When data breaches occur, one of the first questions organizations seek to answer is whether any personally identifiable information – or PII for short – was impacted in the breach.

In this article, we give a brief overview of the state and federal laws and regulations that govern PII notice requirements. Those include state privacy laws, HIPAA, and other federal statutes. There are also international data privacy regimes, but for purposes of this article we focus on state and federal U.S. privacy laws that may trigger notice requirements following a breach.

Data Owners vs. Non-Owners

Many privacy laws and regulations in the U.S. impose different requirements on owners versus third party processors of data.

For example, California's CCPA defines "third party" as an entity other than the business that directly collects personal information from consumers, such as those that receive transferred data. Similarly, sector-specific laws also have particular regulations for third parties. For instance, third parties that provide services to covered entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are generally business associates who must provide contractual privacy assurances.

In light of these distinctions, a threshold question following a data breach is whether the targeted organization is the owner of the data, in which case it may have PII notice obligations under applicable laws, or whether the organization is merely holding or processing the data for another data owner. If the organization is not the owner, the applicable statutes likely provide a timeframe by which the organization needs to notify the owner.

If the organization is itself the owner of the data, however, it must carefully evaluate what its notice obligations are to the individuals whose PII was impacted in the data breach.

Some state PII notice laws specify that organizations have as little as 30 days after the breach to notify residents of that state. Other state laws, such as California's, do not specify a number of days but instead require that notice be given as soon as possible and without unreasonable delay.

U.S. PII Laws

State Privacy Laws

To date, there is no all-encompassing federal privacy law that applies to every person or organization. Individual states have therefore passed their own laws and regulations to address personal data usage.

Each state defines PII slightly differently. Often, the definitions require a combination of a person's last name, first initial, and some other data element, which commonly includes financial account numbers, Social Security numbers, or other government-issued ID numbers. Some state definitions may also include an email address combined with a password or, in a small number of states, an electronic signature.

One of the best-known examples of a state privacy law regime is the combination of the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). The CCPA went into effect in 2020, while the CPRA, which has often been described as an amendment to the CCPA, became operative in 2023. These California laws include a private cause of action for data breaches related to PII, and provide statutory damages of $100 - $750 per person.

HIPAA

Health information is one of the major areas involving sensitive personal data. The U.S. Department of Health and Human Services (HHS) produces guidance on HIPAA. HIPAA required national standards for electronic health care transactions and mandated the adoption of Federal privacy protections for individually identifiable health information.

HIPAA's Privacy Rule provides federal protections for personal health information (PHI) held by covered entities. Protected information includes medical records, conversations with providers, electronic insurance data, and billing records. Covered entities, which consist of health plans, health care clearinghouses, and health providers that conduct business electronically, must abide by HIPAA regulations. Business associates or third parties that provide administrative, financial, and record keeping services to covered entities also fall within the HIPAA framework.

HIPAA's Breach Notification Rule requires covered entities to provide notification of a breach of unsecured protected health information to affected individuals, the Secretary of HHS, and, in certain circumstances, the media.

Federal Statutes other than HIPAA

Along with HIPAA, there are numerous federal statutes and agency rules regarding PII. Federal laws regulate the collection, use, processing, and disclosure of PII through various regulations. These rules differ based on the type of information as well as the characteristics of the consumer.

For example:

(i) Under an amendment to the Safeguards Rule under the Gramm-Leach-Bliley Act that was announced in October 2023, the Federal Trade Commission will require non-banking financial institutions to notify the agency as soon as possible, and no later than 30 days after discovery, of a security breach involving the information of at least 500 consumers. The notice to the FTC must include certain information about the event, such as the number of consumers affected or potentially affected.

(ii) The Federal Communications Commission also has a data breach reporting rule that applies to breaches of customer proprietary network information, or CPNI for short.

(iii) Another example, although it is not specific to PII, is an SEC rule adopted in July 2023 that requires publicly traded companies to disclose material cybersecurity incidents within four business days of the company's determination that the cybersecurity incident is material.

When data breaches involve companies in certain regulated industries, such as financial institutions, telecommunications providers, and publicly traded companies, it is important to quickly consult experienced counsel on whether any of these specialized rules apply to the PII review and notification process. This matters because these agency rules often carry their own notification deadlines, which may differ from state PII notice timeframes.

Next Steps

Incident response counsel is a critical resource in this process. Counsel can work with organizations to analyze requirements under applicable laws, and can assist with or coordinate review of any exfiltrated documents for PII, a process which may include AI-driven review to search through documents and flag PII.

Incident response counsel can also help coordinate PII notice mailings to impacted individuals, and coordinate any notifications that may need to be made to state regulators or federal agencies.

It's important to note that class action litigation may follow in the wake of any PII notification process. Incident response counsel and data breach litigation counsel can assist organizations in understanding what to expect if litigation ensues, and in coordinating with cyber insurers.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.