Guide to Data Breach Preparedness and Response

Date: Sep 09, 2011


The world of information technology has vastly expanded over the past few decades. Consumers can now shop online, pay bills, check bank accounts, and update information all with the click of a button. Information can be aggregated from different sources. Businesses manage global HR systems, from hiring through the administration of retirement and pension benefits, online. These consumers entrust personal information to many different types of businesses on a daily basis and expect companies to safeguard their information during collection, retention, and disposal.

Despite growing awareness of the need for strong data security, however, data breaches continue to occur at an alarming rate. According to the Identity Theft Resource Center ("ITRC"), in 2010 there were 662 reported data breaches, affecting over 16 million records.[1] Major data breaches in 2011 at companies like Sony, Epsilon, and Wellpoint have triggered multi-million-dollar class action lawsuits alleging a failure to safeguard personal information and/or a delay in the notification of the breach. The Sony PlayStation data breaches alone compromised personal information of more than 100 million individuals and resulted in more than 50 class action lawsuits and potential actions by state attorneys general. Sony has estimated that the breaches will cost the company $170 million by the end of fiscal year 2011.

With the growing sophistication of hackers, the number of data breaches is on the rise. In turn, lawsuits are being filed at an unprecedented rate, making it more important than ever for companies to be prepared for a data breach. This guide provides a brief overview of the laws governing data breach notification to help companies improve data breach preparedness and response and minimize the risk of liability in the aftermath of a data breach.

Data Breach Notification Laws

Forty-six states and the District of Columbia have enacted legislation requiring notification of security breaches involving personal information. Only Alabama, Kentucky, New Mexico, and South Dakota do not have data breach laws.[2] While adoption of a preemptive, federal standard has been a goal of many key businesses, and a variety of bills have been introduced, at present the matter is left to state law, creating complexities in terms of breach notifications due to differences in the applicable legal requirements.

When a data breach occurs, a company must notify every individual whose personal information was breached. Notification of a breach is governed by the laws in the state where the individual whose data was breached resides. This means that multiple state laws could apply to the same breach, depending on where affected individuals reside. States have differing thresholds for triggering a company's breach notification obligation, but most state laws contain five main components:

Definition of Personal Information: The type of personal information breached is key to determining notification requirements. In all states with data breach notification laws (except D.C.), personal information includes first name/initial and last name plus another personal identifying element, such as a social security number, driver's license number, state identification number, or an account number, credit or debit card number combined with any PIN, password or access code. Some states have expanded the definition to include additional personal information, such as medical and health insurance information, employer taxpayer identification number, or biometric data. In all states, except the District of Columbia and Oregon, the notification obligation is triggered when personal information is unencrypted (Oregon law does not specify the form). In addition, all state laws except Oregon apply to computerized information, although a handful of states require notification if personal information contained in any form (electronic, paper, etc.) is compromised.

Timing of Notification: States generally require notice to be given in the most expedient time possible and without undue delay. Some states set time limits for notifying consumers of a breach. For example, Florida, Ohio, and Wisconsin require notification no later than 45 days after discovery of the breach, while California guidance states that notification should be provided within 10 days. Most state laws allow notification to be delayed to protect a criminal investigation.

Form of Notice: Affected individuals should generally be notified using one of three methods: written notice, electronic notice (with the customer's consent), or telephonic notice. In certain cases, companies may give substitute notice in lieu of providing notice to each individual by providing all of the following: (1) e-mail notice to each affected consumer (if an e-mail address is available), (2) notice to major statewide media, and (3) posting of the notice in a conspicuous place on the agency's or company's website. Substitute notice is typically allowed only if the cost of providing notice to each affected consumer would exceed a certain dollar amount or the breach would involve a certain number of affected individuals, each threshold being determined on a state-by-state basis.

Content of Notice: Seventeen states require certain information to be disclosed in notices to consumers. These states generally require that notices to individuals include: (a) a description of the data breach, (b) approximate date of the breach of security, (c) type of personal information disclosed, (d) contact information for the business making the notification, including address and toll-free number, where a consumer may call for further information and assistance, and (e) contact information for consumer reporting agencies. These requirements, however, can vary between states, with some requiring more (or less) information than others. For example, Massachusetts requires notices to include: (1) the consumer's right to obtain a police report, (2) how a consumer requests a security freeze and the necessary information to be provided when requesting the security freeze, and (3) any fees required to be paid to any consumer reporting agency; provided, however, that the notification must not include the nature of the breach or the number of residents affected by the breach. This means that state-specific notices may be required.

Notification to Third Parties: Certain states also require notice to be provided to state agencies and/or credit reporting agencies. Thirteen states currently require notice to agencies, such as the state's Attorney General, Office of Consumer Protection, or the state police.[3] Some states always require notification to state agencies, while others set thresholds for notification based on the number of consumers required to be given notice. Over half of the states also require notice to be provided to the three major credit reporting agencies, if certain notice thresholds are met.

While there are many similarities in state data breach notification laws, the differences add administrative complexity and cost to the breach response process. Moreover, companies need to consider whether notifications are needed where violations of privacy or security policies or promises occur, irrespective of data breach notification laws. The significant increase in privacy and security lawsuits illustrates the need for companies to adopt strategic defensive approaches to safeguarding personal information by carefully managing the information collected, adopting security procedures appropriate for the sensitivity of the data collected, deleting and de-identifying outdated data, and understanding the steps to be taken following a data breach.

For more information on privacy and data security issues, please contact
Sheila Millar (+1 202.434.4143, millar@khlaw.com) or
Tracy Marshall (+1 202.434.4234, marshall@khlaw.com).

[2] Texas recently amended its data breach notification law to require companies to not only notify consumers in Texas, but to also notify residents of states that have not enacted their own law requiring such notification, i.e., Alabama, Kentucky, New Mexico, and South Dakota. While the legal authority of the state to impose an extra-territorial reporting requirement is questionable, the amendments will take effect September 1, 2012.

[3] Effective January 1, 2012, California will also require notice to be provided to the state Attorney General, if notice is given to more than 500 state residents.