Multiple Government Laws and Regulations Make Data Security Breach Recovery Efforts Complicated in the U.S.
By Jonathan M. Joseph, Christian & Barton, LLP
Security experts considered 2011 the "Year of the Breach" due to the sheer volume of data breaches experienced by governmental entities, large companies and small organizations. These breaches included external attacks, deceptive practices, accidental data loss from misplaced laptops or hard drives, and files posted to public sites. The reality is that a data breach may occur even in the best run organizations—and preparation is the best defense.
Entities that collect and maintain personal or sensitive data must be aware of the breach notification laws and guidelines for all of the countries in which their customers reside, regardless of the country or state where the business or data was located.
European Union member countries and Canada are notable examples among the international community that have established regulations that must be followed if their residents are affected in the event of a breach. In the United States, growing alarm over data breaches in the health care industry prompted Congress to enact nationwide data breach notification requirements in the Health Information Technology for Economic and Clinical Health Act (HITECH) in 2009. Concern at the state level, which has been driven, in part, by breaches of state information systems, has resulted in 46 state legislatures enacting a panoply of data breach notification laws as well.
Many of these state laws apply to information stored about residents in a state even when the entity that maintains the data is located outside the state. Therefore, in the event of a data breach it may be necessary to consider multiple government laws and regulations beyond where the business primarily operates. And given the myriad of international, federal, state and industry requirements, overlap and even conflict is to be expected.
Develop an Incident Plan
An incident plan is crucial to manage the timeline in the event of an actual breach. Analysis of an organization's stored electronic information, such as a breakdown of location by country, state and the type of data on the system, is an extremely helpful first step in preparing to address the consequences of a breach with various audiences. These audiences include employees, consumers, media, and obligations to regulators and law enforcement.
Early efforts to locate advisors on handling data breach situations within a particular jurisdiction will save needed time that can be devoted to addressing the data breach and the notification requirements. Consider if contact with affected audiences will require translation services, and if necessary, identify the appropriate resources in advance. Maintaining insurance policy protection for losses and damages that can arise from a data breach also should be considered.
Time is of the Essence
Notification timing operates within a critical window, and varies by government and industry. Generally, the clock begins to tick once a breach has been recognized.
In the U.S., some state laws will expressly provide an exemption from notification requirements if the entity has complied with certain requirements under federal law. In other cases, the state laws are more comprehensive than federal law, in which case both may need to be considered.
State security breach notification laws have many similar components but also vary widely in certain details. Many of the laws require notification of affected individuals if unencrypted personal information (as defined by each state's law) has been acquired by an unauthorized party and is reasonably likely to be misused. On the other hand, a significant number of states make the notification trigger the fact that the information was accessed by an unauthorized party, regardless of the likelihood that the information will be misused.
Identify Notification Triggers
The incident plan should include an analysis to determine the type of information subject to notification requirements under state law. For example, access to an individual's name without further data associated with the name, such as a Social Security or driver's license number, is unlikely to trigger a notification requirement under many state laws. A few states have specific notification requirements around health information, but the majority have a single state law that is triggered by unauthorized access to a database that contains identifiable personal information, often including health information.
States vary on the mode of notification. All states permit notification via the U.S. Postal Service, and many permit notification via email. However, most require the ability to verify that the email was received. Many states allow for alternate notification, such as through the media, if the expense of mail notification exceeds a certain threshold. That threshold varies widely from state to state.
Typically, there is no requirement for due diligence in terms of locating affected individuals. States often will allow for notices to be sent to the last known address of the individual. However, each state's law should be consulted on this point. It is also a best practice for U.S.-based businesses to contact their international customers on at least an annual basis to make an effort to maintain useable addresses.
The form that notifications must take is fairly similar across the United States. Most states require the letter to inform the individual of the circumstances around the breach, provide information about notifying credit reporting agencies and reviewing credit reports, and being vigilant about inquiries from creditors. Additional state-specific information may also be required.
In addition to providing notification to the affected individuals, many states require that a specific state agency or the state's attorney general be notified. Often there are specific formats that such notifications need to take.
Law enforcement often will become involved early on. All of the state laws provide for a delay in notification if law enforcement determines that notification would impede its investigation. Often it is necessary to obtain a letter from law enforcement to this effect, and in any case, obtaining such a letter is recommended as documentation of the request.
Jonathan M. Joseph
Christian & Barton, LLP, Richmond, Virginia