New Data Breach Laws Expand Covered Data

Nearly all states have data breach laws requiring businesses holding certain types of consumer personal data to notify affected persons when there is a breach or suspected breach. As consumers are barraged seemingly on a weekly basis with news reports of yet another breach, what trends have emerged and what does it mean for affected businesses?

Two trends appear to be converging: first, states are amending their laws to bring ever-broader categories of data within the sweep of these laws. As a general matter, most states only require notification when there has been a breach of certain unencrypted “personal data” in combination with a consumer’s first name/last name (or first initial/last name), where “personal data” is defined to mean clearly sensitive items such as credit card numbers or social security numbers. However, so far in 2015, two states, Nevada and Wyoming, have followed the lead of California and North Carolina in making a breach of a consumer’s email address plus password, when combined with the consumer’s first name/last name (or first initial/last name), covered under their breach notification statutes. Other notable expansions in the laws are the inclusion by Nevada of an “electronic signature” and “name or date of birth (or address), in combination with other information that would increase [the likelihood of identity theft],” and Wyoming’s addition of “shared secrets…known to be used for data-based authentication” and “medical information…including mental or physical condition.” These additions are slowly but surely moving the goalposts for breach notifications from relatively unusual data sets to include data held in the ordinary course of business activities by the majority of businesses.

The second trend, which has not fully come to fruition yet, is the continued efforts of the plaintiffs’ bar to allege sufficient injury by victims of data breach to survive defendants’ motions to dismiss for lack of standing or lack of monetary harm. While the courts have not been bending over backward to assist the plaintiffs in their attempts to recover in class actions, the odd case has made it past summary judgment, especially where there was an actual breach and plaintiffs had out-of-pocket damages as a result.

The result of these trends is that businesses holding all sorts of consumer personal data can expect more and more to fall within the scope of these state breach notification laws when their data has not been encrypted. Even the best defenses can be penetrated, so businesses should have a well-considered breach response plan ready for use in the event of a data breach (including, of course, ensuring that all of the affected consumers’ expenses in obtaining identity protection products are paid by the company). Culhane Meadows’ Data Privacy & Security team is ready to assist you in taking the critical front-end steps that can make all the difference in these situations.

Author Kim Verska is a Certified Information Privacy Professional (US) through the International Association of Privacy Professionals and a Partner in Culhane Meadows’ Atlanta office. She is a frequent speaker regarding evolving legal issues for the technology industry and other businesses and can be reached at kverska@culhanemeadows.com.
