January 19, 2017

Data Breach Notification: State Law Requirements

Catherine Bragg

Companies operating in the construction industry do not usually consider themselves much of a target for cyberattacks seeking sensitive personal information.  Such attacks usually bring to mind a data breach within a retail company that collects credit card information through thousands of daily transactions, or the relatively recent security breach of the United States Office of Personnel Management that compromised the personal information of millions of U.S. citizens.  As a result, companies in the construction markets may not focus sufficiently on the state laws that require notification of a breach of this type of information.  However, a cyberattack that targets sensitive infrastructure project information or government facility data may also expose a company’s sensitive employee information as collateral damage.  Alternatively, well-intentioned employees sometimes make mistakes, such as when a firm’s payroll administrator downloads a spreadsheet of employee names, birthdates and Social Security numbers to a non-encrypted portable storage device to catch up on work at home, but then loses the device on the train.

One thing is clear, bad actors are constantly testing the fences of companies of all sizes and in all industries.  To help protect their residents from the threat of identity theft, 47 states have passed data breach notification laws that require companies to make certain disclosures to residents after a cyberattack that compromises sensitive personal information.

Contractors, consultants and vendors provide a wide range of services in the construction industry that may involve personal information. Aside from internally administrating payrolls and providing employee benefit programs to employees, firms may also do the following:

  • collect W-9s from landowners in the acquisition of easement rights;
  • manage financial data of residents qualifying for state energy efficiency programs;
  • collect background check information for subcontractor personnel;
  • provide security consulting for public utility network upgrades;
  • sell specialized engineering software to the public through a website.

All of these activities make it imperative that companies understand the laws governing data breach notification.

This article examines the typical provisions of state data breach notification laws, including who must comply, what information is protected, how a breach is defined and what should be included in a notice.

Who must comply with data breach notification laws?

At a minimum, most state laws require that a person or company that conducts business in a state and “owns” or “licenses” sensitive personal information about residents of that state are required to disclose a breach that results in the access to that data by an unauthorized person.  A number of states do not require that companies formally conduct business in the state for the notice obligation to exist.  For example, under Massachusetts law, a “corporation, association, partnership or other legal entity” that “receives, stores, maintains, processes, or otherwise has access to personal information [of a Massachusetts resident] in connection with the provision of goods or services or in connection with employment” must comply with the notice requirement.

Many companies outsource the management of certain types of data, (e.g., payroll and purchasing) to a third party provider.  It has become a best practice to store all types of data in the cloud to be managed by a hosting vendor.  Data management service providers and other vendors that host data on behalf of another company are obligated under most state laws to provide immediate notice to their client company of a breach that impacts the personal information entrusted to them by that company. A company’s notice obligation is not eliminated simply because it entrusted the management of sensitive personal information to another party. The notice obligation for a company is triggered as soon as it is notified by its data management service provider that a breach of its personal information has occurred.

What information is protected? 

The common goal of state data breach notification laws is to protect state residents’ sensitive personal identifiable information from access by an unauthorized party, thereby helping to avoid the threat of identity theft.  

Most state laws define personal information as a combination of pieces of information that discloses the identity of someone.  For example, in Nevada, personal information is defined as a natural person’s first name or first initial and last name in combination with one or more other data elements that include: Social Security number, driver’s license number, credit card number, health insurance identification number, electronic mail address with password. Under California’s statute, the definition of personal information is much broader and can include “any information that identifies, relates to, describes, or is capable of being associated with, a particular individual,” where “information” may include many different data elements.  Most state laws exclude from the definition of personal information any information that is publicly available by legal means. 

What type of breach triggers notice? 

Under most states’ laws, the notice requirement is triggered when a data breach results in the acquisition of a state resident’s personal information by someone who is not authorized to have it.   The burden is upon the company that owns the data or licenses it to determine that it has experienced a breach of its network system and that the data acquired or accessed was personal information (as defined by applicable state law).

Where data that is lawfully acquired is used in an unauthorized manner, this activity is usually viewed as a breach.  In Massachusetts, “a good faith but unauthorized acquisition of personal information…for lawful purposes” that results in “further unauthorized disclosure” is considered a breach that gives rise to the notice requirement.  This additional complexity requires that companies evaluate the data access privileges within their organizations and that they become better aware of who has access to their personal data that is held by a service provider.

As companies better develop their defenses to cyberattacks, they are starting to use software that can detect intruding electronic “agents” or large data downloads that signal the existence of a breach.  In other situations, the theft of physical equipment such as a server or a laptop are events that clearly suggest that data is at risk.  In most states, a disclosure of a breach is required “as quickly as possible” following the discovery or receipt of notice that “personal information” was or is reasonably believed to have been acquired an unauthorized person.”

Who should receive notice and what should be in it?

In most states, the most important recipient of a notice of data breach is the individual whose personal information was accessed.  Notice must also typically be given to the relevant state’s Attorney General’s office and Division of Consumer Protection.  In states such as California, the law provides very clear and specific guidance regarding the format of the notice and the information that it must contain, requiring that the notice be written in “plain language”; that it describe the type of personal information accessed; that it state whether notice was delayed due to a criminal investigation; and that it provide contact information for major credit reporting agencies. Most states mandate that notice be provided in the form of a written mailing; however, electronic or telephonic notice can be acceptable under certain circumstances.

Exemptions from Notice

A data breach of unencrypted personal information in almost all circumstances triggers the notice requirement.  Many state laws contain a provision that a data breach that exposes encrypted data must include the disclosure of the key or method of decrypting the data in order to fall under the notice requirement.  Oregon provides a special exemption to the notice requirement where the notifying company determines “after an appropriate investigation or after consultation with relevant federal, state or local law enforcement agencies…that the consumers whose personal information was subject to the breach of security are unlikely to suffer harm.”

Local law enforcement are given special privilege to delay the notice requirement under most state laws in the interest of a criminal investigation.  Notice of the breach must be given promptly after the conclusion of an investigation, and in some states must include a disclosure that that the notice was delayed because of an investigation. 

Cyber Risk Insurance and Data Breach Notification

Many companies are buying cyber risk insurance to comply with what has been established as a basic requirement in the construction industry by owners, developers, state agencies and other clients. Policies are purchased with the view that they will help defray the costs of a potential breach such as: plaintiff lawsuits, breach notification mailings, forensics investigations, credit monitoring, and regulatory defense.  Because some policies carry exclusions, such as the exclusion of coverage for liability from a breach of data housed by a third-party vendor, every company should understand what its cyber insurance policy will pay for and what it will not pay for before a breach occurs.

Best Practices for Compliance

  • Companies should track which states they operate in and whether sensitive personal information of state residents is owned or held by a third party service provider hired by the company.
  • Data management service providers should be contractually bound to protect the sensitive personal information entrusted to them and agree to comply with applicable state law(s) regarding breach notification.
  • Companies should know what a cyber risk insurance policy will pay for in the event of a breach (or a breach of a contracted data management vendor) and beware of any policy exclusions that can create unexpected costs associated with the notice requirement.

Conclusion

Companies in the construction industry are beginning to adopt the view that a cyberattack is a “when” scenario, and no longer an “if” scenario.   The reports of attacks on companies that store construction project data for buildings, infrastructure, manufacturing facilities, utilities, etc. highlights the need for additional diligence in establishing and maintaining data security measures.

Failure to comply with notice requirements can result in significant fines and penalties.  Companies must understand their obligations under these laws while they are strengthening their current data security procedures.  As most of us where taught: it is always better to be safe than sorry, and companies should assume that they can always do more to protect their personal information.

For a full list of data breach notification laws in 47 states and the District of Columbia, and links to those statutes, access the National Conference of State Legislatures website at: www.ncsl.org.

Entity:
Topic:

Catherine Bragg

TRC Companies, Inc., New York, NY, Division 11 (Corporate Counsel)