Information security incidents involving personally identifiable information and other sensitive organizational data are almost inevitable in the current environment. Organizations across the world reported more than 100,000 incidents in 2015, according to the Verizon 2016 Data Breach Investigations Report.
The frequency with which incidents occur makes it essential that your organization be prepared to address its cybersecurity and information security risks. Earlier editions of our 7 Ways to Strengthen Cybersecurity series covered how incidents frequently arise, the types of attacks that may occur and what can be done to prevent them. Responding to an incident is equally essential. Once the breach has been contained, you will have to decide how to communicate what happened to the parties affected by it. Who needs to be contacted, and how quickly, varies by jurisdiction: the states in which you operate and the states whose residents' data were exposed.
State Reporting Obligations
According to the National Conference of State Legislatures, 47 states have security breach notification legislation. State laws affect all types of organizations, from private and public companies to not-for-profit organizations and governmental entities. Laws vary by state, but typically define when a breach has occurred, the timing and/or method of the notice and who must be included in the breach notification.
Organizations need a clear idea of the state requirements in every jurisdiction in which they operate. Most state laws apply to organizations that conduct business within the state, or that own or license computerized data that includes personal information about the state's residents.
Define Incidents That Are Security Breaches
Once you have determined which state notification laws apply, you must then understand how each state defines a security breach. The definitions are fairly nuanced. Alaska, Hawaii and Louisiana, for example, define security breach to cover both incidents where unauthorized access has occurred and incidents where there is a reasonable belief that a breach occurred. States including California, Missouri and Illinois (effective January 1, 2017) include medical information among the types of data whose compromise constitutes a security breach. Arizona's law defines security breach as the unauthorized access of unencrypted data that, if compromised, would lead to economic loss to the individual. The law in Kansas stipulates that the unauthorized access to unencrypted data must have the potential to cause identity theft in order for the victim organization to be subject to the notification requirements.
Evaluate What Else May Be Affected by the Law
The extent to which an organization's third parties are covered by the notification requirements also varies. In Maine, third-party claim databases maintained by property and casualty insurance providers are excluded from the notification requirements. Most states require a third party that maintains data on behalf of another entity to notify the owner or licensee of the data if a security breach has occurred, because it is the owner or licensee of the data that is subject to the breach notification law. Third parties in Florida have a 10-day time limit to notify the owner of the data.
Timing and Form of the Notifications
Timing is essential with notification laws. Many states put specific time limits on when the individuals whose data were compromised must be notified. States including Ohio, Tennessee and Rhode Island give breached organizations 45 days after the discovery of a breach to notify affected parties. Other states use more general standards, such as "without unreasonable delay" or "in the most expedient time possible."
State Attorneys General may also need to be notified in some scenarios. Under some laws, including those of California, Hawaii and Missouri, the Attorney General must be notified when the number of affected individuals reaches a threshold. Florida requires notification to the Florida Department of Legal Affairs if 500 or more Florida residents are affected. Organizations subject to Nebraska's requirements notify the state Attorney General only if the breach was likely to have caused harm to individuals. States including Colorado, Arizona and Kansas do not require the Attorney General to be notified.
How penalties are assessed for noncompliance with state notification laws also varies by state. Some opt for a flat penalty per breach. In Arizona, it is up to $10,000 per breach or series of similar breaches discovered in a single investigation. Florida takes a more stringent approach and treats a violation as an unfair or deceptive trade practice. Organizations that fail to meet the notification requirements face a civil penalty of $1,000 per day for the first 30 days and $50,000 for each 30-day period thereafter, up to a total of $500,000. California allows individuals affected by the breach to seek financial relief from the organization that was breached; many states do not allow a private cause of action.
The bottom line is that following the specific requirements for alerting relevant parties to the breach is essential to minimizing your risk of penalties. There is no one-size-fits-all rule for notification, so a careful evaluation of every jurisdiction that may be affected by a breach is highly recommended. If you have any specific comments, questions or concerns about the aftermath of a cybersecurity or information security breach, please contact us.
Seven Ways to Strengthen Your Cybersecurity
- Monitor the Human Element
- Secure the Small Things
- What We Can Learn from Other Incidents
- Know Your State Notification Laws
- Questions to Ask About Third-Party Providers
- Logical Security
- What Management Should Know About the IT Environment
Published on November 15, 2016