YourABA October 2011 Masthead

Data security breach: Is notice required?

If your firm experiences a data security breach, should you inform your clients? In his Business Law Today article, “There Has Been a Data Security Breach: But is Notice Required?” Ronald I. Raether Jr., who practices technology-related litigation at Faruki Ireland and Cox PLL, acknowledges that the answer is complex because the legal standard is not well defined.

“The states and regulators have not provided a clear picture on this point,” he says.

“The states and regulators have not provided a clear picture on this point,” Raether says on legal standard regarding breach notification.

Many states have notification laws, and slight variations among them increase the complexity of analysis. However, according to Raether, “there are some common questions in deciding whether notification is required.”

The first consideration is whether personally identifiable information was involved. Generally, notification laws involve data that includes both personal identifying information (name, address) with confidential or financial information. “Only if the incident involves data covered by the notice statute is further analysis even required.”

However, if protected information was put at risk, the next step is to identify if that information was accessed. In 46 states, if the information was encrypted, notice is not necessary. However, if the hacker had access to the encryption keys, some of those 46 states require notice, despite the presence of encryption.

Back to top

Even without encryption, some states do not necessitate notification at all unless certain other conditions are present. According to Arizona requirements, the breach must “cause or is reasonably likely to cause substantial economic cost to an individual.” And in Florida, notice is not required if law enforcement determines no reasonable likelihood of financial harm to an individual.

Evaluating the risk to the consumer involves a thorough and appropriate investigation that should include interviewing all persons involved in the breach incident. “It is essential at the outset to identify and preserve all relevant records,” writes Raether, citing the importance of log records and audit trails. A forensic analysis should follow next.

Over the last several years, companies experiencing a data breach have trended toward over notification. Raether shares the story of ChoicePoint, which had a security breach in 2005. At the time, only California had a notification law, leading the company to notify only its California customers. The backlash was immediate, and ChoicePoint quickly decided to notify all its customers, regardless of location. Says Raether, “the lesson for the industry—err on the side of over notification.”

Business Law Today is a publication of the Section of Business Law

Back to top



Recent ABA ethics opinions: Email communications


Three tips on using technology to improve client service


Legal tech now: Social media effectiveness, software trends, mobile security, more


Advice on criticizing judicial decisions

When cyber criminals hit—Is the bank liable for your loss?

Ethics of switching firms

Retaining diverse lawyers, eliminating hidden barriers

Data security breach: Is notice required?

Settlement agreements: Eliminating hassle associated with boilerplate language

Get paid faster with credit cards

Technology help desk services within your reach

Easy steps to organize your contacts


Time to renew your membership