Data Breach Notification Laws Flashcards
2-4 questions
How many states have data breach notification laws?
all 50
preemption of state data breach notification laws
Fair and Accurate Credit Transactions Act (FACTA) preempted many state laws related to consumer credit reports, but states retained power to enact laws addressing identity theft
What are the key components of state data breach notification laws?
- key terms such as definition of personal information, covered entities and security breach
- notification requirements
- enforcement
What does “personal information” cover under state data breach notification laws?
in the majority of laws, includes an individual’s first name or first initial and last name in combination with any one or more of the following data:
1. SS #
2. driver’s license # or state ID card #
3. financial account # or credit/debit card #, often in combination with any required security code, access code, or passwords that would permit access to an individual’s financial account
What does “covered entities” include under state data breach notification laws?
in most states, “covered entities” include those:
1. that conduct business in the state; and
2. that, in the ordinary course of such person’s business, maintain computerized data that includes PI
What is defined as a “security breach” under state data breach notification laws?
often includes following elements:
* unauthorized access to or acquisition of electronic files or computerized data containing personal information, which compromises the confidentiality, security or integrity of the information; and
* the PI has not been secured by encryption or any other method or technology that renders the PI unreadable or unusable
nearly all states apply a risk-of-harm analysis in determining whether an incident involving personal data constitutes a regulated breach
Who do you typically notify under state data breach notification laws?
typically affected parties, state AG or other state agencies and nationwide CRAs
- primary recipients are those state residents who are at risk because their PI has (potentially) been exposed based on the level of unauthorized access or harm
- ⅔ of states require covered entities that have detected a data breach to notify state AG and/or other state agencies
- ⅔ of states require notifying CRAs of a data breach
When do you notify of a breach under state data breach notification laws?
common phrase is “as expeditiously as possible and without unreasonable delay” which allows affected entity to conduct a reasonable investigation to determine scope of breach and restore reasonable integrity of data system
* numerous states specify a limit, with 45 days after discovery of the breach being the most common
* industry best practice is to report within 30 days after discovery
What do you include in a notification letter under state data breach notification laws?
almost ½ of states mandate specific content be included in the notification such as:
* description of incident in general terms
* approximate date of incident
* description of type of PI that was subject to unauthorized access and acquisition
* description of the general actions the business has taken to protect PI from further unauthorized access
* telephone number for the business that the person may call for further information and assistance
* conspicuous notice on company’s website indicating how person may contact company for further info
* list of steps person may take to protect against identity theft
* toll-free numbers and addresses for major consumer reporting agencies
* toll-free numbers, addresses and websites for FTC and relevant offices of AG, along with statement that the individual can obtain info from these sources about preventing identity theft
How should you notify under state data breach notification laws?
generally focus on providing written notification to affected parties using postal mail (email or telephone usually OK if affected party has opted into that mode of communication)
What are the notice requirements for state AGs under state data breach notification laws?
- approximately ⅔ of states require entities that have detected a data breach to notify the state AG and/or other state agencies
- ½ of states have a threshold for the number of people affected (either state residents or total number of individuals)
- most commonly focuses on notice being made as soon as possible, and often mirrors req for notice to affected individuals
What are the notice requirements for CRAs under state data breach notification laws?
- ⅔ of states require entities to notify nationwide CRAs of a data breach
- most common approach is without unreasonable delay
What are four exceptions to providing data breach notification under state data breach notification laws?
- entities subject to another more stringent data breach notification law (e.g., HIPAA and GLBA)
- entities subject to own notification policy
- data subject to a safe harbor provision within the state data breach notification law (all laws include a safe harbor for data that was encrypted, redacted, unreadable or unusable; the encryption exception typically applies only when the key remains secure)
- notification can be delayed for a reasonable period of time when the data breach is suspected to be the result of criminal activity and law enforcement determines that notification would impede a criminal investigation
What does enforcement look like under state data breach notification laws?
in each of the 50 states, covered entities are subject to civil penalties if they violate the state data breach notification law
* in ⅓ of states, state AG can impose fines
* in nearly 15 states, affected parties can file a lawsuit pursuant to the state law’s private right of action to recover damages due to the breach (CA has statutory damages of $100-$750 per incident)