Data Breach Notification Laws Flashcards

2-4 questions

1
Q

How many states have data breach notification laws?

A

all 50

2
Q

preemption of state data breach notification laws

A

Fair and Accurate Credit Transactions Act (FACTA) preempted many state laws related to consumer credit reports, but states retained power to enact laws addressing identity theft

3
Q

What are the key components of state data breach notification laws?

A
  • key terms such as definition of personal information, covered entities and security breach
  • notification requirements
  • enforcement
4
Q

What does “personal information” cover under state data breach notification laws?

A

in the majority of laws, includes an individual’s first name or first initial and last name in combination with any one, or more, of the following data:
1. SS #
2. driver’s license # or state ID card #
3. financial account # or credit/debit card #, often in combination with any required security code, access code, or passwords that would permit access to an individual’s financial account

5
Q

What does “covered entities” include under state data breach notification laws?

A

in most states, “covered entities” include those:
1. that conduct business in the state; and
2. that, in the ordinary course of such person’s business, maintain computerized data that includes PI

6
Q

What is defined as a “security breach” under state data breach notification laws?

A

often includes following elements:

  • unauthorized access to or acquisition of electronic files or computerized data containing personal information, which compromises confidentiality, security or integrity of information
  • when access to the PI has not been secured by encryption or any other method; or
  • technology that renders the PI unreadable or unusable

nearly all states apply a risk-of-harm analysis in determining whether an incident involving personal data constitutes a regulated breach

7
Q

Who do you typically notify under state data breach notification laws?

A

typically affected parties, the state AG or other state agencies, and nationwide CRAs

  • primary recipients are those state residents who are at risk because their PI has (potentially) been exposed based on the level of unauthorized access or harm
  • ⅔ of states require covered entities that have detected a data breach to notify state AG and/or other state agencies
  • ⅔ of states require covered entities to notify CRAs of a data breach
8
Q

When do you notify of a breach under state data breach notification laws?

A

common phrase is “as expeditiously as possible and without unreasonable delay” which allows affected entity to conduct a reasonable investigation to determine scope of breach and restore reasonable integrity of data system

  • numerous states specify limit with 45 days after discovery of breach being most common
  • industry best practice is to report within 30 days after discovery
9
Q

What do you include in a notification letter under state data breach notification laws?

A

almost ½ of states mandate specific content be included in the notification such as:

  • description of incident in general terms
  • approximate date of incident
  • description of type of PI that was subject to unauthorized access and acquisition
  • description of general acts of business to protect PI from further unauthorized access
  • telephone # for business that person may call for further information and assistance
  • conspicuous notice on company’s website indicating how person may contact company for further info
  • list of steps person may take to protect against identity theft
  • toll-free numbers and addresses for major consumer reporting agencies
  • toll-free numbers, addresses and websites for FTC and relevant offices of AG, along with statement that the individual can obtain info from these sources about preventing identity theft
10
Q

How should you notify under state data breach notification laws?

A

generally focus on providing written notification to affected parties using postal mail (email or telephone usually OK if affected party has opted into that mode of communication)

11
Q

What are the notice requirements for state AGs under state data breach notification laws?

A
  • approximately ⅔ of states require entities who detected a data breach to notify state AG and/or other state agencies
  • ½ of states have threshold for # of people affected (either state residents or total # of individuals)
  • most commonly focuses on notice being made as soon as possible, and often mirrors the requirement for notice to affected individuals
12
Q

What are the notice requirements for CRAs under state data breach notification laws?

A
  • ⅔ of states require entities to notify nationwide CRAs of a data breach
  • most common approach is without unreasonable delay
13
Q

What are four exceptions to providing data breach notification under state data breach notification laws?

A
  • entities subject to another more stringent data breach notification law (e.g., HIPAA and GLBA)
  • entities subject to own notification policy
  • data subject to safe harbor provision within state data breach notification law (all laws include safe harbor for data that was encrypted, redacted, unreadable or unusable and encryption exception typically applies only when key remains secure)
  • can delay when data breach is suspected to be result of criminal activity for a reasonable period of time if law enforcement determines the notification will impede a criminal investigation
14
Q

What does enforcement look like under state data breach notification laws?

A

in each of the 50 states, covered entities are subject to civil penalties if they violate the state data breach notification law

  • in ⅓ of states, state AG can impose fines
  • in nearly 15 states, affected parties can file lawsuit pursuant to state law’s private right of action to recover for damages due to breach
  • CA has statutory damages of $100-$750 per incident