Standing in the Breach—State Law Requirements When a Customer Data Breach Occurs
Picture this . . .
Your business has been growing thanks to customer sales over the Internet, with customer orders coming from all around the country. To manage your growth, you have just installed a state of the art computer accounting system. A major feature of the system will improve your customer service by recording and tracking customer account purchases and billing information. The system conversion was a big project and you used some temporary staffing to get the job done. While you are still marveling at how helpful the new system is in responding to customer account inquiries, you get a call from the local FBI office. It seems that one of your former temporary employees has been attempting to sell your customers' account information over the Internet.
There are an infinite number of ways that the security of your customer account information could be breached, from high tech hackers to a janitor walking out the door with a discarded printout of customer information. The breach might even be inadvertent—a lost laptop computer holding unencrypted customer data (passwords are merely an annoyance to sophisticated crooks). But the next question is the same: what do you do when the wrong person might have your customers' information?
While there are federal laws regulating financial privacy, such as the Financial Privacy Act, the Fair Credit Reporting Act,[1] and the Gramm-Leach-Bliley Act, federal regulation has left a void that many states have filled with their own data breach notification and credit freeze laws, which federal law does not preempt. These differing state statutes impose inconsistent obligations on businesses for reporting data breaches. If a business services customers in different states, then the business has to follow and apply differing state laws and reporting obligations to different customers, a daunting task when a business may service customers in many or all fifty states.[2]
Does your business have to report data breaches?
The first question should be an easy one, yet, even with this threshold question, different states require different persons to report data breaches. California was among the first to address these issues.[3] A majority of states follow California's reporting approach, which requires any company that conducts business in California to report a data breach if that business owns, licenses, or maintains data that is covered by the law ("covered data"). Some states have added their own spin to California's approach. They require any person, whether or not conducting business within the state, to report a data breach if that person owns, licenses, or acquires covered data, regardless of where the individual described in the data resides, so long as the state has any basis to assert its jurisdiction.[4] Other states are more clearly focused on protecting their own citizens and require a data breach to be reported if the person owns or licenses computerized data that includes personal information of an individual residing in the state.[5]
Several states also require "data collectors," meaning any person that, for any purpose, handles, disseminates, or otherwise deals with nonpublic personal information, to report data breaches.[6] Some states require any person that deals with personal information to report a data breach.[7] Hence, more than one state's law may apply, and more than one person with responsibility for the data (a "covered person") may have a reporting obligation for the same data breach.
What is "personal information?"
State breach notification statutes defining "personal information" use an assortment of terms that affect the scope of the breach notification requirements. The California statute is the model for most states. The California statute defines "personal information" as a first name, or first initial and last name, in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: social security number; driver's license number or state identification number; or account number, credit or debit card number in combination with any required security code, access code, or password permitting access to an individual's financial account. California has amended this definition to also include medical and insurance information. California does not consider "personal information" to include any information available to the general public from federal, state, or local government records.[8] Other states expand their definition to include the following as "personal information": medical information; middle name; or information sufficient to perform identity theft.[9] Some states follow California and do not consider publicly available information as "personal information," while other states do not have such an exception in their definitions.[10]
Does your business have an affirmative obligation to protect data?
Depending on the state in which your company does business, or where your customers reside, your company may have an affirmative obligation to protect data.[11] States vary in this affirmative obligation. California does not impose an obligation to protect data, while other states require reasonable measures to protect against unauthorized access, and still other states require reasonable security measures and an affirmative obligation to destroy customer records after use.[12] Yet, even with these affirmative obligations, some states exempt financial institutions from any obligation to use reasonable measures or to destroy customer records after use.[13] Although states may exempt financial institutions, federal law and agency rules impose similar obligations on banks and other financial institutions.[14]
What constitutes a breach?
The way a state statute defines "breach" of data and what the statute requires of a business once a breach has occurred often leads to inconsistent reporting obligations for a business. A data breach in one state may not be a data breach in another state. As a result, a business would have to report what one state defines as a data breach to customers only of that state, when, in actuality, the data breach could have impacted more customers in different states. Companies may choose to report data breaches to some customers in some states, even when not required, for simplicity and consistent treatment of all customers.
Again, California serves as the model for many states. California defines a "breach" as the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a business.[15] This approach focuses on the recipient, rather than on the loss of data by the company or its agents. As a variation of the California model, some states define a breach as access to and acquisition of covered data that is reasonably likely to cause substantial economic loss to an individual, or exclude from the definition an acquisition that, after an investigation, is not likely to cause harm.[16] Other states require that the breach be a "material" compromise of the data in combination with an unlawful acquisition by the recipient.[17]
Does it matter that your data is in paper or electronic formats?
A majority of states require covered persons to report breaches involving unencrypted computerized personal information or a variation of this type of data.[18] Other states apply a broader approach to covered data, requiring persons to report data breaches not only of computerized personal information, but also of computerized data transferred to a different medium, such as paper; and other states also require data breach notification even of written, drawn, spoken, visual, or electromagnetic information.[19] States also differ with respect to whether breach notification is required when the data is in an unencrypted form or when encrypted with an encryption key. Some states require persons to report all forms of breached data.[20]
What notification is required?
After a breach has occurred, California requires a business to notify a California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.[21] Other states do not have such a state-specific notification requirement. Where a breach has occurred, some states require businesses to notify "affected individuals," regardless of whether the individuals reside in a specific state.[22] Some state statutes do not require notification if there is no reasonable likelihood of harm to customers after an investigation, while other states require businesses to notify customers upon discovery or knowledge of a breach regardless of its potential impact on them.[23]
How quickly does your business have to report?
State statutes also determine how quickly your business must notify your customers. California requires you to notify your customers in the most expedient time possible and without unreasonable delay, generally within 10 days, but also allows your business to delay notification if a law enforcement agency determines that the notification would impede a criminal investigation.[24] Other states do not require the "most expedient time possible," while others allow notification to be delayed so that the integrity of the breached computer system can be restored, to prevent the risk of further unauthorized access before making the announcement.[25] Wisconsin requires a "reasonable time" not to exceed forty-five days after learning of the breach, taking into consideration the number of notices and the method by which a business can notify customers.[26] North Carolina requires notification without unreasonable delay, consistent with the legitimate needs of law enforcement and with any measures necessary to determine sufficient contact information, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data system.[27] Maryland also requires that notification be sent to its Office of the Attorney General before affected consumers are contacted; that office posts these notifications on its website.[28]
Who can sue your company for failure to comply with data breach statutes?
State statutes take three different approaches with regard to who can enforce the state data breach statutes. The first approach is that injured customers themselves can bring civil actions against your business.[29] The second approach is that the state statute specifies certain government entities to enforce the statute, such as the state attorney general or designated state departments.[30] The final approach is a blend of the first two, where both private parties and state enforcers may bring actions against persons that fail to comply with the state data breach statutes.[31]
Some states offer a safe harbor for compliance with other states' statutes
Despite conflicting, overlapping, or contradictory state data breach statutes, some states offer safe harbors recognizing that other states' laws may also apply, and some recognize that businesses may implement a more protective approach to data breaches. The California statute deems a business to have complied with the data breach statute if the business maintains its own notification procedures as part of an information security policy that is consistent with California's timing requirements.[32] Colorado's statute excepts businesses that are already complying with federal or state laws that require security breach notification procedures.[33] Delaware has the same exception and also broadly excepts those persons that maintain their own notification procedures.[34]
Once a breach has occurred, can customers freeze their credit report file?
Approximately 46 states and the District of Columbia have enacted security freeze laws that allow customers to freeze their credit report file once a data breach has occurred.[35] Security freeze laws prohibit a credit reporting agency from releasing information from a file without "the express authorization of the consumer."[36] State security freeze laws also vary widely as to who may place a security freeze, whether there is an exception for insurance, how much the security freeze costs, whether a customer can lift a security freeze for a specific party, and whether there is a charge to lift the freeze for a specific period or a specific party. States take two approaches as to whom the security freeze laws cover. The first approach, taken by a minority of states, is to allow only identity theft victims to use the freeze laws.[37] The second approach allows any consumer to use the security freeze laws when there has been a data security breach.[38] States take varied approaches to charges for placing a freeze and for lifting it for a period of time or indefinitely, and to whether a customer may lift a freeze for a specific amount of time or for a specific party.
What should your business do?
If your business acquires or uses personal information, in any form, there are several steps you can take to mitigate your risk of potential liability when a data breach occurs. The first step is to know your state's security data breach notification and freeze laws, as well as the state laws where your customers reside. Your business must understand these laws in order to know what type of data is covered under the statute, when a reportable breach has occurred, and what type of reporting regimen the state requires of your business.
Next, you should organize a working group of knowledgeable employees in your organization who understand your technology and data storage systems and processes, as well as paper copies of your books and records. You should assess the data security risks facing your company and analyze where and how a breach could occur. Consider everything from high tech to low tech possibilities. After identifying the risks, develop a plan to address and manage those risks. You should periodically review and update this risk assessment, particularly when you make significant changes to your computer systems and business processes that involve customer data. Remember that these are ordinary business records that are discoverable in litigation, so you should consider involving your legal counsel in this self-assessment process.
Finally, you should organize a standing "SWAT Team" of employees in your organization who understand your technology and data storage systems and processes. Your SWAT Team should meet and develop several hypothetical data breach mock drills with scenarios to help you think through and develop written procedures to respond when the real thing occurs. For most businesses, it is not an "if" but "when" the breach occurs. Planning for the event will improve your response time, which may help you mitigate the potential damages resulting from a data breach.
Based on these planning exercises, you should set up a comprehensive data breach notification system in order to respond quickly to any breach in light of the notification requirements of applicable statutes. Your business may be able to take advantage of the safe harbors created by many, but not all, of the states. Most importantly, by taking these steps your business may be able to better protect your customers and your reputation and, hopefully, avoid government enforcement proceedings.
If you need assistance in identifying and understanding the laws and regulations affecting the privacy, security, and response to data breaches, contact a member of the Privacy and Information Security Group at Warner Norcross & Judd LLP. Contact and additional information can be found on our firm's Web site at: /practicesindustries/ServiceDetail.aspx?service=8.
*Jordan Paterra is a third-year law student at Wayne State University Law School.
[1] Financial Privacy Act, 12 U.S.C. § 3401, et seq.; Fair Credit Reporting Act, 15 U.S.C. § 1681, et seq.; Gramm-Leach-Bliley Act, 15 U.S.C. § 6801, et seq.; 2 Richard L. Fischer, The Law of Financial Privacy § 5.01 (2007); see also the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191.
[2] To see if your business operates in a state with reporting requirements and to learn what requirements your state breach notification law places on your business, contact your state legislature or see http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm or http://www.perkinscoie.com/warnernorcrossjudd/media/files/upload/PS_08_06_SecurityBreachNotifcationChart.pdf. For help understanding the requirements your business needs to comply with and setting up a reporting scheme regarding security breaches, contact Warner Norcross & Judd LLP.
[3] Cal. Civ. Code §§ 1798.80-1798.84 (2007 Supp.). California was the first state to create an agency devoted to consumer privacy issues, the California Office of Information Security and Privacy Protection, on the Internet at http://www.oispp.ca.gov/consumer_privacy/default.asp.
[4] See, e.g., Ark. Code Ann. §§ 4-110-101 to -108 (2007 Supp.).
[5] See, e.g., Md. Code Ann., Com. Law §§ 14-3501 to -3508 (2007 Supp.).
[6] See, e.g., 815 Ill. Comp. Stat. 530/1 to /30 (2007 Supp.); Vt. Stat. Ann. tit. 9, §§ 2430 to 2435 (2006).
[7] See, e.g., Mass. Gen. Laws ch. 93H, §§ 1-6 (2007); 2007 Or. Laws 759.
[8] Cal. Civ. Code §§ 1798.80-1798.84 (2007 Supp.).
[9] See, e.g., Ark. Code Ann. §§ 4-110-101 to -108 (2007 Supp.); Fla. Stat. ch. 817.5681 (2006); Ga. Code Ann. §§ 10-1-910 to -912 (2007 Supp.).
[10] See, e.g., Ark. Code Ann. §§ 4-110-101 to -108 (2007 Supp.).
[11] See, e.g., Code of Massachusetts Regulations at 201 CMR 17.00, "Standards for the Protection of Personal Information of Residents of the Commonwealth," effective in three stages starting on 1/1/2009, issued under Massachusetts General Laws chapter 93H, which addresses information security breaches.
[12] See, e.g., Haw. Rev. Stat. §§ 487N-1 to -4 (2007 Supp.); Md. Code Ann., Com. Law §§ 14-3501 to -3508 (2007 Supp.) (requiring reasonable measures to protect against unauthorized access); Ark. Code Ann. §§ 4-110-101 to -108 (2007 Supp.); Mont. Code Ann. § 30-14-1704 (2007); Nev. Rev. Stat. § 603A.220 (2007 Supp.) (requiring reasonable security measures and an affirmative obligation to destroy customer records after use).
[13] See, e.g., Tex. Bus. & Com. Code Ann. § 48.103 (2007 Supp.); Utah Code Ann. § 13-44-101 (2007 Supp.).
[14] Financial Privacy Act, 12 U.S.C. § 3401 et seq.; Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq.; Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq.
[15] Cal. Civ. Code §§ 1798.80-1798.84 (2007 Supp.).
[16] See, e.g., Ariz. Rev. Stat. § 44-7501 (2007 Supp.); Ark. Code Ann. §§ 4-110-101 to -108 (2007 Supp.).
[17] See, e.g., Fla. Stat. ch. 817.5681 (2006).
[18] Cal. Civ. Code §§ 1798.80-1798.84 (2007 Supp.).
[19] See, e.g., Haw. Rev. Stat. §§ 487N-1 to -4 (2007 Supp.); Ind. Code §§ 24-4.9-1-1 to -3-4 (2006).
[20] See, e.g., Mass. Gen. Laws ch. 93H, §§ 1-6 (2007).
[21] See, e.g., Cal. Civ. Code §§ 1798.80-1798.84 (2007 Supp.); Mich. Comp. Laws § 445.71 (2007 Supp.).
[22] See, e.g., Ariz. Rev. Stat. § 44-7501 (2007 Supp.).
[23] See, e.g., Ark. Code Ann. §§ 4-110-101 to -108 (2007 Supp.); Colo. Rev. Stat. § 6-1-716 (2007 Supp.); Fla. Stat. ch. 817.5681 (2006) (not requiring notification if there is no reasonable likelihood of harm to customers after an investigation); 815 Ill. Comp. Stat. 530/1 to /30 (2007 Supp.) (requiring businesses to notify customers upon discovery or knowledge of a breach regardless of its potential impact on them).
[24] Cal. Civ. Code §§ 1798.80-1798.84 (2007 Supp.).
[25] See, e.g., Colo. Rev. Stat. § 6-1-716 (2007 Supp.).
[26] See, e.g., Wis. Stat. § 895.507 (2006).
[27] See, e.g., N.C. Gen. Stat. § 75-65 (2007).
[28] Maryland Personal Information Protection Act, Md. Code Ann., Com. Law § 14-3504. See http://www.oag.state.md.us/idtheft/businessGL.htm.
[29] See, e.g., Cal. Civ. Code §§ 1798.80-1798.84 (2007 Supp.); Minn. Stat. § 325E.61 (2007 Supp.); Tenn. Code Ann. § 47-18-2107 (2007 Supp.).
[30] See, e.g., Ariz. Rev. Stat. § 44-7501 (2007 Supp.); Me. Rev. Stat. Ann. tit. 10, §§ 1346 to 1350-A (2007 Supp.); 2007 Or. Laws 759.
[31] See, e.g., Haw. Rev. Stat. §§ 487N-1 to -4 (2007 Supp.); N.H. Rev. Stat. Ann. §§ 359-C:19 to :21 (2007 Supp.).
[32] Cal. Civ. Code §§ 1798.80-1798.84 (2007 Supp.).
[33] See, e.g., Colo. Rev. Stat. § 6-1-716 (2007 Supp.); Me. Rev. Stat. Ann. tit. 10, §§ 1346 to 1350-A (2007 Supp.).
[34] See, e.g., Del. Code Ann. tit. 6, §§ 12B-101 to -104 (2005).
[35] http://www.consumersunion.org/campaigns/learn_more/003484indiv.html (last visited July 30, 2008).
[36] 2 Richard L. Fischer, The Law of Financial Privacy § 5.07 (2007).
[37] See, e.g., Ark. Code Ann. §§ 4-110-101 to -108 (2007 Supp.); Kan. Stat. Ann. §§ 50-7a01 to -7a04 (2007 Supp.).
[38] See, e.g., Cal. Civ. Code §§ 1798.80-1798.84 (2007 Supp.); Conn. Gen. Stat. § 36a-701b (2007 Supp.); Del. Code Ann. tit. 6, §§ 12B-101 to -104 (2005).