Breach Notification Regulations

California was the first state to have a breach notification law. It required businesses to notify their customers if they suffered a data breach that disclosed personal data. Many states have modeled their own breach notification laws on the California law. This section discusses the California breach notification law, as well as the laws in other states.

California Breach Notification Act

California’s Database Security Breach Notification Act went into effect on July 1, 2003, and has been updated several times. The California legislature created the law after a security breach at a state-operated data facility. The legislature recognized that identity theft was one of the fastest-growing crimes in California and that people must act quickly to limit the harm it causes. The purpose of the law was to give California residents timely information so that they could protect themselves.

The law applies to anyone who owns or uses computerized data that contains the unencrypted personal information of a California resident.6 It applies to:

  • State agencies
  • Nonprofit organizations
  • Private organizations
  • Businesses

The law is not limited to businesses located in California; it covers any entity that stores the personal information of a California resident. Under the law, such an entity must notify affected California residents when unauthorized individuals access and take the residents’ unencrypted personal data from its computer systems.

FYI

Under California law, a security breach means unauthorized acquisition of computerized data. It must “compromise the security, confidentiality, or integrity of personal information” held by an entity.7 This definition is confusing from an information security perspective because it refers to security and separately to confidentiality and integrity. Confidentiality and integrity are part of the standard definition of security. This type of imprecise definition is why information security professionals and lawmakers must work together to create laws that impact information security.

The law defines personal information very broadly as information that allows a person to be identified. Personal information is a person’s first name (or first initial) and last name. The person’s name is combined with any of the following:

  • SSN
  • Driver’s license number or California Identification Card number
  • Account number, or credit or debit card number, along with any security code, access code, or password that would allow access to a person’s account
  • Medical information
  • Health insurance information
  • Unique biometric information
  • Information collected through the state’s automated license plate recognition system

The law covers personal information only when it is unencrypted. If any element of the data is unencrypted, the entire record is treated as unencrypted personal information. Information that is available to the public through government records is not personal information. The law also states that a username or email address, combined with a password or an answer to a security question, is personal information if those elements would permit access to an online account.

The law requires entities to notify California residents whenever a security breach occurs. They must also notify residents as quickly as possible if they reasonably believe that a breach has occurred. Under the law, there are two reasons to delay notification. The first is to figure out the scope of the security breach. An entity must do this so that it can notify the right people.

The second reason to delay notification is if law enforcement requires it. Law enforcement can allow entities to delay notification if they are conducting a criminal investigation. The entity must make the required notification as soon as possible after it is determined that it will not hurt the investigation.

The law requires entities to give written notice to California residents. The notice must be written in plain language, must clearly identify the entity giving it, and must contain the following headings:

  • What Happened
  • What Information Was Involved
  • What We Are Doing
  • What You Can Do
  • For More Information

The law also contains a model security breach notification template that entities can use.

Sometimes providing notice to a large number of people can be very expensive. The California law allows entities to use a different type of notice if the entity can prove that:

  • The cost of giving written notice is greater than $250,000.
  • The number of people to be notified is greater than 500,000.
  • It does not have sufficient contact information.

If an entity can prove one of these situations, it does not have to give individual written notices. Instead, it must do all of the following to provide “substitute notice” of the breach:

  • Notify affected people by email if the entity has an email address for the person.
  • Post notice of the security breach on its website (if it has one) for at least 30 days.
  • Notify major statewide media outlets about the breach.

NOTE

Under the California law, encrypted means rendering data “unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.” Think about whether this definition is sufficient to evaluate the effectiveness of the encryption method used.

The California law provides a safe harbor for entities that encrypt personal information. A safe harbor is a legal concept that refers to specific actions someone can take to show a good-faith effort to stay within the law and avoid prosecution. Entities that properly encrypt the personal information that they own or maintain do not have to follow the notification requirements if they have a data breach.

NOTE

In the law, a plaintiff can generally recover only damages in the amount that he or she has actually lost because of harm or injury.

Finally, the law gives California residents a limited private cause of action against entities that do not follow the law. Residents who are harmed when an entity does not follow the law can sue for damages.8

Other Breach Notification Laws

After the ChoicePoint breach, many other states created breach notification laws. Today, all 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have breach notification laws.9 Many states based their laws on the California law, but there are some differences. They include:

  • Activities that constitute a breach
  • The time for notifying residents
  • Requirements that a notification contain certain types of information
  • Minimum requirements for encryption
  • Civil or criminal penalties for failing to notify affected people

Additionally, unlike the California law, most other state laws typically do not allow a private cause of action for failure to give notification.

Activities That Constitute a Breach

The California law applies to unauthorized acquisition of unencrypted personal information. If attackers access the data, that is enough to trigger the law’s notification requirements. Some other states require a showing of harm before notification is required: attackers must not only access the data but do something with it, such as stealing, copying, or changing it, and some harm to the affected people must be anticipated. Stealing data is an anticipated harm under these laws. You must review the definition of breach carefully in each law to see what triggers the notification requirements.

For example, Ohio law requires more than unauthorized acquisition to trigger notification. Under Ohio law, residents must be notified if the security breach reasonably causes a material risk of identity theft or other fraud to the resident.10 The risk of harm can also be a future risk of harm. In this law, the material risk of identity theft is enough to require notification.

NOTE

Alabama was the last state to enact a breach notification law.

Time for Notification

Under the general California breach notification law, entities must give notice in the most expedient time possible without unreasonable delay. A majority of states follow the California approach. However, some states require that entities give notice within a certain period.

NOTE

Some other states that employ a harm standard include Hawaii, Massachusetts, and Virginia. Guam also has such a provision. Look up the breach notification law for your state to study its breach definition.

Ohio law, for example, requires that notification be given to state residents in the most expedient time possible. However, that law also states that entities must give this notice no later than 45 days after the discovery of the breach.11 Florida has a similar requirement and requires notification within 30 days.12

Entities Excluded From Breach Notification Laws

Some states exclude some kinds of entities from their breach notification laws because these entities are already subject to other laws with specific data security requirements. Many of these other laws have security and privacy obligations that are stricter than the states’ own laws. If the entities are following these other laws, then a security breach may be less likely. In some cases, state lawmakers determined that making entities follow both the state breach notification law and the other laws would be too hard. It might hurt businesses operating in the state.

Some states exempt financial institutions covered by the Gramm-Leach-Bliley Act (GLBA). GLBA requires these institutions to protect a customer’s nonpublic financial information through security safeguards. They also must follow privacy rules. Breaches may be less likely if an institution follows GLBA. Many states exempt these entities from notification laws. They include Alaska, Connecticut, Indiana, and Minnesota.

Some states also exempt entities that are covered by the Health Insurance Portability and Accountability Act (HIPAA). HIPAA-covered entities must follow rules designed to protect personally identifiable health information, as well as the HIPAA Privacy and Security Rules. Recent amendments also impose breach notification rules on HIPAA-covered entities. These rules may be even stricter than some state notification laws. States that exempt HIPAA-covered entities from their laws include Arizona, Rhode Island, and Wisconsin.

In Maine, an entity can only delay notification to help a criminal investigation. In that case, an entity must give notice once law enforcement determines that the notification will not hurt the investigation. At that point, the entity must provide notice within 7 days.13

NOTE

A business day is an official workday. Business days are the days of the week that include Monday through Friday. Saturday and Sunday are not business days. Public holidays also are not business days.

Contents of Notification

Some states do not specify the types of information that should be included in a notice of a data breach. Alaska is one of these states. There is a growing trend, however, to specify the types of information that should be included in a notice. States do this to make sure that residents get enough information to protect themselves.

TIP

Remember, the reason for notification is to let people protect themselves from identity theft. Any delay in notifying people should be as short as possible.

North Carolina law requires that notice be given in a “clear and conspicuous” form.14 This means that it needs to be easily understandable. The notice also must:

  • Describe the incident in general terms.
  • Describe the type of personal information that was involved in the breach.
  • Describe how the entity is going to protect the personal information from additional unauthorized access.
  • Provide a telephone number for the entity, if one exists, that a person may call for more information.
  • Advise the person being notified to review his or her account statements and get a free credit report.
  • Provide the toll-free telephone numbers and addresses for the major consumer reporting agencies.
  • Provide the contact information for the FTC and the North Carolina attorney general’s office, along with a statement that these sources have additional information about preventing identity theft.

North Carolina also allows entities to notify residents by telephone, but only if the entity makes direct contact with the people whose data was accessed in the breach. Colorado law allows notice to be given in written and electronic form.15 It also allows notice by telephone.

Encryption Requirements

The California law provides an encryption safe harbor. Entities do not need to give notice of a breach if the personal information in their computer system was encrypted. California law does not specify the minimum level of encryption needed to qualify for the safe harbor, and it does not reference any industry standards.

Many other states also provide an encryption safe harbor. However, most states do not specify a minimum level of encryption needed to take advantage of the safe harbor.

TIP

Remember, a safe harbor is an action someone can take to show a good-faith effort to stay within the law.

Some states, however, do specify the encryption standards required to take advantage of the safe harbor. For instance, Massachusetts defines encryption as the use of a 128-bit or higher algorithmic process to transform data.16

Indiana also provides an encryption safe harbor. Its law says that data is encrypted if it is changed by an algorithmic process. It must be changed into a form that is unreadable without the use of a confidential process or key.17

NOTE

An algorithm is a defined sequence of computational steps for solving a problem; an encryption algorithm is one that transforms data into an unreadable form.

The Indiana law also addresses key management. For portable electronic devices, such as laptop computers, the data must be protected by encryption and the encryption key cannot be stored on the device. Indiana law also says that data is considered encrypted if it is secured by any other method that makes the data unreadable or unusable.

Penalties for Failure to Notify

Some states can impose penalties for violations of their breach notification laws. In Texas, for example, the state can assess a fine against an entity that does not notify affected people.18 The law states that an entity can be fined at least $2,000 for a violation. However, the fine cannot be larger than $50,000 for a single violation.

Other states have more complicated penalty structures. Under Florida law, an entity that does not provide notification within 30 days of a breach faces potentially large fines,19 such as a $1,000-per-day fine for every day that the entity fails to give notice after the 30-day limit. This penalty is in effect for the first 30 days after the 30-day limit. After that, the fine increases to $50,000 for each additional 30-day period that the entity fails to give notice. This extends up to 180 days (about 6 months) after the 30-day mark for giving notice. If entities do not give notification within 180 days after a breach, the state may fine them up to $500,000. FIGURE 9-1 illustrates the Florida fine structure.

FIGURE 9-1
Florida fine structure for failure to give notification. (Diagram not reproduced.)

Private Cause of Action

California law does not assess any penalties against an entity that does not follow the notification law. However, it does allow a person a private cause of action against those entities. For example, people can sue the private entity for any damages they suffered because they did not receive notification in a timely manner. Some states, such as Alaska, Maryland, and South Carolina, allow a private cause of action; however, most states do not. The states that do not are generally seeking to protect the entity’s business. They also do this to protect the court system, because processing many individual cases could be burdensome. Instead, most of these states allow the state attorney general to pursue an action against the entity for failure to give notification. These states include Iowa, Michigan, and Oklahoma.

NOTE

In Indiana, the failure to give notice is a deceptive act. The state attorney general’s office has the power to prosecute deceptive acts. The fine for each act can be up to $150,000.20

Every state now has a breach notification law to protect its residents. The laws have some similarities, and some laws also have unique requirements. These laws can be very confusing to businesses that operate in several states, because breaches at these entities are almost certainly going to affect people in many states. If this happens, an entity will have to review the laws of several states to properly notify people about the breach.

Breach notification is hard for entities because states have different laws about what constitutes a breach. An incident can be a breach in one state, but not another. It also can be hard if entities must give notice in a certain way or within a certain time. Differing penalties for noncompliance may also be a problem. Because the laws all have different nuances, it may not be enough for an entity to comply with the laws of its own state. FIGURE 9-2 provides a general decision tree that entities can follow in reviewing a security breach to see if notice is required.
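As an added illustration (it is not part of the textbook and is not the decision tree in Figure 9-2), the following Python encodes the decision steps this section describes: whether a record is personal information under the California definition, whether the encryption safe harbor applies, whether the state uses an acquisition trigger or a harm standard (California versus Ohio), and the resulting deadline (California’s “most expedient time,” Ohio’s 45 days, Florida’s 30 days, Maine’s 7 days after a law-enforcement hold is lifted), plus California’s three conditions for substitute notice. The field names, the `Record`, `Incident`, and `StateRule` classes, and the sample data are this example’s own constructions; treating Maine as an acquisition-trigger state with no other fixed deadline is an assumption, since the section does not say.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Data elements that, combined with a first name (or initial) and last name,
# make a record "personal information" under the California definition in this
# section. The field names are this example's own labels, not statutory terms.
CA_DATA_ELEMENTS = {
    "ssn", "drivers_license", "state_id_card", "account_number", "card_number",
    "medical", "health_insurance", "biometric", "license_plate_data",
}
CREDENTIAL_SECRETS = {"password", "security_answer"}


@dataclass
class Record:
    """One stored record about a resident (constructed sample data)."""
    fields: dict                 # field name -> stored value (values unused here)
    unencrypted: frozenset       # names of fields stored without encryption
    public_record: bool = False  # available through public government records


def pi_elements(rec: Record) -> set:
    """Return the field names that make this record personal information
    (an empty set means it is not personal information at all)."""
    if rec.public_record:
        return set()
    f = set(rec.fields)
    # Name plus at least one listed data element.
    if {"first_name", "last_name"} <= f and f & CA_DATA_ELEMENTS:
        return {"first_name", "last_name"} | (f & CA_DATA_ELEMENTS)
    # Username or email address plus a password or security-question answer.
    if f & {"username", "email"} and f & CREDENTIAL_SECRETS:
        return (f & {"username", "email"}) | (f & CREDENTIAL_SECRETS)
    return set()


@dataclass(frozen=True)
class StateRule:
    """Notification rule for one state, limited to what this section states."""
    name: str
    harm_standard: bool            # notify only on material risk of identity theft/fraud
    deadline_days: Optional[int]   # None = "most expedient time possible"
    post_law_enforcement_days: Optional[int] = None  # fixed deadline after a hold is lifted


# Values taken from the section: CA (acquisition trigger, no fixed deadline),
# OH (material-risk standard, 45 days), FL (30 days), ME (7 days after law
# enforcement releases its hold). That Maine has no other fixed deadline and
# uses an acquisition trigger is an assumption of this example.
RULES = {
    "CA": StateRule("California", False, None),
    "OH": StateRule("Ohio", True, 45),
    "FL": StateRule("Florida", False, 30),
    "ME": StateRule("Maine", False, None, post_law_enforcement_days=7),
}


@dataclass
class Incident:
    """Facts established by the incident investigation (constructed)."""
    discovered: date
    acquired: bool                   # data was taken, not merely exposed
    material_risk_of_fraud: bool     # outcome of the entity's risk assessment
    law_enforcement_hold_lifted: Optional[date] = None


def notice_required(rec: Record, inc: Incident, state: str):
    """Walk the decision tree. Returns (required, deadline_or_None, reason)."""
    rule = RULES[state]
    elems = pi_elements(rec)
    if not elems:
        return False, None, "record is not personal information"
    if not elems & rec.unencrypted:
        return False, None, "encryption safe harbor: no element was unencrypted"
    if not inc.acquired:
        return False, None, "no unauthorized acquisition occurred"
    if rule.harm_standard and not inc.material_risk_of_fraud:
        return False, None, f"{rule.name}: no material risk of identity theft or fraud"
    if inc.law_enforcement_hold_lifted and rule.post_law_enforcement_days is not None:
        deadline = inc.law_enforcement_hold_lifted + timedelta(days=rule.post_law_enforcement_days)
        return True, deadline, f"{rule.name}: {rule.post_law_enforcement_days} days after hold lifted"
    if rule.deadline_days is not None:
        deadline = inc.discovered + timedelta(days=rule.deadline_days)
        return True, deadline, f"{rule.name}: {rule.deadline_days} days after discovery"
    return True, None, f"{rule.name}: most expedient time possible, without unreasonable delay"


def california_substitute_notice_allowed(cost_usd: float, people: int, has_contact_info: bool) -> bool:
    """California's three conditions for substitute notice; any one suffices."""
    return cost_usd > 250_000 or people > 500_000 or not has_contact_info


if __name__ == "__main__":
    # Constructed sample: name + SSN stored in the clear, taken by an intruder,
    # but the entity's assessment found no material risk of fraud.
    rec = Record({"first_name": "A", "last_name": "B", "ssn": "***"}, frozenset({"ssn"}))
    inc = Incident(date(2024, 3, 1), acquired=True, material_risk_of_fraud=False)
    for code in RULES:
        print(code, notice_required(rec, inc, code))
```

Running the sample shows the multistate problem the text describes: the same incident requires notice in California and Florida (Florida by a fixed date) but not in Ohio, whose harm standard is not met.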

FIGURE 9-2
Breach notification decision tree. (Diagram not reproduced.)


The lack of uniformity among states may place additional burdens on businesses that experience a security breach. People also may be confused if they get notices that do not look similar. Notices might look different depending upon the law that the entity followed in creating the notice. A federal breach notification law would help eliminate this confusion. Federal laws have been proposed from time to time. As of this writing, no such act has yet passed Congress.
