Data breaches are a source of major concern for companies across all industries, and for good reason: a data breach can have crippling effects on an organization. Companies that find themselves in the unfortunate position of being the subject of a data breach must have a plan to quickly and efficiently respond to the breach in order to comply with their legal obligations and minimize financial and reputational harm.
Containing the data breach
Most data breaches are the result of cyberattacks involving malware or ransomware, but they can also occur through less sophisticated means such as theft of a physical hard drive, an insider leak, or a simple accident. The first step of an effective data breach response is to engage a digital forensic investigator to contain the attack immediately, preserve the evidence needed to reconstruct it, and identify the scope and type of information the threat actor may have accessed or acquired. Once the universe of compromised or potentially compromised information is known, the company must determine which state or states' data breach notification laws apply (generally driven by the state of residence of each affected individual) and review the requirements of each applicable jurisdiction to determine its obligations.
State data breach notification laws
Currently, there is no general federal data breach notification statute,1 but all fifty states have data breach notification laws that require companies to notify individuals when specific types of information have been compromised in a data breach. Generally, these laws require companies to provide notice of a breach to residents whose unencrypted and unredacted "personal information" was or is reasonably believed to have been accessed and acquired by an unauthorized person. Encryption therefore matters to the notification analysis, not only to security: several states withdraw the exemption for encrypted data when the encryption key or credential needed to read it was also compromised, so a company relying on encryption should confirm that the keys were not within the attacker's reach.
In Pennsylvania, "personal information" is defined to include the first name or first initial and last name in combination with one of the following data elements: social security number; driver's license or state ID number; or credit card, debit card, or financial account number.2 In other states, personal information may also include unique biometric data, medical information, tax ID numbers, digital signatures, or a username or email address in combination with a password or security question and answer that would permit access to an individual's financial account.3 State statutes generally exclude publicly available information that is lawfully made available to the general public from federal, state, or local government records.
In addition to requiring notice to affected residents, state data breach notification laws may impose obligations to provide notice to consumer reporting agencies and state regulators, often depending on the number of residents affected by the breach in a given state.
State data breach notification laws also dictate when notification must occur. Some states require notification "without unreasonable delay" after the scope of the breach has been determined.4 Other states require notification within a definite period, usually 30 to 90 days after discovery of the breach.5 Whatever the applicable deadline, a company that learns it has suffered a data breach must work quickly to identify the universe of individuals whose personal information has been compromised so that notices can be prepared and distributed without delay; the forensic scoping work described above is therefore on the critical path for compliance. Failure to report a data breach on time could expose the company to enforcement actions or penalties by government regulators.
Providing notice
State data breach notification laws typically place the onus on the owner of the data to notify affected persons when personal information has been compromised. For situations in which a vendor stores a database of personal information for a client, under most states' laws the vendor's only statutory obligation is to notify its client about the breach. The burden then falls on the client to notify the affected individuals.
Notice is typically provided via written correspondence, although many states also permit telephonic notice or electronic notice in certain circumstances. While some states provide little to no guidance on what the notice should include, other states set forth a list of items that the notice should address, such as a description of the breach incident, the date or estimated date(s) during which the breach occurred, the type of information subject to unauthorized access, contact information for the major credit reporting agencies, and information for registering for credit monitoring or identity theft prevention services, if offered.6
A company that has been the target of a cyberattack is not obligated under state data breach notification laws to provide notice when no personal information has been compromised. Nevertheless, companies must be aware of other legal obligations that may require notification of a breach. For example, if a cybercriminal accesses or attempts to access a company's confidential business information, the company may have contractual obligations to notify business partners about the scope and extent of the data breach. Often, contractual data notification provisions are more stringent than state law requirements and include very short timeframes for providing notice of a breach. Additionally, a company's cybersecurity insurer may have strict reporting obligations with which the company will need to comply to ensure coverage.
Best practices and limiting liability
While it is impossible to guarantee that a data breach will not occur, companies can take steps to improve their data security and make themselves less desirable targets for cybercriminals. Best practices include: mapping where sensitive data is stored, limiting access to sensitive data, purging personal information when it is no longer needed, requiring complex passwords and multi-factor authentication to access networks, using industry-tested security methods such as encryption, regularly monitoring networks for suspicious activity, and verifying that third-party service providers have implemented reasonable security measures. Several of these measures also pay off during breach response: a current data map shortens the time needed to identify affected individuals and applicable jurisdictions, and encrypting stored personal information can take an incident outside the notification requirement altogether where the statute exempts encrypted data and the key was not compromised. Maintaining strong data security practices and developing a data breach response plan that accounts for the company's data breach notification requirements will reduce both the likelihood and the impact of a breach and help minimize liability in a potential regulatory action or lawsuit.
Footnotes
1 There are industry-specific federal privacy laws that contain their own notification provisions. For example, the HIPAA Breach Notification Rule requires HIPAA-covered entities to alert patients in the event of a breach of certain protected health information. See HIPAA Breach Notification Rule, 45 C.F.R. §§ 164.400-414. Additionally, financial institutions must comply with the notification requirements prescribed by the Federal Interagency Guidance interpreting Section 501(b) of the Gramm-Leach-Bliley Act.
2 See 73 Pa. Stat. § 2302.
3 See, e.g., N.Y. Gen. Bus. Law § 899-aa; N.J. Stat. § 56:8-161; Cal. Civ. Code § 1798.29; N.C. Gen. Stat. § 75-61.
4 See, e.g., 73 Pa. Stat. § 2303; Mass. Gen. Laws 93H § 3; Idaho Code § 28-51-105.
5 See, e.g., Fla. Stat. § 501.171; Ohio Rev. Code § 1349.19; Del. Code Ann. tit. 6 § 12B-102; Conn. Gen. Stat. § 36a-701b.
6 See, e.g., Cal. Civ. Code § 1798.29; N.Y. Gen. Bus. Law § 899-aa; 815 Ill. Comp. Stat. 530/10.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.