adoption of the new legislation, those laws are unlikely to come into force until late 2014 or 2015. Many European companies may be unaware that such an obligation already exists under the laws of several states in the US.
The US does not have comprehensive data protection legislation that covers all businesses and all citizens; instead, there is a patchwork of data protection laws that provide protections similar to those found in the EU for certain industries (e.g. financial services) and certain types of data (e.g. health care related). A number of states, however, have enacted security breach legislation that imposes a notification obligation similar to the one currently being proposed by the EU. The legislation varies widely from state to state, both in the type of information that must be involved in a breach to trigger a notification obligation and in the form of notification required. For example, the legislation in Virginia relates only to medical data or to data collected by a financial institution.
One of the first states to enact such legislation was California, and the terms of that legislation should be of interest to foreign companies doing business in the United States. A person or company that conducts business in California and holds information about California residents must notify those residents if there is a security breach in which a data subject's personal information is compromised, or is reasonably likely to have been compromised. Foreign business owners should note that a company need not have a place of business in California to be subject to the statute. Moreover, notification to California residents would still be required even if the breach of security occurred entirely in the United Kingdom. The notification to data subjects required by California law must be made as expeditiously as possible. Because the legislation adopted by each state differs, businesses should analyze the requirements of every state in which they do business so that they are ready to respond if a breach occurs.
Businesses should also check with their insurance providers, as several insurance companies now offer cyber liability policies. Even in the absence of such a policy, a business may be covered by its traditional commercial liability policy. That was the outcome in the recent case Retail Ventures, Inc. v. National Union Fire Insurance Co., in which the policyholder successfully recovered more than $4 million in costs incurred in handling the fallout from a security breach that affected the data of more than one million of its customers, including the cost of responding to the government investigations that followed.