All fifty States have enacted some form of a breach notification statute, along with Washington D.C., Guam, Puerto Rico, and the Virgin Islands. The first State enacted breach notification statute came into force in California during 2003, and since then other States have been enacting and amending their own statutes to require various entities, usually businesses, to notify consumers and other parties after a security breach compromises certain sensitive information about those parties. This trend began after data security incidents began increasing in scope, severity, and quantity starting in the late nineties as online business found its footing, and legislative action was spurred on in response to new large-scale breaches.
The basic purpose not change significantly between each State: when a security breach compromises personal or other sensitive information of State residents held by an entity, these laws require those entities to notify those residents about the breach so they can take action to protect themselves. However, there is a great deal of variance about how that purpose is implemented. The statutes differ on what constitutes personal or sensitive information, what entities fall within the scope, what qualifies as a breach that will trigger notification duties, how many people must be affected, how much time the business can take before giving notice, what must be included in the notice, how notice must be delivered, and what penalties can follow from failing to give the required notice. Because of this variety, businesses operating in multiple States need to review the specific statutes and devel.
To illustrate, there are common categories of information protected by effectively every statute— social security numbers, State ID numbers, bank account numbers, or financial card information. But depending on the State, the law might also include medical information as defined by the State or by HIPAA, passwords and online account information, tax ID numbers, biometric data, employer issued IDs, student or other education data, tribal ID, and other data items that may or may not have to be linked to an individual by name. The law might also cover this information even when it is not kept in an electronic form.
Depending on the scope and severity of a breach, a business might have to simultaneously comply with notification duties under conflicting State statutes. Compliance can become quite costly and complex, but the penalties for a failure to make a disclosure when required can be ruinous. The laws usually provide for civil penalties enforceable by a State agency, which might be thousands per day for each violation, but the statutes may also set out criminal penalties or extend a private right of action.
Knowing what State security breach notification statutes might apply to your business is effectively a condition of doing business in any part of the United States, even if only to determine the statute does not apply to the business. There may not be any clear answers to if or how any one statute applies. While there have been enough data breach incidents that observers and analysts can sketch out standard notification practices in various industries, there are enough differences and nuances between each State law that no common compliance regime has emerged. There are companies offering services to help businesses prevent breaches, detect and mitigate incidents, and meet any notification duties. There are also comparatively new cybersecurity or breach insurance offerings that might defray costs of investigation and notification. But even fifteen years after the first statute went into effect, case law applying particular State statutes remains somewhat sparse, and both large and small-scale breach litigation usually ends in settlement with few, if any, precedential rulings. Breach notification compliance remains largely uncharted territory for state court litigators. While it took fifteen years to get notification statutes within each State, we can expect breach notification compliance to be one of the more active areas for data privacy litigation over the next fifteen years.
To stay up to date with changes in Cyber Law, or other pressing legal matters visit our Cyber Lawyer Blog. If you have any questions, comments, or need legal advice call the cyber security attorneys at Goosmann Law Firm in our Omaha, Sioux City, or Sioux Falls offices.