One-Size-Fits-All Data Breach Notification Laws Don’t Exist


Firms Must Be Aware of State Data Breach Notification Laws

The Ponemon Institute’s 2014 Cost of Data Breach Study: Global Analysis, sponsored by IBM, reveals that the average cost to a company for investigations, notification, and response when sensitive and confidential information was lost or stolen was $3.5 million. Moreover, according to Identity Theft Resource Center, 92 million records were exposed from 619 data breaches in 2013, 84% coming from the business sector. In addition, the United States spent $562,000 per incident on notification costs following a breach of identity-type data.

Furthermore, while companies increasingly struggle to prepare for and respond to cyber attacks, part of the issue they face is the patchwork of data breach notification laws that exist and how each state defines compliance and personal information. These state notification laws cover not only the companies that own or license a consumer’s personal information, but also companies that maintain or control personal information they do not own, such as a vendor that manages a database of subscription information for a magazine. In the event that a company that maintains, but does not own, personal information suffers a breach, the company that actually owns or licenses the information is still responsible for proper notification to consumers.

Currently, there are 47 states that have laws regarding security breach notifications. They use a common definition of “personal information” that consists of the consumer’s name (usually first name or first initial and last name) and at least one of the following pieces of information: Social Security number, driver’s license number or state identification card number, or financial information. Moreover, as data breaches have increased over the last few years, some states have expanded their definitions of “personal information”; California and Missouri, for example, also include health insurance information.

Indeed, California has gone even further in amending its security breach notification law effective this past January by expanding the definition of personal information requiring individual notification. The definition now includes a username or email address in combination with a password or security question where that information would permit access to an online account. In a breach involving this type of information, a company will have to provide notification that directs individuals to change their passwords and security questions, and take other action to protect the breached account and any other online accounts where they might have used the same login credentials.

Some other examples of states amending their statutes to broaden the definition of personal information include Iowa, which has added “unique biometric data, such as fingerprint, retina, or iris image, or another unique physical representation or digital representation of biometric data.” Maryland’s statute includes “An Individual Taxpayer Identification Number,” and Oregon’s includes a passport number. Wyoming’s statute includes a tribal identification card. In addition, it’s likely even more states will alter their definition of “personal information” as this area of the law evolves.

The trigger for a company to notify customers in the event of a breach also varies depending on the state. A number of states use an approach that resembles strict liability—requiring notification if personal information “was or is reasonably believed to have been” obtained by an unauthorized person, regardless of the likelihood that the consumer will become the victim of identity theft, fraud, or other harm. Other states take a different track and allow companies to evaluate the risk of harm to consumers in determining whether to provide notification. These statutes typically require notification if it is reasonably likely that the unauthorized access to the consumer personal information will result in misuse of the information, harm to the consumer, or identity theft. Some states require companies to conduct “in good faith a reasonable and prompt investigation” to determine the likelihood that personal information has been or will be misused. Other states do not set forth a particular method by which a company may determine the likelihood of misuse, but in practice an investigation is the typical route followed in these states as well.

The method of notification varies, too. The majority of states hold that notice may be provided by one of the following methods: written notice, telephonic notice, or electronic notice if the company’s primary means of communication with the consumer is by electronic means. The one state that does not explicitly permit email notification is Wisconsin, which requires a company to provide notice “by mail or by a method the entity has previously employed to communicate with the subject of the personal information.”

There are additional issues to consider, including the timing of notification, who needs to be notified, whether any notification waivers can apply, penalties for failure to comply, and whether a consumer can sue (“private right of action”) if a company violates notification provisions, among others.

It’s clear that without a universally applicable federal law, and with varied state laws addressing data breaches, the risks associated with cyber security are made even more complicated. Therefore, it is critical that companies not only understand their own state laws when it comes to compliance and notification, but that those companies doing business in multiple jurisdictions comply with each state’s notification statutes should a breach occur. Otherwise, they will be facing significant exposures. That means maintaining a comprehensive and regularly updated data breach response plan, with immediate access to experienced outside counsel who are prepared to assist in identifying relevant laws and preparing compliant notifications.

Also critical is having the right type of Cyber Liability / Privacy & Network Security insurance in place should a breach occur. A policy can be designed to cover first- and third-party liability and expenses, including notification costs, remediation services, regulatory breach expenses and industry fines. At Axis Insurance Services, we specialize in providing clients with Cyber Liability solutions and can help put together a program to minimize your risk. Give us a call at (877) 787-5258.

Sources: Property/Casualty 360, Bloomberg, Crowell Moring

Blogged on: June 13, 2014 by Mike Smith