ATTORNEY: Perry Gattegno
Pomerantz Monitor January/February 2016
In today’s digitized world, nearly every consumer shares sensitive personal information online every day, willingly or unwittingly. Almost as routinely, attackers gain access to the corporate databases that hold that information, taking whatever data they can reach.
Fortunately, nearly every state has a data breach notification law that applies to any entity collecting personally identifiable information. Those laws generally require the collecting entity to notify individuals when their personal information has been accessed by an unauthorized person. The first such law, which took effect in California in 2003, set the model for data breach notification mechanisms by creating obligations for “any agency that owns or licenses computerized data that includes personal information.” In the case of a breach of its security systems, the hacked company must disclose the breach to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
The definition of personal information varies from state to state, but it generally includes names, telephone and Social Security numbers, and home and e-mail addresses, along with other data elements that fall under the umbrella of “personally identifiable information.” Under the California law, those additional elements include driver’s license numbers and credit or financial account data that, combined with any required access code, permits access to the account. In California, only unencrypted information acquired by unauthorized persons must be reported, so a California entity that keeps personal information encrypted can largely avoid its reporting duties, though as a practical matter the protection depends on the encryption keys not having been exposed along with the data, since encrypted data whose key the attacker holds is no better protected than plaintext.
Generally, the statutes include language requiring disclosure of the breach “without unreasonable delay” (Connecticut, among others), “in the most expedient time possible” (Delaware, among many others) or “as soon as possible” (Indiana, among others). Most states allow the hacked company to wait until “delay is no longer necessary to restore the integrity of the computer system or to discover the scope of the breach,” or to delay in order to comply with a criminal or civil investigation by law enforcement. Some states, such as Louisiana, allow the breached entity to forgo notifying consumers of a breach “if after a reasonable investigation the person or business determines that there is no reasonable likelihood of harm to customers.”
In the 13 years since the California law took effect, 47 states, as well as the District of Columbia, Guam, the U.S. Virgin Islands and Puerto Rico, have enacted some form of data breach notification law. While all of them authorize the local attorney general to enjoin violations and create civil, and sometimes criminal, penalties for violators, fewer than half the states also grant a private right of action to individuals whose data has been stolen. Civil penalties collectible by the state generally range from $100 to $2,500 per violation, while private rights of action generally permit aggrieved parties to recover actual damages, and often reasonable attorneys’ fees, from the hacked entity. These rights create a strong incentive for breached entities to disclose promptly to the individuals affected. Illinois and California are among the states where a private right of action exists, while New York and Florida are among the states where there is none.
Beyond statutory liability, holders of confidential data must also weigh the public relations nightmare that often accompanies data breaches, which are becoming high-profile, and thus high-stakes, messes requiring immediate clean-up. Failing to comply with the relevant statute not only creates liability, it also causes embarrassment and discourages individuals from entrusting their data to the offending party.
Even states that provide no private right of action under their breach notification statute may have unfair trade practices statutes that offer an alternative route to recovery. For instance, the Florida Deceptive and Unfair Trade Practices Act (FDUTPA) allows recovery of damages and attorneys’ fees for “unfair methods of competition, unconscionable acts or practices, and unfair or deceptive acts or practices in the conduct of any trade or commerce.” Because FIPA, Florida’s data breach notification statute, defines a violation as an unfair or deceptive trade practice, the state statutory scheme effectively channels breach claims through the single private right of action that FDUTPA already provides, rather than FIPA creating a second one on top of it. FIPA merely creates a new category of violation that falls under FDUTPA’s umbrella. The interplay between analogous statutes varies from state to state.
Permitted methods of notification vary by state, but written notice, e-mail notice, or telephone/fax notice are generally acceptable if the breached entity has the corresponding contact information for the consumer in its possession. Some states permit substitute notice in the event that none of those methods is available, such as “conspicuous posting of the notice on the Internet Web site page of the [breached] person or business, if the person or business maintains one” and “notification to major statewide media.”
Data breach notification laws confirm and crystallize the duties of entities that undertake to collect individuals’ personally identifiable information. Even the best-intentioned holders of data may occasionally suffer a breach, but these laws create incentives for stringent security and for prompt action to mitigate harm wherever and whenever it occurs.