This blog post is a reprint of an article originally published in the Summer 2018 edition of the ThreatAdvice Cybersecurity Journal.

The Plot Thickens: Companies Face Increased Data Protection and Breach Response Requirements at Home and Abroad

by Partners Jonathan W. Macklem and J. Paul Zimmerman

Just as the cyberliability and data breach legal landscape was starting to show some semblance of settling down, recent changes have emerged to remind businesses of the complexity and difficulty of compliance in this area. At the state level, on March 28, 2018, Alabama Governor Kay Ivey signed into law the state’s Data Breach Notification Act of 2018. In summary, the Act requires “covered entities” doing business in Alabama to (1) take reasonable measures to protect sensitive personally identifying information; (2) provide notice when the entity discovers it has suffered a data breach; and (3) dispose of that information in a secure manner.


Alabama’s passage of its Data Breach Notification Act is particularly noteworthy because it was the last state in the country to pass such a law. Alabama had been the lone holdout for only a few weeks, as South Dakota passed its own law in late February 2018. With Alabama falling in line, all 50 states and the District of Columbia now have their own particular sets of laws and regulations with which companies must comply.

The problem for companies is that they cannot simply follow the statute of the state or states in which they are principally located. Data breach notification laws are written to protect a state’s residents, and as such, a business must comply with the laws of every state in which its customers reside. This is particularly burdensome for companies with customers in all 50 states, such as manufacturers and companies in the hospitality industry.

Compliance with each state’s data breach notification law is further complicated by significant variations among those laws. For instance, some states, such as Alabama, require that businesses take proactive steps to protect the personal information of their customers and impose a standard those businesses must meet in doing so. Some states require very concrete and specific data protection measures, while others impose no data protection standard at all. Among the most exacting standards for data security are the New York Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies (23 NYCRR Part 500).

Across the country, state laws even vary as to how they define the data that is subject to the notification requirements. A breach involving the same type of personal information may trigger notification requirements in one state but not in another. State laws also vary as to the timeframe within which a business must notify its customers of a data breach. Alabama’s new notification law requires companies to notify affected individuals within 45 days of determining that a breach has occurred. Florida requires notification within 30 days. In contrast, a number of other states prescribe no fixed deadline, requiring instead that companies provide notification as soon as reasonably practicable. Misjudging what that period is can expose a company to enforcement action in many of those states.


In addition to varying in the time period within which companies must notify customers of a breach, the laws differ significantly in their other reporting requirements, such as whether a company must notify the three nationwide consumer reporting agencies or the state attorney general’s office. The state notification laws also vary as to how notification may be given and what it must contain. For instance, the states disagree on whether notification can be made electronically, such as by email.

Importantly, there are also differences in how these laws are enforced. In some states, such as Alabama and Mississippi, the statute expressly provides that it creates no private cause of action, whereas other states, such as Tennessee, do provide a private cause of action where a company knowingly violates the law. Other states have fairly complicated enforcement mechanisms run through their attorneys general’s offices, along with prescribed procedures a company must follow in notifying the attorney general (or another agency) of a data breach.

The problems that the myriad state laws create for businesses are further compounded by federal laws and regulations that apply to particular industries, such as banking and health care, or to particular types of data. The Federal Trade Commission is becoming the leading federal enforcement agency for data protection, and it actively brings enforcement actions, under its authority over unfair or deceptive practices in Section 5 of the FTC Act, against companies that mislead the public about their data protection practices.

The regulatory landscape is becoming increasingly complex internationally as well. It has been well publicized that the European Union’s (“EU”) General Data Protection Regulation (“GDPR”) took effect on May 25, 2018. The GDPR provides a comprehensive set of data protection and breach notification requirements for companies that process, store, or transmit personal data of individuals in EU countries. It is broad in scope: it may even apply to a website accessible from EU countries if the website collects data about those individuals. Many small- to medium-sized businesses we have encountered have given little, if any, thought to whether they must comply with the GDPR. Many U.S. companies do not realize that the GDPR may apply to them if they direct their business efforts at individuals in the EU, even if they have no physical presence in an EU country. Under Article 3(2), the GDPR reaches a U.S. company with no EU establishment if it offers goods or services to individuals in the EU or monitors their behavior there, regardless of those individuals’ citizenship. A manufacturer that ships products to the EU and collects the personal information of its EU customers is therefore likely required to follow the GDPR. The consequences of non-compliance are staggering: companies can be fined up to 4 percent of annual global turnover or 20 million euros (approximately $24 million), whichever is greater. Companies should be careful in assuming that the regulation does not apply to them.

In light of the varying compliance requirements presented by all of the differing state, national, and now international laws, it is increasingly important for companies to ensure that they are taking the necessary steps to comply with data protection requirements and that they have data breach response plans in place. Businesses should take proactive steps, such as designating someone within the organization to lead data protection initiatives, conducting ongoing employee training, obtaining adequate insurance, and maintaining a data breach response plan. The response plan should be complemented by a proactive security assessment, and both should involve the stakeholders who will take part in the response process, including forensic technicians and legal counsel who can assist the company in complying with the different laws.

Identifying — before any breach occurs — where a company does business, what type of data it holds, how it protects that data, and why the company even maintains particular types of data at all, can help a company in its compliance efforts and to know ahead of time what requirements it faces when (not if!) a data breach occurs.
