Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.

Data security and breach notification

Security obligations Are there specific security obligations that must be complied with?

Sector-specific laws impose information safeguarding requirements on covered entities in certain industry sectors. For example, the Gramm-Leach-Bliley Act requires financial institutions in the United States to establish appropriate administrative, technical and physical safeguards to ensure the security and confidentiality of their customers' personally identifiable financial information. Similarly, Health Insurance Portability and Accountability Act covered entities and their service providers (known as business associates) must, pursuant to the Health Information Technology for Economic and Clinical Health Act, implement specific administrative, physical and technical safeguards to protect and ensure the confidentiality of protected health information.

Certain states have laws which impose general information security standards on organisations that maintain personal information. For example, California law requires organisations that own or license personal information about California residents to implement and maintain reasonable security procedures to protect the information from unauthorised access, use, disclosure, destruction or modification. Similarly, Massachusetts Standards for the Protection of Personal Information require organisations that hold personal information about Massachusetts residents to maintain a comprehensive, written information security programme to protect that personal information (note that the Massachusetts law applies to both consumer and employee data). At least eight other states have information security laws which require organisations to implement reasonable security measures with respect to certain types of information.

Nevada law requires that businesses encrypt customer personal information if the information is transmitted electronically outside the business’s secure system, other than via fax, and when moving a data storage device containing personal information outside the logical or physical controls of the business. Nevada’s encryption law also requires businesses collecting payment card information in Nevada to comply with the Payment Card Industry Data Security Standard. Minnesota law similarly codifies selected requirements of the Payment Card Industry Data Security Standard, including prohibitions on storing payment card data once a transaction is completed.

Several state laws impose specific information security requirements with respect to certain types of sensitive personal information. For example, Connecticut and New Jersey require data security safeguards and security practices for health insurance information. Over a dozen states (eg, California and New York) also impose safeguarding requirements with respect to social security numbers.

Breach notification Are data owners/processors required to notify individuals in the event of a breach?

Since California’s breach notification law in 2003, 48 US states, the District of Columbia, Guam, Puerto Rico and the US Virgin Islands have enacted data breach notification laws that require affected individuals to be notified in the event of an information security breach. There is no national data breach notification requirement. Organisations which have experienced a data breach must comply with the legal requirements of each state in which affected individuals reside. Minor variations in the state breach laws can create compliance challenges when residents of multiple jurisdictions are affected. For example, certain state breach laws include provisions that limit the notification requirement to include only those breaches that pose a risk of harm to affected individuals, or exempt entities that are subject to federal regulations regarding breach notification. However, other state breach laws require notification in the event of unauthorised access regardless of the likelihood of harm or the applicability of federal regulations. Accordingly, determining whether notification is legally required pursuant to state breach laws requires a fact-specific, state-by-state analysis.

In the event of a data breach, the entity that owns or licenses the data typically bears responsibility for notifying affected individuals. Where a service provider of a data owner experiences an information security breach, the state laws generally impose an obligation on the service provider to notify the data owner on discovering the breach, and the data owner is then required to notify affected individuals.

Additionally, sector-specific laws impose notification obligations on covered entities, including financial institutions and healthcare entities. Pursuant to the Interagency Guidance on Response Programmes for Unauthorised Access to Customer Information and Customer Notice (the interagency guidance) – issued in 2005 by federal banking regulators – a financial institution that becomes aware of an incident involving unauthorised access to or use of “sensitive customer information” must promptly notify its primary federal regulator (as well as appropriate law enforcement authorities if the incident involves federal criminal violations that require immediate attention). The entity also must notify affected customers if misuse of sensitive customer information “has occurred or is reasonably possible”. Regarding healthcare, the Health Information Technology for Economic and Clinical Health Act and the breach notification section of the Final Omnibus Rule require:

Health Insurance Portability and Accountability Act covered entities that experience an information security breach involving unsecured protected health information to notify affected individuals; and business associates of Health Insurance Portability and Accountability Act covered entities to notify the covered entity following discovery of such a breach.

Are data owners/processors required to notify the regulator in the event of a breach?

Over half of the states require organisations to notify the state attorney general or other state agency in the event of a legally cognisable security breach. Some states require notification to state regulators when an entity chooses to rely on the state law’s notification harm threshold as a basis for not notifying affected residents. Additionally, sector-specific laws require regulator notification by covered entities as discussed above. For example, the interagency guidance requires financial institutions to notify their primary federal regulator and law enforcement authorities (where appropriate) in the event of a breach. Similarly, Health Insurance Portability and Accountability Act covered entities must provide notice of data breaches to the Department of Health and Human Services.              

Click here to view the full article.