Data Breach Notification and Applicable Laws

This year saw the data breaches of Sony Pictures, Ashley Madison, and Experian Credit Bureau. The increasing frequency of data breaches has prompted federal and state legislatures to review their data breach notification laws.

What is a data breach?

A data breach occurs when an unauthorized user (i.e., a hacker) accesses sensitive personally identifiable information. The hacker then copies the confidential information and uses it as he or she sees fit. Oftentimes, the personally identifiable information is used to commit identity theft and fraud. This information can include names, telephone numbers, email addresses, credit card numbers, or social security numbers. The targets of these breaches can be businesses, financial institutions, and health care institutions.

What are the notification requirements?

After a breach happens, the company that was the target of the breach is required to notify individuals whose information was or may have been accessed. Notification can be given through various media: notice by mail, electronic notice, or substitute notice when direct contact is difficult to obtain. Substitute notice consists of a conspicuous posting on the source's website or a conspicuous notice in print or broadcast media in areas where affected individuals may reside.

In the United States, 47 states have adopted their own data breach notification laws. The three states that have yet to adopt such a law are Alabama, New Mexico, and South Dakota. What must be included in the notice is relatively the same across the board: the notice must be in plain language and must describe the breach and the information that was, or may have been, accessed during the breach. In California, the data breach notification law was recently amended to require the source of the breach to provide identity protection services for at least 12 months at no cost to the affected individual and to explain how the affected individual can access those services.

However, there is no federal standard for data breach notification for individuals or businesses. Following the Sony Pictures hacking, President Obama called for a uniform federal standard and proposed the Personal Data Notification and Protection Act. This bill did not make it past the House of Representatives. There is, however, a federal notification standard for financial institutions (the Gramm-Leach-Bliley Act, or GLBA) and for health care institutions (the Health Insurance Portability and Accountability Act, or HIPAA). GLBA requires notification regarding the sharing of non-public information with affiliates or third parties, as well as protection of that non-public information. HIPAA requires the same notification methods and requirements as apply when a breach occurs at a business.

What remedies are available if notification requirements are not met?

Under California law, affected individuals may file a civil suit to recover damages. Affected individuals, however, may only collect damages if they can show that the lack of notice, or inadequate notice, led to an injury such as identity theft. There is no private right of action under either GLBA or HIPAA.

At our law firm, we assist clients with legal issues related to business, technology, and e-commerce transactions. You may contact us to set up an initial consultation.