
Clearing the Confusion about State Data Breach Notification Laws


If you have a breach involving Texas residents, prepare to be befuddled. Or, as they say in the Lone Star State, “I can explain it to you, but I can’t understand it for you.”

According to an article in the Dallas Business Journal, state law allows the Office of Attorney General to penalize companies for failing to notify customers of a breach, but it doesn’t require businesses to report these breaches to the government. Records show that the OAG has been notified in writing of only about 30 “cybersecurity incidents,” many from out-of-state companies. Perhaps that’s why the OAG has yet to discipline a single Texas company for not notifying customers of a data breach.


Go figure.

“That is a proverbial drop in the ocean,” Jason Cook, BT Americas’ Dallas-based chief information security officer, told the Business Journal. “If you were to look back in the last two or three years–just because of the sheer activity that’s going on in Texas, we’re talking hundreds of breaches of various shapes and sizes.”

Confusion Comes in All States and Sizes

As the Texas law illustrates, perplexity is the name of the game when dealing with state breach notification laws. There is no federal breach notification statute that applies to most companies, David Zetoony, a partner with the law firm Bryan Cave, wrote in a recent Lexology article. Instead, 51 states and territories each have their own laws, and while there are similarities, these statutes are not consistent with one another. According to the National Conference of State Legislatures, at least 26 states have introduced or are considering breach notification bills or resolutions in 2016.

So, what should you do when faced with a data breach, especially one that crosses state lines?

Mr. Zetoony posed 10 questions to consider:

  1. In which jurisdictions does the affected population reside? Do the laws of those jurisdictions claim to be extraterritorial, i.e. to have the legal ability to exercise authority beyond the normal boundaries of the state?
  2. Is your organization exempt from the applicable state data breach laws?
  3. What types of personal information are covered by the applicable statutes?
  4. Do the applicable statutes only require notification if the breach is “material”? If so, what language does the statute use to determine whether a breach is material?
  5. If notification to consumers is required, how much time is allowed to provide notice?
  6. Do the applicable statutes require you to notify state regulators?
  7. Do they require that notification letters contain specific types of information?
  8. Do they prohibit you from including certain types of information in the letter?
  9. What form should the notification take? A letter? An email? A telephone call?
  10. Are you required to notify any third parties?

The Bottom Line

These are important factors to consider when drafting a breach notification letter, but it can be overwhelming to attempt to cross every legal t and dot every legal i. At ID Experts, when we respond to a data breach, we take the most stringent requirements across all applicable states and verify that a single letter satisfies every one of them. If a specific state is an outlier and requires something outside the norm, you may want to consider sending a separate letter to residents of that state, but you don’t need 50 different letter versions.

At the end of the day, what matters most is people’s personal information. These state laws, while often different, are making a strong impact and starting a positive change that is long overdue.

