When the Dam Breaks

Data privacy compliance continues to bedevil executive management, especially chief information officers. The list of businesses and other organizations confronted with high-profile data security breaches is extensive and touches many sectors: ChoicePoint, Circuit City, the Department of Veterans Affairs, Wells Fargo, Emory University, the Georgia Technology Authority, Aetna, Hotels.com and, most recently, the retailer TJX (T.J. Maxx and Marshalls), among many others.

Breaches of data privacy — whether due to unauthorized access or accidental disclosure — impose specific obligations upon the entity holding the data under what is currently a patchwork of somewhat unclear state laws. Provided below is an overview of these state laws and some suggested approaches to dealing with data breach issues.

State Data Breach Notification Laws

In July 2007, Michigan became the 36th state to put into effect a law imposing specific obligations in the event of a data security breach. Among these states are Georgia, California, Florida, New York, Illinois and virtually all the states in the Southeast — in short, practically every state in which the nation’s most significant business centers are located. Most of these states patterned their laws after California’s pioneering statute, which in 2002 became the first such state law addressing notification requirements.

The general structure of most of the state notification statutes is the same: a “person” (defined very broadly to include most businesses) or agency is under an obligation to provide specified timely notices to individuals within a given state whose personally identifiable information held by such person or agency has been improperly accessed or disclosed. However, the difficulty in compliance becomes clear when even a handful of the state laws are compared. Definitions differ, scope varies and triggering events are not always comparable.

Because many states patterned their breach notification statute after California’s, it is useful to review that statute as a standard reference point. California Code Section 1798.82(a) states, in part: “Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system … to any resident of California whose unencrypted personal information was … acquired by an unauthorized person.” This language is intended to have a very broad scope and is the essential obligation imposed by most state laws. However, because many variations exist as to key terms and qualifications, an inconsistent compliance pattern exists.

For instance, Florida, Tennessee and other states require that the breach must have “materially” compromised the personal information, but do not provide sufficient guidance on this materiality threshold. Another significant area where the states differ is the scope of the covered personal information. California’s law covers a person’s name in combination with a social security number, driver’s license number or account number, while others, such as Georgia, do not require in all cases that a person’s name be connected with other data. Some states include birth dates and other information types. Moreover, Georgia’s law applies only to “information brokers,” meaning persons or entities that collect personal data that is made available for a fee.

The form and timing of notices that must be provided and exceptions also vary. Generally, the statutes require notice to be provided in the most expedient manner possible without unreasonable delay — a formulation laden with ambiguity. A small number of states also require notification to consumer credit bureaus and governmental agencies, although the threshold for such reporting varies. And this is just the tip of the iceberg.

Except for truly localized businesses, the reality for most businesses and organizations is that the content of their various databases and information repositories, of whatever type, most likely includes information on individuals in numerous states. It is also worth noting that a significant minority of states with data breach notification laws do not require that a company actually do business in the state to be covered by the law. As a result, most businesses do not have the luxury of limiting their review to the laws of only their home state.

Most of the notification statutes provide that violations may only be the subject of an administrative action by the state agency charged with enforcing the law — most typically, the state attorney general. Applicable civil penalties are steep, usually ranging from $10,000 to $50,000 per violation, with some states imposing even stricter sanctions. In addition, at least a dozen states allow private causes of action, which raises the very real specter of class actions and their attendant substantial costs. In the aftermath of the massive data breach suffered in 2006 by the retailer TJX at its T.J. Maxx and Marshalls stores, at least eight class actions have been filed against that company by banking groups, consumers and shareholders seeking recovery of costs and other damages incurred in dealing with that breach. It is estimated that TJX has already spent more than $20 million dealing with this situation.

Federal Proposals

In light of the divergent state laws dealing with notification of data breaches and the related compliance burden, many business groups have reluctantly championed legislation at the federal level to bring uniformity to this area. While several notable bills have been proposed in Congress, to date no applicable federal legislation has been enacted. Among the many reasons that none of the widely discussed bills has been passed thus far is the inability to reconcile the inherent competing interests between consumer groups, who want federal requirements layered onto co-existing state requirements, and the business community, which demands a single federal regime that would preempt state laws and possibly relax some of the more stringent state requirements, such as those imposed by California.

What To Do

In the absence of a uniform federal approach, a business faced with a data security breach, or one contemplating how to respond in the event of such an occurrence, should consider the following:

  • Most fundamentally, comply with any applicable state laws and assume that if the personal data of a resident of any particular state is implicated, you will have to comply with that state’s statute or at least review the statute to determine whether compliance is required. Skilled counsel can assist you with this.
  • Adopt a “best practices” approach when faced with a breach, which is evolving into using the lowest common denominator as the safest course of action. Thus, if any data under your control or which was obtained through you (for instance, by a contractor of yours) is improperly accessed or disclosed, you should consider erring on the side of providing notice to affected individuals as a matter of good business policy. While you may not be liable in any event, by being overly cautious and proactive in dealing with the situation, you will have established good potential defenses to claims that may arise, and you will also minimize adverse customer reactions.
  • Include a provision in your agreements with contractors, service providers and anyone else to whom you allow access to your data that imposes an affirmative obligation on them to provide you prompt notice of any breaches of which they become aware and to hold you harmless from any resulting problems caused by their negligence. Many of the notable data breach cases have involved significant delays by third parties in reporting known breaches, which potentially compounds any resulting problems.
  • Implement a clear plan now that assigns defined roles and responsibilities in the event of the most-likely-to-occur data breach scenarios in your business. A swift response in such an event will help to minimize any adverse impact.
  • Evaluate security measures governing access to, encryption of, and portability of sensitive data, and correct any deficiencies. Notably, many of the most egregious data security breaches have involved misplaced or stolen laptop computers that reportedly required no password access or other security restrictions.

Looking Forward

The foregoing is only a brief summary of data breach notification issues, which should be seen in the broader context of a still-developing legal framework — statutorily and through case law — directed toward imposing minimum security standards on the handling of sensitive data. It is almost certainly the case that in the near future some form of broad federal legislation will be enacted dealing with data breach notification. Additional prominent data breach cases may finally tip the balance on the federal side. Until then — and, most likely, even after — the various states can be expected to continue enacting new laws and modifying existing ones in this area. As an example, the TJX case noted earlier has already prompted at least six states to propose amendments to their data breach laws to impose further costs on merchants who bear some responsibility for data breaches. Given this environment, businesses must be alert to the fact that compliance requirements for data breaches will continue to be subject to an uncertain and evolving legal landscape for some time to come.

The author wishes to thank Cylinda Parga, Elizabeth Spivey and Jared Westbroek, SGR Summer Associates, for their assistance in compiling the information contained in the chart.