Every day seems to bring word of a new data breach, and given the stakes of these breaches, it would be easy to assume that dealing with the damage they cause would be a top government priority. Unfortunately, a myriad of conflicting state laws, as well as the lack of one over-arching federal law, creates legal and compliance nightmares for companies that these breaches affect.
For example, in late February and early March 2014, hackers successfully targeted eBay’s corporate network. They accessed the personal information of as many as 145 million customers, including encrypted passwords, addresses and birth dates. But eBay allegedly did not immediately alert its customers, and when this became known, it endured substantial public criticism. The company is now facing a putative class action lawsuit – Green v. eBay. Count Nine of the suit, “Violation of Multi-State Privacy Laws,” alleges eBay violated the data protection laws of 47 states and four U.S. territories. State attorneys general from Florida, Connecticut and Illinois also announced investigations into whether the breach violated state law.
Situations such as this make clear that there is a pressing need to simplify data breach laws. The current patchwork of state laws presents an economic and technical challenge for businesses and consumers, and a headache for compliance counsel. Congress should enact a single federal statute that preempts the proliferating and constantly changing state laws, and provides uniformity and predictability to this emerging and important area of law.
Privacy and Protection
Congress has already addressed the personal data privacy question, except for data protection and breach notification standards. Laws designed to protect the privacy of personal information generally can be grouped into three categories:
- Many federal laws prohibit unauthorized access or collection of private information, including hacking. This extensive body of federal law includes the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act of 1986 and the Children’s Online Privacy Protection Act of 1998.
- Federal laws govern the voluntary disclosure and sale of personal information that was lawfully collected, such as by online retailers. This is governed by, among other federal statutes, the Privacy Act of 1974, the Federal Trade Commission Act of 1914, the Video Privacy Protection Act of 1988 and the Fair Credit Reporting Act of 1971/1999.
- State laws impose data security and notification obligations on organizations that handle private personal information. The purpose of these laws is to minimize the risk that data security is compromised, and to minimize the harm from any breach.
Importantly, no overarching federal statutes govern this third category. Federal law provides anti-breach standards for a handful of specific industries and entities: financial services, healthcare and the federal government itself. But for most companies that handle personal information, including retailers and social media providers, there is no uniform standard for the appropriate response in the event of a data breach.
The Patchwork of State Laws
In the absence of a uniform federal standard, most states have created their own legislation. In 2002, California became the first state to require notification of a breach of personal information. Today, every state except Alabama, New Mexico and South Dakota has such a law. Not surprisingly, this has resulted in a patchwork of state laws that sometimes conflict.
For example, most state data breach laws define protected personal information to include some combination of an individual’s first name or first initial and last name, Social Security number, driver’s license number or state-issued ID card number, and account number, credit card number or debit card number combined with any security code, access code, PIN or password needed to access an account.
However, there are numerous variations:
- Georgia’s definition includes any of this information if the combination “would be sufficient to attempt to perform identity theft using that information.”
- Iowa includes “unique biometric data, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data.”
- In North Dakota, protected information includes “the individual’s date of birth; the maiden name of the individual’s mother; medical information; health insurance information; an identification number assigned to the individual by the individual’s employer; or the individual’s digitized or other electronic signature.”
Most state breach-notification statutes are broad enough to govern the activity of any entity that owns or maintains personal information. However, Wisconsin’s law only applies to institutions and businesses. Georgia’s law applies to professional “information brokers” and certain state or local agencies or subdivisions, including public universities, that qualify as “data collectors.”
In some states, any unauthorized access to information triggers a notification requirement, even if circumstances suggest it will not be, or has not been, used for identity theft. States following this rule include California, Illinois, New York, and Texas. In contrast, Connecticut, Florida, Ohio, and Wisconsin require notification only when the breach of personal information presents a material risk of harm to the victims.
For example, Ohio’s statute requires notice if the breach “causes or reasonably is believed will cause a material risk of identity theft or other fraud to the resident.” Florida provides that notice is not required if, after investigating and consulting with law enforcement, the “covered entity reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed.”
While many state laws allow affected organizations to determine the content of consumer notifications in the event of a breach, some states have their own unique requirements. These typically require, at a minimum, that the notice describe the breach in general terms and the type of sensitive information compromised.
- In Illinois, however, notice must not “include information concerning the number of Illinois residents affected.”
- Hawaii additionally requires that notice contain “advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.”
- Iowa requires that consumers be advised to “report suspected incidents of identity theft to local law enforcement or the Attorney General.”
- Wyoming mandates that notice “shall include a toll free number that the individual may use to contact the person collecting the data” in order to obtain “the toll free contact telephone numbers and addresses for the major credit reporting agencies.”
- Puerto Rico requires both a toll free number and an Internet site.
State requirements about the form of notice are equally diverse. Notification via postal mail is generally acceptable, as is notification in electronic form if certain criteria set forth in the federal ESIGN Act are met. Substitute notice via some combination of email, publication and notification of major media is also generally acceptable where the cost or number of notices exceeds a certain threshold.
In most states, this threshold is reached when the cost of providing notice would exceed $250,000, the affected class of noticees exceeds 500,000, or the noticing business does not have sufficient contact information to provide individual notification. In Pennsylvania, however, the threshold is $100,000 in notification costs or 175,000 individuals affected. In Virginia, the threshold is $50,000 in costs or 100,000 individuals. In Utah, notice via publication in a “newspaper of general circulation” is always an option, no matter how small the breach.
The majority of states provide a qualitative (and therefore somewhat ambiguous) requirement for how soon disclosure must be made: generally, disclosure must be made as quickly as possible, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system. For instance, California recently amended its notification laws to require that disclosure be made “in the most expedient time possible.” However, in Florida, notice to affected consumers must be provided no later than 30 days after the discovery of the breach, unless a law enforcement agency determines that notice to individuals would interfere with a criminal investigation. Wisconsin has a similar law, but the deadline for notifying consumers is 45 days. In New Jersey, notice may not be provided to customers until it has first been provided to the State Police.
Some states require that notice always be given to the state’s attorney general or consumer reporting agency when notice is given to consumers, while others do not require any such notice. The remainder of states require notice only if a certain number of state residents are affected. Depending on the state, this threshold is met at the level of 500, 1,000 or 10,000 persons.
Some states impose affirmative data security standards upon owners of personal information. Most commonly, states simply require these entities to take “reasonable measures” to protect and secure personal information in electronic form. However, Massachusetts, by regulation, imposes a duty to maintain a written and “comprehensive” information security program. California further requires that businesses that disclose personal information to any third party obtain contractual assurance that the third party will itself implement reasonable security procedures.
Uncertainty, Expense and the Impossibility of Compliance
Congress should enact data security and notification legislation, and likely could rely on the Commerce Clause as a constitutional basis for doing so, given that most data breaches involve interstate commerce. This would also likely allow such legislation to preempt state data security and notification laws.
This uniform federal data breach legislation should resolve at least three major problems: significant legal uncertainty, the expense of notifying consumers, and the fact that it may be impossible to comply with conflicting state laws.
As for compliance, when a company with a nationwide customer base experiences a data breach, it faces the difficult task of complying with the diverse laws of 47 states. But it may be impossible to follow the law of one state without violating the law of another. For example, notification to Massachusetts residents cannot describe the nature of the breach or the number of state residents affected. But in Florida, describing the nature of the breach is an express requirement. If the affected company has access to individualized contact information for noticees, two separate notices can be provided. But if not, and publication is the only way to provide sufficient notice, it could be impossible to meet Florida’s requirements without running afoul of Massachusetts law (and vice versa).
Keeping up with various state laws comes at a steep cost. According to the Ponemon Institute, which releases an annual report on the cost of data breach incidents, the average cost to a U.S. company for a data breach increased to $5.9 million in 2014, up from $5.4 million last year, and the average cost for each lost or stolen record containing confidential information increased from $188 to $201. Of this, post-breach notification costs averaged approximately $500,000, or one-tenth of the total cost. These substantial notification costs can undoubtedly be reduced with a single federal standard that makes notification simple and predictable for businesses and consumers nationwide.
State laws that mandate rapid notification are a significant cause of increasing costs. The Ponemon study found that organizations that notified customers “too quickly,” without a thorough assessment or forensic examination, incurred an average additional cost of $15 per record. These costs are likely to have significant consequences in the context of data security. Rather than focusing on data security and response readiness, businesses will inevitably expend significant resources trying to comply with the myriad state laws. Plus, state laws are continually changing, which compounds the problem: Changes to California, Florida, Kentucky and Iowa laws all took effect in 2014.
A single federal standard would provide certainty to industries that maintain personal data. For businesses operating in numerous states, the patchwork model presents a compliance nightmare, particularly as state laws continue to evolve. A single federal standard would simplify data security preparation, present industry with clear notice obligations in the event of a breach, and reduce the likelihood of unnecessarily complex litigation.
A uniform federal standard would also benefit consumers by removing ambiguities over industry practice. Several states, attempting to lessen the burden of compliance, deem a business to be in compliance with data privacy laws if it complies with the laws of its “primary or functional” state. However, several locations could qualify as the “primary” state. The consumer cannot rely on the laws of his or her own state, and must instead hope that the entity storing sensitive personal information is subject to a state with adequate legal standards.
The obvious and simple answer is a single federal standard, which would provide certainty for both businesses and consumers.
Congress has a bevy of options; a number of relevant bills have been introduced in both the Senate and House of Representatives.
Several bills offer Congress the opportunity to create comprehensive data security laws. For instance, the proposed Personal Data Protection and Breach Accountability Act would require regulated businesses to develop broad security measures. A compliant plan must assess risks of future security breaches and develop a program to control those risks, ensure adequate employee training on data security, ensure regular testing of the security system, and monitor and adjust the program. In the event of a breach, businesses must notify affected consumers and provide them a free credit report for a two-year period.
Other proposed laws that similarly seek to establish comprehensive rules on data security and notification requirements include the Personal Data Privacy and Security Act and the Commercial Privacy Bill of Rights Act. Additional options include the Data Security and Breach Notification Act, the Data Security Act, and the Secure and Fortify Electronic Data Act (“SAFE Data Act”).
Where the proposed laws differ is in the details, such as the definition of a covered entity. Under the Commercial Privacy Bill of Rights Act, a business is regulated if it stores data on 5,000 people. Under the Personal Data Protection and Breach Accountability Act, the number is 10,000 people. The bills also differ on enforcement powers. Whereas the Personal Data Protection and Breach Accountability Act would create a private right of action, the Data Security Act expressly would not.
Unfortunately, these proposed statutes have been relegated to the committee stage of the legislative process, and Congress has shown “little appetite” for enacting a law. Making things more difficult, lobbying groups have fought over features of the proposed bills.
That said, momentum may be building for federal data security legislation. President Obama recently called on Congress to enact a “national standard that brings certainty to businesses and keeps consumers safe” and that would preempt the “current patchwork of laws.” At the same time, the President signed an executive order aimed at improving security measures for government credit cards.
To help break the logjam, Congress could consider enacting data breach legislation that shifts the burden of fashioning details to regulators. Several of the proposed bills – including the Data Security and Breach Notification Act and the SAFE Data Act – direct the Federal Trade Commission to promulgate regulations on data security and notification. If Congress cannot agree on the minutiae, delegation may be a viable solution.
Uniform, predictable law on data security and notification is urgently needed. Such a law would supplant the patchwork, state-based approach that appears unworkable from both compliance and litigation standpoints. Fortunately, Congress has been presented with a variety of statutory options from which it can craft data breach law. It should enact legislation quickly to protect businesses and consumers.
Jeff Douglass is a partner in both the Litigation and Data Security and Breach practices at Morris, Manning & Martin, LLP. Ryan Burke and Sam VanVolkenburgh are associates at the firm. They can be reached at (404) 233-7000.
(This article originally appeared on CyberRiskNetwork.com, an Advisen publication.)