3 New State Laws Expand Data Breach Obligations
In the past month, Indiana, Wisconsin and Nebraska have enacted data breach notification statutes requiring companies to notify a consumer if that consumer's personal information is acquired by an unauthorized individual. Though other states have enacted similar statutes, these new laws increase the amount of information that is protected, the number of consumers who must be notified and the number of companies that must issue notification.
What is a data breach notification statute? To date, 26 states and Puerto Rico have enacted laws requiring companies that maintain consumers' personal information to disclose when an unauthorized individual obtains that information. Most state statutes define "personal information" as any data that associate an individual's name with their Social Security number, driver's license number or one of their financial account numbers.
If such information is acquired or accessed by an unauthorized person, most of the laws require that the company notify the affected consumers. Some statutes also require the company to notify state consumer protection agencies, law enforcement agencies and the credit reporting agencies: Equifax, TransUnion and Experian. Failure to issue notifications in a reasonable time may lead to fines imposed by the state or a lawsuit by affected consumers. Though penalties for noncompliance vary under each statute, several impose fines as high as $10,000 per day of violation. As a data breach may trigger several - and in some cases, all - of the states' statutes, failure to abide by the laws can lead to staggering liability.
The three new statutes differ in several important respects from previous notification laws. First, Nebraska and Wisconsin's laws enlarge the type of information protected. Along with Social Security numbers, driver's license numbers and account numbers, both states protect "biometric data." This includes fingerprints, voiceprints, retina or iris images, DNA profiles and any other "unique physical representations."
Second, though most state laws require companies to notify that state's residents of a data breach, Wisconsin requires companies based in its state to notify all consumers of the breach, regardless of the state, or even the country, in which they live.
Finally, the Indiana statute purports to regulate companies outside Indiana to an unprecedented degree. Most state laws claim to apply to companies that "do business" within the state. Indiana's statute claims that any company owning or using "personal information of an Indiana resident for commercial purposes" is doing business within the state. Based upon this definition, the law would appear to apply to a company based in Florida, doing business only with Florida residents, that has information concerning even one Indiana resident in its database. As a practical matter, it is uncertain whether courts would uphold this provision.
The best way to prevent liability from state breach laws is to be proactive in preventing a data breach from occurring in the first place and to decide, in advance, what your company will do if a breach occurs.
Every company that maintains personal information should develop a written policy on how it will safeguard that information. Not only is such a policy useful in preventing breaches, but for many companies having such a policy is required under the Gramm-Leach-Bliley Act (which applies to "financial institutions") or under various state laws (which apply to companies other than financial institutions).
That policy should include a description of what your company will do if a data breach occurs. This description should take into account all of the state notification laws that might apply, not just the laws of the state in which your company is located. At the very least, a policy should specify what events will cause your company to issue notifications, what forms those notifications will take (e.g., letter, telephone, e-mail) and which state agencies will be notified. As some jurisdictions require notification in as little as 10 days following a breach, having this information on hand can be invaluable in ensuring that your company complies with applicable laws quickly and efficiently.
It is doubtful that Indiana, Wisconsin and Nebraska will be the last states to enact data breach laws. Other states are considering similar statutes, and Congress is considering more than a half-dozen notification proposals. This much is certain: Companies should not wait until the dust settles and all the states and the federal government have legislated on this matter. High fines can result for not complying with statutes now on the books.