The State by State Push for Better Breach Notification Laws

Successful businesses know how to effectively and routinely communicate important information to customers, shareholders, and other key stakeholders. This information, however, isn’t always routine and isn’t always good news. Incidents like a cybersecurity breach can radically change business operations overnight and in dire instances, even shut businesses down.

When it comes to cyber crises, maintaining a timely and effective chain of communication can be challenging. What compounds this difficulty is having to adhere to state-by-state laws that mandate how and when you notify your company’s customers and stakeholders. In short, not only does your crisis communications plan have to be comprehensive enough to cope with a cyber incident, but it must also have the capacity to adhere to any specific industry regulations and state breach notification laws applicable to your business.

Navigating the ambiguity of your legal requirements as a business owner is no simple task. Staying updated on your industry’s legal requirements in your state is hard enough, but what if you don’t have a dedicated CIO or CISO to tackle these requirements?

Where to Start

On June 1, 2018 Alabama’s Data Breach Notification Act of 2018 goes into full effect. Maybe you’re not an Alabaman, so what? The Alabama legislation is significant because it now means that all 50 states and U.S. territories have data breach notification laws. These laws typically have requirements for businesses that outline who needs to comply with the law, what definitions like “personal information” mean, what constitutes a breach, who is exempted from the law, and within what timeframe a breach needs to be officially reported. The National Conference of State Legislatures (NCSL) maintains a list of security breach notification laws. This repository provides a baseline understanding of what the laws in your state might look like.

One of the biggest complications that a business can experience is having to adhere to laws in multiple states. Although countless state-level data breach notification laws are similar, they do have some differences. This means a one-size-fits-all notification strategy is not a workable solution. Since data breach notification is a relatively new legal concern, states have been the driving forces for cyber breach notification legislation. If your company experiences a breach then you are required to follow the data breach notification laws for each state in which you do business as well as each state in which your customers reside. With cyber breach notification laws in their infancy and with so many different laws to adhere to, if you operate in a multi-state capacity the road ahead can seem intimidating. Having a baseline understanding of information covered by breach notification laws can bring clarity to what is an otherwise ambiguous topic.

The Basics

While there are some clear complexities dealing with state-by-state notifications, there is a silver lining. For the most part, state laws are not particularly comprehensive and are more fragmented than not.  However, there are some baseline terms that are helpful to understand when it comes to cyber security breaches that involve personal information. It is important to recognize that these definitions are only fundamental and many states have expanded on them.  Baker Hostetler puts forth two helpful definitions that are essential to know when it comes to understanding the basics of breach notification law.

• Personal Information: An individual’s first name or first initial and last name plus one or more of the following data elements: (i) Social Security number, (ii) driver’s license number or state issued ID card number, (iii) account number, credit card number or debit card number combined with any security code, access code, PIN or password needed to access an account and generally applies to computerized data that includes personal information. Personal Information shall not include publicly available information that is lawfully made available to the general public from federal, state or local government records, or widely distributed media. In addition, Personal Information shall not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

• Breach of Security: The unlawful and unauthorized acquisition of personal information that compromises the security confidentiality, or integrity of personal information

As helpful as these definitions may be, your legal requirements require intricate attention to detail to make sure you are taking all the appropriate measures in the event you experience a data breach. Below are a few measures you can take to ensure your organization is prepared for the state push for better breach notification laws.

To-Do’s

To make sure you stay on top of state cyber breach notification laws remember the following:

1. Plan – Before a breach occurs, have a legal response plan prepared. Your legal counsel needs to be prepared to advise management and technical staff of the legal consequences if a breach occurs. That also means knowing in advance all the state laws you may be subject to in the event of a breach.

2. Adhere – No matter how well-educated your legal team might be on matters of cyber breach notification law, you have to be prepared to respond to a breach. Know what your legal notification obligations are if you are compromised.

3. Persist – Laws continue to evolve. It’s important to stay up to date with any newly proposed and enacted legislation that might affect your business. Ensure your legal staff have the most recent information on the breach notification laws that apply to you.

4. Communicate – Communication is essential during pre and post-breach. Internal communication should be tailored to be fast and efficient to remedy the breach. External communication needs to be comprehensive enough so that all of your stakeholders are notified according to your legal obligations.  

When it comes to fulfilling your legal obligations, you have your work cut out for you. With every state now having breach notification laws, and the EU General Data Protection Regulations (GDPR) soon going into effect all businesses need to prepare for a new wave of legal requirements. N2K’s Resolve program is a great way to prepare business leaders to manage and oversee cyber risk.