Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Lawyers Need to Know About State Data Breach Notification Laws

May 2, 2017

I read a nice post from Logikcull last week about why lawyers need to know about state data breach notification laws. 48 states have data breach notification laws and they are all over the map in what they require. As I've noted before, with New Mexico's recent data breach law being adopted, only Alabama and South Dakota do not have such laws.

If you represent a client that does business nationally, you are going to have to slog through a lot of laws. If you fail to competently help your client to comply with all these laws, your firm could be at legal risk – and certainly would be likely to suffer reputational damage.

Many of these data breach notice laws share some consistent, common traits. In general, an organization is required to send a notice to potentially affected customers or clients whenever someone unlawfully acquires others' personal information without authorization, and in turn compromises the security, confidentiality or integrity of the information.

In most states, this information includes social security numbers, driver's license numbers, identification card numbers, credit and debit account numbers, and financial account login credentials. If a data breach occurs, these organizations are required to send notices to customers or clients, either by mail or electronically, to inform them about the breach and what steps they can take to prevent identity theft or fraud involving their data. Failure to comply with these statutes often results in monetary fines or, in certain states, civil liability.

But there are so many variables that it is mind-boggling. Some state statutes, such as New Jersey's, are triggered if someone simply obtained unauthorized access to personal confidential information without actually acquiring it. Notice delivery requirements vary as well. Some states require organizations to notify the state's Attorney General directly, while some states exempt firms and other entities from the requirements entirely if they implement their own data breach notice protocol.

A growing number of states, including Massachusetts and California, are now publishing searchable data breach notice archives that allow potential clients and the public to research any law firm's data breach history & reputation. Did I hear you say "uh-oh"? Significantly, these data breach archives don't just cover cybercriminal activity; even stolen laptops are fair game for mandated disclosure. All of this could lead to revelations that current and potential clients could find off-putting.

Beyond reputational damage, law firms could be severely fined for noncompliance. In Texas, for example, law firms would be required to pay at least $2,000 and up to $50,000 per violation, with a $250,000 maximum penalty amount per breach, for failure to comply with all notice requirements.

Although exemptions to the statutes exist, state legislatures are making it hard for law firms to qualify for them. While many states incorporate safe harbors that excuse firms from sending notices for breaches of encrypted personal data, these safe harbor provisions are not universal. States such as California, for example, do not grant immunity if the firm's encryption keys or credentials were stolen along with the data and there was a reasonable belief that the stolen keys or credentials would have revealed the private information. In general, firms are only exempt if they regularly follow their own notice procedures or if the state attorney general's office advises against sending notices for public safety and policy reasons.

The moral of the story is that you want to be on Santa's list but not on the list of publicly searchable data breaches.

E-mail: Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
http://www.senseient.com
http://twitter.com/sharonnelsonesq
http://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson