In the aftermath of a data security incident, entities should prioritize the identification and containment of the security risk.  There is no general data breach notification law in the US, so in order to determine what legal obligations apply, an entity will need to determine the location—in particular, the state—of any individuals whose personal information was involved in the incident.  As of April 2018, all 50 states plus the District of Columbia, Puerto Rico, Guam, and the British Virgin Islands have adopted their own data breach notification laws.  While many of these laws contain similar notification triggers, obligations, and timelines, there are some important differences that could affect reporting obligations.¹

In the EU, GDPR imposes a 72-hour reporting requirement.  Companies need to be able to quickly determine if any of the data involved in the breach is subject to GDPR.²

The key questions to answer include:

• What are the applicable laws?  While many breaches likely will only implicate the state-level data breach notification laws, there are federal requirements imposed by HIPAA, the Communications Act, and other laws related to breaches of certain kinds of information held by certain parties.  And if you have any personal data protected by GDPR that is subject to the breach, you may have only 72 hours to report the breach to the appropriate authority.  Companies need to know which laws apply to them to ensure proper compliance.
• What is “personal information”?  Each state’s definition of “personal information” will inform whether information compromised in the incident triggers notification.  For example, nearly all states consider social security numbers to be personal information, but only a few state laws cover biometric information.³
• Timeline for notification.  In many states, notifications must be issued “without undue delay,” though some states impose a more rigid time frame, such as Florida’s law, which requires notification within 30 days.⁴
• Notify regulators?  Some states require notification to state regulators.  Maryland, for example, requires notification to the Attorney General before issuing any consumer notices.  Some states only require notifications to regulators if a certain threshold is met, such as if more than 500 or 1,000 individuals were affected by the incident.  A number of states do not require notification to regulators at all.⁵
• Exemptions?  A number of states exempt covered entities from notification if, for example, the data was encrypted or redacted.⁶
• How the law is enforced.  There is no uniform data breach enforcement mechanism.  Several state statutes are enforced by the state attorneys general who may seek civil penalties and/or injunctions for violations.  A number of states also provide a private right of action.⁷
• Content of notifications.  Several state laws, such as those of California, Florida, and Hawaii, require that notifications to individuals or regulators contain certain descriptions of the event and may include a requirement to provide credit monitoring services.⁸

A complete assessment of state data breach laws is crucial because even small companies can experience a security incident that triggers notification in multiple states.

¹ See generally, Nat’l Conference of State Legislatures, State Data Breach Notification Laws (Sep. 29, 2018), available here.

² Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR), art. 33.

³ Compare 815 Ill. Comp. Stat. 530/5 (2019) (including biometric information in the definition of personal information), with Tenn. Code § 47-18-2107(3)(A) (defining personal information without reference to biometric information).

⁴ Compare Alaska Stat. § 45.48.010(b) (2017) (requiring notification “in the most expeditious time possible and without unreasonable delay”), with Fla. Stat. § 501.171(3)(a) (requiring notification within 30 days).

⁵ Compare Neb. Rev. Stat. § 87-803(2) (requiring notice be provided to the state attorney general at the same time as notice is provided to state residents), with Nev. Rev. Stat. § 603A.220 (requiring notification only to affected individuals).

⁶ See, e.g., D.C. Code § 28-3851(1) (“Acquisition of data that has been rendered secure, so as to be unusable by an unauthorized third party, shall not be deemed to be a breach of the security of the system.”).

⁷ See, e.g., Haw. Rev. Stat. § 487N-3 (providing for enforcement by the state attorney general and a private right of action).

⁸ See Cal. Civ. Code § 1798.82; Fla. Stat. § 501.171; Haw. Rev. Stat. § 487N-2.