What Are Data Breach Notification Laws?

by John DiGiacomo

Partner

What are data breach notification laws? Many people have heard about, or have themselves been potentially victimized by a data breach. Your credit card information might have been hacked, or your personal identifying information might have been exposed in a data security breach. But many people do not realize that there are legal protections in place that require businesses and governments to notify potential victims when there is a data security breach.

What Are Data Breach Notification Laws?

At present, there are a few national standards in place regarding data breach notification of potential victims, but federal laws are limited at this time to financial institutions (the Gramm-Leach-Bliley Act, 15 U.S.C. Section 6801, et seq., which requires notification when nonpublic personal information of a consumer is breached) and the healthcare industry (the Health Insurance Portability and Accountability Act, 45 CFR Sections 106.103, 164.400-414, and 42 U.S.C. Section 1320d, et seq., which requires notification when a patient’s protected health information is breached).

Laws Vary From State to State

Data breach notification laws vary from state to state. As a general rule, however, they follow a common structure. Data breach notification laws typically:

  • Outline who the law applies to (i.e., private entities, government entities, educational institutions, etc.). Oftentimes, data breach notification laws apply to government entities, private entities, and educational institutions.
  • Provide a definition as to what is personal information for the purposes of the notification law. In most states, “personal information” includes data such as a person’s first and last name, Social Security number, driver’s license number, state-issued identification card number, account number, credit card or debit card number and security code, access code, or PIN necessary to access the account, credit card or debit card.
  • Provide an explanation of what constitutes a data security breach. Typically, a data security breach is an unauthorized compromise of a system’s security that results in access to personal information. The precise definition used in breach notification laws can vary greatly by state.
  • Include details concerning what is required for compliance with the data breach notification law. Examples include identification of the timeframe in which notifications must be made, whether the notification must be made in writing, and specific information that must be included in the data breach notification.
  • Identify any exemptions to the data breach notification laws. In some states, if data is encrypted it might be exempt from state data breach notification laws.
  • Address the penalties associated with a failure to comply with the law. Each state identifies the penalties associated with a failure to comply with the state’s breach notification laws.

Key State Data Breach Notification Laws in Depth

While all 50 states have enacted data breach notification statutes, several states have adopted particularly demanding requirements that businesses operating nationally must understand. The following state laws represent the leading edge of consumer protection in this area.

California

California was the first state to enact a data breach notification law, in 2002. The current California notification statute, Cal. Civ. Code § 1798.82, requires notification to California residents whose personal information was acquired by an unauthorized person “in the most expedient time possible and without unreasonable delay.” California’s definition of personal information is among the broadest in the country and includes, in addition to the standard financial identifiers, medical information, health insurance information, usernames and passwords to online accounts, and genetic data.

The California Consumer Privacy Rights Act (CPRA), which amends the California Consumer Privacy Act at Cal. Civ. Code §§ 1798.100–1798.199.100, adds a private right of action when a consumer’s nonencrypted and nonredacted personal information is subject to unauthorized access and exfiltration as a result of the business’s failure to implement and maintain reasonable security procedures. Statutory damages range from $100 to $750 per consumer per incident, with no requirement to prove actual injury. Class actions aggregating these claims represent enormous potential liability for businesses holding large quantities of California consumer data.

New York

New York’s SHIELD Act, N.Y. Gen. Bus. Law § 899-aa, significantly expanded the state’s data breach notification requirements. The SHIELD Act broadened the definition of “private information” to include biometric information, email addresses combined with passwords or security questions, and usernames with corresponding passwords. It requires notification in the “most expedient time possible and without unreasonable delay” and mandates concurrent notification to the New York Attorney General, the Department of State, and the Division of State Police when more than 500 New York residents are affected.

Beyond notification, the SHIELD Act (the Stop Hacks and Improve Electronic Data Security Act) requires any person or business that owns or licenses private information of New York residents to implement and maintain reasonable safeguards to protect that information, whether or not a breach has occurred. This affirmative security obligation is independent of the notification requirement.

Colorado

Colorado’s data breach notification law, C.R.S. §§ 6-1-716 through 6-1-722, is notable for its 30-day notification deadline — one of the shortest in the country. The 30-day period runs from the date of determination that a breach occurred. Colorado also requires notification to the Colorado Attorney General when a breach affects 500 or more Colorado residents, and the notification to the AG must be sent simultaneously with notification to affected consumers.

Florida

Florida’s Information Protection Act, Fla. Stat. § 501.171, imposes a 30-day notification deadline from the date of determination that a breach occurred. The statute also establishes a 72-hour notification timeline to the Florida Department of Legal Affairs for breaches affecting 500 or more Florida residents. Violations of Florida’s notification statute carry civil penalties of up to $500,000 for a single breach.

Texas

Texas’ data breach statute, Tex. Bus. & Com. Code §§ 521.002, 521.053, requires notification to affected individuals “as quickly as possible.” For breaches affecting 250 or more Texas residents, the entity must also report to the Texas Attorney General no later than 30 days after determining that the breach occurred. The Attorney General may bring enforcement actions for violations, and civil penalties can reach $100 per individual up to a maximum of $250,000 per breach.

The Notification Content Requirements

Most state notification statutes specify the content that must be included in breach notification letters. Common required elements include: a description of what happened, the types of information involved, what the company is doing in response, what affected individuals can do to protect themselves, and contact information for follow-up questions. Some states — including California, New York, and Oregon — require the notification to include information about the affected individual’s right to place a security freeze on their credit report. Notification letters that omit required content elements create independent statutory violations separate from the underlying breach.

Talk to a Data Breach Lawyer

Cybersecurity as an area of law is constantly changing and evolving. Revision Legal has worked with a number of businesses in assessing data retention risks and providing legal counsel on data security breach notifications in all 50 states. If you have concerns about your exposure or have recently received a data breach notification, contact the experienced attorneys at Revision Legal immediately. Civil fines are available in some states for a failure to expeditiously notify those affected by breaches. Contact Revision Legal’s internet lawyers using the form on this page or call us at 855-473-8474.