Data Breach Litigation Preparation: What U.S. Laws Apply to Data Breaches?

As of January 1, 2020, California became the first state to permit residents whose personal information is exposed in a data breach to seek statutory damages between $100-$750 per incident, even in the absence of any actual harm, with the passage of the California Consumer Privacy Act (“CCPA”). The class actions that follow are not likely to be limited to California residents, but will also include non-California residents pursuing claims under common law theories.  A successful defense will depend on the ability of the breached business to establish that it implemented and maintained reasonable security procedures and practices appropriate to the nature of the personal information held.  The more prepared a business is to respond to a breach, the better prepared it will be to defend a breach lawsuit. To help our clients prepare for the CCPA, Bryan Cave Leighton Paisner is issuing a series of data security articles to empower organizations to focus on breach readiness.  

United States Legal Framework

Although Congress has attempted to agree on federal data breach legislation, as of the publication date, there is no national data breach notification law that applies to most companies.  There are federal statutes that apply to financial institutions, common carriers, health care providers, educational institutions, and vendors of health records. If your organization falls within one of the aforementioned categories, be sure to understand the requirements of the relevant federal law and any additional requirements imposed by state law, as state law may apply in addition to federal law.

While federal data breach notification law is limited in scope, state data breach laws apply whenever a data breach involves records of that state’s residents.  All 50 states, plus the District of Columbia, Puerto Rico, Guam, and the Virgin Islands, have each enacted their own statutes addressing an organization’s notification obligations in the wake of a data breach involving certain types of personally identifiable information.   

The following section first summarizes key information about the federal data breach laws. It then explains pertinent state data breach law provisions and highlights important areas in which the state laws diverge.  In the event of a breach involving records of consumers who live in multiple states, the laws of those states should be reviewed to ensure that the organization is complying with notification requirements. 

1. Are there any federal laws that apply to your organization?

While there is currently no national data breach notification law, there may be other federal laws that apply to the organization. Federal law most notably implicates organizations in the health care industry, financial institutions, and common carriers.

HIPAA requires health care providers, health plans, healthcare clearinghouses and certain “business associates”¹to protect covered health information. Covered entities that fall within HIPAA’s scope must notify each impacted individual within 60 days after discovering a breach.² Notification under HIPAA must be written unless consent for alternative notification has been given.  The written notice must include a description of the incident, the type of health information accessed, protective steps impacted individuals should take, any mitigation the organization is undertaking, and contact information for those individuals who wish to learn more.

The Gramm-Leach-Bliley Act (“GLBA”) regulates financial institutions’ use of consumer nonpublic personal information.  In the event of a data breach, if it is found reasonably possible that misuse of compromised personal data will occur, the financial institution should notify its customers.

Common carriers should be aware of their obligations under the Telecommunications Act of 1996.  If a customer’s proprietary network information is breached, an organization subject to the Telecommunications Act must notify law enforcement within seven days and, following the law enforcement notification, the organization must notify affected customers.

These federal laws do not supersede state law.  Meaning, organizations subject to federal law also must consider the often more stringent state laws at play, although many state laws provide that notification in compliance with HIPAA or the GLBA constitutes proper notice under the state law.

2. Do the state laws apply to your organization?

As a general rule, if your organization maintains or transmits Personally Identifiable Information (“PII”) belonging to citizens of a particular state, you should consult the data breach notification law of that state in the event of a breach.  Some states maintain that “any entity” is subject to the data breach notification law, while other states limit applicability only to those entities that “conduct business in the state.”  Most of the statutes place the onus on the “owner or licensor” to ensure that affected consumers are notified, however, some states (e.g., Rhode Island and Wisconsin) place that obligation on organizations that simply “maintain” consumer information.  As discussed below, even if the breached organization does not own or license the consumer information, most state laws will require that the organization timely notify the data owner(s) of the breach so that they may fulfill their notification obligations. 

The notification laws typically apply only to consumers who are residents of the state in question.  However, Hawaii, New Hampshire, and North Carolina’s statutes do not contain this limitation and apply instead to “affected persons,” while Texas’ statute specifically applies to Texas residents and residents of other states. 

The statutes generally require notification in the event of breaches involving the following information: the consumer’s name in combination with their Social Security number, driver’s license number, account number and access code.  Some states go even further and require notification in the event other types of information are accessed or acquired.  For example, many states (e.g., Arkansas, Nebraska, Washington and Wisconsin) require notification if biometric data is breached.  North Dakota requires notification if the consumer’s date of birth or mother’s maiden name are exposed, since this data is often associated with password recovery or identity verification on online accounts.  A number of states require notification if certain medical or health information is at issue.  Alabama, Arizona, Delaware, Maryland, North Carolina, Montana, and Wyoming have expanded their definitions to include taxpayer identification numbers.  Washington recently added student ID number and private key (used for online signatures) to its list of protected information.  Some states require notification if military ID and passport numbers are impacted.

Increasingly, states have added the requirement for notification in the event of a breach involving a username or email address in combination with a password or security question and answer that would permit access to an online account.  The rationale is that many people use the same username and password across multiple online accounts.  Having those credentials stolen in one breach could expose individuals to the risk of having other accounts hacked.  Some states, like California and Arizona, permit notification to be electronic for such breaches only.

The state statutes provide that a breach of personal information that is publically available does not give rise to a notification requirement.  Similarly, the breach of personal information that is encrypted generally does not give rise to notification obligations because data is assumed to be sufficiently protected from disclosure if accessed in its encrypted form. 

Because not every breach of personal information is likely to lead to a risk of harm to the affected person, many states have included a materiality threshold that limits notification only in cases where the breach “compromises confidentiality, integrity, or security.”  A handful of states do not contain any such limitation, however, and appear to require notification in the event of any breach, regardless of the risk of harm flowing from the breach.

1. A “business associate” is defined as “with respect to a covered entity, a person who: (i) [o]n behalf of such covered entity . . . , but other than in the capacity of a member of the workforce of such covered entity or arrangement, creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter . . . ; or (ii) [p]rovides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation . . . , management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of protected health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.” 45 C.F.R. § 160.103

2. 45 C.F.R. § 164.404

3. https://www.law.cornell.edu/cfr/text/12/appendix-F_to_part_225