State notice requirements Flashcards
Definition of personal information
Connecticut, and everywhere else:
First name or initial, plus last name, in combination with:
(1) SSN;
(2) Driver’s license or state ID number;
(3) account number or credit or debit card number, plus something allowing access
Two-thirds have additional elements, such as medical and healthcare information, anything related to financial accounts, any type of governmental ID number, biometric data, DNA profile, tax info, mother’s maiden name.
CCPA: real name, postal address, email, SSN, driver’s license or passport number, IP address, protected class characteristics, commercial information, biometric information, internet and network activity, geolocation information, professional and employment information, and certain educational information. Also applies to inferences drawn from this info to create a profile of the consumer.
Almost all states (not Michigan) exclude publicly available information
Definition of covered entities
Connecticut, and most states: “any person who conducts business in this state and who, in the ordinary course of such person’s business, owns, licenses or maintains” PI.
Georgia: just “information brokers”
CCPA: any “business” that does business in CA and
(a) has annual gross revenues of $25 million +;
(b) uses info of 50,000+ consumers or households (pre-CPRA, or devices); or
(c) for whom 50%+ revenue results from sales of consumers’ personal information.
Definition of breach
Connecticut and most others: “unauthorized access to or acquisition of … personal information, when [unencrypted or similarly unreadable].”
Some states, e.g. PA, require the breach to be “material.”
Some states, e.g. KA and SC, require the breach to cause or be likely to cause identity theft or other material harm.
CCPA: unauthorized access, etc. caused by the business’s failure to implement and maintain reasonable security measures and procedures.
Whom to notify
All require notifying consumers. All require third-party notification (i.e. processors must notify controllers).
Roughly two-thirds of states require notifying state AG or other state agency.
Roughly two-thirds require notifying national CRAs.
When to notify
Most common language: “the most expedient time possible and without unreasonable delay.” Most commonly, 45 days after discovery of the breach is the baseline.
Industry best practice: within 30 days of discovery of the breach (so 45 days could be considered unreasonable in some states).
Can be tolled by a criminal investigation.
Most stringent: Puerto Rico: must notify Department of Consumer Affairs within 10 days.
What to include in notification letter
North Carolina is most extensive, including:
(1) a description of the type of personal information involved;
(2) a description of the general acts the business took to prevent further unauthorized access;
(3) a phone number for further assistance, if available;
(4) advice that the person remain vigilant by reviewing account statements and monitoring free credit reports;
(5) the numbers and addresses for the major CRAs;
(6) the numbers and addresses for the FTC and NC AG and a statement that the person can get information from those sources about preventing identity theft.
Oregon: include advice to report suspected identity theft to law enforcement.
MA and WV: advice on how to obtain a police report and get a credit freeze.
MA: CANNOT describe the nature of the breach or the number of residents affected. Other states: MUST include general description.
How to notify affected parties
Written notice always required first. In some states, telephone or email/text are ok if a person has explicitly chosen them as an alternative.
In many states, such as Connecticut, businesses can use alternate forms of notice where written notice would place an undue burden on the business. E.g. email, conspicuous posting on website, notification to major state-wide media.
When to notify state AG or state agency
Roughly 2/3 jurisdictions require it.
Most commonly, it’s required as soon as possible.
Maryland and NJ: before notifying consumers
Washington: no later than notifying consumers.
Montana: at the same time as notifying consumers.
Illinois: within 5 business days of notifying Secretary of HHS (for HIPAA, I assume?)
Iowa: within 5 business days of notifying consumers
Louisiana: within 10 days of notifying consumers
Vermont: within 14 days of discovering the breach or sending notice to consumers, whichever is sooner (and it will always be within 14 days of the breach, no? How can you send notice before discovering the breach?)
CA, Maine, NH, NY, SD: no specific timing mentioned.
Many states have a threshold for number of affected consumers before notifying state AG:
ND and Oregon: 250+ residents.
CA, DE, FL, IO, RI: 500+.
AL, MI, NM: 1000+.
Many states: only if business determines breach has caused actual damage or is likely to do so.
When notice is required to CRAs
Roughly two-thirds of states require it under certain circumstances.
MN and RI: 500+ residents affected.
AL, AK, CO, DC, FL, HI, IN, KA, KN, ME, MA, MI, MS, NV, NJ, NM, NC, OH, OR, PA, SC, SD, TN, VT, VA, WV, WS: 1000+ residents affected.
ME, NH: 1000+ affected, regardless of residency.
NY: 5000+
GA, TX: 10,000+
MT: always (?) coordinate notifications with CRAs
Exceptions to notification
- Entities subject to more stringent breach notification laws (follow them instead).
- Entities can follow their own information security procedures as long as they are compatible with state law.
- In most states, safe harbor for encrypted, redacted, unreadable or unusable information. Many states explicitly say encryption only counts if the private key was not compromised.
- Everywhere except Connecticut: no notification required if the breach did not compromise the “confidentiality, security and integrity of the information.”
- Massachusetts: must encrypt personal information on laptops and portable devices, or sent over networks.
Enforcing authority
Most states, incl. Connecticut: state AGs.
CCPA: new agency
Private right of action
12 states other than CA have a private right of action.
CCPA: private right of action for breaches involving sensitive personal information, with statutory damages: $100 to $750 per incident. Also get actual damages. In order to get damages, breach must be the result of business’s failure to implement and maintain reasonable security procedures and practices.
Data destruction laws
35 states have them. Generally apply to the same entities as breach notification laws. Basically all require “reasonable measures” to safeguard against unauthorized access connected to disposal.
Some have private rights of action.
Most exempt entities subject to GLBA, FCRA, and HIPAA.