By Reid J. Schar and Kathleen W. Gibbons, Jenner & Block LLP
It has been publicly reported that since 2005, 608,278,176 records containing sensitive personal information have been breached in 3,818 separate security incidents in the United States.1 Data breaches of personal information have become an unfortunate reality that present a wide array of legal problems for victim companies.2 When a data breach occurs, companies face federal enforcement actions, lawsuits from consumers whose information was compromised, and shareholder derivative suits. In addition, companies face sizable penalties if they fail to comply with the numerous, and sometimes contradictory, requirements of state data breach notification statutes.3
Currently, 46 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have notification requirements for breaches of “personal information.”4 The only four states without a data breach notification law are Alabama, Kentucky, New Mexico, and South Dakota.5
These state notification laws cover not only the companies that own or license a consumer's personal information, but also companies that maintain or control personal information they do not own, such as a vendor that manages a database of subscription information for a magazine. In the event that a company that maintains, but does not own, personal information suffers a breach, the company that actually owns or licenses the information is still responsible for proper notification to consumers.6
While most state notification statutes have similar elements, there are important differences. In many cases, a one-size-fits-all approach to notification will not suffice, particularly since states amend their laws over time. This article highlights a number of variations in data breach notification laws across states and the problems they present for companies with customers in multiple states, making clear the need for companies to maintain a comprehensive and regularly updated data breach response plan.
One of the first questions a company must address in the wake of a data breach is whether the information improperly accessed triggers state breach notification laws. It is a breach of “personal information” that triggers the state data breach notification laws.7 Many state statutes use a common definition of “personal information,” consisting of the consumer's name (usually first name or first initial and last name) and at least one of the following pieces of information: Social Security number, driver's license number or state identification card number, or financial information (typically a credit card number, debit card number, or account number and any codes or passwords needed to access the same).8
A growing number of state statutes, however, incorporate expanded definitions of “personal information.” Arkansas, California, and Missouri include medical information in their definitions, with California and Missouri also including health insurance information. Iowa's definition of “personal information” includes “unique biometric data, such as fingerprint, retina, or iris image, or another unique physical representation or digital representation of biometric data.” The definition of “personal information” in the Nebraska and Wisconsin statutes includes the same biometric data as the Iowa statute, with the addition of voiceprints. The Wisconsin definition also includes an individual's DNA profile.
Maryland's statute includes “An Individual Taxpayer Identification Number,” and Oregon's includes a passport number. Wyoming's statute includes a tribal identification card. In addition to the common elements shared by most states, the North Dakota statute includes a person's date of birth, mother's maiden name, employer-provided identification number, and digitized or other electronic signature, and the statute was recently amended to include medical and health insurance information. It is likely additional states will alter their definition of “personal information” as this area of the law evolves.
State statutes vary in their identification of the circumstance that triggers a company's notification obligations.
A number of states use an approach that resembles strict liability—requiring notification if personal information “was or is reasonably believed to have been” obtained by an unauthorized person, regardless of the likelihood that the consumer will become the victim of identity theft, fraud, or other harm.9
Other states take a different approach and permit companies to evaluate the risk of harm to consumers in determining whether to provide notification.10 These statutes typically require notification if it is reasonably likely that the unauthorized access to the consumer personal information will result in misuse of the information, harm to the consumer, or identity theft.11 Some states affirmatively require companies to conduct “in good faith a reasonable and prompt investigation” to determine the likelihood that personal information has been or will be misused.12 Other states do not set forth a particular method by which a company may determine the likelihood of misuse, but in practice an investigation is the typical route followed in these states as well.
In addition to differences in notification triggers, the modes by which states permit notification vary. Almost every state notification statute explicitly allows companies that have experienced data breaches to provide written and email13 notification of the breach to affected consumers, though many require that the email notice be “consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code,” which requires companies seeking to use email notice to obtain affirmative consumer consent.14 According to Section 7001, the necessary consent may only be obtained after, among other requirements, the consumer has received specified information related to the consumer's rights, the nature of the consent, the means by which the consumer can withdraw consent, and the hardware and software requirements for the email notice.15
The one state that does not explicitly permit email notification is Wisconsin, which requires a company to provide notice “by mail or by a method the entity has previously employed to communicate with the subject of the personal information.”
Twenty-six states authorize telephonic notice,16 though some impose restrictions on a company's use of phone notification. Michigan, for example, allows companies to notify consumers by phone, but prohibits the use of prerecorded messages and requires that, unless a consumer has given express consent to telephonic notice, the company must provide written or email notice if the phone call does not result in a live conversation with the consumer within three business days of the initial attempted contact.
All states, with the exception of Utah, permit some form of substitute notice, which typically consists of a combination of email notification (which for substitute notice need not comply with Section 7001), a message posted on the company's website, and publication in statewide media.17 The availability of substitute notice, however, is only triggered if a company can demonstrate that notice will cost more than a specified threshold amount or must be provided to a certain number of people, again above a threshold, or that the company lacks sufficient contact information to proceed with a standard method of notification. The triggering thresholds for substitute notice vary greatly among states. At the low end, Maine and New Hampshire permit the use of substitute notice if the cost exceeds $5,000 or the company must notify more than 1,000 individuals. At the other extreme, 20 states only permit substitute notice if the affected company can demonstrate that the cost will exceed $250,000 or it must notify at least 500,000 individuals.18
Adding to the notification complexity are variations in notification content. Sixteen states prescribe particular content for the notifications, certain of which are specific and burdensome.19 For example, California has extensive content requirements including: (a) the name and contact information of the company; (b) the types of personal information subject to the breach; (c) the date of the breach (actual, estimate, or range); (d) whether notice was delayed for a law enforcement investigation; (e) a general description of the incident; and, under certain circumstances, (f) contact information for the major credit reporting agencies.
Companies also must be cognizant of states' prescribed notification time limits and acceptable bases for notification delay. All states with data breach notification laws permit companies to delay notifying affected consumers if necessary to accommodate a law enforcement investigation. Almost all statutes also allow companies to delay notification if necessary to investigate the incident and restore system security.21
Even when no delay is appropriate, most statutes do not specify a particular time limit for notification, merely stating that companies must provide notice “in the most expedient time possible” and/or “without unreasonable delay.” How these terms are defined is open to interpretation and leaves companies vulnerable to lawsuits arising from relatively short delays. For instance, in California, where notification must be made “in the most expedient time possible and without unreasonable delay,” a company has been sued for untimely notification for providing notice 15 days after one breach and 18 days after another.22
Other states have specific time limits, with several requiring companies to notify affected consumers within 45 days of breach discovery.23 Under the Maine statute, if a company delays notification for law enforcement purposes, it must provide the consumer notice no more than seven days after being informed that such notice will no longer interfere with the investigation.
In many states, those who maintain or control personal information without owning it, such as the vendors noted earlier, must notify the owner of the personal information “immediately” after discovery of the breach.24 Other states, however, apply more relaxed standards such as “as soon as practicable”25 or “without unnecessary delay.”26 The Florida statute requires a nonowner to notify the company that owns the personal information within 10 days of discovering the breach, while Georgia requires that the notification take place within 24 hours of breach discovery.
Companies must be aware that in certain states, notifying only affected consumers is insufficient. Twelve states require companies to notify the state attorney general, although even these notification requirements differ among states depending on the number of affected consumers.27
Many states also require companies to notify the major national credit reporting agencies of a breach.28 For example, Massachusetts requires companies to notify the attorney general, the director of consumer affairs and business regulation, and, eventually, credit reporting agencies if a company will be notifying any Massachusetts residents. Georgia requires notification to credit agencies if the data breach requires the company to provide notice to more than 10,000 residents. A number of other states fall in between.
The Hawaii statute requires companies notifying more than 1,000 Hawaiian residents to notify the state of Hawaii's Office of Consumer Protection as well as the credit reporting agencies. The New Jersey statute requires that companies notify the state police, while South Carolina requires notification to the state consumer protection division if more than 1,000 South Carolina residents are affected. In addition to the state attorney general, the New York statute requires that companies notify “the department of state and the state office of cyber security and critical infrastructure coordination.”
Companies attempting to bypass the notification obligations by requiring consumers to contractually waive their notification rights should know that in several states such waiver is not permissible. At least 16 states, including California and Illinois, among others, hold that a consumer's waiver of statutory notification rights is against public policy, and therefore “void and unenforceable.”29
Although not all state statutes have explicit penalty provisions for failure to comply with notification procedures, those that do offer yet another example of substantial variation. Some states simply provide a maximum civil penalty per breach.30 Other states calculate the penalty based on the number of consumers affected.31 Under Michigan's statute, a company that knowingly fails to provide the required notice to a consumer may face a civil fine of not more than $250 per failure, with a maximum fine of $750,000 for notification failures arising from the same security breach.
Florida and Ohio both calculate penalties based on the length of the notification delay. For example, Florida imposes an administrative fine on companies that do not provide notification within the statutorily required 45 days. The fine is calculated as $1,000 per day the breach goes undisclosed for the first 30 days, and $50,000 for each 30-day period thereafter for up to 180 days. If notification is not completed within 180 days, the company is subject to a fine of up to $500,000. Still other states calculate the penalties through a hybrid approach, factoring in both the number of notification failures and the length of the delay.32
A variety of states allow their attorneys general to bring an action based on a company's violation of their notification statutes.33 Several lawsuits alleging violations of state notification statutes have been filed by state attorneys general, including those in Connecticut,34 Vermont,35 and Indiana.36
Adding to potential company woes, 10 states explicitly provide a private right of action, allowing consumers to file civil suits against companies that violate notification provisions.37 In such states, including California and Virginia, noncompliant companies could face dozens of lawsuits for a single noncompliant response to a breach. In addition, as breaches become more prevalent, consumer-initiated class action suits alleging failure to comply with notification procedures become a greater possibility.
In early 2013, plaintiffs in California filed a class action lawsuit against a wholesale food service company alleging, among other things, violations of California's data breach notification statute.38 The plaintiffs specifically allege that the defendants violated the notification statute “by failing to disclose [the data breaches] in the most expedient time possible and without unreasonable delay.”39 Plaintiffs' claims arose in connection with two separate data breaches. The defendants began notifying consumers approximately 18 days after learning of the first breach and approximately 15 days after learning of the second breach. Plaintiffs claim that defendants waited too long in both instances. Plaintiffs are requesting statutory damages, actual damages, and punitive damages.
In the absence of a universally applicable federal law on the subject, varied state data breach notification laws create a complicated patchwork of requirements. As states amend their laws, the landscape continues to shift. Companies that do business in multiple jurisdictions are at significant risk of failing to comply with one or more state notification statutes should a breach occur.
Rapid notification through states' prescribed procedures is essential to minimize exposure in the wake of a data security breach. It is critically important that companies maintain a comprehensive and regularly updated data breach response plan. Companies should also ensure that they have quick access to experienced outside counsel who are prepared to assist in identifying relevant laws and preparing compliant notifications. As the number of data breaches continues to rise, companies must be aware of the varied and complex network of state data breach notification laws and be prepared to provide all necessary notifications.
Reid J. Schar, a partner at Jenner & Block LLP in Chicago, co-chairs the firm's White Collar Defense and Investigations Practice. Schar regularly leads domestic internal investigations and international Foreign Corrupt Practices Act investigations, and he represents clients in a variety of complex litigation matters including theft of trade secrets. Kathleen W. Gibbons, an associate in Jenner & Block's Chicago office, is a member of the firm's Litigation Department.
©2014 The Bureau of National Affairs, Inc. All rights reserved. Bloomberg Law Reports ® is a registered trademark and service mark of The Bureau of National Affairs, Inc.
This document and any discussions set forth herein are for informational purposes only, and should not be construed as legal advice, which has to be addressed to particular facts and circumstances involved in any given situation. Review or use of the document and any discussions does not create an attorney-client relationship with the author or publisher. To the extent that this document may contain suggested provisions, they will require modification to suit a particular transaction, jurisdiction or situation. Please consult with an attorney with the appropriate level of experience if you have any questions. Any tax information contained in the document or discussions is not intended to be used, and cannot be used, for purposes of avoiding penalties imposed under the United States Internal Revenue Code. Any opinions expressed are those of the author. The Bureau of National Affairs, Inc. and its affiliated entities do not take responsibility for the content in this document or discussions and do not make any representation or warranty as to their completeness or accuracy.