How State Breach Notification Laws Differ


  • Many breach notification laws are based on California, but some differences include:
    • Activities that constitute a breach
    • The time for notifying residents
    • Requirements that a notification contain certain types of information
    • Minimum requirements for encryption
    • Civil or criminal penalties for failing to notify affected people
    • most state laws typically do not allow a private cause of action for failure to give notice

Activities That Constitute a Breach

  • California law applies to unauthorized acquisition of unencrypted personal information
    • attackers need only access the data; no further misuse is required
  • other states require showing harm before notification is required
    • attackers must access the data and do something with it
  • must review definition of breach carefully under each law to see what triggers notification requirements
    • E.g.,
      • Ohio law requires notification if the security breach reasonably causes a material risk of identity theft or other fraud to the resident
        • can be a future risk of harm

Time For Notification

  • In California, entities must give notice in the most expedient time possible without unreasonable delay
  • most states follow this approach
  • some states require entities give notice within certain period
    • E.g.,
      • Ohio
        • requires notification be given to state residents in the most expedient time possible
        • but also states it must be no later than 45 days after the discovery of the breach
      • Florida requires notification within 30 days
      • Maine: an entity can only delay notification to assist a criminal investigation

Entities Excluded From Breach Notification Laws

  • some states exclude entities from breach notification laws
    • because they are subject to other laws with specific data security requirements
    • usually stricter requirements
    • E.g., GLBA and HIPAA

Contents of Notification

  • some states do not specify the types of information to include in a breach notice
    • E.g., Alaska
  • North Carolina law requires notice to be given in a “clear and conspicuous” form
    • must:
      • Describe the incident in general terms
      • Describe the type of personal information that was involved
      • Describe how the entity is going to protect the personal information from additional unauthorized access
      • Provide a telephone number for the entity, if one exists, that a person may call for more information
      • Advise the person being notified to review his or her account statements and get a free credit report
      • Provide the toll-free telephone numbers and addresses for the major consumer reporting agencies
      • Provide contact information for the FTC and the North Carolina Attorney General's office
    • allows entities to notify residents by telephone
  • Colorado law allows notice to be given in written and electronic form
    • allows notice by telephone

Encryption Requirements

  • California law provides an encryption safe harbor
    • do not need to give notice of a breach if the personal information was encrypted
    • does not specify the minimum level of encryption needed
    • does not reference any industry standards
  • some states specify encryption standards
    • E.g.,
      • Massachusetts defines encryption as the use of a 128-bit or higher algorithm
      • Indiana states that data is encrypted if it is changed by an algorithmic process
        • must be changed into a form that is unreadable without the use of a confidential process or key
        • for portable devices, data must be protected by encryption and the encryption key cannot be stored on the device
        • law states that data is encrypted if it is secured by any other method that makes the data unreadable or unusable

Penalties for Failure to Notify

  • states can impose penalties for violations of their breach notification laws
    • E.g.,
      • Texas can assess a fine against an entity that does not notify affected people
        • at least $2,000 for a violation
        • cannot be larger than $50,000 for a single violation
  • some states have more complicated penalty structures
    • E.g.,
      • Florida can fine large amounts if entity does not notify within 30 days
        • $1,000 per day for every day after the 30-day limit
          • continues for 30 days after the limit
        • then, fine increases to $50,000 for each additional 30-day period
          • repeats for 180 days
        • if still not notified, then can be fined $500,000

Private Cause of Action

  • California law does not assess penalties against entities that do not follow the notification law
    • does allow a private cause of action against an entity
      • E.g., person can sue for damages
  • Other states allow private cause of action:
    • Alaska
    • Maryland
    • South Carolina
  • Most states do not allow a private cause of action
    • because they are generally seeking to protect the entity’s business
    • also to protect the court system from many individual cases
    • instead usually they allow the state AG to pursue action
      • E.g., Iowa, Michigan, and Oklahoma