With increasing awareness, regulation, and liability, business owners must be even more cognizant of their duties and potential liabilities surrounding data breaches. A data breach is generally defined as any event that releases personally identifiable information (“PII”) without the consent of the individual concerned. PII typically includes information such as name, address, birth date, passwords, and biometric data, as well as identification numbers such as Social Security numbers, bank and credit card account numbers together with their access codes or passwords, and driver’s license numbers. Most business owners are aware of data breaches resulting from unauthorized access to or hacking of company records; however, data breaches can also result from improperly secured networks, theft of equipment or records, and poor security protocols and policies.

Virtually any company that conducts business over the internet or uses web-based databases is at risk of a data breach. Companies of all sizes, from Target to local medical practices, have been targeted by hackers in recent years, and the impact can be significant regardless of the size of the business. More than two dozen class action lawsuits were filed against Target as a result of its 2013 data breach. Estimates vary, but business owners can expect a data breach to cost between $90 and $305 per record lost.

In 2003, California was the first state to pass a law requiring entities to notify individuals impacted by a data breach. Since then, 46 other states have gone on to impose affirmative duties on businesses to notify impacted individuals. While the duties and regulations vary by state, there are several common elements.

Most states apply these regulations to PII in electronic or hard-copy form. However, some states exclude password-protected information from their data breach regulations, while others cover only data that is reasonably likely to cause harm if exposed.

Some states only require private entities to provide notifications of data breaches, while others require both private and government entities to provide notifications. Further, some states only require notifications of breaches when there is a reasonable likelihood that the breach will result in harm to the individual.

Notifications must be made within a reasonable amount of time, and several states set a statutory deadline. Generally, four to five weeks from the time the breach is discovered is regarded as a reasonable timeframe. Almost every state allows for a law enforcement exception: notification is delayed while law enforcement authorities investigate the breach, where they determine that notice would impede the investigation. Notifications generally must be provided by mail; however, many states allow alternative, more cost-effective methods for breaches above a certain size.

Enforcement and penalties vary significantly depending on which state’s law applies. Some states permit affected individuals to enforce the data breach laws, others allow only the state’s attorney general to bring an action, and some allow both. Penalties can range from $5,000 to $250,000, with most states falling at the higher end of that range.

Businesses of all sizes should plan for data breaches: develop policies and procedures to help prevent them, and decide in advance how notifications will be handled and how the integrity of the affected database will be restored after a breach.

Below is a brief summary of Ohio, Texas, Washington, New York, and California data breach laws.

Ohio

Who’s regulated: Any person who owns or licenses computerized data.

Information covered: First name or first initial and last name in combination with any of the following:
– SSN
– Driver’s license number
– Account numbers in combination with passwords or access information
(Does not include publicly available information.)

Notifications: Must notify impacted Ohio residents (and credit reporting agencies if the breach affects more than 1,000 individuals). No government notice required.

Timing of notification: Must be given within 45 days of discovery of the breach. Permits a law enforcement exception.

Notification methods: Mail, phone, or electronic notification; substitute notice if none of those methods would be effective.

Enforcement: Only enforceable by the state’s attorney general.

Penalties: Not specified.

Texas

Who’s regulated: Any person or business conducting business in Texas who owns or licenses computerized data.

Information covered: First name or first initial and last name in combination with any of the following:
– SSN
– Driver’s license number
– Account numbers in combination with passwords or access information
Or, information that identifies an individual and relates to the individual’s physical or mental health, health care, or payment for health care.
(Does not include publicly available information.)

Notifications: Must notify impacted individuals (and credit reporting agencies if the breach affects more than 10,000 individuals). No government notice required.

Timing of notification: Within a reasonable amount of time. Permits a law enforcement exception.

Notification methods: Mail or electronic notice, or another reasonable method if the cost of providing notice by the other methods would exceed $250,000 or the breach affects more than 500,000 people.

Enforcement: Only enforceable by the state’s attorney general.

Penalties: $2,000 to $50,000 per violation, plus a civil penalty of $100 per individual.

Washington

Who’s regulated: Any person or business conducting business in Washington that owns or licenses data that includes personal information.

Information covered: First name or first initial and last name in combination with any of the following:
– SSN
– Driver’s license number
– Account numbers in combination with passwords or access information
(Does not include publicly available information.)

Notifications: Must notify impacted individuals (and the attorney general for breaches of more than 500 records).

Timing of notification: Must be given within 45 days of discovery of the breach. Permits a law enforcement exception.

Notification methods: Mail or electronic notice, or another reasonable method if the cost of providing notice by the other methods would exceed $250,000 or the breach affects more than 500,000 people.

Enforcement: Impacted individuals or the state’s attorney general may enforce.

Penalties: Permitted to recover damages. Additional penalties for government agencies and payment processors.

New York

Who’s regulated: Any person or business conducting business in New York who owns or licenses computerized data.

Information covered:
Personal information: any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify that person.
Private information: personal information in combination with any of the following:
– SSN
– Driver’s license number
– Account numbers in combination with access information
(Does not include publicly available information.)

Notifications: Must notify impacted individuals and the government (and credit reporting agencies if the breach affects more than 5,000 individuals).

Timing of notification: Within a reasonable amount of time. Permits a law enforcement exception.

Notification methods: Mail, phone, or another method approved by the attorney general (or electronic notice if the individual has consented to electronic notification).

Enforcement: Only enforceable by the state’s attorney general.

Penalties: Damages (plus up to $10,000 per breach if the business acted recklessly or knowingly).

California

Who’s regulated: Any person or business conducting business in California that owns or licenses data that includes personal information.

Information covered: First name or first initial and last name in combination with any of the following:
– SSN
– Driver’s license number
– Account number in combination with password
– Medical or health insurance information

Notifications: Must notify impacted individuals (and the attorney general for breaches of more than 500 records).

Timing of notification: Within a reasonable amount of time. Permits a law enforcement exception.

Notification methods: Mail or electronic notice, or another reasonable method if the cost of providing notice by the other methods would exceed $250,000 or the breach affects more than 500,000 people.

Enforcement: Impacted individuals can enforce.

Penalties: Permitted to recover damages.