- ABA Groups
- Resources for Lawyers
- About Us
Over the last year, a record number of organizations suffered a data security breach exposing some type of personal identifiable information. As the number of data breaches continues to rise at an unprecedented rate, organizations increasingly rely on attorneys to navigate the maze of state data breach notification laws and assist them in avoiding potential lawsuits and possible government investigations. Below are a few basic tips that will help you minimize your client's risk of liability during a data security breach.
Determine Which State Data Breach Notification Laws Apply
Over forty states have some type of data breach notification statute requiring organizations to notify individuals whose personal information has been compromised. In many cases, organizations are subject to the data breach notification law of each state in which their customers reside. Organizations that conduct business globally may be required to comply with the data breach notification laws of foreign countries. Therefore, do not make the mistake of simply complying with the data breach notification law of the jurisdiction in which your client is located. Given that certain jurisdictions require notification within a specified period of time, the issue of what state laws apply should be determined within days of learning about the data security breach.
Do Not Forget that State Data Breach Notification Laws Differ
State data breach notification requirements differ in several respects. For instance, some states such as Massachusetts and New Jersey require organizations to notify state agencies of a data security breach while states such as Pennsylvania do not. States also differ with respect to the time in which notification must be provided. Some states also require different information to be contained in the data breach notification letter. Given the differences in state statutes, do not assume that compliance with one state data breach notification statute will result in compliance with all statutes.
Determine Whether Notification Is Required
From a customer relations view, nothing can be worse than providing notification of a data breach when no personal identifiable information has been accessed. Consequently, make sure that the incident you are responding to requires your client to provide notification before sending thousands of data breach notification letters. Many states require notification when personal identifiable information is acquired or accessed by an unauthorized individual. In cases where personal data is lost or misplaced, you must advise your client to immediately investigate into whether the data has been acquired or accessed by an unauthorized person. If your client has absolutely no reason to believe that personal information has been accessed, you should document the reason for this belief in detail and refrain from sending notification letters if you are not required to do so.
Coordinate with Appropriate Law Enforcement Authorities
Careful consideration must be given as to when and how to coordinate with law enforcement. Ideally, you should gain an understanding as to how and when the data breach occurred to determine the most appropriate law enforcement agency to notify. Many state data breach notification laws allow organizations to delay notification if law enforcement determines that notification will impede a criminal investigation. Before relying on this exception, make sure you receive written confirmation from law enforcement that the notice would impede their investigation.
Carefully Draft Notification Letters
Notification letters should clearly describe: (1) the incident, (2) the type of personal information compromised, (3) the steps your client is taking to protect individuals against further data security breaches, (4) guidance as to how the affected individuals can protect themselves against identity theft in the future and (5) a dedicated telephone number to answer questions about the data security breach. Before sending notification letters, you should advise your client to designate customer service representatives to answer questions about the data breach. Of course, all representatives should provide consistent responses to any inquiries. Consideration should also be given to offering a period of free credit monitoring services to the individuals affected.
About the Author
James E. Kurack, Jr., is a senior associate with the law firm of Obermayer Rebmann Maxwell & Hippel LLP. He focuses his practice on representing businesses and individuals with respect to privacy and data security issues. Mr. Kurack maintains a blog dedicated to privacy and data security issues affecting Pennsylvania businesses at www.paprivacyanddatasecurity.blogspot.com. He can be reached at firstname.lastname@example.org.