Check Your Local Listings: California and Illinois Data Breach Law Amendments Highlight Varying State Compliance Obligations

October 5, 2011

Practice Groups: Privacy, Data Protection and Information Management; Technology Transactions and Data Protection

By Holly Towle and Samuel Castic
Data security breaches are an unfortunate reality of modern commerce. For most entities, it is not a
question of whether a breach will occur, but when, because perfect security is, essentially, impossible.
Recent amendments by California and Illinois to their data breach notification laws are an important
reminder that getting a breach response right can be difficult.
California was the first state to mandate that a business experiencing a data breach of certain personal
information inform the affected individuals. Following California’s lead, almost every other state
enacted a version of a data breach notification law. The laws vary significantly and usually apply in
addition to federal rules. The state laws set different triggers for what constitutes a breach of covered
“personal information,” and impose different obligations for when to provide notice and what to say.
For example, a name and date of birth is not covered “personal information” under many state statutes
but is covered under some (e.g., North Dakota).
California recently amended its statutes (Cal. Civil Code §§ 1798.29 for governmental agencies and
1798.82 for businesses) to regulate the content of security breach notices. It received a lot of press for
doing so, but it is a Johnny-come-lately on that topic. Several other states have long mandated notice
content and the new California rules simply add to the complexity of dealing with multiple and
conflicting state laws, including notice content rules. Illinois recently piled on by amending its data
breach notification law, 815 ILCS 530/10.
We summarize below the California and Illinois notice content rules. However, the more important
point is that more than a dozen states have specified content requirements for breach notifications, so
looking at California and Illinois alone will not generate compliant notices. California requires that
notifications include:
• The name and contact information of the reporting person or business;
• A list of the types of personal information that were or are reasonably believed to have been the subject of a breach;
• If the information is possible to determine at the time the notice is provided, information about the date of the breach and notification;
• Whether notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided;
• A general description of the breach incident, if that information is possible to determine at the time the notice is provided; and
• The toll-free telephone numbers and addresses of the major credit reporting agencies, if the breach exposed a social security number or a driver's license or California identification card number.
Illinois requires the following and precludes the notice from including “information concerning the
number of Illinois residents affected by the breach”:
• The number of individuals affected (in Puerto Rico, the notice “must indicate, as far as the need for any investigation or judicial case in course allows . . . the number of clients potentially affected . . . .”);
• A telephone number the data subject can call for additional information;
• Contact information for the state attorney general;
• Advice to monitor credit reports and to remain vigilant for incidents of fraud and identity theft; and
• Information on how to place a fraud alert or security freeze with credit reporting agencies.
Should a business comply with all of the above in every state? No. Some of the rules for one state
conflict with rules in another. For example:
• The California rule requires “a general description of the breach incident,” whereas the Massachusetts statute provides that the notice of security breach “shall not include the nature of the breach or unauthorized acquisition”;[1]
• The Puerto Rican rule requiring the number of data subjects affected conflicts with both the Illinois rule (noted above) and with the Massachusetts rule (precluding disclosure of “the number of residents of the commonwealth affected by said breach or unauthorized access or use”).
These kinds of variations preclude use of “one-size-fits-all” notices. Some of the variations may
reflect different policy judgments about what information is unwise to include, so it is important to
comply with each rule. Of course, media and Internet reports using information provided under the
laws of one state may spread to other states information required to be omitted in those states, but that
is beyond the control of persons required to give notice.
Also beyond their control is the harm that can come from notices given. The notices can be a double-edged sword: on the one hand, they provide information that can be used by data subjects to protect
themselves from possible misuse of data exposed by the breach. On the other hand, they may provide
notice to fraudsters that a group of data subjects exists that may be predisposed to falling for a
“phishing” email or text, letter or phone call purporting to be from a company assigned to help address
the breach. This reality—the fact that harm can come from giving notice—is why definitions of
“personal information” vary and tend to be limited to sensitive data. It is also why federal regulators
tend to favor rules that limit notices to situations in which notice is “warranted” and is not
automatically given for every breach.
Many states agree and that is a reason for another variation among state statutes. Many of them set a
stated threshold before notice should be given. These thresholds are non-uniform so they need to be
examined before a decision to provide notice is made.
When notice is required, about a dozen states also require notice to specified governmental regulators or other entities. For example, California’s amendments require a business to provide an electronic sample of the data subject notice (without personal information) to the California Attorney General’s office when more than 500 California individuals must be notified. Other states require notice to the government before a notice can even go out to data subjects.

[1] Mass. Gen. Laws ch. 93H, § 3(b).
The publicity given the California amendments is not warranted merely because the content of notices is now addressed in a state data security breach notice statute; that concept is old news. That publicity is
helpful, however, as a reminder that notice content is regulated by some states along with many other
aspects of data security breaches. This is all done with non-uniform, often conflicting, laws and
regulations. Accordingly, it is a good idea to have a data security breach plan and sample notices in
place before a breach occurs. That can not only save time and money, but it also allows a business to
chart a course for navigating these statutes free of the frenzy that will ensue once a breach occurs.
To learn more about the ways that K&L Gates can help your business or organization to prepare for or
respond to a data security incident, please view our practice overview here, and contact Holly Towle
or Samuel Castic.
Authors:
Holly Towle
holly.towle@klgates.com
+1.206.370.8334
Samuel Castic
sam.castic@klgates.com
+1.206.370.6576