With the California Consumer Privacy Act (“CCPA”) taking effect on January 1, 2020, California became the first state to permit residents whose personal information is exposed in a data breach to seek statutory damages of $100-$750 per incident, even in the absence of any actual harm. The class actions that follow are not likely to be limited to California residents; they will also include non-California residents pursuing claims under common law theories. At Red Sky Alliance, we do not provide legal advice; we want to help you avoid cyber threats and data breaches. Legal questions should be addressed with your attorney. As California goes, most times so does the rest of the US.
A successful defense will depend on the ability of the breached business to establish that it implemented and maintained reasonable security procedures and practices appropriate to the nature of the personal information held. The more prepared a business is to respond to a breach, the better prepared it will be to defend a breach lawsuit. To help our clients prepare for the CCPA, Red Sky Alliance recommends its RedXray service, which reports daily on the cyber threats facing a business. Using RedXray will aid your organization's cyber defense if a breach occurs. RedXray delivers a daily cyber threat report on threats facing your organization, not threats against every company in the world. The RedXray support team can help you mitigate these threats before they become breaches.
Although the US Congress has attempted to agree on federal data breach legislation, as of today, there is no national data breach notification law that applies to most companies. There are federal statutes that apply to financial institutions, common carriers, health care providers, educational institutions, and vendors of health records. If your organization falls within one of the aforementioned categories, be sure to understand the requirements of the relevant federal law and any additional requirements imposed by state law, as state law may apply in addition to federal statutes.
While federal data breach notification law is limited in scope, state data breach laws apply whenever a data breach involves records of that state’s residents. All 50 states, plus the District of Columbia, Puerto Rico, Guam, and the Virgin Islands, have each enacted their own statutes addressing an organization’s notification obligations in the wake of a data breach involving certain types of personally identifiable information.
The following section first summarizes key information about the federal data breach laws. It then explains pertinent state data breach law provisions and highlights important areas in which the state laws diverge. In the event of a breach involving records of consumers who live in multiple states, the laws of those states should be reviewed to ensure that the organization is complying with notification requirements.
Are there any federal laws that apply to your organization?
While there is currently no national data breach notification law, there may be other federal laws that apply to the organization. Federal law most notably implicates organizations in the health care industry, financial institutions, and common carriers.
HIPAA requires health care providers, health plans, health care clearinghouses and certain “business associates” to protect covered health information. Covered entities that fall within HIPAA’s scope must notify each impacted individual within 60 days after discovering a breach. Notification under HIPAA must be written unless consent for alternative notification has been given. The written notice must include a description of the incident, the type of health information accessed, protective steps impacted individuals should take, any mitigation the organization is undertaking, and contact information for those individuals who wish to learn more.
The Gramm-Leach-Bliley Act (“GLBA”) regulates financial institutions’ use of consumer nonpublic personal information. In the event of a data breach, if it is found reasonably possible that misuse of compromised personal data will occur, the financial institution should notify its customers.
These federal laws do not supersede state law. This means that organizations subject to federal law must also consider the often more stringent state laws at play, although many state laws provide that notification in compliance with HIPAA or the GLBA constitutes proper notice under the state law.
Do the state laws apply to your organization?
Generally, if your organization maintains or transmits Personally Identifiable Information (“PII”) belonging to citizens of a particular state, you should consult the data breach notification law of that state in the event of a breach. Some states maintain that “any entity” is subject to the data breach notification law, while other states limit applicability only to those entities that “conduct business in the state.” Most of the statutes place the onus on the “owner or licensor” to ensure that affected consumers are notified; however, some states (e.g., Rhode Island and Wisconsin) place that obligation on organizations that simply “maintain” consumer information. As discussed below, even if the breached organization does not own or license the consumer information, most state laws will require that the organization timely notify the data owner(s) of the breach so that they may fulfill their notification obligations.
The notification laws typically apply only to consumers who are residents of the state in question. However, Hawaii, New Hampshire, and North Carolina’s statutes do not contain this limitation and apply instead to “affected persons,” while Texas’ statute specifically applies to Texas residents and residents of other states.
The statutes generally require notification in the event of breaches involving the following information: the consumer’s name in combination with their Social Security number, driver’s license number, or account number and access code. Some states go even further and require notification in the event other types of information are accessed or acquired. For example, many states (e.g., Arkansas, Nebraska, Washington and Wisconsin) require notification if biometric data is breached. North Dakota requires notification if the consumer’s date of birth or mother’s maiden name is exposed, since this data is often used for password recovery or identity verification on online accounts.
Several states require notification if certain medical or health information is at issue. Alabama, Arizona, Delaware, Maryland, North Carolina, Montana, and Wyoming have expanded their definitions to include taxpayer identification numbers. Washington recently added student ID number and private key (used for online signatures) to its list of protected information. Some states require notification if military ID and passport numbers are impacted.
Increasingly, states have added the requirement for notification in the event of a breach involving a username or email address in combination with a password or security question and answer that would permit access to an online account. The rationale is that many people use the same username and password across multiple online accounts. Having those credentials stolen in one breach could expose individuals to the risk of having other accounts hacked. Some states, like California and Arizona, permit notification to be electronic for such breaches only.
The state statutes provide that a breach of personal information that is publicly available does not give rise to a notification requirement. Similarly, the breach of personal information that is encrypted generally does not give rise to notification obligations because data is assumed to be sufficiently protected from disclosure if accessed in its encrypted form.
Because not every breach of personal information is likely to lead to a risk of harm to the affected person, many states have included a materiality threshold that limits the notification requirement to cases where the breach “compromises confidentiality, integrity, or security.” A handful of states do not contain any such limitation, however, and appear to require notification in the event of any breach, regardless of the risk of harm flowing from the breach.
What can you do to better protect the PII that your organization collects and stores?
- All data in transmission and at rest should be encrypted.
- Proper data backup and off-site storage policies should be adopted and followed.
- Institute cyber threat training for all employees.
- Review and update your cyber threat and information security policies and procedures.
- Enroll your company/organization in RedXray for daily notifications of cyber threats directed at your domains.
- Purchase annual cyber insurance coverage from Red Sky Alliance provided by Chubb Insurance.
Red Sky Alliance is in New Boston, NH USA and is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, or a RedXray-Plus demo, please contact the office directly at 888-RED-XRAY or (888)-733-9729, or email firstname.lastname@example.org