GPSOLO December 2008
Your Duty If You Discover a Data Breach
As both a former solo and former small firm attorney, I understand the difficulties and stresses that the business of law adds to the practice of law. Not only do you need to master the legal aspects of practicing law, but you also must worry about marketing, client relations, office management, and a whole host of other business-related duties and responsibilities. Often it feels as if practicing law is at best 20 percent of your day while running the small business that is your practice makes up the other 80 percent.
It’s no surprise that preparing for a data breach is at the end of your to-do list. However, attorneys who ignore the growing public awareness, regulatory requirements, and increasing liabilities associated with data breaches should be warned that they do so at their own peril and potentially put at risk the very survival of their firm.
What Is a Data Breach?
Generally, when we use the term “data breach” (also known as “information security breach,” “breach incident,” and “data security breach”), we are talking about an event that releases the personally identifiable information (PII) of an individual without that individual’s consent or knowledge. PII is usually defined as name and address combined with one or more of the following:
- Date of birth
- National and state identification number (in the United States this means Social Security Number and driver’s license number; in Canada this means Social Insurance Number and driver’s license number)
- Account numbers for credit card or debit cards
- Passwords and codes
- Biometric data (e.g., fingerprints)
An unauthorized release of PII can happen in any number of ways, including the loss or theft of a laptop, improperly secured wireless networks, poor document retention and destruction policies, and unauthorized access or copying by a rogue employee.
How Much Notice Is Legally Required?
Currently breach notification is governed under state law; numerous attempts to pass a federal breach notification law have failed to make it out of committee. In 2003 the state of California passed the first state data breach notification law, which requires entities that release PII to notify consumers if and when their unencrypted, electronic PII has been released without their consent. This law, commonly referred to by its original bill number, SB-1386, set the tone for the rest of the nation. Since then 43 other states, as well as Puerto Rico and the District of Columbia, have passed similar statutes. The resulting patchwork of statutes often requires a more generalized approach to breach notification requirements, especially if the breach affects citizens of multiple states.
Breach notification laws are too varied and numerous for a proper state-by-state breakdown in the limited space of this article. However, these laws have not evolved much since the enactment of California’s SB-1386; most other states have merely provided further refinements or limitations on that pioneering statute. Consequently, all of the various state, district, and territorial regulations share common themes that can be broken down into six general areas.
Type of data. Applicability of the regulation generally depends on the form that the information takes. Some jurisdictions exclude password-protected or encrypted data. Some jurisdictions exclude hard-copy data altogether, although this seems to be changing as states attempt to expand the reach of their breach notification requirements beyond electronic records to include paper documents as well. Still other states leave the decision to notify up to the breached entity and require notification only if there is a reasonable likelihood that harm would result from the breach.
Source of breach. Applicability of the regulation also depends on the type of entity releasing data. Some breach notification laws exclude government agencies from the need to provide notice whereas others do not. Private entities are covered under all breach notification requirements.
Time frame for notification. Notification must be accomplished within a “reasonable” amount of time; when not specified in the statute, “reasonable” is generally understood to be within four or five weeks of discovery. Some statutes do specify the precise time limit for notification. Florida’s law, for instance, clearly prescribes that notification be made within 45 days of discovery of the breach. Nearly all breach notification regulations, regardless of the state, provide for a law enforcement exception to notification. This means that notification is to be provided subject to approval by law enforcement conducting an investigation. Should law enforcement request that an entity delay notification in order to complete its investigation or to not prematurely alert a data thief of the investigation, then an entity may delay notification as needed without incurring liability or being in violation of the statute.
Form and method of notification. The preferred form of notification seems almost universally to be via regular mail in hard-copy format. However, as the cost of notification in large breaches can be very high, many breach notification laws provide for alternative means of communication to the notification recipient if a particular cost or volume threshold is reached. This threshold amount ranges considerably depending on the state and could be as low as $5,000 (or more than 1,000 prospective breach notification recipients) and as high as $250,000 (or 500,000 prospective notification recipients), with this higher limit being more of the norm than the exception.
Alternative means of notification can include notification via telephone, e-mail, publication on the company website, publication in newspapers, and disclosure to the media. Some provisions require additional notification be made to third parties as well. Often this means that the credit reporting agencies or credit bureaus must be notified prior to mailing. New Jersey’s statute, for example, requires that if more than 1,000 state residents are to be notified, each consumer reporting agency shall also be notified of the timing, distribution, and content of the notices going out.
Methods of enforcement. The methods of enforcement of breach notification laws vary. For instance, California allows any individual who provides personal information to a business for the purpose of purchasing or leasing a product or obtaining a service to enforce the law. This is a stark contrast to states like Arizona, where only the state attorney general can enforce the law. Although many states fall squarely into one camp or the other, states like New Hampshire allow for enforcement by both the consumer and the state attorney general.
Penalties. Penalties for violation of notification regulations vary considerably and include injunctive relief, fines (usually up to $10,000 per incident but in some statutes as high as $500,000), damages (whatever the measure may be), equitable relief, direct economic damages, and attorney fees.
What Is My Duty?
Obviously, there is an affirmative duty arising under state statutes to notify the affected individuals of the breach incident. The problem is that, although notification is the minimum standard, it merely tells consumers that their information may have been placed at risk. This still leaves consumers with nothing but the fear that someone may be misusing their information. Therefore, there is a growing movement toward offering monitoring services to notification recipients. These monitoring services come in many variations, but the concept is the same: they provide electronic monitoring (e.g., via Internet and e-mail notification) of credit files and public records such as those of motor vehicle departments, county recorders, civil and criminal courts, and other publicly available databases, which vary from state to state. The cost of these monitoring services can also differ considerably depending on the type and source of the monitoring.
This movement has progressed even further. Although notification provides consumers with knowledge that their PII has been disclosed, and monitoring offers consumers the ability to track their information if it is being misused, consumers still must clean up the mess on their own if their PII is subsequently misused for fraudulent purposes such as identity theft. This is why an ever-increasing number of businesses that suffer a breach now offer both monitoring and identity fraud resolution services to their breach notification recipients. This approach is the best method of mitigating the potential and yet untested levels of liability that arise as the result of a data breach.
What Solutions Are on the Horizon?
As breach notification regulations have been enacted in almost every state and territory of the United States, the solutions on the horizon are expanding rapidly. The most significant solutions are those being made available through the commercial insurance industry. Because many of the costs associated with the handling of a breach are not difficult to assess and can be quite significant, insurance providers are filling the gap. Currently a growing number of business owner policies as well as commercial package policies are making data breach endorsements available to their insureds. These often include reimbursement for costs such as, but not limited to:
- drafting, printing, and mailing breach notification letters;
- monitoring products for breach notification recipients; and
- associated support services, including:
  - breach preparedness documents and templates;
  - education and risk assessment assistance;
  - breach consulting;
  - call-center assistance for breach notification recipients;
  - fraud and identity theft resolution services for breach notification recipients who have become victims of identity-related fraud and identity theft; and
  - placement of fraud alerts with the credit bureaus for breach notification recipients wishing to place such an alert.
With the mounting costs of breaches estimated at anywhere between $90 and $305 per lost record (according to John Leyden, “How Much Do Security Breaches Cost Anyway?,” The Register, April 12, 2007, www.theregister.co.uk/2007/04/12/breach_cost_estimate), insuring against these risks is an ideal solution. It is only a matter of time before these types of insurance solutions filter down to general liability and professional liability policies. Once this begins to happen, practicing law without data breach coverage will become just as reckless and inadvisable as practicing law without malpractice insurance. Considering the likely negligible cost of this additional coverage, there is no reason why, within the next five years, every law office, big or small, should not have some sort of breach coverage in place. In the end, if you do have this type of service and coverage in place, your clients and your bottom line will thank you.
Eduard F. Goodman, J.D., LL.M., is general counsel and chief privacy officer for Identity Theft 911, LLC. He may be reached at firstname.lastname@example.org.