K&LNG Alert | NOVEMBER 2005
Privacy, Data Protection and Information Management

Compliance Strategies for Handling Security Breach Notifications

To date, nearly half the states have enacted legislation requiring notifications to consumers following a data security breach. Although Congress has been considering a federal notification requirement, it appears highly unlikely that a federal notification law will pass this year, and it remains unclear whether the federal standard—if and when it is enacted—will preempt the state requirements. This means that financial institutions and other companies must be prepared to comply with the state security breach laws that are currently in effect and those that will go into effect at the beginning of 2006.

Although most of the state breach notification laws are modeled after California’s Notice of Security Breach Act, which went into effect in July 2003, there are many variations that can affect whether a particular incident would trigger a duty to notify. Given the expense, administrative burden and negative publicity that can result from issuing breach notices, it is important to know when they are—and are not—required under applicable law.

Although it is impossible to know exactly how to respond to an information security breach before one happens, every company should have a plan for complying with notification requirements if a breach occurs, because most breach notification laws require that notifications be provided promptly or immediately. This alert (a) provides some practical guidance on how to analyze a company’s duties in the event of a breach and (b) suggests certain steps a company can take before a security breach occurs that will help simplify compliance with notification requirements.
ANALYZING BREACH NOTIFICATION REQUIREMENTS

Identify the States Impacted by the Breach

Many security breaches involve information about consumers in all 50 states, but in some cases—such as when a loan officer’s laptop computer is stolen—an incident may only involve data about consumers from as few as one or two states. Although a company may decide to notify all consumers, regardless of whether the applicable state(s) expressly require a notification, the first step in assessing the situation should be to isolate the states at issue and determine whether those states have a notification law in place.

Identify the Entities Covered by Applicable Law

Once a company has identified the states that are impacted by a security breach and which of those states have breach notification laws in effect, the next step is to determine what types of entities are covered by the laws in question. Although most state breach notification laws apply broadly to any person or business, a handful of them are restricted to particular types of entities. Georgia’s law, for example, applies only to “information brokers,” a term that does not appear to include most financial institutions. Similarly, Indiana’s law applies only to state agencies, and thus would not extend to non-governmental entities. Furthermore, some breach notification laws, such as Minnesota’s, appear not to apply to any financial institutions that are covered by the Gramm-Leach-Bliley Act (even though that Act does not currently require all financial institutions to provide consumer notices in the event of a security breach).

Kirkpatrick & Lockhart Nicholson Graham LLP | NOVEMBER 2005

Under most breach notification laws, the consumer notification obligations apply to the entity that owns or licenses an individual’s information. Most of these laws, however, do not define “owns or licenses,” and in some cases this can make it difficult to determine who must provide the notifications.
Moreover, most breach notification laws require entities that maintain, but do not own, covered information to notify the owner of the information in the event of a security breach. In these cases, the owner would then need to issue notifications to the applicable consumers.

Determine if the Law Covers Your Information

Once a company knows which states have notification laws to which it is subject, it needs to establish whether the laws apply to the particular information involved in the security breach. Many states follow California’s law and require notification if the information in question (a) is computerized and unencrypted and (b) includes an individual’s first name or initial and last name, in combination with any one or more of the following: social security number; driver’s license/state identification card number; or account number, credit card number or debit card number in combination with any required security or access code/password that would permit access to an individual’s financial account. Some states, however, have departed from the California model and require notification when other information is involved. North Carolina’s law, for instance, applies to non-computerized data. North Dakota’s law is triggered if the information at issue includes a person’s date of birth, mother’s maiden name, employer-assigned identification number or digitized or other electronic signature.

Determine Whether the Incident Triggers Notification Obligations

A company also needs to establish whether the incident is serious enough to trigger the applicable statutes’ notification obligations. In many states, any breach in which covered information was acquired, or is reasonably believed to have been acquired, by an unauthorized person triggers the obligation to provide notices to consumers. Some states’ laws state that no notification is required if the company concludes that it is unlikely that the breach will result in harm to consumers.
Other states have similar exemptions, but require that a law enforcement agency concur with the conclusion and/or that the conclusion be properly documented. Furthermore, most states permit companies to delay issuing breach notifications if a law enforcement agency believes that a notification will impede a criminal investigation.

Notifications to Third Parties

In addition to requiring notifications to consumers, a handful of states—including New York—require that a copy of the notice and/or related information be provided to state authorities. New York and a number of other states also require that if a certain number of individuals—for example, 5,000 under the New York law—will receive a breach notification, the company providing the notification also must notify certain consumer reporting agencies.

Form, Delivery and Content of Notification

Most breach notification laws specify whether the breach notice must be in writing or can be delivered by some other means (such as email). Many of the laws provide for substitute notice procedures—for example, providing notice by email, website posting and notification to major statewide media—if the company determines that the cost of using the primary notification method would exceed a certain dollar amount or that more than a certain number of consumers must be notified. Furthermore, certain states, such as New York, impose specific requirements regarding notice content. It is important to note that the majority of the states’ breach notification laws provide that if a company maintains security breach notification procedures as part of its privacy/information security program, compliance with its internal policies and procedures will constitute compliance with the state’s requirements, provided that the person complies with the state’s notification timing requirements.
In addition, certain states’ laws indicate that financial institutions that comply with the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice are deemed in compliance with the state’s breach notification requirements.1

1 The Interagency Guidance applies to financial institutions regulated by the Office of the Comptroller of the Currency, Federal Reserve Board, Federal Deposit Insurance Corporation and Office of Thrift Supervision. The Guidance requires, among other matters, that financial institutions notify their customers as soon as possible after the institution becomes aware of an incident of unauthorized access to “sensitive customer information,” when a reasonable investigation reveals that misuse of the information has occurred or is reasonably possible.

STEPS TO SIMPLIFY COMPLIANCE WITH BREACH NOTIFICATION REQUIREMENTS

Unless and until Congress enacts security breach notification legislation that preempts state requirements, financial institutions and others will need to comply with the varying state notification laws in effect. This means that a company experiencing a security breach will likely need to comply with a series of somewhat differing obligations in the midst of managing the breach event. There are a few actions, however, that a company can take in advance to simplify its notification compliance and help mitigate the disruption resulting from a breach.

First, companies should establish, and train key employees on, security breach response procedures even if they have never experienced a security breach.
These procedures should include procedures for (a) assessing the incident—how it happened, what information was compromised, what customers were affected, and whether the incident is reasonably likely to cause harm to those customers; (b) containing the incident and preventing a repetition; (c) assessing the company’s obligation to notify its customers and/or other parties of the incident; and (d) carrying out the company’s notification obligations within the time required under applicable law. As noted above, many state breach notification laws provide that their requirements will be deemed satisfied if a company provides notifications in accordance with its own, internal policies (so long as the state’s timing requirements are met). This means that a company that establishes its notification procedures in advance may be able to avoid having to follow the specific formatting and delivery requirements that are otherwise required under some state laws.

Second, because most breach notification laws apply only when unencrypted data is compromised, use of encryption whenever feasible will dramatically reduce a company’s breach notice obligations. If the expense and administrative considerations associated with encryption make it impractical to use in all cases, a company could consider using it only in higher risk situations, for example, when significant amounts of customer data are stored on a laptop computer.

Finally, because security breach requirements are changing and expanding rapidly, companies should take steps to keep abreast of the laws that apply to them. Being aware of applicable breach notification requirements in advance will enable a company to efficiently assess and comply with its obligations if and when it experiences an information security breach.

If you have any questions about the security breach notifications that may apply to your company, please contact one of the lawyers listed below.

Melanie Brody 202-778-9203 mbrody@klng.com
Bruce H.
Nielson 202-778-9256 bnielson@klng.com

This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer.

© 2005 KIRKPATRICK & LOCKHART NICHOLSON GRAHAM LLP. ALL RIGHTS RESERVED.