Comparative Analysis of Data Breach Laws: Comprehension, Interpretation, and External Sources of Legislative Text: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3334688
I was pretty busy in 2018, which is a story for later. One of the things that I did with my time was I spent months digging through every state data breach law to compare them. In this entry, I am summarizing some of the observations that I made during this study.
I put this together as a snapshot of some of the common elements:
Analysis included fifty state laws, the data breach law of the District of Columbia, and a model data breach law proposed by a private organization. Progress was tracked in a spreadsheet. Linguistic analysis led to the creation of 121 columns, which can be placed into eight categories: 1) General information; 2) Enforcement; 3) Notification requirements; 4) Security requirements; 5) Personal information; 6) Breaches; 7) Interaction with other laws; and 8) Miscellaneous.
Data breach laws should address prevention. Encryption is a bare minimum practice that almost all states include in their data breach laws. Wyoming is the singular exception, as the language of the Wyoming statute only refers to redaction of personal information, not encryption.
State data breach laws that address prevention may also do so by requiring reasonable security practices, as sixteen states do, or by addressing the disposal of records, as is the case in twenty-three states. Records disposal can be and often is addressed elsewhere in a state’s code, but for this study, only records disposal provisions that were in the textual proximity of data breach laws were counted. Nevada is one of the states that requires some reasonable security practices, but Nevada also goes further by exempting entities from data breach liability if they comply with the security requirements and if the breach incident was not caused by gross negligence.
Of the sixteen states that require the adoption of reasonable security practices, eight states also require covered entities to ensure that third parties they send data to have reasonable security measures. Oregon does not address data transfers broadly, but requires “service providers” that work with the covered entity to be subject to contract terms requiring safeguards and practices to protect personal information.
Massachusetts (201 Code of Mass. Reg. 17.04) and Oregon (Or. Rev. Stat. § 646A.622) have the most detailed security requirements among state data breach laws. Of the two, Massachusetts is more detailed about technology, and Oregon is more detailed about administrative protocol. Massachusetts requires secure authentication protocols, secure access control measures, encryption, ongoing monitoring of systems that contain personal information, firewalls to protect systems that contain personal information, up-to-date antivirus software, and employee education on the security of personal information. Oregon requires three categories of protection: administrative safeguards, technical safeguards, and physical safeguards. Administrative safeguards include employee training, regular review of user access privileges, and risk management practices. Technical safeguards include security updates, regular tests of the effectiveness of security, and requirements to monitor, detect, prevent, and respond to cyberattacks and system failures. Physical safeguards include relevant risk assessment, monitoring, and safeguards for the disposal of records.
Data breach statutes are activated by security events. In analyzing statutory language, attention was paid to how the statutes defined a breach of security. A majority, 28 of 51, referred to a breach as an incident that “compromises the security, confidentiality, or integrity” (SCI) of protected information. Seven states require that the incident “materially” compromises the SCI of protected information. Eight states omit data integrity as a factor. In two of those eight, the incident must materially compromise the security or confidentiality of protected information. Eight other states do not include SCI language in their definition of a breach of security.
A wide majority, 50 of 51, tie breaches to the unauthorized acquisition of protected data. Sixteen states tie breaches to the unauthorized access to protected data. Of those sixteen, New Jersey is the only one that does not also connect breaches to unauthorized acquisition. Maine and North Carolina include the unauthorized release of information in their breach definitions, and unauthorized use is part of the breach definition in both Maine and Massachusetts. Alabama, New York, and Vermont include some guidelines for determining whether protected information has been subject to unauthorized acquisition.
Data breach laws are almost always focused on the breach of personal information that could facilitate identity theft. The standard formula is last name and first initial plus a social security number, driver’s license number, or financial account information and the means to access that account, such as a password or PIN. Biometric data is included in the definition of personal information in a minority of states, including Arizona, Colorado, and Illinois. In Connecticut, biometric data is listed as a protected type of “confidential information” in section 4e-70, which pertains to state contractors who receive confidential information, but NOT as a type of “personal information” under section 36a-701b, which is the state’s primary data breach law. Delaware and Wisconsin include not just biometric indicators, but also an individual’s DNA profile as an example of personal information.
At present, most data breach laws are built around notification requirements. Recurring questions include:
- Who sends the notice?
- Who gets the notice?
- What information must the notice include?
- When must the notice be sent?
- How is the notice sent?
- How does the data breach law interact with other data privacy laws?
The party most likely to be subject to a data breach law’s requirements is the data owner. Most of the data breach laws in the United States require third parties who maintain data owned by someone else to notify the data owner in the event of a breach, and then it will be the responsibility of the data owner to follow the notification requirements. Data owners are thus generally responsible for notifications, even if the data owner entered into an agreement with a third party to process or store some of its data.
In a minority of states, the data breach law appears to not apply to breaches of government systems. New Mexico is the only one that explicitly states that the data breach provisions do not apply to government agencies (N.M. Stat. § 57-12C-12). Most of the other laws in this category instead use language referencing business and exclude government agencies by implication. In Connecticut, there is a data breach law that applies to state contractors (Conn. Gen. Stat. § 4e-70), and the primary data breach law applies only to persons doing business in the state (Conn. Gen. Stat. § 36a-701b), so breaches at the state agencies themselves seem to not be subject to either set of requirements. Some states that subject government agencies to the same notification requirements do so in a separate section specifically about government data breaches.
There are three main recipients of data breach notifications: the consumer, the state Attorney General, and credit reporting agencies. State data breach laws always address notification to the information subject, as this is part of the laws’ fundamental purpose. Thirty-two states require that notification also be submitted to the AG’s office or another government agency. While most states allow the AG notification to be made at the same time as the notice to consumers, Maryland and New Jersey both require the AG to be notified before the consumers are notified.
One of the points where states differ is when a notification requirement is triggered. Commonly, a data breach law’s notification requirements will not apply in the absence of a certain type of risk or injury. The data breach laws of nine states are written broadly enough that the notification requirement appears to be triggered by the mere inclusion of personal information in a breach, but most states require something more. In thirteen states, the data holder must notify when the compromised information has or could result in identity theft or similar fraud affecting the information subject. Eighteen breach notification laws are triggered when the breach creates a risk of harm for the information subject. Most of the states that focus on harm look for a reasonable risk of harm. The requirement in Alabama, though, is triggered by a substantial risk of harm, and the requirement in South Carolina is triggered by a material risk of harm. Notification requirements in Arizona and Iowa are triggered based on the likelihood of financial harm specifically (Arizona 18-552; Iowa 715C.2). In Wyoming, a breach is defined as including an unauthorized data acquisition that “causes or is reasonably believed to cause loss or injury” to a state resident (Wyoming 40-12-501). Fourteen states focus on the risk of misuse of the information rather than harm or identity theft. Only eleven states require data owners to document instances where they determined that a notification was not required.
A failure to notify data subjects of a breach in a timely manner is generally considered to be a violation of a data breach law. Thirty-two of the data breach laws analyzed for this article (31 states plus DC) do not provide a specific timeframe, instead requiring the notice to be made without unreasonable delay. Texas requires notifications to be sent “as quickly as possible,” while New Hampshire uses the language “as soon as possible.” The unreasonable delay language is preferable to the latter two, because it allows for reasonableness considerations to be a factor in enforcement.
Forty-two of the analyzed data breach laws include language suggesting that a reasonable delay would include time to recover from the breach. This is commonly phrased to include time to determine the scope of the breach and time to restore system integrity. All of the analyzed data breach laws included explicit language allowing for delays due to a law enforcement investigation related to the breach.
The “notification clock” for data breaches often starts running at the discovery of the breach. As noted above, thirty-four data breach laws use flexible language for notification deadlines, most commonly “without unreasonable delay.” The other sixteen are divided across 30 days, 45 days, 60 days, and 90 days. As the below figure shows, 45 days is the most common deadline.
Figure 2. Deadlines for notification
There are some states that require the data owner to investigate the data breach, and subsequent deadlines may be based on the date that investigation is completed. Maryland, for example, requires a “reasonable and prompt investigation” (Maryland 14-3504). The notification clock in Maryland starts upon completion of this investigation. Maryland is one of the states that does not use “without unreasonable delay” language, instead requiring that notices be sent within 45 days. Many other states reference investigations by the data owner without creating a formal requirement.
Data breach laws also differ in how they address interactions with other laws. There are four major sources of law that data breach laws might address: consumer protection law, contract law, local law, and federal law. Twenty-four of the analyzed data breach statutes say that a violation of the data breach law is an unfair or deceptive act or an unlawful trade practice under state law. Texas also references the state deceptive trade practice law, but only for a violation of the prohibition on unauthorized possession or use of personal information. Seventeen data breach laws emphasize that the requirements of the data breach law cannot be waived by contract, and seven data breach laws explicitly state that the data breach law preempts local ordinances. Data breach laws vary on which federal laws or guidelines they address, but two common players are the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA). The GLBA addresses data privacy issues affecting financial institutions, and HIPAA concerns medical information.
Interaction with federal law and privacy standards gets a little linguistically sticky. Thirty-four data breach laws indicate that if the data owner is regulated by the specified laws, compliance with those laws counts as compliance with the data breach law. In six data breach laws, the language indicates that entities are exempt from application of the law if they are regulated by and comply with other specified laws. Twelve data breach laws use broader language that seemingly allows for an exemption from the data breach law just for being regulated by specified laws or entities. Three of those, though, limit the exemption to the requirement to notify credit report agencies (CRA) about the breach. The data breach laws of New Hampshire, West Virginia, and the District of Columbia say that the CRA notification requirement does not apply to entities regulated by Title V of the GLBA, which also addresses CRA notifications. Similarly, California’s exemption only applies to the provisions about data security. These exemptions apply to entities regulated by California’s Confidentiality of Medical Information Act, California’s Financial Information Privacy Act, and HIPAA (Cal. Civ. Code § 1798.81.5). Outside of data security requirements, other references within California’s law follow the more common “compliance there is compliance here” model.
More detailed analysis is available in the posting on SSRN.
None of the information in this post constitutes legal advice.